: Saved
:
ASA Version 8.0(2)
!
hostname ASA5510
names
name 67.17.174.104 STRATUS_GATEWAY
name 172.16.0.0 ALL_ADDRESSES description ALL RMH Internal IP Addresses
dns-guard
!
interface Ethernet0/0
 description Stratus Wave Fractional T1
 nameif outside
 security-level 0
 ip address 67.17.174.106 255.255.255.248
!
interface Ethernet0/1
 description RMH Inside Network
 nameif inside
 security-level 100
 ip address 172.16.3.234 255.255.0.0
 rip send version 2
!
interface Ethernet0/2
 description HBO Care Bridge Frame Relay Line
 nameif Care_Bridge_Inside
 security-level 90
 ip address 32.77.72.2 255.255.255.0
!
interface Ethernet0/3
 description Comcast Broadband Outside Connection
 shutdown
 nameif Comcast_Broadband
 security-level 0
 ip address dhcp setroute
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
object-group service ALL_PORTS tcp
 description ALL Services and Port Numbers
 port-object range 1 254
 port-object eq ftp-data
 port-object eq ftp
object-group network UNLIMITED_ACCESS_GROUP
 description All PC's that are allowed unlimited access to internet sites
access-list 110 extended permit ip ALL_ADDRESSES 255.255.0.0 VPN_Pool_Addresses 255.255.255.0
access-list 110 extended permit ip host BOJ host Quadax
access-list 110 extended permit ip any VPN_Pool_Addresses 255.255.255.0
access-list 110 extended permit ip VPN_Pool_Addresses 255.255.255.0 VPN_Pool_Addresses 255.255.255.0
access-list 110 extended permit ip host HH8 interface outside
access-list 110 extended permit ip host GHX VPN_Pool_Addresses 255.255.255.0
access-list 110 extended permit ip host IpacsWebServer 10.7.210.0 255.255.255.0
access-list 110 extended permit ip host Radiology_Web_Server 10.7.210.0 255.255.255.0
access-list 100 remark Allow Care Centric access to Server HH8 using Microsoft Remote Desktop from a PC that
access-list 100 remark has 64.213.53.217 as its ip address
access-list 100 extended permit tcp host 64.88.169.3 host 67.17.174.106 object-group Microsoft_Remote_Desktop
access-list 100 remark Permit any IP addresses in the ATT_VPN_GIGS group access to the outside
access-list 100 remark using the ESP(50) protocol which is IPSEC Authentication
access-list 100 extended permit esp object-group ATT_VPN_GIGS any
access-list 100 extended permit udp object-group ATT_VPN_GIGS any eq isakmp
access-list 100 extended permit udp object-group ATT_VPN_GIGS any eq 4500
access-list 120 remark This denies ALL traffic from traversing from the inside interface to the outside interface
access-list 120 remark Restrict all PCs from web sites in the Blocked_Sites group
access-list 120 extended deny ip any object-group Blocked_Sites
access-list 120 remark This allows all the users in the UNLIMITED_GROUP access to the Internet with no restrictions
access-list 120 extended permit ip object-group UNLIMITED_ACCESS_GROUP any
access-list 120 remark This allows all users access to the class D sites
access-list 120 extended permit ip ALL_ADDRESSES 255.255.0.0 object-group Class_D_Sites
access-list 120 remark This allows all users access to the sites in the Limited Group
access-list 120 extended permit ip ALL_ADDRESSES 255.255.0.0 object-group Limited_Internet_Sites
access-list 120 remark This allows medicare inquires for Beth and Laurie in the BO accross the Frame Relay Line
access-list 120 extended permit ip ALL_ADDRESSES 255.255.0.0 204.146.91.0 255.255.255.0
access-list 120 extended permit ip ALL_ADDRESSES 255.255.0.0 204.153.216.0 255.255.254.0
access-list 120 extended permit ip ALL_ADDRESSES 255.255.0.0 Nutrition_Care_Manual 255.255.255.0
access-list 120 remark Permit any IP addresses in the ATT_VPN_GIGS group access to the outside
access-list 120 remark using the ESP(50) protocol which is IPSEC Authentication
access-list 120 extended permit esp object-group ATT_VPN_GIGS any
access-list 120 extended permit udp object-group ATT_VPN_GIGS any eq isakmp
access-list 120 extended permit udp object-group ATT_VPN_GIGS any eq 4500
access-list 120 remark This implicitly denies all IP traffic thru the Firewall
access-list rmhvpn_splitTunnelAcl standard deny VPN_Pool_Addresses 255.255.255.0
access-list rmhvpn_splitTunnelAcl standard permit ALL_ADDRESSES 255.255.0.0
access-list outside_cryptomap_20 remark Siemens Remote Network
access-list outside_cryptomap_20 extended permit ip host 1.172.1.13 129.73.116.88 255.255.255.248
access-list outside_cryptomap_20 extended permit ip host 1.172.1.14 129.73.116.88 255.255.255.248
access-list outside_cryptomap_20 extended permit ip host 1.172.1.17 129.73.116.88 255.255.255.248
access-list outside_cryptomap_dyn_21 extended permit ip any VPN_Pool_Addresses 255.255.255.0
access-list outside_cryptomap_dyn_41 extended permit ip VPN_Pool_Addresses 255.255.255.0 VPN_Pool_Addresses 255.255.255.0
access-list Care_Bridge_Outside_nat0_outbound extended permit ip host 67.17.174.106 CareCentric1 255.255.255.0
access-list carebridge_in extended permit ip 204.153.216.0 255.255.254.0 any
access-list outside_cryptomap_20_1 extended permit ip host IpacsWebServer 10.7.210.0 255.255.255.0
access-list outside_cryptomap_20_1 extended permit ip host Radiology_Web_Server 10.7.210.0 255.255.255.0
access-list default_rip_in_acl standard deny any
access-list default_rip_out_acl standard permit host 0.0.0.0
access-list default_out_rip_acl standard deny any
logging enable
logging list VPN_Event_Logging_List_Critical level debugging class vpn
logging list VPN_Event_Logging_List_Critical level debugging class svc
logging buffered errors
logging trap errors
logging asdm errors
logging mail alerts
logging from-address ASA5510@reymem.com
logging recipient-address rpw5354@reymem.com level critical
logging host inside GHX_Server format emblem
logging debug-trace
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu Care_Bridge_Inside 1500
mtu Comcast_Broadband 1500
mtu management 1500
ip local pool vpnpool 192.168.100.1-192.168.100.10 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 67.17.174.107 netmask 255.255.255.248
global (Care_Bridge_Inside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.172.1.15 CAT_Scanner_Navigator netmask 255.255.255.255
static (inside,outside) 1.172.1.16 CAT_Scanner_Wizard netmask 255.255.255.255
static (inside,outside) 1.172.1.17 Mobile_MRI_Scanner netmask 255.255.255.255
static (inside,Care_Bridge_Inside) 32.77.72.3 HBOCStar netmask 255.255.255.255
static (inside,Care_Bridge_Inside) 32.77.72.4 Care_Manager_RISC_6000 netmask 255.255.255.255
static (inside,Care_Bridge_Inside) 32.77.72.5 WIN2003SERVER netmask 255.255.255.255
access-group 100 in interface outside
access-group 120 in interface inside
access-group carebridge_in in interface Care_Bridge_Inside
!
router rip
 network ALL_ADDRESSES
 default-information originate
 distribute-list default_rip_out_acl out interface inside
 distribute-list default_rip_in_acl in interface inside
!
route outside 0.0.0.0 0.0.0.0 67.17.174.105 1
route Care_Bridge_Inside 32.71.31.98 255.255.255.255 32.77.72.1 1
route Care_Bridge_Inside 139.177.192.0 255.255.192.0 32.77.72.1 1
route outside 139.177.224.0 255.255.248.0 67.17.174.105 1
route Care_Bridge_Inside 204.146.91.0 255.255.255.0 32.77.72.1 1
route Care_Bridge_Inside 204.153.216.0 255.255.254.0 32.77.72.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map rmh 1 set transform-set ESP-3DES-MD5
crypto dynamic-map rmh 21 match address outside_cryptomap_dyn_21
crypto dynamic-map rmh 21 set transform-set ESP-3DES-MD5
crypto dynamic-map rmh 41 match address outside_cryptomap_dyn_41
crypto dynamic-map rmh 41 set transform-set ESP-3DES-MD5
crypto dynamic-map rmh 61 set transform-set ESP-3DES-MD5
crypto dynamic-map rmh 81 set transform-set ESP-3DES-MD5
crypto map dyn-map 20 match address outside_cryptomap_20_1
crypto map dyn-map 20 set peer 216.96.65.114
crypto map dyn-map 20 set transform-set ESP-AES-256-MD5
crypto map dyn-map 65535 ipsec-isakmp dynamic rmh
crypto map dyn-map interface outside
crypto map dyn_map 20 match address outside_cryptomap_20
crypto map dyn_map 20 set peer 12.46.135.193
crypto map dyn_map 20 set transform-set ESP-3DES-MD5
crypto map dyn_map 20 set security-association lifetime seconds 3600
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ASA5510
 subject-name CN=ASA5510
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1000
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash md5
 group 7
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
class-map TESTCLASSMAP
class-map inside-class
 match default-inspection-traffic
class-map map
!
policy-map type inspect ftp ftp_port_control
 parameters
policy-map inside-policy
 class inside-class
  inspect h323 ras
  inspect icmp error
  inspect rtsp
  inspect esmtp
  inspect netbios
  inspect pptp
  inspect snmp
  inspect http
  inspect icmp
  inspect rsh
  inspect ils
  inspect h323 h225
  inspect dns
!
service-policy inside-policy interface inside
ntp server WIN2003SERVER source inside prefer
tftp-server inside IS1 c:\tftp-root
webvpn
 enable outside
 default-idle-timeout 600
 svc image disk0:/any-connect.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 banner value YOU HAVE CONNECTED TO THE REYNOLDS MEMORIAL HOSPITAL I.S. NETWORK.
 banner value ANY INFORAMTION OBTAINED FROM THIS NETWORK IS TO BE CONSIDERED
 banner value CONFIDENTIAL. BY LOGGING ON TO THE NETWORK YOU ARE ACKNOWLEDING
 banner value THAT FACT.
 vpn-session-timeout 60
 vpn-tunnel-protocol IPSec svc
 group-lock value rmhvpn
 secure-unit-authentication enable
 user-authentication enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value vpnpool
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway none
group-policy GHX internal
group-policy GHX attributes
 banner value YOU HAVE CONNECTED TO THE REYNOLDS MEMORIAL HOSPITAL I.S. Network.
 banner value ANY INFORAMTION OBTAINED FROM THIS NETWORK IS TO BE CONSIDERED
 banner value CONFIDENTIAL. BY LOGGING ON TO THE NETWORK YOU ARE ACKNOWLEDING
 banner value THAT FACT.
 vpn-tunnel-protocol IPSec
 group-lock value GHX
 secure-unit-authentication enable
 user-authentication enable
 user-authentication-idle-timeout 30
 address-pools none
group-policy rmhvpn internal
group-policy rmhvpn attributes
 banner value YOU HAVE CONNECTED TO THE REYNOLDS MEMORIAL HOSPITAL I.S. NETWORK.
 banner value ANY INFORAMTION OBTAINED FROM THIS NETWORK IS TO BE CONSIDERED
 banner value CONFIDENTIAL. BY LOGGING ON TO THE NETWORK YOU ARE ACKNOWLEDING
 banner value THAT FACT.
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value rmhvpn_splitTunnelAcl
 secure-unit-authentication enable
 user-authentication enable
 user-authentication-idle-timeout 30
 address-pools value vpnpool