- ASA Version 8.4(3)
- : Cisco ASA 8.4(3) running configuration for firewall "gw". Lines beginning with ':'
- : are comments and are discarded when the file is loaded. Public addresses (x) and
- : secrets (*) have been masked by the poster; review notes below use only what the
- : paste itself shows.
- !
- terminal width 200
- hostname gw
- domain-name internal.example.com
- !
- : Four data interfaces: outside (level 0) and three trusted interfaces that all share
- : security-level 100 (inside, vpn, management). With "same-security-traffic permit
- : inter-interface" below, traffic between the level-100 interfaces needs no ACL.
- interface Ethernet0/0
- nameif outside
- security-level 0
- ip address 216.x.x.x 255.255.255.224
- !
- interface Ethernet0/1
- nameif inside
- security-level 100
- ip address 192.168.0.1 255.255.255.0
- !
- interface Ethernet0/2
- nameif vpn
- security-level 100
- ip address 172.16.0.1 255.255.255.0
- !
- interface Ethernet0/3
- shutdown
- no nameif
- no security-level
- no ip address
- !
- interface Management0/0
- nameif management
- security-level 100
- ip address 192.168.1.1 255.255.255.0
- management-only
- !
- boot system disk0:/asa843-k8.bin
- ftp mode passive
- clock timezone MST -7
- dns domain-lookup outside
- dns server-group DefaultDNS
- name-server 8.8.8.8
- domain-name internal.example.com
- : intra-interface is what allows the outside->outside hairpin used by the
- : nat (outside,outside) rule further down (remote-access clients reaching the DC tunnel).
- same-security-traffic permit inter-interface
- same-security-traffic permit intra-interface
- : Network objects. Several are defined but referenced nowhere else in this paste:
- : public_pool, public_dc, public_secondary, NETWORK_OBJ_192.168.0.0_24 and vpn_nat.
- : Note the duplicates: subnet_primary, NETWORK_OBJ_192.168.0.0_24 and obj-192.168 are
- : all 192.168.0.0/24; subnet_192.168.0.0 and vpn_nat are both 192.168.0.0/16.
- object network public_pool
- range 216.x.x.x 216.x.x.x
- object network public_dc
- subnet 204.x.x.x 255.255.255.224
- object network public_secondary
- subnet 68.64.214.16 255.255.255.248
- object network subnet_a
- subnet 192.168.20.0 255.255.255.0
- object network subnet_a_wireless
- subnet 192.168.21.0 255.255.255.0
- object network subnet_b
- subnet 192.168.10.0 255.255.255.0
- object network subnet_b_wireless
- subnet 192.168.11.0 255.255.255.0
- object network subnet_c
- subnet 192.168.30.0 255.255.255.0
- object network subnet_c_wireless
- subnet 192.168.31.0 255.255.255.0
- object network subnet_dc
- subnet 10.10.10.0 255.255.255.192
- object network subnet_server
- subnet 192.168.5.0 255.255.255.0
- object network NETWORK_OBJ_192.168.0.0_24
- subnet 192.168.0.0 255.255.255.0
- object network subnet_primary
- subnet 192.168.0.0 255.255.255.0
- object network subnet_192.168.0.0
- subnet 192.168.0.0 255.255.0.0
- object network vpn_nat
- subnet 192.168.0.0 255.255.0.0
- object network obj-192.168
- subnet 192.168.0.0 255.255.255.0
- : Object groups. internal_lan_wireless and company_trusted_lan are not referenced by
- : any ACL or NAT rule in this paste. company_lan (used by split_tunnel and the identity
- : NAT) is the only group that includes subnet_dc; company_lan_internal omits it.
- object-group network internal_lan_wireless
- network-object object subnet_b_wireless
- network-object object subnet_c_wireless
- network-object object subnet_a_wireless
- object-group network company_trusted_lan
- network-object object subnet_a
- network-object object subnet_b
- network-object object subnet_c
- network-object object subnet_server
- network-object object subnet_dc
- network-object object subnet_primary
- object-group network company_lan
- network-object object subnet_a
- network-object object subnet_a_wireless
- network-object object subnet_b
- network-object object subnet_b_wireless
- network-object object subnet_c
- network-object object subnet_c_wireless
- network-object object subnet_dc
- network-object object subnet_primary
- network-object object subnet_server
- object-group network company_lan_internal
- network-object object subnet_a
- network-object object subnet_a_wireless
- network-object object subnet_b
- network-object object subnet_b_wireless
- network-object object subnet_c
- network-object object subnet_c_wireless
- network-object object subnet_primary
- network-object object subnet_server
- : Access lists. Only global_access is applied (see "access-group global_access global").
- : inside_access_in, outside_access_in, inside_acl and outside_access_out are defined but
- : bound to no interface in this paste, so they have no effect as written.
- : global_access is "permit ip any any": on 8.4 a global ACL is evaluated on ingress of
- : every interface, so this overrides the default lower->higher deny that the security
- : levels would otherwise give. Inbound reachability from outside is then limited only by
- : NAT/route state, not by an explicit filter - confirm this is the intended policy.
- access-list inside_access_in extended permit ip any any log disable
- access-list inside_access_in extended permit icmp any any
- access-list global_access extended permit icmp any any log disable
- access-list global_access extended permit ip any any log disable
- access-list outside_access_in extended permit ip any any log disable
- access-list outside_access_in extended permit icmp any any log disable
- : split_tunnel defines the networks pushed to remote-access clients (see the
- : split-tunnel-network-list entries in the group policies).
- access-list split_tunnel extended permit ip object-group company_lan any log disable
- access-list split_tunnel extended permit icmp object-group company_lan any log
- : DC_VPN_TRAFFIC is the crypto ACL for the site-to-site tunnel (192.168.0.0/16 <-> subnet_dc).
- access-list DC_VPN_TRAFFIC extended permit ip object subnet_192.168.0.0 object subnet_dc
- access-list inside_acl extended permit ip object-group company_lan any
- access-list inside_acl extended permit icmp object-group company_lan any
- access-list outside_access_out extended permit ip any any log disable
- access-list outside_access_out extended permit icmp any any log disable
- pager lines 30
- : Logging goes to the local buffer and ASDM only; there is no "logging host" or
- : "logging trap" line in this paste, so events are lost on reload and nothing reaches
- : a SIEM/syslog collector.
- logging enable
- logging buffered debugging
- logging asdm notifications
- mtu outside 1500
- mtu inside 1500
- mtu vpn 1500
- mtu management 1500
- : Remote-access pool lives inside the inside /24 (overlapping the DHCP scope's address
- : space, though the ranges 192.168.0.20-100 and .101-.254 do not collide).
- ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0
- icmp unreachable rate-limit 1 burst-size 1
- asdm image disk0:/asdm-647.bin
- no asdm history enable
- arp timeout 14400
- : NAT. First rule: identity (hairpin) NAT outside->outside for 192.168.0.0/24 to the DC
- : subnet, so remote-access clients can be forwarded into the site-to-site tunnel.
- : Second rule: identity NAT exempting internal LAN -> company_lan from translation.
- : Last rule: after-auto dynamic PAT of the internal LAN to the outside interface address.
- nat (outside,outside) source static obj-192.168 obj-192.168 destination static subnet_dc subnet_dc no-proxy-arp route-lookup
- nat (inside,outside) source static company_lan_internal company_lan_internal destination static company_lan company_lan no-proxy-arp route-lookup
- !
- nat (inside,outside) after-auto source dynamic company_lan_internal interface
- access-group global_access global
- !
- : EIGRP AS 10 advertised on 192.168.0.0/24 (inside). No EIGRP authentication appears on
- : the interfaces in this paste - presumably unauthenticated; confirm on the device.
- router eigrp 10
- no auto-summary
- network 192.168.0.0 255.255.255.0
- !
- route outside 0.0.0.0 0.0.0.0 216.x.x.x
- timeout xlate 3:00:00
- timeout pat-xlate 0:00:30
- timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
- timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
- timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
- timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
- timeout tcp-proxy-reassembly 0:01:00
- timeout floating-conn 0:00:00
- dynamic-access-policy-record DfltAccessPolicy
- : RADIUS server group "company" (single host on the server subnet, key masked). It is
- : used by every tunnel-group below together with LOCAL as fallback.
- aaa-server company protocol radius
- aaa-server company (inside) host 192.168.5.x
- key *
- radius-common-pw *
- user-identity default-domain LOCAL
- : Management plane: SSH authenticates against LOCAL, but there is no "ssh <addr> <mask>
- : <if>" line in this paste, so SSH is not permitted from any address. No telnet hosts are
- : defined either. ASDM/HTTPS is allowed from the management /24 and from the whole
- : 192.168.0.0/16 on inside - wider than the inside /24 itself. No "aaa authentication
- : http console" line is present, so ASDM login presumably falls back to the enable
- : password rather than a named account - confirm.
- aaa authentication ssh console LOCAL
- http server enable
- http 192.168.1.0 255.255.255.0 management
- http 192.168.0.0 255.255.0.0 inside
- http redirect outside 80
- : Traps are enabled but no "snmp-server host" appears in this paste; as shown they have
- : no destination.
- no snmp-server location
- no snmp-server contact
- snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
- crypto ipsec fragmentation after-encryption outside
- : Remote-access crypto. The default dynamic map offers DES, 3DES and MD5 variants
- : (IKEv1) and DES/3DES proposals (IKEv2) - legacy algorithms that will be accepted if
- : a client proposes them. Consider trimming to AES/SHA. No "crypto ikev1/ikev2 policy"
- : or "crypto ikev1 enable outside" lines appear in this paste; they may have been
- : trimmed by the poster.
- crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
- crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
- crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
- : outside_map is defined but never bound to an interface; DC_VPN_MAP (below) is the map
- : actually applied to outside and carries both the L2L entry and the dynamic entry.
- crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
- : Site-to-site tunnel to the DC: IKEv1, 3DES-SHA only (legacy cipher). The SA lifetime
- : 2147483647 s (~68 years) effectively disables time-based rekey; only the kilobyte
- : lifetime (default, not shown here) would trigger one.
- crypto map DC_VPN_MAP 1 match address DC_VPN_TRAFFIC
- crypto map DC_VPN_MAP 1 set pfs
- crypto map DC_VPN_MAP 1 set peer 204.x.x.x
- crypto map DC_VPN_MAP 1 set ikev1 transform-set ESP-3DES-SHA
- crypto map DC_VPN_MAP 1 set security-association lifetime seconds 2147483647
- crypto map DC_VPN_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
- crypto map DC_VPN_MAP interface outside
- telnet timeout 5
- ssh timeout 60
- ssh version 2
- : console timeout 0 = serial console sessions never time out.
- console timeout 0
- management-access inside
- : DHCP for inside clients; DNS/WINS point at the (masked) internal server.
- dhcpd address 192.168.0.20-192.168.0.100 inside
- dhcpd dns 192.168.5.x interface inside
- dhcpd wins 192.168.5.x interface inside
- dhcpd ping_timeout 20 interface inside
- dhcpd domain internal.example.com interface inside
- dhcpd enable inside
- !
- dhcpd address 192.168.1.2-192.168.1.254 management
- dhcpd enable management
- !
- : Basic threat detection and statistics are on; scanning-threat detection is not
- : configured in this paste.
- threat-detection basic-threat
- threat-detection statistics
- threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
- : Single unauthenticated NTP source (no "ntp authenticate" in this paste).
- ntp server 91.189.94.4 source outside prefer
- : The trustpoint referenced here is not defined anywhere in this paste (no "crypto ca
- : trustpoint" block) - likely trimmed; confirm the certificate is present on the device.
- ssl trust-point anyconnect_trustpoint outside
- : Clientless/AnyConnect portal enabled on outside with a 2.5-series Windows client image.
- webvpn
- enable outside
- anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1
- anyconnect enable
- tunnel-group-list enable
- : Group policies. Every policy sets "password-storage enable", which lets the VPN
- : client cache the user's password on the endpoint. split-tunnel-policy
- : tunnelspecified is set only on DfltGrpPolicy; the other policies name a
- : split-tunnel list but inherit the policy from DfltGrpPolicy (per-attribute
- : inheritance).
- group-policy DefaultRAGroup internal
- group-policy DefaultRAGroup attributes
- wins-server value 192.168.5.x
- dns-server value 192.168.5.x
- vpn-tunnel-protocol ikev1 ikev2 ssl-client
- password-storage enable
- split-tunnel-network-list value split_tunnel
- default-domain value internal.example.com
- group-policy DfltGrpPolicy attributes
- dns-server value 8.8.8.8
- password-storage enable
- split-tunnel-policy tunnelspecified
- split-tunnel-network-list value split_tunnel
- default-domain value internal.example.com
- group-policy company internal
- group-policy company attributes
- wins-server value 192.168.5.x
- dns-server value 192.168.5.x
- vpn-tunnel-protocol ikev1
- password-storage enable
- split-tunnel-network-list value split_tunnel
- default-domain value internal.example.com
- group-policy GroupPolicy_company_anyconnect internal
- group-policy GroupPolicy_company_anyconnect attributes
- wins-server value 192.168.5.x
- dns-server value 192.168.5.x
- vpn-tunnel-protocol ikev2 ssl-client
- password-storage enable
- split-tunnel-network-list value split_tunnel
- default-domain value internal.example.com
- webvpn
- anyconnect profiles value company_anyconnect_client_profile type user
- : Tunnel groups. All use RADIUS group "company" with LOCAL fallback (local accounts are
- : consulted if the RADIUS server is unreachable). DefaultRAGroup - the catch-all for
- : IKEv1 clients that match no named group - carries its own pre-shared key (masked), so
- : unnamed IKEv1 connections are accepted into DefaultRAGroup rather than rejected.
- tunnel-group DefaultRAGroup general-attributes
- address-pool vpn_pool
- authentication-server-group company LOCAL
- authentication-server-group (inside) company LOCAL
- default-group-policy DefaultRAGroup
- tunnel-group DefaultRAGroup ipsec-attributes
- ikev1 pre-shared-key *****
- tunnel-group DefaultRAGroup ppp-attributes
- authentication ms-chap-v2
- tunnel-group DefaultWEBVPNGroup general-attributes
- authentication-server-group company LOCAL
- authentication-server-group (inside) company LOCAL
- tunnel-group company_anyconnect type remote-access
- tunnel-group company_anyconnect general-attributes
- address-pool vpn_pool
- authentication-server-group company LOCAL
- authentication-server-group (inside) company LOCAL
- default-group-policy GroupPolicy_company_anyconnect
- tunnel-group company_anyconnect webvpn-attributes
- group-alias company_anyconnect enable
- tunnel-group company type remote-access
- tunnel-group company general-attributes
- address-pool vpn_pool
- authentication-server-group company LOCAL
- authentication-server-group (inside) company LOCAL
- default-group-policy company
- tunnel-group company ipsec-attributes
- ikev1 pre-shared-key *****
- : "DC_VPN" is a named L2L group that nothing references; the site-to-site peer actually
- : matches the address-named group 204.x.x.x below (IKEv1 PSK, masked).
- tunnel-group DC_VPN type ipsec-l2l
- tunnel-group 204.x.x.x type ipsec-l2l
- tunnel-group 204.x.x.x ipsec-attributes
- ikev1 pre-shared-key *
- !
- : CLASS_MAP_SSH matches tcp/22 flowing through the firewall (applied in global_policy).
- class-map CLASS_MAP_SSH
- match port tcp eq ssh
- class-map inspection_default
- match default-inspection-traffic
- !
- !
- policy-map type inspect dns preset_dns_map
- parameters
- message-length maximum client auto
- message-length maximum 512
- policy-map global_policy
- class inspection_default
- inspect dns preset_dns_map
- inspect ftp
- inspect h323 h225
- inspect h323 ras
- inspect rsh
- inspect rtsp
- inspect esmtp
- inspect sqlnet
- inspect skinny
- inspect sunrpc
- inspect xdmcp
- inspect sip
- inspect netbios
- inspect tftp
- inspect ip-options
- : For SSH flows: TCP ISN randomization is turned OFF (default is on) and the idle
- : timeout is disabled, so these connections persist until closed. Both are deliberate
- : deviations from defaults and worth documenting why (BGP/NAT-traversal style
- : workarounds are the usual reason for the ISN setting).
- class CLASS_MAP_SSH
- set connection random-sequence-number disable
- set connection timeout idle 0:00:00
- set connection decrement-ttl
- class class-default
- user-statistics accounting
- !
- service-policy global_policy global
- prompt hostname context
- no call-home reporting anonymous
- : Master-passphrase (AES) encryption of stored keys is enabled; the keys above are
- : masked in the paste so this cannot be verified here.
- password encryption aes
- : end