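! Cisco ASA 5510 running configuration (ASA 8.0(2), pre-8.3 NAT syntax).
! The listing had been wrapped at 80 columns so that single tokens were split
! across lines (e.g. "192.16 8.150.10", "object-g roup"); those tokens are
! rejoined below and the trailing CLI prompt echo is dropped. Lines starting
! with "!" are comments and are discarded by the CLI parser. No configuration
! statement has been changed; review notes are marked NOTE(review).
ASA Version 8.0(2)
!
hostname test-ASA5510
domain-name test.com
enable password 1dnV5E4yGuP8qPcP encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xx.29 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.31 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.150.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd ngAUxjup8owi2hu2 encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EDT 3
dns server-group DefaultDNS
 domain-name test.com
same-security-traffic permit intra-interface
!
! Object groups used by the interface ACLs and NAT exemption below.
object-group icmp-type icmp-allow
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object parameter-problem
object-group network ssh_users
 network-object host xx.xx.xx.34
 network-object host xx.xx.xx.99
 network-object host xx.xx.xx.254
 network-object host xx.xx.xx.209
 network-object host xx.xx.xx.248
object-group network logical_users
 network-object host xx.xx.xx.18
object-group service deny_outbound tcp
 port-object eq telnet
 port-object eq smtp
 port-object eq pop3
object-group network brosco_addresses
 description brosco public IP addresses
 network-object host xx.xx.xx.245
 network-object host xx.xx.xx.60
 network-object host xx.xx.xx.98
object-group network PCAnywhere-Factory
 network-object host 192.168.34.53
object-group network TermServers
 network-object 192.168.11.0 255.255.255.0
object-group network WebVPN-Network
 network-object 172.16.11.0 255.255.255.0
object-group service RDP tcp
 port-object eq 3389
object-group network MXLogicSubnets
 network-object xx.xx.xx.0 255.255.248.0
 network-object xx.xx.xx.0 255.255.252.0
object-group network CNEPulseCollectors
 description Constellation New Energy Pulse Meter Data Collectors
 network-object host 192.168.21.250
 network-object host 192.168.21.251
 network-object host 192.168.21.252
 network-object host 192.168.30.250
 network-object host 192.168.34.250
object-group service DM_INLINE_TCP_1 tcp
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq pop3
 port-object eq smtp
!
! NOTE(review): PCAnywhere-Factory is defined but not referenced anywhere in
! this listing; ACL IPS is referenced only by class-map ips-class, which is
! not attached to any policy-map here.
access-list IPS extended permit ip any any
!
! inside -> outbound. Default-open: everything not matched by the explicit
! deny entries is allowed by the "permit ip any any" near the end.
access-list inside_access_in remark VPN hole
access-list inside_access_in extended permit tcp host 192.168.41.18 any
access-list inside_access_in extended permit tcp host 192.168.10.62 any
access-list inside_access_in extended permit tcp object-group CNEPulseCollectors host xx.xx.xx.29 eq smtp
access-list inside_access_in extended permit icmp host 192.168.10.10 host 192.168.150.10
access-list inside_access_in extended permit tcp host 192.168.10.28 any eq smtp
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.150.10 eq www
access-list inside_access_in extended permit ip host 192.168.10.38 host 192.168.150.10
access-list inside_access_in remark Brosco Ordering system port
access-list inside_access_in extended permit tcp any object-group brosco_addresses eq 5005
access-list inside_access_in extended deny ip 192.168.0.0 255.255.0.0 host 192.168.150.10
access-list inside_access_in remark Allow Mail requests for ISIS implementation
access-list inside_access_in extended permit tcp any host xx.xx.xx.123 object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny tcp any any object-group deny_outbound
access-list inside_access_in extended permit ip any any
! NOTE(review): the https entry below sits after "permit ip any any" and is
! also preceded by "deny ip 192.168.0.0/16 host 192.168.150.10", so it can
! never match; move it above the deny if HTTPS to the DMZ host is intended.
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.150.10 eq https
!
! dmz -> inside/outbound. The DMZ host may initiate telnet, rsh and two
! custom ports into inside hosts, and HTTP to the whole inside /16.
! NOTE(review): telnet and rsh carry credentials in cleartext; if those
! management flows are still needed, consider replacing them with ssh.
access-list dmz_access_in extended permit icmp host 192.168.150.10 host 192.168.10.10
access-list dmz_access_in extended permit icmp host 192.168.150.10 host 192.168.10.38
access-list dmz_access_in extended permit tcp host 192.168.150.10 host 192.168.10.38 eq telnet
access-list dmz_access_in extended permit tcp host 192.168.150.10 host 192.168.10.38 eq rsh
access-list dmz_access_in extended permit tcp host 192.168.150.10 host 192.168.10.38 eq 19200
access-list dmz_access_in extended permit tcp host 192.168.150.10 host 192.168.10.250 eq 7999
access-list dmz_access_in extended permit tcp any 192.168.0.0 255.255.0.0 eq www
access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit ip any any
!
! outside -> inbound. On 8.0 the interface ACL matches the mapped (global)
! destination address, i.e. the static translations further down.
! NOTE(review): the two "VPN hole" entries name private inside addresses as
! destinations, but no static translation for 192.168.41.18 or 192.168.10.62
! appears in this listing; confirm whether these entries still do anything.
access-list outside_access_in remark VPN hole
access-list outside_access_in extended permit tcp any host 192.168.41.18
access-list outside_access_in extended permit tcp any host 192.168.10.62
access-list outside_access_in extended permit icmp any any object-group icmp-allow
access-list outside_access_in extended permit tcp any host xx.xx.xx.17 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.17 eq https
access-list outside_access_in extended permit tcp any host xx.xx.xx.20 eq https
access-list outside_access_in extended permit tcp host xx.xx.xx.68 host xx.xx.xx.17 eq 5900
! NOTE(review): SSH from the Internet is forwarded to inside hosts
! (xx.xx.xx.17 -> 192.168.10.38, xx.xx.xx.18 -> 192.168.10.25 via the
! statics below); the source restriction is the ssh_users / logical_users
! groups, so keep those groups current.
access-list outside_access_in extended permit tcp object-group ssh_users host xx.xx.xx.17 eq ssh
access-list outside_access_in extended permit tcp object-group logical_users host xx.xx.xx.18 eq ssh
access-list outside_access_in extended permit tcp any host xx.xx.xx.20 eq www
access-list outside_access_in extended permit udp host xx.xx.xx.30 host xx.xx.xx.17 eq snmp
access-list outside_access_in remark WebEx Additional Port
access-list outside_access_in extended permit udp any eq 1270 host xx.xx.xx.17 eq 1270
access-list outside_access_in remark Webex Additional Port
access-list outside_access_in extended permit tcp any eq www host xx.xx.xx.17 eq 32316
access-list outside_access_in extended permit tcp object-group MXLogicSubnets host xx.xx.xx.17 eq smtp
access-list outside_access_in remark Enable mail access for ISIS Implementation
access-list outside_access_in extended permit tcp host xx.xx.xx.123 any object-group DM_INLINE_TCP_2
!
! NAT exemption (nat 0) for VPN and remote-access pools.
access-list inside_nat0_outbound extended permit ip object-group TermServers object-group WebVPN-Network
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.90.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.35.0 255.255.255.0
access-list TermServerACL standard permit 192.168.11.0 255.255.255.0
access-list 199 extended permit ip host 192.168.150.10 any
access-list 199 extended permit ip any host 192.168.150.10
access-list WebVPN-ACL extended permit tcp 172.16.11.0 255.255.255.0 192.168.11.0 255.255.255.0 object-group RDP
!
! NOTE(review): only outside_cryptomap_1 (192.168.20.0/24) is bound to a
! crypto map entry below. outside_1_cryptomap and outside_map_acl_1 are not
! referenced, yet 192.168.90.0/24 is NAT-exempted and routed out "outside";
! as listed, that traffic appears to leave unencrypted with a private source
! address. Confirm whether a crypto map entry for 192.168.90.0/24 is missing.
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.90.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list outside_map_acl_1 extended permit ip 192.168.0.0 255.255.0.0 192.168.90.0 255.255.255.0
access-list iphone_split_tunnel standard permit 192.168.0.0 255.255.0.0
access-list iphone_split_tunnel standard permit 172.16.35.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.0.0 255.255.0.0 192.168.20.0 255.255.255.0
pager lines 24
!
! Logging: warnings and above to the buffer, ASDM and two inside syslog hosts.
logging enable
logging buffered warnings
logging trap warnings
logging asdm warnings
logging facility 16
logging host inside 192.168.10.15 format emblem
logging host inside 192.168.10.105
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool WebVPNpool 172.16.11.1-172.16.11.254 mask 255.255.255.0
ip local pool iphonepool 172.16.35.1-172.16.35.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
!
! NAT: pool 101 hides inside behind the outside interface address, pool 102
! maps 192.168.10.28 to xx.xx.xx.17; statics publish individual services.
global (outside) 101 interface
global (outside) 102 xx.xx.xx.17
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 102 192.168.10.28 255.255.255.255
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp xx.xx.xx.18 ssh 192.168.10.25 ssh netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 ssh 192.168.10.38 ssh netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 www 192.168.10.251 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 https 192.168.10.28 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 5900 192.168.10.35 5900 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 smtp 192.168.10.28 smtp netmask 255.255.255.255
static (inside,outside) udp xx.xx.xx.17 snmp 192.168.10.105 snmp netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (dmz,outside) xx.xx.xx.20 192.168.150.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.30 1
route inside 192.168.0.0 255.255.0.0 192.168.10.1 1
route outside 192.168.20.0 255.255.255.0 xx.xx.xx.30 1
route outside 192.168.90.0 255.255.255.0 xx.xx.xx.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
!
! NOTE(review): the RADIUS shared secret is stored in cleartext in this
! listing; treat any copy of this file as credential material and rotate the
! key on both the ASA and the RADIUS server when the file has been shared.
aaa-server RadiusServer protocol radius
aaa-server RadiusServer host 192.168.10.20
 timeout 5
 key radius4asa
!
! Management plane.
! NOTE(review): no "aaa authentication ssh console", "http console" or
! "enable console" lines appear in this listing, so the local usernames
! defined below are not what device-management logins are checked against
! by default; confirm how administrators authenticate.
! NOTE(review): ASDM (http) is reachable from the entire inside /16.
http server enable
http 192.168.0.0 255.255.0.0 inside
! NOTE(review): "public" is the well-known default community string. No
! "snmp-server host" entries are present here, so no poller should be
! admitted, but the string should still be replaced with a site-specific one.
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! IPsec. NOTE(review): the DES and 3DES transform sets remain negotiable in
! both the L2L entry and the dynamic map; the AES sets are listed first, but a
! peer proposing ESP-DES-* would still be accepted. ISAKMP policy 10 is
! 3DES/SHA1/group 2 only. Plan to retire DES/3DES and add an AES/stronger
! DH-group ISAKMP policy when the peers support it.
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set peer xx.xx.xx.2
crypto map outside_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! NOTE(review): telnet (cleartext) is enabled from the whole inside /16 while
! ssh is already permitted from the same range; the telnet line can be
! removed once no administrator depends on it.
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 20
! NOTE(review): three external SSH sources are allowed to the ASA itself;
! periodically confirm each (in particular the single host 171.68.225.212)
! is still required.
ssh xx.xx.xx.96 255.255.255.224 outside
ssh xx.xx.xx.141 255.255.255.255 outside
ssh 171.68.225.212 255.255.255.255 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 20
! NOTE(review): "console timeout 0" never logs out an idle console session.
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
!
class-map ips-class
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
!
! Remote access: AnyConnect (svc) on outside, IPsec for the "iphone" group.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
group-policy TermServerPolicy internal
group-policy TermServerPolicy attributes
 vpn-filter value WebVPN-ACL
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TermServerACL
 address-pools value WebVPNpool
 webvpn
  svc ask none default svc
group-policy DfltGrpPolicy attributes
 banner value Connected to FW-VPN
 dns-server value 192.168.10.20
group-policy iphone internal
group-policy iphone attributes
 banner value Welcome to the Iphone Network
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value iphone_split_tunnel
 default-domain value test.com
username mike password PH9bOfPJup6gcBmT encrypted
username mike attributes
 service-type remote-access
username bill password 28PRkqIBNETe5/YA encrypted privilege 15
!
! NOTE(review): pre-shared keys are set on the Default* tunnel groups as well
! as on the named ones. Together with the dynamic crypto map entry (65535),
! the default groups are what an unmatched IKEv1 peer lands on, so confirm
! those keys are intentional and not leftovers.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group RadiusServer
 dhcp-server 192.168.10.20
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RadiusServer
 default-group-policy TermServerPolicy
! NOTE(review): tunnel-group TermServers sets no authentication-server-group,
! unlike the other groups; by ASA default that means the LOCAL user database
! is used for it. Confirm this is intended rather than an omission.
tunnel-group TermServers type remote-access
tunnel-group TermServers general-attributes
 address-pool WebVPNpool
 default-group-policy TermServerPolicy
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
 address-pool iphonepool
 authentication-server-group RadiusServer
 default-group-policy iphone
tunnel-group iphone webvpn-attributes
 group-alias iphone disable
tunnel-group iphone ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.2 type ipsec-l2l
tunnel-group xx.xx.xx.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:2742f5c1edbb9ca74b5056c14258abb0
: end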