sho run
: Saved
:
ASA Version 8.0(4)
!
hostname MED-F5510-MDF
domain-name sorensonmedia.com
enable password 1JGrAHYIN4hjHZqq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.252.0 smi-data-network description sorenson media data network
name 192.168.250.0 smi-voice-network description sorenson media voice network
name 192.168.40.0 cda-inside-network description coeur d'alene internal network
name 10.0.0.0 sdi-internal-network description internal sdi subnet
name 71.35.223.156 hassett.home description kathy hassett home ip
name 192.168.250.2 adbackup description adbackup windows servers
dns-guard
!
interface Ethernet0/0
 description outside interface
 nameif outside
 security-level 0
 ip address 64.244.87.2 255.255.255.128
 ospf cost 10
!
interface Ethernet0/1
 description inside interface
 nameif inside
 security-level 100
 ip address 172.17.10.1 255.255.255.252
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description management interface
 shutdown
 nameif management
 security-level 100
 no ip address
 ospf cost 10
 management-only
!
banner exec All connections are logged. Unauthorized access is not permitted.
banner exec ******************* WARNING ************************
banner exec Sorenson Media
banner exec (801) 313-8150
banner exec Access to this information processing system is
banner exec restricted to authorized personnel ONLY!
banner exec *****************************************************
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 name-server smedia.internal
 domain-name sorensonmedia.com
same-security-traffic permit intra-interface
object-group service www.ports
 description TCP ports 80 and 443
 service-object tcp eq www
 service-object tcp eq https
object-group service razor2 tcp
 description tcp ports 2703 and 7 used by esva
 port-object eq 2703
 port-object eq echo
object-group service dcc udp
 description UDP port 6277 used by ESVA
 port-object eq 6277
object-group service pyzor udp
 description UDP port 24441 used by ESVA
 port-object eq 24441
object-group service default.ports
 description TCP and UDP common outbound ports
 service-object icmp
 service-object tcp eq citrix-ica
 service-object tcp eq domain
 service-object tcp eq ftp
 service-object tcp eq ftp-data
 service-object tcp eq h323
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq imap4
 service-object tcp eq irc
 service-object tcp eq ldap
 service-object tcp eq ldaps
 service-object tcp eq pcanywhere-data
 service-object tcp eq pop3
 service-object tcp eq smtp
 service-object tcp eq ssh
 service-object tcp eq telnet
 service-object udp eq ntp
 service-object udp eq domain
 service-object tcp eq 3389
 service-object tcp eq 8080
 service-object tcp eq 123
object-group service esva.inbound.tcp tcp
 description TCP ports used by ESVA for inbound connections
 group-object razor2
 port-object eq domain
 port-object eq www
 port-object eq smtp
object-group service esva.inbound.udp udp
 description UDP ports used by ESVA for inbound connections
 group-object dcc
 group-object pyzor
 port-object eq domain
object-group service esva.outbound.tcp tcp
 description TCP ports used by ESVA for outbound connections
 group-object razor2
 port-object eq domain
 port-object eq www
 port-object eq smtp
object-group service esva.outbound.udp udp
 description UDP ports used by ESVA for outbound connections
 group-object dcc
 group-object pyzor
 port-object eq domain
object-group network smi.mail.external
 description mail servers in use by sorenson media
 network-object host filter.external
 network-object host mediamail.external
object-group service web.mail
 description TCP ports 80, 443, 143, 25, 110, 993, and 995
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq smtp
 service-object tcp eq pop3
 service-object tcp eq imap4
 service-object tcp eq 993
 service-object tcp eq 995
object-group service engineyard.ssh tcp
 description TCP ports for accessing EngineYard servers
 port-object eq 8161
 port-object eq 8162
 port-object eq 8318
 port-object eq 8319
 port-object range 8324 8327
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service im.ports tcp-udp
 description TCP and UDP ports used by IM
 port-object eq 11004
 port-object eq 1863
 port-object eq 5050
 port-object eq 5190
 port-object eq 5222
 port-object eq 7001
 port-object eq 993
object-group service samba.ports tcp-udp
 description TCP and UDP ports 137, 138, and 139
 port-object range 137 139
object-group service smedia.ports tcp
 description tcp ports 137-139, 161, 3260, and 9100 used by smedia
 port-object eq 161
 port-object eq 3260
 port-object eq 9100
 group-object samba.ports
object-group service irc.ports tcp-udp
 description TCP and UDP ports 6666-6670
 port-object range 6666 6670
object-group service im.ports.udp udp
 description UDP port 9 for IM
 port-object eq discard
object-group service vnc.yorke tcp
 description tcp ports 10098, 10100, 10076, and 10091 used by paul yorke for vnc
 port-object eq 10091
 port-object eq 10098
 port-object eq 10100
 port-object eq 10076
object-group service afp tcp
 description TCP port 548 used by Apple File Protocol
 port-object eq 548
object-group service rdp tcp
 description tcp port 3389 used remote desktop protocol
 port-object eq 3389
object-group service remote.ports.tcp tcp
 description tcp ports rdp, rdp, and ssh for remote access
 port-object eq ssh
 port-object eq 3389
 port-object eq 548
object-group network irc.freenode.net
 description ip addresses for irc.freenode.net
 network-object host chat.freenode.net.04
 network-object host chat.freenode.net.05
 network-object host chat.freenode.net.06
 network-object host chat.freenode.net.07
 network-object host chat.freenode.net.08
 network-object host chat.freenode.net.09
 network-object host chat.freenode.net.10
 network-object host chat.freenode.net.11
 network-object host chat.freenode.net.12
 network-object host chat.freenode.net.01
 network-object host chat.freenode.net.02
 network-object host chat.freenode.net.03
object-group network irc.servers
 description allowable irc servers
 network-object host irc.sorensonmedia.com
 group-object irc.freenode.net
object-group service vnc.cox tcp
 description tcp port 5900
 port-object eq 5900
object-group service vmware.port tcp
 description tcp port 902
 port-object eq 902
object-group network xmission.physical.servers
 description physical servers at xmission
 network-object host bear
 network-object host giant
 network-object host ram
 network-object host raider
 network-object host seahawk
 network-object host colt
 network-object host saint
 network-object host jaguar
 network-object host panther
 network-object host packer
 network-object host patriot
 network-object host bronco
 network-object host raven
object-group service remote.ports.udp udp
 description UDP ports ard and others for remote access
 port-object eq 3283
object-group network DM_INLINE_NETWORK_1
 network-object 172.18.10.0 255.255.255.128
 network-object 192.168.1.0 255.255.255.0
object-group network smi-internal-network
 description smi internal network
 network-object smi-voice-network 255.255.254.0
 network-object smi-data-network 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group service domain.ports tcp-udp
 description tcp and udp ports 53
 port-object eq domain
object-group service DM_INLINE_TCP_1 tcp
 group-object domain.ports
 group-object smedia.ports
object-group service smtps.imaps.pop3s tcp
 description tcp ports 465, 587, and 995 over ssl
 port-object eq 465
 port-object eq 587
 port-object eq 995
object-group service awstats.engineyard.port tcp
 description tcp port 9080
 port-object eq 9080
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
access-list outside_access_in remark Allow outside connections access to mediamail
access-list outside_access_in extended permit object-group web.mail any object-group smi.mail.external
access-list smiremoteusers_splitTunnelAcl standard permit smi-data-network 255.255.255.0
access-list smiremoteusers_splitTunnelAcl standard permit sdi-internal-network 255.0.0.0
access-list smiremoteusers_splitTunnelAcl standard permit 172.18.10.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip smi-data-network 255.255.255.0 172.18.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip smi-data-network 255.255.255.0 172.18.10.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip smi-voice-network 255.255.254.0 cda-inside-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group smi-internal-network cda-inside-network 255.255.255.0
access-list inside_access_in remark Allow internal users access out on limited ports
access-list inside_access_in extended permit object-group default.ports any any
access-list inside_access_in remark Allow internal users access to awstats port at engineyard
access-list inside_access_in extended permit tcp any any object-group awstats.engineyard.port
access-list inside_access_in remark Allow internal users to access instant messaging services
access-list inside_access_in extended permit object-group TCPUDP any any object-group im.ports
access-list inside_access_in remark Allow internal users access ssl email client connections
access-list inside_access_in extended permit tcp any any object-group smtps.imaps.pop3s
access-list inside_access_in remark Allow internal users access to vmware port 902 at xmission
access-list inside_access_in extended permit tcp any object-group xmission.physical.servers object-group vmware.port
access-list inside_access_in remark Allow internal users access to irc
access-list inside_access_in extended permit object-group TCPUDP any object-group irc.servers object-group irc.ports
access-list inside_access_in remark Allow all internal users access to ssh to servers at engineyard
access-list inside_access_in extended permit tcp any host engineyard.external object-group engineyard.ssh
access-list inside_access_in remark Allow smedia outbound access
access-list inside_access_in extended permit tcp smi-data-network 255.255.255.0 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_1
access-list inside_access_in remark Allow smi internal network access to coeur d'alene internal network
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group smi-internal-network cda-inside-network 255.255.255.0
access-list inside_access_in remark Allow filter tcp outbound access on specific ports
access-list inside_access_in extended permit tcp host filter.internal any object-group esva.outbound.tcp
access-list inside_access_in remark Allow filter udp outbound access
access-list inside_access_in extended permit udp host filter.internal any object-group esva.outbound.udp
access-list inside_access_in remark Allow mediamail to talk to any on the outside network
access-list inside_access_in extended permit object-group web.mail host mediamail.internal any
access-list inside_access_in remark Allow Kerry Cox to connect to home server using vnc
access-list inside_access_in extended permit tcp any host cox.home object-group vnc.cox
access-list inside_access_in remark Allow Jim Hudgins access to remote home machines
access-list inside_access_in extended permit tcp any hudgins.home 255.255.255.248 object-group remote.ports.tcp
access-list inside_access_in remark Allow Paul Yorke to connect to his home server using unique VNC ports
access-list inside_access_in extended permit tcp any host yorke.home object-group vnc.yorke
access-list outside_1_cryptomap extended permit ip smi-data-network 255.255.255.0 cda-inside-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip smi-voice-network 255.255.254.0 cda-inside-network 255.255.255.0
access-list outside_1_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_4 object-group smi-internal-network cda-inside-network 255.255.255.0
access-list outside_1_cryptomap_2 extended permit ip object-group smi-internal-network cda-inside-network 255.255.255.0
access-list nonat extended permit ip smi-voice-network 255.255.255.0 cda-inside-network 255.255.255.0
access-list nonat extended permit ip 172.17.10.0 255.255.255.252 cda-inside-network 255.255.255.0
no pager
logging enable
logging asdm informational
logging from-address admin@smivpn.sorensonmedia.com
logging recipient-address kerry@genetree.com level alerts
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool1 172.18.10.1-172.18.10.62 mask 255.255.255.192
ip local pool vpnpool2 172.18.10.65-172.18.10.126 mask 255.255.255.192
ip local pool vpnpool3 172.18.10.129-172.18.10.191 mask 255.255.255.192
ip local pool vpnpool4 172.18.10.193-172.18.10.254 mask 255.255.255.192
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 64.244.87.96-64.244.87.126
global (outside) 1 interface
nat (outside) 10 172.18.10.64 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 172.18.10.64 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) filter.external filter.internal netmask 255.255.255.255
static (inside,outside) mediamail.external mediamail.internal netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 64.244.87.1 1
route inside smi-voice-network 255.255.254.0 172.17.10.2 1
route inside smi-data-network 255.255.255.0 172.17.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http smi-data-network 255.255.255.0 management
http cox.home 255.255.255.255 management
http 172.16.11.0 255.255.255.192 management
http smi-data-network 255.255.255.0 inside
http 67.139.134.152 255.255.255.255 outside
http 166.70.89.113 255.255.255.255 outside
http cox.home 255.255.255.255 outside
snmp-server xxxxxxxxx
snmp-server location xxxxx
snmp-server contact xxxxx
snmp-server community xxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap_2
crypto map outside_map 1 set peer cda.asa5505
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
vpn-addr-assign local reuse-delay 5
telnet timeout 15
ssh smi-data-network 255.255.255.0 inside
ssh smi-data-network 255.255.255.0 management
ssh timeout 15
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 198.60.22.240 source outside prefer
webvpn
 enable outside
group-policy smiremoteusers internal
group-policy smiremoteusers attributes
 dns-server value 192.168.252.11 192.168.250.2
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value smiremoteusers_splitTunnelAcl
group-policy smiinternalusers internal
group-policy smiinternalusers attributes
 dns-server value 192.168.252.11 198.60.22.2
 vpn-tunnel-protocol IPSec svc
tunnel-group smiremoteusers type remote-access
tunnel-group smiremoteusers general-attributes
 address-pool vpnpool1
 default-group-policy smiremoteusers
tunnel-group smiremoteusers webvpn-attributes
 group-alias splittunnel enable
 group-alias splittunneling disable
tunnel-group smiremoteusers ipsec-attributes
 pre-shared-key *
tunnel-group smiinternalusers type remote-access
tunnel-group smiinternalusers general-attributes
 address-pool vpnpool2
 default-group-policy smiinternalusers
tunnel-group smiinternalusers webvpn-attributes
 group-alias hairpin enable
 group-alias users disable
tunnel-group smiinternalusers ipsec-attributes
 pre-shared-key *
tunnel-group 96.239.196.24 type ipsec-l2l
tunnel-group 96.239.196.24 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.252.13
prompt hostname context
Cryptochecksum:5fae0e1088731900df074b4bb235266d
: end
MED-F5510-MDF#