
Untitled

Apr 18th, 2012
ASA Version 8.4(3)
!
! Edge firewall / VPN head-end for internal.example.com.  Public addresses
! in this paste are partially masked (216.x.x.x, 204.x.x.x).
terminal width 200
hostname gw
domain-name internal.example.com
!
! Internet-facing interface, a /27 from the ISP.  Security level 0: nothing
! initiated here reaches a higher-level interface unless an ACL permits it.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 216.x.x.x 255.255.255.224
!
! LAN.  192.168.0.0/24 is also the subnet the remote-access pool and the
! DHCP scope (later in the config) are carved from.  The other 192.168.x.0
! site subnets used in the objects below have no static routes in this
! paste, so they are presumably learned over EIGRP on this interface.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! "vpn" interface (172.16.0.0/24).  Nothing else in this paste references it
! (no address pool, NAT rule or ACL).  Because it sits at level 100 together
! with "same-security-traffic permit inter-interface", any host on it has
! unrestricted access to "inside" - shut it down or lower its level if it
! is not actually in use.
interface Ethernet0/2
 nameif vpn
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
! Unused port, administratively down.
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
! Out-of-band management port.  management-only: the ASA will not forward
! transit traffic through it, so it only serves ASDM/SSH/SNMP to the box.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone MST -7
! The ASA itself resolves names through 8.8.8.8 out of "outside" (used for
! any FQDN object / ACL entry and for its own lookups).
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name internal.example.com
! Allow traffic between interfaces at the same security level (inside <->
! vpn, both 100) and in-and-out of the same interface.  The intra-interface
! rule is what lets remote-access VPN clients (terminated on "outside")
! hairpin into the data-centre site-to-site tunnel that also lives on
! "outside".
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! ---- Network objects ----
! Public ranges.  None of these three is referenced by any NAT rule or ACL
! in this paste (public_dc shares the 204.x prefix of the L2L peer and is
! presumably the DC's public block); they look like leftovers.
object network public_pool
 range 216.x.x.x 216.x.x.x
object network public_dc
 subnet 204.x.x.x 255.255.255.224
object network public_secondary
 subnet 68.64.214.16 255.255.255.248
! Site subnets: wired + wireless per site (a, b, c), the data-centre /26 that
! sits on the far side of the DC_VPN site-to-site tunnel, and the server
! subnet (RADIUS, DNS and WINS live in 192.168.5.x).
object network subnet_a
 subnet 192.168.20.0 255.255.255.0
object network subnet_a_wireless
 subnet 192.168.21.0 255.255.255.0
object network subnet_b
 subnet 192.168.10.0 255.255.255.0
object network subnet_b_wireless
 subnet 192.168.11.0 255.255.255.0
object network subnet_c
 subnet 192.168.30.0 255.255.255.0
object network subnet_c_wireless
 subnet 192.168.31.0 255.255.255.0
object network subnet_dc
 subnet 10.10.10.0 255.255.255.192
object network subnet_server
 subnet 192.168.5.0 255.255.255.0
! 192.168.0.0/24 (the "inside" subnet) is defined three times.  Only
! subnet_primary (object-groups) and obj-192.168 (outside,outside NAT rule)
! are used; NETWORK_OBJ_192.168.0.0_24 is an unreferenced ASDM artefact.
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network subnet_primary
 subnet 192.168.0.0 255.255.255.0
! 192.168.0.0/16 is defined twice: subnet_192.168.0.0 is the local side of
! the DC_VPN crypto ACL, vpn_nat is unused.
object network subnet_192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object network vpn_nat
 subnet 192.168.0.0 255.255.0.0
object network obj-192.168
 subnet 192.168.0.0 255.255.255.0
! ---- Object groups ----
! internal_lan_wireless and company_trusted_lan are not referenced by any
! rule in this paste.
object-group network internal_lan_wireless
 network-object object subnet_b_wireless
 network-object object subnet_c_wireless
 network-object object subnet_a_wireless
object-group network company_trusted_lan
 network-object object subnet_a
 network-object object subnet_b
 network-object object subnet_c
 network-object object subnet_server
 network-object object subnet_dc
 network-object object subnet_primary
! company_lan: every internal subnet including the DC.  Used by the
! split-tunnel list, by inside_acl and as the destination side of the
! identity NAT.
object-group network company_lan
 network-object object subnet_a
 network-object object subnet_a_wireless
 network-object object subnet_b
 network-object object subnet_b_wireless
 network-object object subnet_c
 network-object object subnet_c_wireless
 network-object object subnet_dc
 network-object object subnet_primary
 network-object object subnet_server
! company_lan_internal: the subnets that live behind "inside" (company_lan
! minus subnet_dc).  Source side of the identity NAT and of the dynamic PAT.
object-group network company_lan_internal
 network-object object subnet_a
 network-object object subnet_a_wireless
 network-object object subnet_b
 network-object object subnet_b_wireless
 network-object object subnet_c
 network-object object subnet_c_wireless
 network-object object subnet_primary
 network-object object subnet_server
  105. access-list inside_access_in extended permit ip any any log disable
  106. access-list inside_access_in extended permit icmp any any
  107. access-list global_access extended permit icmp any any log disable
  108. access-list global_access extended permit ip any any log disable
  109. access-list outside_access_in extended permit ip any any log disable
  110. access-list outside_access_in extended permit icmp any any log disable
  111. access-list split_tunnel extended permit ip object-group company_lan any log disable
  112. access-list split_tunnel extended permit icmp object-group company_lan any log
  113. access-list DC_VPN_TRAFFIC extended permit ip object subnet_192.168.0.0 object subnet_dc
  114. access-list inside_acl extended permit ip object-group company_lan any
  115. access-list inside_acl extended permit icmp object-group company_lan any
  116. access-list outside_access_out extended permit ip any any log disable
  117. access-list outside_access_out extended permit icmp any any log disable
  118. pager lines 30
  119. logging enable
  120. logging buffered debugging
  121. logging asdm notifications
  122. mtu outside 1500
  123. mtu inside 1500
  124. mtu vpn 1500
  125. mtu management 1500
  126. ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0
  127. icmp unreachable rate-limit 1 burst-size 1
  128. asdm image disk0:/asdm-647.bin
  129. no asdm history enable
  130. arp timeout 14400
  131. nat (outside,outside) source static obj-192.168 obj-192.168 destination static subnet_dc subnet_dc no-proxy-arp route-lookup
  132. nat (inside,outside) source static company_lan_internal company_lan_internal destination static company_lan company_lan no-proxy-arp route-lookup
  133. !
  134. nat (inside,outside) after-auto source dynamic company_lan_internal interface
  135. access-group global_access global
  136. !
! EIGRP on the inside subnet only (the network statement matches
! Ethernet0/1).  No EIGRP authentication appears under that interface in
! this paste, so any host on 192.168.0.0/24 can form an adjacency and inject
! routes (e.g. a more specific route for 192.168.5.0/24 to hijack RADIUS /
! DNS traffic).  Add "authentication mode eigrp 10 md5" plus an
! "authentication key eigrp 10 ... key-id ..." under Ethernet0/1.
router eigrp 10
 no auto-summary
 network 192.168.0.0 255.255.255.0
!
! Default route to the ISP next hop.
route outside 0.0.0.0 0.0.0.0 216.x.x.x
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
! "timeout conn 0:00:00" disables the idle timeout for ALL TCP connections
! (platform default 1:00:00).  Idle flows then only leave the connection
! table when torn down cleanly, so half-dead sessions accumulate.  The
! per-class "set connection timeout idle" in global_policy already covers
! SSH; NOTE(review): restore the default here unless a specific long-lived
! flow is known to need it.
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
! RADIUS for VPN user authentication (shared secret masked on output).
! Every tunnel-group below lists "company LOCAL", so if the RADIUS server is
! unreachable the ASA falls back to the local user database - make sure the
! local accounts are as strong as the RADIUS ones.
aaa-server company protocol radius
aaa-server company (inside) host 192.168.5.x
 key *
 radius-common-pw *
user-identity default-domain LOCAL
! Admin SSH authenticates against the local database only (not RADIUS).
aaa authentication ssh console LOCAL
! ASDM (HTTPS) is enabled and reachable from the management net and from
! the whole of 192.168.0.0/16 via "inside".  Because "management-access
! inside" is set further down, remote-access VPN clients (pool
! 192.168.0.101-254) also match the second line and can reach ASDM;
! narrow it to the admin subnet or hosts.
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
! Accept plain HTTP on the outside interface only to redirect to HTTPS
! (WebVPN / AnyConnect portal).  This is one more port listening on the
! Internet side; drop it if users can be told to type https://.
http redirect outside 80
! Traps are enabled but no snmp-server host or community is configured in
! this paste, so nothing is actually sent.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  164. crypto ipsec fragmentation after-encryption outside
  165. crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  166. crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  167. crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  168. crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  169. crypto map DC_VPN_MAP 1 match address DC_VPN_TRAFFIC
  170. crypto map DC_VPN_MAP 1 set pfs
  171. crypto map DC_VPN_MAP 1 set peer 204.x.x.x
  172. crypto map DC_VPN_MAP 1 set ikev1 transform-set ESP-3DES-SHA
  173. crypto map DC_VPN_MAP 1 set security-association lifetime seconds 2147483647
  174. crypto map DC_VPN_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  175. crypto map DC_VPN_MAP interface outside
! Telnet: a timeout is set but there is no "telnet <net> <if>" line, so
! telnet administration is not reachable (keep it that way).
telnet timeout 5
! SSH v2 only.  No "ssh <net> <if>" line appears in this paste either, so
! unless it was trimmed, SSH to the ASA is not permitted from anywhere and
! the "aaa authentication ssh console LOCAL" line above has no effect.
ssh timeout 60
ssh version 2
! Serial console never times out; set a value so an unattended session
! cannot be picked up by whoever has physical access.
console timeout 0
! Lets VPN clients manage the ASA via the "inside" interface address.  This
! is what extends the "http 192.168.0.0/16 inside" ASDM permission to the
! remote-access pool.
management-access inside
! DHCP for the LAN: .20-.100; the remote-access pool uses .101-.254 of the
! same /24, so the two ranges do not overlap.
dhcpd address 192.168.0.20-192.168.0.100 inside
dhcpd dns 192.168.5.x interface inside
dhcpd wins 192.168.5.x interface inside
dhcpd ping_timeout 20 interface inside
dhcpd domain internal.example.com interface inside
dhcpd enable inside
!
! DHCP on the management port too: anything plugged into Management0/0 gets
! an address inside the ASDM-permitted 192.168.1.0/24.  Physically protect
! that port or disable this scope.
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
! Single, unauthenticated NTP source over the Internet.  Time feeds
! certificate validity checks and log timestamps; add "ntp authenticate"
! with a key, or point at an internal source.
ntp server 91.189.94.4 source outside prefer
! Certificate presented on 443 for AnyConnect / WebVPN.  The trustpoint
! itself (crypto ca trustpoint anyconnect_trustpoint) is not in this paste;
! check whether it is self-signed or CA-issued, since clients will be
! trained to click through warnings otherwise.
ssl trust-point anyconnect_trustpoint outside
! WebVPN / AnyConnect listener on the Internet side (TCP 443, plus the
! port-80 redirect above).  "tunnel-group-list enable" shows the group-alias
! drop-down on the portal, which discloses the configured aliases to anyone
! who browses to it.  AnyConnect 2.5.x is an old client branch; check it
! against current Cisco advisories before leaving it in service.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
  201. group-policy DefaultRAGroup internal
  202. group-policy DefaultRAGroup attributes
  203. wins-server value 192.168.5.x
  204. dns-server value 192.168.5.x
  205. vpn-tunnel-protocol ikev1 ikev2 ssl-client
  206. password-storage enable
  207. split-tunnel-network-list value split_tunnel
  208. default-domain value internal.example.com
  209. group-policy DfltGrpPolicy attributes
  210. dns-server value 8.8.8.8
  211. password-storage enable
  212. split-tunnel-policy tunnelspecified
  213. split-tunnel-network-list value split_tunnel
  214. default-domain value internal.example.com
  215. group-policy company internal
  216. group-policy company attributes
  217. wins-server value 192.168.5.x
  218. dns-server value 192.168.5.x
  219. vpn-tunnel-protocol ikev1
  220. password-storage enable
  221. split-tunnel-network-list value split_tunnel
  222. default-domain value internal.example.com
  223. group-policy GroupPolicy_company_anyconnect internal
  224. group-policy GroupPolicy_company_anyconnect attributes
  225. wins-server value 192.168.5.x
  226. dns-server value 192.168.5.x
  227. vpn-tunnel-protocol ikev2 ssl-client
  228. password-storage enable
  229. split-tunnel-network-list value split_tunnel
  230. default-domain value internal.example.com
  231. webvpn
  232. anyconnect profiles value company_anyconnect_client_profile type user
! ---- Tunnel groups (connection profiles) ----
! All groups authenticate users against RADIUS "company" with LOCAL
! fallback; the "(inside)" form is the same server-group bound to the
! interface it is reached through.
!
! DefaultRAGroup: catch-all for IPsec IKEv1 clients that do not name a
! group.  It carries a pre-shared key and ppp / MS-CHAPv2 attributes, which
! only matter for L2TP/IPsec - but its group policy does not list
! l2tp-ipsec in vpn-tunnel-protocol.  NOTE(review): either this is a
! half-finished L2TP setup or the PSK here is an unneeded extra group
! credential; confirm which and remove what is not used.
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_pool
 authentication-server-group company LOCAL
 authentication-server-group (inside) company LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
! DefaultWEBVPNGroup: the profile used when an SSL client selects no alias.
! It authenticates users like the others but has no explicit group policy,
! so it inherits DfltGrpPolicy (8.8.8.8 DNS, default tunnel protocols).
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group company LOCAL
 authentication-server-group (inside) company LOCAL
! AnyConnect (IKEv2 / SSL) profile; the alias is what appears in the portal
! drop-down.
tunnel-group company_anyconnect type remote-access
tunnel-group company_anyconnect general-attributes
 address-pool vpn_pool
 authentication-server-group company LOCAL
 authentication-server-group (inside) company LOCAL
 default-group-policy GroupPolicy_company_anyconnect
tunnel-group company_anyconnect webvpn-attributes
 group-alias company_anyconnect enable
! Legacy IPsec IKEv1 client profile, group-authenticated with a PSK.  A
! group PSK is shared by every user of the profile; prefer certificates (or
! the AnyConnect profile) and rotate the key whenever someone leaves.
tunnel-group company type remote-access
tunnel-group company general-attributes
 address-pool vpn_pool
 authentication-server-group company LOCAL
 authentication-server-group (inside) company LOCAL
 default-group-policy company
tunnel-group company ipsec-attributes
 ikev1 pre-shared-key *****
! Site-to-site to the data centre.  For IKEv1 with a PSK the tunnel-group
! must be named after the peer address, which is the 204.x.x.x entry;
! "tunnel-group DC_VPN" is never matched and can be deleted.
tunnel-group DC_VPN type ipsec-l2l
tunnel-group 204.x.x.x type ipsec-l2l
tunnel-group 204.x.x.x ipsec-attributes
 ikev1 pre-shared-key *
  265. !
! Matches any TCP/22 flow through the ASA, in either direction.
class-map CLASS_MAP_SSH
 match port tcp eq ssh
class-map inspection_default
 match default-inspection-traffic
!
!
! DNS inspection: cap message size ("client auto" honours the EDNS0 size
! advertised by the client, otherwise 512 bytes).
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
! SSH flows: TCP initial-sequence-number randomisation is turned off (the
! ASA normally rewrites ISNs to protect hosts with predictable ones), the
! flows never idle out, and the TTL is decremented so the ASA shows up in
! traceroute.  Disabling ISN randomisation is normally only needed for
! TCP-MD5 (BGP), not SSH - NOTE(review): confirm why it is here or remove it.
 class CLASS_MAP_SSH
  set connection random-sequence-number disable
  set connection timeout idle 0:00:00
  set connection decrement-ttl
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
! Master-passphrase (AES) encryption of stored shared secrets - RADIUS key,
! PSKs - instead of the reversible legacy format.  Requires a key set with
! "key config-key password-encryption", which is not shown in a running
! config.
password encryption aes
: end