- : Saved
- :
- : NOTE(review): PIX 6.3 is a long end-of-support platform that no longer receives security fixes - confirm a migration plan exists before relying on the rule set below.
- PIX Version 6.3(5)
- interface ethernet0 100full
- interface ethernet1 auto
- interface ethernet2 auto
- interface ethernet3 auto
- interface ethernet4 auto shutdown
- interface ethernet5 auto shutdown
- nameif ethernet0 outside security0
- nameif ethernet1 inside security100
- nameif ethernet2 dmz1 security50
- nameif ethernet3 dmz2 security49
- nameif ethernet4 intf4 security20
- nameif ethernet5 fail security20
- : Local credentials. No "aaa authentication ... console" line appears anywhere in this listing, so if this is the whole config these two shared secrets are the only authentication for console, telnet, ssh and PDM logins despite the TACACS+/RADIUS server groups declared further down.
- enable password REDACTED encrypted
- passwd REDACTED encrypted
- hostname PixFirewall
- domain-name example.com
- clock timezone EST -5
- clock summer-time EDT recurring
- fixup protocol dns maximum-length 512
- fixup protocol ftp 21
- fixup protocol h323 h225 1720
- fixup protocol h323 ras 1718-1719
- fixup protocol http 80
- fixup protocol ils 389
- fixup protocol rsh 514
- fixup protocol rtsp 554
- fixup protocol sip 5060
- fixup protocol sip udp 5060
- fixup protocol skinny 2000
- : SMTP inspection (Mailguard) is disabled, so the SMTP listeners opened to the Internet later in outside-to-in (F.S.T.40, F.S.T.36) get no protocol-level inspection. Re-enable it unless a documented mail-server incompatibility requires this.
- no fixup protocol smtp 25
- fixup protocol sqlnet 1521
- fixup protocol tftp 69
- names
- : This group is defined but never referenced by any access-list in this listing, so it currently blocks nothing. Either apply it with a deny entry at the top of outside-to-in or remove it so it does not give a false sense of coverage.
- object-group network deny-known-bad-ips
- network-object host A.B.C.D
- network-object host E.F.G.H
- ...
- object-group network spam-filter
- network-object I.J.K.L 255.255.240.0
- network-object M.N.O.P 255.255.224.0
- ...
- object-group network ipsoft
- network-object 192.168.12.23 255.255.255.255
- network-object 192.168.12.24 255.255.255.255
- object-group network catCLE
- network-object 10.2.12.17 255.255.255.255
- network-object 10.2.12.18 255.255.255.255
- object-group network CLE
- network-object 10.2.0.0 255.255.0.0
- network-object 166.8.136.0 255.255.255.0
- network-object 166.8.138.0 255.255.255.0
- object-group network cloud_app
- network-object Q.R.S.T 255.255.255.224
- network-object U.V.W.X 255.255.255.240
- ...
- object-group network ftp-server-access
- description ACL group for allowing access to certain services on the FTP server
- network-object host a.b.c.d
- network-object host e.f.g.h
- object-group network vendor-access
- description Access group to allow vendor access remotely
- network-object host i.j.k.l
- network-object host m.n.o.p
- object-group network ssh-access
- description Access group to allow SSH Access
- network-object host q.r.s.t
- network-object host u.v.w.x
- object-group network newerFTP-web-access
- description Access group to allow web access to newer FTP server
- network-object host 1.2.3.4
- object-group network RDP-access
- description "Network Group to allow RDP access to IT people"
- network-object host 2.3.4.5
- network-object host 3.4.5.6
- : Egress is unrestricted: any TCP and UDP from inside to anywhere, with no log keyword. Consider limiting outbound to the services actually needed and logging the rest so outbound misuse is visible.
- access-list inside-to-out permit tcp any any
- access-list inside-to-out permit udp any any
- access-list inside-to-out permit icmp any any echo
- access-list inside-to-out permit icmp any any echo-reply
- : Inbound from the Internet. Several cleartext services (ftp, pop3, www, domain over tcp) are opened from "any"; prefer the TLS variants already permitted (https, 993, 995) where the servers support them, and keep the source-restricted entries (object-group based) as the model for admin protocols.
- access-list outside-to-in permit tcp any host F.S.T.45 eq https
- access-list outside-to-in permit tcp any host F.S.T.46 eq www
- access-list outside-to-in permit tcp any host F.S.T.46 eq https
- access-list outside-to-in permit tcp any host F.S.T.48 eq https
- access-list outside-to-in permit tcp any host F.S.T.48 eq www
- access-list outside-to-in permit tcp any host F.S.T.51 eq www
- access-list outside-to-in permit tcp any host F.S.T.51 eq https
- access-list outside-to-in permit tcp any host F.S.T.47 eq https
- access-list outside-to-in permit tcp any host F.S.T.47 eq www
- access-list outside-to-in permit tcp any host F.S.T.44 eq www
- access-list outside-to-in permit tcp any host F.S.T.44 eq https
- access-list outside-to-in permit udp any host F.S.T.41 eq isakmp
- access-list outside-to-in permit esp any host F.S.T.41
- access-list outside-to-in permit tcp any host F.S.T.37 eq domain
- access-list outside-to-in permit udp any host F.S.T.37 eq domain
- access-list outside-to-in permit tcp any host F.S.T.40 eq domain
- access-list outside-to-in permit udp any host F.S.T.40 eq domain
- access-list outside-to-in permit tcp object-group spam-filter host F.S.T.40 eq smtp
- access-list outside-to-in permit tcp any host F.S.T.53 eq www
- access-list outside-to-in permit tcp any host F.S.T.53 eq https
- access-list outside-to-in permit tcp any host F.S.T.54 eq www
- access-list outside-to-in permit tcp any host F.S.T.54 eq https
- access-list outside-to-in permit tcp any host F.S.T.45 eq www
- : SMB (445) from a single Internet host straight to an inside server (F.S.T.49 is static-mapped to 10.2.4.45 below). SMB exposed to the Internet is high risk even from one source; carry this over the existing IPsec tunnel or a dedicated VPN instead.
- access-list outside-to-in permit tcp host 20.18.19.22 host F.S.T.49 eq 445
- access-list outside-to-in permit tcp any host F.S.T.46 eq ftp
- access-list outside-to-in permit tcp any host F.S.T.55 eq https
- access-list outside-to-in permit tcp any host F.S.T.55 eq www
- access-list outside-to-in permit tcp any host F.S.T.42 eq www
- access-list outside-to-in permit udp any host F.S.T.41 eq 4500
- access-list outside-to-in permit tcp any host F.S.T.57 eq www
- access-list outside-to-in permit tcp any host F.S.T.53 eq 2052
- access-list outside-to-in permit tcp object-group cloud_app host F.S.T.40 eq smtp
- access-list outside-to-in permit tcp any host F.S.T.45 eq pop3
- access-list outside-to-in permit tcp any host F.S.T.59 eq ftp
- access-list outside-to-in permit icmp any any echo-reply
- access-list outside-to-in permit icmp any any echo
- : Wide static port ranges opened from "any" for passive FTP (here and for F.S.T.60 and F.S.T.53 below). The ftp fixup is enabled above and can open data ports dynamically, so these ranges may be unnecessary - confirm with the server owner and remove them if so.
- access-list outside-to-in permit tcp any host F.S.T.59 range 38700 39699
- access-list outside-to-in permit icmp any any unreachable
- access-list outside-to-in permit icmp any any time-exceeded
- access-list outside-to-in permit tcp any host F.S.T.42 eq 8080
- access-list outside-to-in permit tcp object-group ftp-server-access host F.S.T.59 eq www
- access-list outside-to-in permit tcp any host F.S.T.53 range 28000 30000
- access-list outside-to-in permit tcp any host F.S.T.60 eq ftp
- access-list outside-to-in permit tcp any host F.S.T.60 range 38700 39699
- access-list outside-to-in permit tcp object-group vendor-access host F.S.T.61 eq ssh
- access-list outside-to-in permit tcp object-group ssh-access host F.S.T.39 eq ssh
- access-list outside-to-in permit tcp object-group newerFTP-web-access host F.S.T.60 eq www
- access-list outside-to-in permit tcp object-group RDP-access host F.S.T.62 eq 3389
- access-list outside-to-in permit tcp object-group ssh-access host F.S.T.36 eq ssh
- access-list outside-to-in permit tcp any host F.S.T.36 eq smtp
- access-list outside-to-in permit tcp any host F.S.T.36 eq www
- access-list outside-to-in permit tcp any host F.S.T.36 eq pop3
- access-list outside-to-in permit tcp any host F.S.T.36 eq imap4
- access-list outside-to-in permit tcp any host F.S.T.36 eq https
- access-list outside-to-in permit tcp any host F.S.T.36 eq 587
- access-list outside-to-in permit tcp any host F.S.T.36 eq 993
- access-list outside-to-in permit tcp any host F.S.T.36 eq 995
- access-list outside-to-in permit tcp any host F.S.T.42 eq https
- access-list outside-to-in permit tcp object-group ssh-access host F.S.T.43 eq ssh
- access-list outside-to-in permit tcp any host F.S.T.43 eq https
- access-list outside-to-in permit tcp any host F.S.T.43 eq 6876
- access-list outside-to-in permit tcp object-group ftp-server-access host F.S.T.59 eq https
- access-list outside-to-in permit tcp any host F.S.T.43 eq www
- access-list outside-to-in permit tcp any host F.S.T.57 eq https
- : dmz1 filter. Note the pattern used for 192.168.8.6 and 192.168.8.8 below: explicit denies toward the inside servers reachable by static NAT (10.2.12.12, 10.2.4.2, 10.2.0.3, 10.2.8.5) placed before the "any" permits. Other hosts that get "any" permits in this list do not have those denies.
- access-list dmz1fltr permit tcp host 192.168.8.25 host 10.2.12.12 eq 8009
- access-list dmz1fltr permit udp host 192.168.8.11 host 10.2.0.3 eq domain
- access-list dmz1fltr permit udp host 192.168.8.12 host 10.2.0.3 eq domain
- access-list dmz1fltr permit tcp host 192.168.8.11 host 10.2.8.5 eq 1433
- access-list dmz1fltr permit tcp host 192.168.8.12 host 10.2.8.5 eq 1433
- access-list dmz1fltr permit tcp host 192.168.8.11 host 10.2.12.12 eq 8009
- access-list dmz1fltr permit tcp host 192.168.8.12 host 10.2.12.12 eq 8009
- access-list dmz1fltr permit tcp host 192.168.8.5 any eq domain
- access-list dmz1fltr permit udp host 192.168.8.5 any eq domain
- access-list dmz1fltr permit tcp host 192.168.8.5 any eq smtp
- access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.12.12
- access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.4.2
- access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.0.3
- access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.8.5
- access-list dmz1fltr permit tcp host 192.168.8.6 any eq smtp
- access-list dmz1fltr permit tcp host 192.168.8.6 any eq domain
- access-list dmz1fltr permit udp host 192.168.8.6 any eq domain
- access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.12.12
- access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.4.2
- access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.0.3
- access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.8.5
- access-list dmz1fltr permit esp host 192.168.8.8 any
- access-list dmz1fltr permit udp host 192.168.8.8 any eq isakmp
- access-list dmz1fltr permit udp host 192.168.8.8 any eq 4500
- access-list dmz1fltr permit tcp host 192.168.8.5 any eq ftp
- access-list dmz1fltr permit tcp host 192.168.8.5 host 10.2.8.81 eq ftp
- access-list dmz1fltr permit udp host 192.168.8.53 host 10.2.0.3 eq domain
- access-list dmz1fltr permit udp host 192.168.8.60 host 10.2.0.3 eq domain
- access-list dmz1fltr permit udp host 192.168.8.60 host 10.2.8.7 eq domain
- : Unrestricted TCP from this DMZ host to any destination, with no port restriction and no preceding denies toward inside. Given the static NAT entries that expose inside hosts on dmz1 (10.2.0.3, 10.2.8.5, 10.2.8.7, 10.2.24.5 and others), a compromise of 192.168.8.60 would have unfiltered TCP reach into those servers. Narrow this to the needed destinations/ports.
- access-list dmz1fltr permit tcp host 192.168.8.60 any
- access-list dmz1fltr permit tcp host 192.168.8.53 host 10.2.24.5 eq 2737
- access-list dmz1fltr permit tcp host 192.168.8.53 host 10.2.24.5 eq 2051
- access-list dmz1fltr permit udp host 192.168.8.53 host 10.2.24.5 eq 20000
- access-list dmz1fltr permit tcp host 192.168.8.53 host 10.2.24.5 eq 20000
- access-list dmz1fltr permit tcp host 192.168.8.4 host 10.2.8.81 eq ftp
- access-list dmz1fltr permit icmp any any echo-reply
- access-list dmz1fltr permit icmp any any echo
- access-list dmz1fltr permit tcp host 192.168.8.4 any eq www
- access-list dmz1fltr permit tcp any host 192.168.8.4 eq www
- access-list dmz1fltr permit tcp host 192.168.8.4 any eq ftp-data
- access-list dmz1fltr permit tcp any host 192.168.8.4 eq ssh
- access-list dmz1fltr permit tcp host 192.168.8.4 any eq ssh
- access-list dmz1fltr permit tcp host 192.168.8.4 any eq domain
- access-list dmz1fltr permit udp host 192.168.8.4 any eq domain
- access-list dmz1fltr permit udp any host 192.168.8.4 eq domain
- access-list dmz1fltr permit tcp any host 192.168.8.4 eq domain
- access-list dmz1fltr permit tcp host 192.168.8.4 any eq ftp
- : rsh (cmd, tcp/514) and telnet are cleartext, legacy protocols permitted here in both directions for 192.168.8.4 and 192.168.8.5. ssh is already permitted for 192.168.8.4 above; retire rsh/telnet in favour of it and remove these entries.
- access-list dmz1fltr permit tcp host 192.168.8.4 any eq cmd
- access-list dmz1fltr permit tcp any host 192.168.8.4 eq cmd
- access-list dmz1fltr permit tcp any host 192.168.8.5 eq cmd
- access-list dmz1fltr permit tcp host 192.168.8.5 any eq cmd
- access-list dmz1fltr permit tcp host 192.168.8.4 any eq telnet
- access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.117 eq www
- access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.97 eq www
- access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.145 eq www
- access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.117 eq https
- access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.97 eq https
- access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.145 eq https
- access-list dmz2fltr permit tcp host 166.8.137.30 host 10.2.0.21 eq https
- : Order-dependent: these "deny ip any" entries must stay after the specific permits above them for 166.8.137.30, and before the "any" permits for 166.8.137.5 / .42 / .31 below. Keep that ordering when editing.
- access-list dmz2fltr deny ip any host 166.8.138.117
- access-list dmz2fltr deny ip any host 166.8.138.97
- access-list dmz2fltr deny ip any host 10.2.0.21
- access-list dmz2fltr deny ip host 166.8.137.5 host 166.8.138.117
- access-list dmz2fltr deny ip host 166.8.137.5 host 166.8.138.97
- access-list dmz2fltr deny ip host 166.8.137.5 host 166.8.138.145
- access-list dmz2fltr deny ip host 166.8.137.5 host 10.2.0.21
- access-list dmz2fltr permit tcp host 166.8.137.5 any eq smtp
- access-list dmz2fltr permit tcp host 166.8.137.5 host 10.2.0.19 eq smtp
- access-list dmz2fltr permit udp host 166.8.137.5 host 10.2.0.3 eq domain
- access-list dmz2fltr permit tcp host 166.8.137.30 host 10.2.0.28 eq https
- access-list dmz2fltr permit tcp host 166.8.137.30 host 10.2.0.28 eq www
- access-list dmz2fltr deny ip any host 10.2.0.28
- access-list dmz2fltr permit tcp host 166.8.137.31 any eq ftp
- access-list dmz2fltr permit tcp host 166.8.137.5 host 10.2.8.98 eq ssh
- access-list dmz2fltr permit tcp host 166.8.137.42 host 166.8.138.141 eq 1433
- access-list dmz2fltr permit udp host 166.8.137.42 host 10.2.0.3 eq domain
- access-list dmz2fltr deny ip any host 10.2.0.3
- access-list dmz2fltr deny ip any host 10.2.0.19
- access-list dmz2fltr deny ip any host 166.8.138.141
- access-list dmz2fltr permit tcp host 166.8.137.42 any eq www
- access-list dmz2fltr permit tcp host 166.8.137.42 any eq https
- access-list dmz2fltr permit tcp host 166.8.137.42 any eq ftp
- access-list dmz2fltr permit tcp host 166.8.137.5 host 10.2.0.28 eq smtp
- access-list dmz2fltr permit icmp any any echo
- access-list dmz2fltr permit icmp any any echo-reply
- access-list dmz2fltr permit tcp host 166.8.137.42 any eq 8080
- access-list nonat deny ip any 16.18.20.0 255.255.255.0
- access-list nonat deny ip any 10.255.1.0 255.255.255.0
- access-list nonat permit ip object-group catCLE object-group ipsoft
- access-list nonat permit ip object-group CLE host 166.8.137.31
- : Crypto ACL for the site-to-site tunnel; this is the only thing bounding what the peer can reach once "sysopt connection permit-ipsec" (below) exempts tunnel traffic from the outside ACL.
- access-list vpn-cat permit ip object-group catCLE object-group ipsoft
- pager lines 24
- : NOTE(review): the syslog host only receives severity 3 (errors) and above. ACL deny messages (106023) are severity 4 on this platform as far as I recall, so denied connections would never leave the box - confirm, and consider "logging trap warnings" or lower so blocked traffic is visible to the SOC.
- logging on
- logging monitor warnings
- logging buffered critical
- logging trap errors
- logging history emergencies
- logging host inside 10.2.8.100
- icmp permit any unreachable outside
- icmp permit any unreachable dmz1
- mtu outside 1500
- mtu inside 1500
- mtu dmz1 1500
- mtu dmz2 1500
- mtu intf4 1500
- mtu fail 1500
- ip address outside F.S.T.34 255.255.255.224
- ip address inside 192.168.14.2 255.255.255.0
- ip address dmz1 192.168.8.1 255.255.255.0
- ip address dmz2 166.8.137.1 255.255.255.0
- ip address intf4 172.16.1.1 255.255.255.0
- ip address fail 192.168.11.1 255.255.255.0
- : IDS signatures are alarm-only (no drop/reset); they add visibility but do not block anything.
- ip audit info action alarm
- ip audit attack action alarm
- no failover
- failover timeout 0:00:00
- failover poll 15
- no failover ip address outside
- no failover ip address inside
- no failover ip address dmz1
- no failover ip address dmz2
- no failover ip address intf4
- no failover ip address fail
- pdm history enable
- arp timeout 14400
- global (outside) 1 F.S.T.35
- global (dmz1) 1 interface
- global (dmz2) 1 interface
- nat (inside) 0 access-list nonat
- nat (inside) 1 166.8.136.0 255.255.255.0 0 0
- nat (inside) 1 166.8.138.0 255.255.255.0 0 0
- nat (inside) 1 166.8.139.0 255.255.255.0 0 0
- nat (inside) 1 192.168.6.0 255.255.255.0 0 0
- nat (inside) 1 10.2.0.0 255.255.0.0 0 0
- alias (inside) F.S.T.44 166.8.137.10 255.255.255.255
- alias (inside) F.S.T.46 166.8.137.31 255.255.255.255
- : Identity statics (inside,dmz1) and (inside,dmz2) are what make the listed inside servers reachable from the DMZs; every one of them should have a matching, destination-specific permit in dmz1fltr/dmz2fltr rather than relying on "any" entries.
- static (inside,dmz2) 10.2.0.19 10.2.0.19 netmask 255.255.255.255 0 0
- static (inside,dmz2) 10.2.0.3 10.2.0.3 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.0.3 10.2.0.3 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.8.5 10.2.8.5 netmask 255.255.255.255 0 0
- static (inside,dmz2) 10.2.0.21 10.2.0.21 netmask 255.255.255.255 0 0
- static (inside,dmz2) 166.8.138.97 166.8.138.97 netmask 255.255.255.255 0 0
- static (inside,dmz2) 166.8.138.145 166.8.138.145 netmask 255.255.255.255 0 0
- static (inside,dmz2) 166.8.138.117 166.8.138.117 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.4.2 10.2.4.2 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.12.12 10.2.12.12 netmask 255.255.255.255 0 0
- static (dmz2,outside) F.S.T.45 166.8.137.30 netmask 255.255.255.255 0 0
- static (dmz2,outside) F.S.T.46 166.8.137.31 netmask 255.255.255.255 0 0
- static (dmz1,outside) F.S.T.51 192.168.8.25 netmask 255.255.255.255 0 0
- static (dmz2,outside) F.S.T.47 166.8.137.40 netmask 255.255.255.255 0 0
- static (dmz2,outside) F.S.T.44 166.8.137.10 netmask 255.255.255.255 0 0
- static (dmz1,outside) F.S.T.41 192.168.8.8 netmask 255.255.255.255 0 0
- static (dmz1,outside) F.S.T.37 192.168.8.2 netmask 255.255.255.255 0 0
- static (dmz2,outside) F.S.T.54 166.8.137.50 netmask 255.255.255.255 0 0
- static (inside,dmz2) 10.2.0.28 10.2.0.28 netmask 255.255.255.255 0 0
- static (inside,outside) F.S.T.48 166.8.138.145 netmask 255.255.255.255 0 0
- static (inside,outside) F.S.T.49 10.2.4.45 netmask 255.255.255.255 0 0
- static (dmz2,outside) F.S.T.40 166.8.137.5 netmask 255.255.255.255 0 0
- static (dmz2,outside) F.S.T.55 166.8.137.60 netmask 255.255.255.255 0 0
- static (dmz2,outside) F.S.T.42 166.8.137.42 netmask 255.255.255.255 0 0
- static (inside,dmz2) 166.8.138.141 166.8.138.141 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.8.81 10.2.8.81 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.4.35 10.2.4.35 netmask 255.255.255.255 0 0
- static (dmz1,outside) F.S.T.53 192.168.8.53 netmask 255.255.255.255 0 0
- static (inside,dmz1) 166.8.136.35 166.8.136.35 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.8.7 10.2.8.7 netmask 255.255.255.255 0 0
- static (dmz1,outside) F.S.T.58 192.168.8.60 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.24.5 10.2.24.5 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.4.45 10.2.4.45 netmask 255.255.255.255 0 0
- static (inside,dmz1) 10.2.5.67 10.2.5.67 netmask 255.255.255.255 0 0
- : The (inside,outside) statics below publish inside hosts directly on the Internet, bypassing both DMZs; the services opened to them in outside-to-in (ftp, smtp, pop3, imap4, 445, 3389, ssh) deserve the tightest source restrictions in that list.
- static (inside,outside) F.S.T.59 10.2.8.48 netmask 255.255.255.255 0 0
- static (inside,outside) F.S.T.39 10.2.9.86 netmask 255.255.255.255 0 0
- static (inside,outside) F.S.T.60 10.2.8.148 netmask 255.255.255.255 0 0
- static (inside,outside) F.S.T.61 10.2.8.44 netmask 255.255.255.255 0 0
- static (inside,outside) F.S.T.62 10.2.0.100 netmask 255.255.255.255 0 0
- static (inside,outside) F.S.T.36 10.2.8.250 netmask 255.255.255.255 0 0
- static (inside,outside) F.S.T.43 10.2.4.250 netmask 255.255.255.255 0 0
- static (inside,outside) F.S.T.57 10.2.8.88 netmask 255.255.255.255 0 0
- access-group outside-to-in in interface outside
- access-group inside-to-out in interface inside
- access-group dmz1fltr in interface dmz1
- access-group dmz2fltr in interface dmz2
- route outside 0.0.0.0 0.0.0.0 F.S.T.33 1
- route inside 10.2.0.0 255.255.0.0 192.168.14.1 1
- route inside 10.22.66.22 255.255.255.255 192.168.14.1 1
- route inside 10.22.66.23 255.255.255.255 192.168.14.1 1
- route inside 166.8.1.0 255.255.255.0 192.168.14.1 1
- route inside 166.8.65.38 255.255.255.255 192.168.14.1 1
- route inside 166.8.136.0 255.255.255.0 192.168.14.1 1
- route inside 166.8.138.0 255.255.255.0 192.168.14.1 1
- route inside 166.8.139.0 255.255.255.0 192.168.14.1 1
- route inside 192.168.6.0 255.255.255.0 192.168.14.1 1
- timeout xlate 1:00:00
- timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
- timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
- timeout sip-disconnect 0:02:00 sip-invite 0:03:00
- timeout uauth 0:05:00 absolute
- : Server groups are declared here but no server hosts/keys and no "aaa authentication" lines use them in this listing; management logins therefore fall back to the local enable/passwd secrets above. Wire TACACS+ or RADIUS to ssh/console/http so logins are per-user and auditable.
- aaa-server TACACS+ protocol tacacs+
- aaa-server TACACS+ max-failed-attempts 3
- aaa-server TACACS+ deadtime 10
- aaa-server RADIUS protocol radius
- aaa-server RADIUS max-failed-attempts 3
- aaa-server RADIUS deadtime 10
- aaa-server LOCAL protocol local
- ntp server 10.2.0.5 source inside
- : PDM (https management) limited to a single inside host - good; keep it that way.
- http server enable
- http 10.2.0.123 255.255.255.255 inside
- : Well-known default community string "public". Change it to a site-specific value; polling/trap access is at least restricted to the single host above.
- snmp-server host inside 10.2.8.98
- no snmp-server location
- no snmp-server contact
- snmp-server community public
- snmp-server enable traps
- floodguard enable
- : Traffic arriving through the IPsec tunnel bypasses the outside interface ACL with this set; the peer's reach is bounded only by the vpn-cat crypto ACL (catCLE <-> ipsoft).
- sysopt connection permit-ipsec
- : NOTE(review): 3DES / SHA-1 / DH group 2 are now considered weak; this release should support esp-aes and isakmp group 5 - negotiate an upgrade with the peer at 20.17.14.4 if it allows. Pre-shared-key authentication with the key masked in the dump is fine; rotate it on a schedule.
- crypto ipsec transform-set kristrong esp-3des esp-sha-hmac
- crypto ipsec security-association lifetime seconds 3600 kilobytes 10000
- crypto map kri 15 ipsec-isakmp
- crypto map kri 15 match address vpn-cat
- crypto map kri 15 set pfs group2
- crypto map kri 15 set peer 20.17.14.4
- crypto map kri 15 set transform-set kristrong
- crypto map kri interface outside
- isakmp enable outside
- isakmp key ******** address 20.17.14.4 netmask 255.255.255.255
- isakmp identity address
- isakmp policy 10 authentication pre-share
- isakmp policy 10 encryption 3des
- isakmp policy 10 hash sha
- isakmp policy 10 group 2
- isakmp policy 10 lifetime 3600
- : Telnet management is cleartext. ssh is already permitted from the same host (10.2.8.100) two lines down, so this telnet entry can simply be removed.
- telnet 10.2.8.100 255.255.255.255 inside
- telnet timeout 30
- ssh 10.2.8.100 255.255.255.255 inside
- ssh 10.229.66.228 255.255.255.255 inside
- : A /22 of inside addresses may open ssh to the firewall; confirm this is intended rather than just the two management hosts above, and narrow it if not.
- ssh 10.2.0.0 255.255.252.0 inside
- ssh timeout 30
- : Console sessions never time out with 0; set a nonzero value so an unattended console session does not stay privileged.
- console timeout 0
- terminal width 80
- Cryptochecksum:b80c9ac5e742040be7dc4f8d1f69f1c2
- : end