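! Cisco ASA 5510 running-config: interfaces, object-groups, ACLs, NAT,
! routing, AAA/SNMP and IPsec transform sets.
! Layout restored to one command per line from an 80-column terminal
! capture; tokens that the wrap had split (for example "192.16 8.150.10",
! "object-g roup", "http s") were rejoined. No rule was added, removed or
! reordered. Lines starting with "!" are review comments.
!
! REVIEW: 8.0(2) (image asa802-k8.bin below) is an early 8.0 build. Check
! the vendor's published advisories and move to a supported release.
ASA Version 8.0(2)
!
hostname Cisco-ASA5510
domain-name test.com
enable password encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xx.29 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.31 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.150.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
! REVIEW: the enable hash above was scrubbed before posting, but this login
! password hash was not. The "encrypted" form on this release is a legacy
! MD5-based hash; treat the password as exposed and rotate it.
passwd ngAUxjup8owi2hu2 encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
! REVIEW: an offset of 3 does not look like US Eastern time, and no NTP
! server is visible in this listing. Confirm the clock source; skewed
! timestamps make syslog correlation during an investigation unreliable.
clock timezone EDT 3
dns server-group DefaultDNS
 domain-name test.com
object-group icmp-type icmp-allow
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object parameter-problem
object-group network ssh_users
 network-object host xx.xx.xx.34
 network-object host xx.xx.xx.99
 network-object host xx.xx.xx.254
 network-object host xx.xx.xx.209
 network-object host xx.xx.xx.248
object-group network logical_users
 network-object host xx.xx.xx.18
object-group service deny_outbound tcp
 port-object eq telnet
 port-object eq smtp
 port-object eq pop3
object-group network brosco_addresses
 description Brosco public IP addresses
 network-object host xx.xx.xx.245
 network-object host xx.xx.xx.60
 network-object host xx.xx.xx.98
! NOTE: PCAnywhere-Factory is not referenced by any rule in this listing.
object-group network PCAnywhere-Factory
 network-object host 192.168.34.53
object-group network TermServers
 network-object 192.168.11.0 255.255.255.0
object-group network WebVPN-Network
 network-object 172.16.11.0 255.255.255.0
object-group service RDP tcp
 port-object eq 3389
object-group network MXLogicSubnets
 network-object xx.xx.xx.0 255.255.248.0
 network-object xx.xx.xx.0 255.255.252.0
object-group network CNEPulseCollectors
 description Constellation New Energy Pulse Meter Data Collectors
 network-object host 192.168.21.250
 network-object host 192.168.21.251
 network-object host 192.168.21.252
 network-object host 192.168.30.250
 network-object host 192.168.34.250
! NOTE: DM_INLINE_TCP_1 and DM_INLINE_TCP_2 hold the same two ports
! (the names look tool-generated); one group would serve both rules.
object-group service DM_INLINE_TCP_1 tcp
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq pop3
 port-object eq smtp
access-list IPS extended permit ip any any
!
! --- inside_access_in: applied inbound on the inside interface ---
! ACL entries are evaluated top-down and the first match wins.
access-list inside_access_in remark Carlene Fassett VPN hole
access-list inside_access_in extended permit tcp host 192.168.41.18 any
access-list inside_access_in extended permit tcp host 192.168.10.62 any
access-list inside_access_in extended permit tcp object-group CNEPulseCollectors host xx.xx.xx.29 eq smtp
access-list inside_access_in extended permit icmp host 192.168.10.10 host 192.168.150.10
access-list inside_access_in extended permit tcp host 192.168.10.28 any eq smtp
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.150.10 eq www
access-list inside_access_in extended permit ip host 192.168.10.38 host 192.168.150.10
access-list inside_access_in remark Brosco Ordering system port
access-list inside_access_in extended permit tcp any object-group brosco_addresses eq 5005
access-list inside_access_in extended deny ip 192.168.0.0 255.255.0.0 host 192.168.150.10
access-list inside_access_in remark Allow Mail requests for ISIS implementation
access-list inside_access_in extended permit tcp any host xx.xx.xx.123 object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny tcp any any object-group deny_outbound
access-list inside_access_in extended permit ip any any
! REVIEW: the next entry can never match. It sits after "permit ip any any"
! and, for the same source and destination, after the "deny ip
! 192.168.0.0 255.255.0.0 host 192.168.150.10" entry, so HTTPS from inside
! to the DMZ host is currently denied. If HTTPS access was intended, the
! entry has to move above that deny; if not, remove it.
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.150.10 eq https
!
! --- dmz_access_in: applied inbound on the dmz interface (level 50) ---
access-list dmz_access_in extended permit icmp host 192.168.150.10 host 192.168.10.10
access-list dmz_access_in extended permit icmp host 192.168.150.10 host 192.168.10.38
! REVIEW: telnet and rsh are cleartext protocols, permitted here from the
! DMZ host into an inside host. A compromise of the DMZ host would expose
! that path; prefer SSH and keep the rule host-to-host as it is now.
access-list dmz_access_in extended permit tcp host 192.168.150.10 host 192.168.10.38 eq telnet
access-list dmz_access_in extended permit tcp host 192.168.150.10 host 192.168.10.38 eq rsh
access-list dmz_access_in extended permit tcp host 192.168.150.10 host 192.168.10.38 eq 19200
access-list dmz_access_in extended permit tcp host 192.168.150.10 host 192.168.10.250 eq 7999
! REVIEW: this permits port 80 from any DMZ source to every address in
! 192.168.0.0/16, which is much wider than the host-specific rules above.
! Name the inside web servers that the DMZ actually needs.
access-list dmz_access_in extended permit tcp any 192.168.0.0 255.255.0.0 eq www
access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit ip any any
!
! --- outside_access_in: applied inbound on the outside interface ---
! REVIEW: the two entries under this remark allow every TCP port from any
! outside source to two inside addresses. No static translation for either
! address is visible in this listing, so confirm what traffic they match;
! if they exist for VPN users, scope the source to the VPN range and the
! destination ports to what is needed.
access-list outside_access_in remark Carlene Fassett VPN hole
access-list outside_access_in extended permit tcp any host 192.168.41.18
access-list outside_access_in extended permit tcp any host 192.168.10.62
access-list outside_access_in extended permit icmp any any object-group icmp-allow
access-list outside_access_in extended permit tcp any host xx.xx.xx.17 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.17 eq https
access-list outside_access_in extended permit tcp any host xx.xx.xx.20 eq https
! REVIEW: 5900 (translated below to 192.168.10.35) is reachable from one
! outside host. Source-address filtering is the only control shown here;
! consider reaching this service over the VPN instead.
access-list outside_access_in extended permit tcp host xx.xx.xx.68 host xx.xx.xx.17 eq 5900
access-list outside_access_in extended permit tcp object-group ssh_users host xx.xx.xx.17 eq ssh
access-list outside_access_in extended permit tcp object-group logical_users host xx.xx.xx.18 eq ssh
access-list outside_access_in extended permit tcp any host xx.xx.xx.20 eq www
! REVIEW: SNMP from an outside host is translated to 192.168.10.105 below.
! Confirm the SNMP version and credentials in use on that host; community-
! based SNMP crossing the outside interface is unencrypted.
access-list outside_access_in extended permit udp host xx.xx.xx.30 host xx.xx.xx.17 eq snmp
! REVIEW: the two WebEx entries restrict on the sender's source port
! (1270, www). A source port is chosen by the sender, so it does not limit
! who can reach the destination port. Restrict by source address if these
! rules are still needed; no static translation for ports 1270 or 32316 is
! visible in this listing.
access-list outside_access_in remark WebEx Additional Port
access-list outside_access_in extended permit udp any eq 1270 host xx.xx.xx.17 eq 1270
access-list outside_access_in remark Webex Additional Port
access-list outside_access_in extended permit tcp any eq www host xx.xx.xx.17 eq 32316
access-list outside_access_in extended permit tcp object-group MXLogicSubnets host xx.xx.xx.17 eq smtp
access-list outside_access_in remark Enable mail access for ISIS Implementation
access-list outside_access_in extended permit tcp host xx.xx.xx.123 any object-group DM_INLINE_TCP_2
!
! --- NAT exemption, split-tunnel, VPN filter and crypto ACLs ---
access-list inside_nat0_outbound extended permit ip object-group TermServers object-group WebVPN-Network
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.90.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.11.0 255.255.255.0
access-list TermServerACL standard permit 192.168.11.0 255.255.255.0
! NOTE: access-list 199 is not referenced anywhere in this listing
! (it may be a leftover capture filter) - confirm and remove if unused.
access-list 199 extended permit ip host 192.168.150.10 any
access-list 199 extended permit ip any host 192.168.150.10
access-list WebVPN-ACL extended permit tcp 172.16.11.0 255.255.255.0 192.168.11.0 255.255.255.0 object-group RDP
! NOTE: outside_1_cryptomap duplicates outside_map_acl_1 and is not
! referenced by any crypto map in this listing.
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.90.0 255.255.255.0
access-list outside_map_acl_1 extended permit ip 192.168.0.0 255.255.0.0 192.168.90.0 255.255.255.0
pager lines 24
! REVIEW: every logging destination is set to "warnings", so lower-severity
! messages (notifications, informational) are not kept or forwarded.
! Confirm this matches what incident response needs from the syslog hosts.
logging enable
logging buffered warnings
logging trap warnings
logging asdm warnings
logging facility 16
logging host inside 192.168.10.15 format emblem
logging host inside 192.168.10.105
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool WebVPNpool 172.16.11.1-172.16.11.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (outside) 102 xx.xx.xx.17
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 102 192.168.10.28 255.255.255.255
nat (inside) 101 0.0.0.0 0.0.0.0
! Port-level static translations: each one publishes an inside service on
! an outside address; reachability is then decided by outside_access_in.
static (inside,outside) tcp xx.xx.xx.18 ssh 192.168.10.25 ssh netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 ssh 192.168.10.38 ssh netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 www 192.168.10.251 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 https 192.168.10.28 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 5900 192.168.10.35 5900 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.17 smtp 192.168.10.28 smtp netmask 255.255.255.255
static (inside,outside) udp xx.xx.xx.17 snmp 192.168.10.105 snmp netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (dmz,outside) xx.xx.xx.20 192.168.150.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.30 1
route inside 192.168.0.0 255.255.0.0 192.168.10.1 1
route outside 192.168.90.0 255.255.255.0 xx.xx.xx.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RadiusServer protocol radius
! REVIEW: the RADIUS shared secret appears in clear text in this listing.
! Rotate it on both the firewall and the RADIUS server, and mask secrets
! before a configuration is shared.
aaa-server RadiusServer host 192.168.10.20
 timeout 5
 key radius4asa
! REVIEW: ASDM/HTTPS management is open to all of 192.168.0.0/16. Limit it
! to the administrators' hosts or a management subnet.
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
! REVIEW: the SNMP community string is published here and appears to be
! derived from the organisation name. Rotate it and restrict polling to
! named management hosts.
snmp-server community hancock
snmp-server enable traps snmp authentication linkup linkdown coldstart
! REVIEW: the DES and MD5 transform sets below are weak by current
! standards. Keeping them defined lets a crypto map or dynamic map offer
! them; remove the ones no peer requires and prefer the AES/SHA sets.
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac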
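! IPsec crypto maps, IKE policy, management access and the global
! inspection policy. Layout restored to one command per line; the
! transform-set names split by the terminal wrap ("ESP-AES-128 -SHA",
! "ESP-AES-256 -MD5") were rejoined. Lines starting with "!" are review
! comments.
!
! REVIEW: the dynamic map offers every transform set, including the DES and
! MD5 ones, to any peer that lands on it. Trim the list to the AES/SHA
! sets unless a specific client still requires an older one.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
! REVIEW: the site-to-site entry (sequence 1) uses 3DES and, unlike the
! dynamic map, has no "set pfs" line. An AES transform set and PFS are
! worth agreeing with the peer.
crypto map outside_map 1 match address outside_map_acl_1
crypto map outside_map 1 set peer xx.xx.xx.239
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
! REVIEW: this is the only IKE policy: pre-shared key, 3DES, SHA, DH
! group 2 (1024-bit). These are legacy parameters; plan a move to AES and
! a larger DH group on a release and peer set that support them.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
! REVIEW: telnet management is enabled for all of 192.168.0.0/16. Telnet
! sends credentials in clear text; disable it and use SSH from a small
! set of administrator addresses.
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 20
! REVIEW: SSH to the firewall is accepted from two outside ranges and from
! the whole inside /16. No "ssh version" line is visible, so confirm that
! SSHv1 is not accepted. No "aaa authentication ... console" command is
! visible in this listing either, so these sessions presumably
! authenticate with the shared login password rather than per-user
! accounts - confirm.
ssh xx.xx.xx.96 255.255.255.224 outside
ssh xx.xx.xx.141 255.255.255.255 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 20
! REVIEW: a console timeout of 0 means a console session never expires;
! set a finite value so an unattended console does not stay logged in.
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
! NOTE: class-map ips-class is defined, but no policy-map in this listing
! references it, so this policy does not send any traffic to an IPS
! module - confirm whether that is intended.
class-map ips-class
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!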
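! Service policy binding, WebVPN/AnyConnect, group policies and tunnel
! groups. Layout restored to one command per line with sub-mode commands
! indented; the captured CLI prompt at the end is kept as a comment because
! it is not a configuration command. Lines starting with "!" are review
! comments.
service-policy global_policy global
! REVIEW: the SSL VPN portal is enabled on the outside interface with an
! AnyConnect 2.0 client package. Keep the client image and the ASA image
! current with the vendor's published fixes.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
! TermServerPolicy: SSL VPN only, split tunnel limited to TermServerACL,
! and a vpn-filter (WebVPN-ACL) applied to the session.
group-policy TermServerPolicy internal
group-policy TermServerPolicy attributes
 vpn-filter value WebVPN-ACL
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TermServerACL
 address-pools value WebVPNpool
 webvpn
  svc ask none default svc
! REVIEW: the banner still names the organisation although the hostname
! and domain at the top of the file were replaced before posting. Finish
! sanitising before sharing a configuration.
group-policy DfltGrpPolicy attributes
 banner value Connected to Hancock Lumber FW-VPN
 dns-server value 192.168.10.20
! REVIEW: unlike TermServerPolicy, the iphone policy sets no vpn-filter and
! no split-tunnel list, so those settings are inherited from the default
! group policy. Confirm what these clients can reach and add a filter if
! access should be limited.
group-policy iphone internal
group-policy iphone attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value test.com
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group RadiusServer
 dhcp-server 192.168.10.20
! Pre-shared keys are shown masked ("*") in this listing.
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
! NOTE: MS-CHAPv2 relies on the surrounding IPsec tunnel for protection,
! and that tunnel is keyed by a group pre-shared key known to every
! client; certificate-based IKE authentication is the stronger option.
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RadiusServer
 default-group-policy TermServerPolicy
! REVIEW: TermServers names no authentication-server-group, so it does not
! use RadiusServer like the other remote-access groups and falls back to
! the default (local) user database. Confirm that is intended.
tunnel-group TermServers type remote-access
tunnel-group TermServers general-attributes
 address-pool WebVPNpool
 default-group-policy TermServerPolicy
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
 authentication-server-group RadiusServer
 default-group-policy iphone
 dhcp-server 192.168.10.20
tunnel-group iphone webvpn-attributes
 group-alias iphone enable
tunnel-group iphone ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.239 type ipsec-l2l
tunnel-group xx.xx.xx.239 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:d1cf4bbcbacc0732120499c5329c11f2
: end
! Hancock-ASA5510#
! (CLI prompt captured with the listing; it shows the device's real
! hostname, which differs from the "hostname" line in the configuration.)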