! Cisco ASA 8.4(2) configuration for DANS-FW (securesub.net).
! Review notes are the "!" lines; the ASA parser ignores them.
! Credentials in this copy are redacted ("****"); keep them that way in any shared paste.
: Saved | |
: | |
ASA Version 8.4(2) | |
! | |
hostname DANS-FW | |
domain-name securesub.net | |
! Enable password guards privileged EXEC. No "aaa authentication http console"
! line appears anywhere in this config, so ASDM logins presumably fall back to
! this password -- confirm on the device.
enable password **** encrypted | |
! Legacy login password (telnet/serial). No "telnet <net> <mask> <if>" allow
! lines appear below, so telnet access looks disabled; SSH is mapped to LOCAL
! users by the aaa line further down.
passwd **** encrypted | |
! Symbolic names; ASA_INSIDE is reused as the Vlan1 address below.
names | |
name 192.168.0.11 DAN_NIX | |
name 192.168.0.1 ASA_INSIDE | |
! | |
! Switch ports: only Ethernet0/0 is moved into VLAN 2 (outside); 0/1-0/7
! stay in the default VLAN 1 (inside).
interface Ethernet0/0 | |
switchport access vlan 2 | |
! | |
interface Ethernet0/1 | |
! | |
interface Ethernet0/2 | |
! | |
interface Ethernet0/3 | |
! | |
interface Ethernet0/4 | |
! | |
interface Ethernet0/5 | |
! | |
interface Ethernet0/6 | |
! | |
interface Ethernet0/7 | |
! | |
! Inside SVI: highest trust level, static 192.168.0.1/24 (ASA_INSIDE).
interface Vlan1 | |
description \\LAN Connection to Switch\\ | |
nameif inside | |
security-level 100 | |
ip address ASA_INSIDE 255.255.255.0 | |
! | |
! Outside SVI: zero trust; address and default route come from the ISP via DHCP.
interface Vlan2 | |
description //OUT TO FIOS/// | |
nameif outside | |
security-level 0 | |
ip address dhcp setroute | |
! | |
ftp mode passive | |
! The ASA resolves names on both interfaces using one internal (192.168.0.25)
! and one public (4.2.2.2) resolver.
dns domain-lookup inside | |
dns domain-lookup outside | |
dns server-group DefaultDNS | |
name-server 192.168.0.25 | |
name-server 4.2.2.2 | |
domain-name securesub.net | |
! Required for the outside-to-outside hairpin NAT used by VPN clients further down.
same-security-traffic permit intra-interface | |
object network INSIDE_LAN | |
subnet 192.168.0.0 255.255.255.0 | |
object network CAFFEINATED-SSH | |
host 192.168.0.22 | |
object network ASA_INSIDE | |
host 192.168.0.1 | |
object network ASA-ASDM_SSLVPN | |
host 192.168.0.1 | |
! The next three objects carry no host/subnet (empty) and are referenced
! nowhere below -- leftovers that should be removed.
object network AnyConnect_VPN_USERS | |
description Anyconnet VPN Range | |
object network ANYCONNECT_VPN_USERS | |
object network ANYCONNECT_VPN_POOL | |
! VPN client range (/29 = .200-.207); NETWORK_OBJ_192.168.0.200_29 below is an
! identical duplicate created by ASDM.
object network ANYCONNECT_VPN | |
subnet 192.168.0.200 255.255.255.248 | |
! One object per published service on 192.168.0.4 so each can get its own
! static port translation (see the object NAT section).
object network EXCHANGE_SMTP(SSL) | |
host 192.168.0.4 | |
object network Dans-Desktop | |
host 192.168.0.10 | |
object network EXCHANGE_OWA | |
host 192.168.0.4 | |
object network EXCHANGE_ACTIVESYNC | |
host 192.168.0.4 | |
object network EXCHANGE_IMAP | |
host 192.168.0.4 | |
object network EXCHANGE_SMTP | |
host 192.168.0.4 | |
object network ESX_5_SERVER | |
host 192.168.0.5 | |
description ESX5 Server | |
object network MEDIA_2K8 | |
host 192.168.0.6 | |
description MEDIA SERVER | |
object network RRAS | |
host 192.168.0.4 | |
object network RDWeb_App | |
host 192.168.0.4 | |
object network RRAS_L2TP_IKE | |
host 192.168.0.4 | |
object network RRAS_L2TP_IPSEC | |
host 192.168.0.4 | |
! Single host .200 only, although the address pool hands out .200-.205;
! the hairpin NAT that references this object therefore misses .201-.205.
object network VPN-POOL | |
host 192.168.0.200 | |
object network DD-WRT | |
host 192.168.0.101 | |
object network SWITCH | |
host 192.168.0.2 | |
object network ESX_MANAGEMENT | |
host 192.168.0.3 | |
object network WDTV | |
host 192.168.0.7 | |
object network FREENAS | |
host 192.168.0.12 | |
object network CANON_PRINTER | |
host 192.168.0.26 | |
object network NETWORK_OBJ_192.168.0.200_29 | |
subnet 192.168.0.200 255.255.255.248 | |
! Empty group and two service/protocol groups that no access-list below
! references; unused objects widen the surface for mistakes -- clean up.
object-group network obj-192.168.0.0 | |
object-group service metasploit_range tcp | |
port-object range 4444 4454 | |
object-group protocol TCPUDP | |
protocol-object udp | |
protocol-object tcp | |
! Management/infrastructure hosts grouped for the deny rule in global_access.
object-group network INTERNAL_ONLY_DEVICES | |
network-object object CANON_PRINTER | |
network-object object DD-WRT | |
network-object object ESX_5_SERVER | |
network-object object ESX_MANAGEMENT | |
network-object object FREENAS | |
network-object object SWITCH | |
network-object object WDTV | |
! Only PERMIT_IPV6, outside_access_ipv6_in and global_access are bound by an
! access-group below. outside_access_in, inside_nat0_outbound,
! outside_access_in_1 and inside_access_in_1 are unbound and stale.
access-list outside_access_in extended permit tcp any object CAFFEINATED-SSH eq ssh | |
access-list outside_access_in extended permit tcp any object ASA_INSIDE eq 8080 | |
! Pre-8.3 NAT-exemption style list; no nat line references it on this version.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0 | |
! Despite the name this is an IPv4 list (LAN -> VPN client range), applied
! inbound on outside.
access-list PERMIT_IPV6 extended permit ip 192.168.0.0 255.255.255.0 object ANYCONNECT_VPN | |
! "permit ip any any" lists: harmless only while unbound; binding either one
! would disable filtering on that interface. Remove rather than keep around.
access-list outside_access_in_1 extended permit ip any any | |
access-list outside_access_in_1 extended permit 41 any any | |
access-list inside_access_in_1 extended permit 41 any any | |
access-list inside_access_in_1 extended permit ip any any | |
! global_access is applied to every interface (access-group ... global), so
! "any" as a source includes the Internet.
access-list global_access extended permit icmp any any echo | |
access-list global_access extended permit icmp any any echo-reply | |
! "interface outside" as destination matches only traffic to the ASA's own
! outside address, not to the Internet; the next line then permits these
! devices to "any". If the intent was to keep them off the Internet, the
! destination here should be "any" (confirm intent).
access-list global_access extended deny ip object-group INTERNAL_ONLY_DEVICES interface outside | |
access-list global_access extended permit ip 192.168.0.0 255.255.255.0 any | |
! Published services, open to any source. RDP (3389), SSH and PPTP/GRE
! reachable from the whole Internet deserve a source restriction or a
! move behind the VPN.
access-list global_access extended permit tcp any object MEDIA_2K8 eq 64620 | |
access-list global_access extended permit tcp any object EXCHANGE_ACTIVESYNC eq www | |
access-list global_access extended permit tcp any object RDWeb_App eq 3389 | |
access-list global_access extended permit tcp any object EXCHANGE_OWA eq https | |
access-list global_access extended permit tcp any object EXCHANGE_SMTP(SSL) eq 587 | |
access-list global_access extended permit tcp any object CAFFEINATED-SSH eq ssh | |
! No NAT rule exists for ASA-ASDM_SSLVPN and the ASA's HTTP server listens on
! 8080, so this port-80 permit appears stale.
access-list global_access extended permit tcp any object ASA-ASDM_SSLVPN eq www | |
access-list global_access extended permit tcp any object EXCHANGE_IMAP eq 993 | |
access-list global_access extended permit tcp any object EXCHANGE_SMTP eq smtp | |
access-list global_access extended permit tcp any object RRAS eq pptp | |
access-list global_access extended permit gre any object RRAS | |
! Standard list used as the split-tunnel exclude list by the group policies.
access-list BAH-PKI-LAB remark BAH-PKI-LAB ACCESS | |
access-list BAH-PKI-LAB standard permit 10.100.60.0 255.255.255.0 | |
access-list BAH-PKI-LAB remark Vandyke WIFI | |
access-list BAH-PKI-LAB standard permit 192.168.5.0 255.255.255.0 | |
access-list BAH-PKI-LAB remark PIX 501@Vandyke | |
access-list BAH-PKI-LAB standard permit 172.16.0.0 255.255.255.0 | |
pager lines 24 | |
! Logging goes to console/monitor/buffer/ASDM only; no "logging host"
! (syslog) line appears in this config, so messages survive only in the
! in-memory buffer. A from-address is set but no mail destination is visible.
logging enable | |
logging console notifications | |
logging monitor errors | |
logging buffered notifications | |
logging asdm notifications | |
logging from-address asa@coffee.no-ip.info | |
mtu inside 1500 | |
mtu outside 1500 | |
! VPN client pool lies inside the LAN /24 (192.168.0.0/24 on Vlan1); this
! relies on the identity NAT rules below and proxy ARP -- presumably
! intentional, verify.
ip local pool VPN 192.168.0.200-192.168.0.205 mask 255.255.255.0 | |
! IPv6 list only permits ICMPv6 echo between the two interface addresses.
ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo | |
ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo-reply | |
icmp unreachable rate-limit 1 burst-size 1 | |
asdm image disk0:/asdm-641.bin | |
no asdm history enable | |
arp timeout 14400 | |
! Twice-NAT identity rules so LAN <-> VPN-client traffic is not translated.
! The second ("any any") rule already covers the first.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_VPN ANYCONNECT_VPN | |
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.200_29 NETWORK_OBJ_192.168.0.200_29 | |
! | |
! Object NAT: LAN is PAT'd behind the outside address; each published service
! is a static port forward to the matching host. The global_access permits
! above are the ACL half of each forward.
object network INSIDE_LAN | |
nat (inside,outside) dynamic interface | |
object network CAFFEINATED-SSH | |
nat (inside,outside) static interface service tcp ssh ssh | |
object network EXCHANGE_SMTP(SSL) | |
nat (inside,outside) static interface service tcp 587 587 | |
object network EXCHANGE_OWA | |
nat (inside,outside) static interface service tcp https https | |
object network EXCHANGE_ACTIVESYNC | |
nat (inside,outside) static interface service tcp www www | |
object network EXCHANGE_IMAP | |
nat (inside,outside) static interface service tcp 993 993 | |
object network EXCHANGE_SMTP | |
nat (inside,outside) static interface service tcp smtp smtp | |
object network MEDIA_2K8 | |
nat (inside,outside) static interface service tcp 64620 64620 | |
object network RRAS | |
nat (inside,outside) static interface service tcp pptp pptp | |
object network RDWeb_App | |
nat (inside,outside) static interface service tcp 3389 3389 | |
! | |
! Hairpin PAT so full-tunnel VPN clients reach the Internet. VPN-POOL is the
! single host .200, while the pool is .200-.205; clients on .201-.205
! presumably miss this rule. Using the /29 object (ANYCONNECT_VPN) here
! would cover the whole pool -- verify.
nat (outside,outside) after-auto source dynamic VPN-POOL interface | |
! Interface ACLs: IPv4 "PERMIT_IPV6" and the real IPv6 list, both inbound on
! outside; global_access then applies to all interfaces.
access-group PERMIT_IPV6 in interface outside | |
access-group outside_access_ipv6_in in interface outside | |
access-group global_access global | |
timeout xlate 3:00:00 | |
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 | |
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 | |
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 | |
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute | |
timeout tcp-proxy-reassembly 0:01:00 | |
timeout floating-conn 0:00:00 | |
dynamic-access-policy-record DfltAccessPolicy | |
user-identity default-domain LOCAL | |
! SSH authenticates against the local user database; there is no matching
! "aaa authentication http console" line for ASDM.
aaa authentication ssh console LOCAL | |
! ASDM/HTTPS management on 8080 is allowed from 0.0.0.0/0 on the OUTSIDE
! interface, i.e. reachable from any Internet address. Restrict the outside
! entry to a known management source (or drop it and manage over the VPN):
!   http <mgmt-net> <mask> outside
http server enable 8080 | |
http 0.0.0.0 0.0.0.0 outside | |
http 0.0.0.0 0.0.0.0 inside | |
! Traps are enabled but no snmp-server host/community lines appear, so they
! have no destination.
no snmp-server location | |
no snmp-server contact | |
snmp-server enable traps snmp authentication linkup linkdown coldstart | |
! IKEv1 transform sets: DES, 3DES and MD5 variants are all defined and all
! offered to the dynamic map below, so a peer may negotiate the weakest.
! Keep only the AES/SHA sets.
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac | |
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac | |
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac | |
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac | |
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac | |
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac | |
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac | |
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac | |
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac | |
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac | |
! IKEv2 proposals: same pattern -- 3DES and DES proposals and md5 integrity
! should go.
crypto ipsec ikev2 ipsec-proposal AES256 | |
protocol esp encryption aes-256 | |
protocol esp integrity sha-1 md5 | |
crypto ipsec ikev2 ipsec-proposal AES192 | |
protocol esp encryption aes-192 | |
protocol esp integrity sha-1 md5 | |
crypto ipsec ikev2 ipsec-proposal AES | |
protocol esp encryption aes | |
protocol esp integrity sha-1 md5 | |
crypto ipsec ikev2 ipsec-proposal 3DES | |
protocol esp encryption 3des | |
protocol esp integrity sha-1 md5 | |
crypto ipsec ikev2 ipsec-proposal DES | |
protocol esp encryption des | |
protocol esp integrity sha-1 md5 | |
! PFS with DH group 1 (768-bit) is weaker than the group 5 used in the IKE
! policies; group 14 or higher is the usual minimum today.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 | |
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 | |
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES | |
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP | |
crypto map outside_map interface outside | |
! Self-signed identity certificate used for SSL VPN / ASDM and IKEv2. The DER
! below appears to be a 1024-bit RSA key signed with md5WithRSAEncryption
! (OID 1.2.840.113549.1.1.4), valid 2011-08-13 to 2021-08-10 per the embedded
! UTCTime fields; modern clients reject both properties -- regenerate with a
! larger key and SHA-2 (confirm by decoding the certificate).
crypto ca trustpoint ASDM_TrustPoint0 | |
enrollment self | |
fqdn DANS-FW | |
subject-name CN=DANS-FW | |
keypair sslvpnkey | |
no client-types | |
crl configure | |
crypto ca certificate chain ASDM_TrustPoint0 | |
certificate 184b464e | |
308201cb 30820134 a0030201 02020418 4b464e30 0d06092a 864886f7 0d010104 | |
0500302a 3110300e 06035504 03130744 414e532d 46573116 30140609 2a864886 | |
f70d0109 02160744 414e532d 4657301e 170d3131 30383133 30393539 35325a17 | |
0d323130 38313030 39353935 325a302a 3110300e 06035504 03130744 414e532d | |
46573116 30140609 2a864886 f70d0109 02160744 414e532d 46573081 9f300d06 | |
092a8648 86f70d01 01010500 03818d00 30818902 818100ae 53e7e59e add0bfc1 | |
10013a1f 9d15be8e 3f5c63dd fa0c4ff7 87b19e5d 2180d901 9a637859 9d275561 | |
c0f0a362 a6347ae8 593d3d40 1be35bd7 95534670 f25ed53f ee877752 28074c86 | |
fa5457dd f0db3518 fdfa0155 28422e37 1d4d8d6b 496f8b78 f3bc97d7 5a7e87b5 | |
73627862 57e6b22c 5fdf437f f388eeee 1aca4991 b2d7a702 03010001 300d0609 | |
2a864886 f70d0101 04050003 81810096 baa4e96e ba0991bb 65550537 777cf341 | |
74f7b17b 4a446fc0 11e0c9a7 b235b2a2 ad6749fa d43a2329 4cecd850 6d3000e5 | |
d41c5e0f a2a12efe b77d373e 51ed8c76 6d0fb7da 0b72d714 1b6692ee 7f3dcfb7 | |
43f70596 af7e1139 7f8725a0 18a64a69 a49122fa 6fc85c0e 3a3fb658 7146aa09 | |
93b731ea 047ab713 74de300f c68599 | |
quit | |
! IKEv2 policies 1-20 (AES, SHA, group 5) are fine; policies 30 (3des) and
! 40 (des) should be removed.
crypto ikev2 policy 1 | |
encryption aes-256 | |
integrity sha | |
group 5 | |
prf sha | |
lifetime seconds 86400 | |
crypto ikev2 policy 10 | |
encryption aes-192 | |
integrity sha | |
group 5 | |
prf sha | |
lifetime seconds 86400 | |
crypto ikev2 policy 20 | |
encryption aes | |
integrity sha | |
group 5 | |
prf sha | |
lifetime seconds 86400 | |
crypto ikev2 policy 30 | |
encryption 3des | |
integrity sha | |
group 5 | |
prf sha | |
lifetime seconds 86400 | |
crypto ikev2 policy 40 | |
encryption des | |
integrity sha | |
group 5 | |
prf sha | |
lifetime seconds 86400 | |
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0 | |
! IKEv1 (used by the securesub_evpn pre-shared-key tunnel group): the
! lowest-numbered policy is preferred, so DES/SHA/group 2 is tried FIRST
! and 3DES/MD5 second. No AES policy exists for IKEv1 at all; replace both
! with an AES/SHA/group 14 policy.
crypto ikev1 enable outside | |
crypto ikev1 policy 10 | |
authentication pre-share | |
encryption des | |
hash sha | |
group 2 | |
lifetime 86400 | |
crypto ikev1 policy 30 | |
authentication pre-share | |
encryption 3des | |
hash md5 | |
group 2 | |
lifetime 86400 | |
! Telnet has a timeout but no allow lines, so it is effectively off. SSH is
! limited to the inside /24 -- good.
telnet timeout 5 | |
ssh 192.168.0.0 255.255.255.0 inside | |
ssh timeout 60 | |
! Serial console sessions never time out (0); set a value if the port is
! physically reachable.
console timeout 0 | |
! Inside DHCP clients inherit ISP-learned parameters, with DNS overridden to
! the two servers on the next line.
dhcpd auto_config outside | |
! | |
dhcpd dns 129.250.35.250 129.250.35.251 interface inside | |
! | |
threat-detection basic-threat | |
threat-detection statistics | |
threat-detection statistics tcp-intercept rate-interval 30 burst-size 400 average-rate 200 | |
! Both SSL listeners use the self-signed trustpoint defined above.
ssl trust-point ASDM_TrustPoint0 inside | |
ssl trust-point ASDM_TrustPoint0 outside | |
! SSL VPN portal on outside port 8080 -- the same port the HTTP/ASDM server
! uses. The AnyConnect 2.5.0217 package is a 2011-era client; check the
! vendor's advisories for that release and update. tunnel-group-list enable
! shows the enabled group alias on the login page.
webvpn | |
port 8080 | |
enable outside | |
anyconnect image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1 | |
anyconnect profiles coffee_anyconnect_client_profile disk0:/coffee_anyconnect_client_profile.xml | |
anyconnect enable | |
tunnel-group-list enable | |
group-policy DefaultRAGroup internal | |
! Default policy inherited by any tunnel group without its own; it allows
! IKEv1, L2TP/IPsec and clientless SSL.
group-policy DfltGrpPolicy attributes | |
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless | |
! AnyConnect policy: IKEv2 + SSL client. "excludespecified" tunnels
! everything EXCEPT the BAH-PKI-LAB networks, which go direct. default-domain
! is "securesub" here but "securesub.net" in securesub_evpn -- align them.
group-policy GroupPolicy_coffee_anyconnect internal | |
group-policy GroupPolicy_coffee_anyconnect attributes | |
wins-server none | |
dns-server value 192.168.0.25 | |
vpn-tunnel-protocol ikev2 ssl-client | |
split-tunnel-policy excludespecified | |
split-tunnel-network-list value BAH-PKI-LAB | |
default-domain value securesub | |
webvpn | |
anyconnect ssl rekey time 30 | |
anyconnect ssl rekey method ssl | |
anyconnect profiles value coffee_anyconnect_client_profile type user | |
! Legacy IKEv1 (Easy VPN style) policy; it negotiates with the DES/3DES
! IKEv1 policies defined above and the pre-shared key further down.
group-policy securesub_evpn internal | |
group-policy securesub_evpn attributes | |
dns-server value 192.168.0.25 4.2.2.2 | |
vpn-tunnel-protocol ikev1 | |
split-tunnel-policy excludespecified | |
split-tunnel-network-list value BAH-PKI-LAB | |
default-domain value securesub.net | |
group-policy coffee_clientless internal | |
group-policy coffee_clientless attributes | |
vpn-tunnel-protocol ssl-clientless | |
webvpn | |
url-list value dans | |
anyconnect ask none default anyconnect | |
! Single local account with full privilege. None of the tunnel groups below
! names an authentication-server-group, so VPN logins presumably fall back
! to LOCAL and this admin account doubles as the VPN user -- prefer a
! separate user restricted with "service-type remote-access".
username dano password **** encrypted privilege 15 | |
tunnel-group coffee_anyconnect type remote-access | |
tunnel-group coffee_anyconnect general-attributes | |
address-pool VPN | |
default-group-policy GroupPolicy_coffee_anyconnect | |
tunnel-group coffee_anyconnect webvpn-attributes | |
group-alias coffee_anyconnect disable | |
group-alias securesub enable | |
tunnel-group coffee_clientless type remote-access | |
tunnel-group coffee_clientless general-attributes | |
default-group-policy coffee_clientless | |
tunnel-group securesub_evpn type remote-access | |
tunnel-group securesub_evpn general-attributes | |
address-pool VPN | |
default-group-policy securesub_evpn | |
! Group pre-shared key (redacted). Keyed IKEv1 with the DES policy above is
! the weakest remote-access path in this config.
tunnel-group securesub_evpn ipsec-attributes | |
ikev1 pre-shared-key ***** | |
! | |
! Two class maps with the same match; only global-class is used by the
! applied policy.
class-map global-class | |
match default-inspection-traffic | |
class-map inspection_default | |
match default-inspection-traffic | |
! | |
! | |
! preset_dns_map and FTPPOLICY are defined but never applied: the only
! service-policy below is global-policy, which inspects ESMTP and
! IPsec pass-through only. There is no DNS or FTP inspection in effect.
policy-map type inspect dns preset_dns_map | |
parameters | |
message-length maximum 512 | |
policy-map FTPPOLICY | |
class inspection_default | |
inspect ftp | |
policy-map global-policy | |
class global-class | |
inspect esmtp | |
inspect ipsec-pass-thru | |
! | |
service-policy global-policy global | |
prompt hostname context | |
! Smart Call Home profile is present but inactive ("no active").
no call-home reporting anonymous | |
call-home | |
profile CiscoTAC-1 | |
no active | |
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService | |
destination address email callhome@cisco.com | |
destination transport-method http | |
subscribe-to-alert-group diagnostic | |
subscribe-to-alert-group environment | |
subscribe-to-alert-group inventory periodic monthly | |
subscribe-to-alert-group configuration periodic monthly | |
subscribe-to-alert-group telemetry periodic daily | |
hpm topN enable | |
! Integrity hash of the saved config; "end" terminates it. The two lines
! after ": end" repeat earlier asdm lines and look like a paste artifact.
Cryptochecksum:b3aa3e1365fd354977d72a3c67d1d8b8 | |
: end | |
asdm image disk0:/asdm-641.bin | |
no asdm history enable |