> show running-config
: Saved
:
: Serial Number: FCH1xxxxx
: Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
NGFW Version 6.2.3.7
!
hostname ciscoasa
enable password $sha512$5000$CcwTrZ47wvSugb0ul1f+aA==$7fmgPMd2HFXZQ6cht1AHXg== pbkdf2
names
ip local pool VPN-Pool 192.168.100.10-192.168.100.20 mask 255.255.255.0

!
interface GigabitEthernet0/0
 description Outside REN Interface
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 129.x.x.x 255.255.255.224
!
interface GigabitEthernet0/1
 description Inside LAN Network Default GW
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 10.100.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Fake Public Interface for testing
 nameif fake_public_nccoe
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 129.6.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 description .2 subnet
 nameif management-network
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 10.100.2.1 255.255.255.0
!
interface GigabitEthernet0/4
 description DMZ Default GW interface
 nameif dmz
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 10.100.1.1 255.255.255.0
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/os.img
ftp mode passive
ngips conn-match vlan-id
object network IPv4-Private-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0
object network DMZ-Network
 subnet 10.100.1.0 255.255.255.0
 description ICS Lab DMZ Network
object network Testbed-LAN-Network
 subnet 10.100.0.0 255.255.255.0
object network PCS-Historian-Host
 host 172.16.2.4
 description Historian Physical system Windows 7 system
object network PCS-HistorianVM
 host 172.16.2.14
 description Windows 2008 VM in PCS
object network PI-Server-DMZ
 host 10.100.1.4
 description PI Server in DMZ Network
object network PCS-Network
 subnet 172.16.0.0 255.255.252.0
 description Process Control Network Subnet
object network LAN-AD01-DNS-Server
 host 10.100.0.17
object network CRS-NAT-IP
 host 10.100.0.20
 description Robotics NAT IP
object network Veeam
 host 10.100.0.10
 description Veeam.lan.lab
object network Hyper-VServers
 range 10.100.2.2 10.100.2.13
 description Hyper-V hosts
object network Esxi-Host.mgmt
 host 10.100.2.9
object network SymantecMgr
 host 10.100.0.5
object network Graylog
 host 10.100.0.14
 description Graylog
object network VPN-Pool
 range 192.168.100.10 192.168.100.20
 description VPN DHCP Pool
object network PCS-Workstation
 host 172.16.3.10
object network PCS-HMI
 host 172.16.1.4
object-group service RDP-Windows tcp
 port-object eq 3389
object-group service SSH tcp
 port-object eq ssh
object-group service PI-to-PI tcp
 port-object eq 5450
object-group service TCP_high_ports tcp
 port-object range 1021 65535
object-group network PCS-Historian
 description PCS-Historian servers
 network-object object PCS-Historian-Host
 network-object object PCS-HistorianVM
object-group network FMC_INLINE_src_rule_268434433
 description Auto Generated by FMC from src of UnifiedNGFWRule# 1 (AC-Policy/mandatory)
 network-object object Testbed-LAN-Network
 network-object object PCS-Network
object-group service DNS_over_UDP udp
 port-object eq domain
object-group service PI-Connector tcp
 port-object eq 5460
object-group service PI-DCM tcp
 port-object eq 5461
object-group service NetBIOS-UDP udp
 port-object range 135 139
object-group service Veeam-Installer-Ports tcp
 port-object range 6160 6163
object-group service SMB-Windows tcp-udp
 port-object eq 445
object-group service NetBIOS-TCP tcp
 port-object range 135 netbios-ssn
object-group service Veeam-channel-ports tcp
 port-object range 2500 5000
object-group network FMC_INLINE_dst_rule_268435458
 description Auto Generated by FMC from dst of UnifiedNGFWRule# 7 (AC-Policy/mandatory)
 network-object object Hyper-VServers
 network-object object Esxi-Host.mgmt
object-group service HTTPS tcp
 port-object eq https
object-group network FMC_INLINE_src_rule_268436480
 description Auto Generated by FMC from src of UnifiedNGFWRule# 8 (AC-Policy/mandatory)
 network-object object Hyper-VServers
 network-object object Esxi-Host.mgmt
object-group service Symantec tcp
 port-object eq 8014
object-group service HTTP tcp
 port-object eq www
object-group service SYSLOG udp
 port-object eq syslog
object-group network FMC_INLINE_dst_rule_268438528
 description Auto Generated by FMC from dst of UnifiedNGFWRule# 13 (AC-Policy/mandatory)
 network-object object PCS-Workstation
 network-object object PCS-HMI
access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Pol
access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit udp any eq 3544 any range 1025 65535 rule-id 9998
access-list CSM_FW_ACL_ advanced permit udp any range 1025 65535 any eq 3544 rule-id 9998
access-list CSM_FW_ACL_ remark rule-id 268434433: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Allow-SSH-RDP-DMZ
access-list CSM_FW_ACL_ advanced permit tcp object-group FMC_INLINE_src_rule_268434433 object le-id 268434433
access-list CSM_FW_ACL_ advanced permit tcp object-group FMC_INLINE_src_rule_268434433 object ndows rule-id 268434433
access-list CSM_FW_ACL_ advanced permit icmp object-group FMC_INLINE_src_rule_268434433 object
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: PI-To-PI
access-list CSM_FW_ACL_ advanced permit tcp object-group PCS-Historian object-group TCP_high_pt-group PI-to-PI rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434436: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434436: L7 RULE: PI-to-PI-PCS
access-list CSM_FW_ACL_ advanced permit tcp object PI-Server-DMZ object-group TCP_high_ports ot-group PI-to-PI rule-id 268434436
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: CRS-PI-PI
access-list CSM_FW_ACL_ advanced permit tcp object CRS-NAT-IP object-group TCP_high_ports objed 268435456
access-list CSM_FW_ACL_ advanced permit tcp object CRS-NAT-IP object-group TCP_high_ports objed 268435456
access-list CSM_FW_ACL_ advanced permit tcp object CRS-NAT-IP object-group TCP_high_ports objeI-Connector rule-id 268435456
access-list CSM_FW_ACL_ advanced permit tcp object CRS-NAT-IP object-group TCP_high_ports objeI-DCM rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268435457: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435457: L7 RULE: CRS-PI-To-PI-2
access-list CSM_FW_ACL_ advanced permit tcp object PI-Server-DMZ object-group TCP_high_ports od 268435457
access-list CSM_FW_ACL_ advanced permit tcp object PI-Server-DMZ object-group TCP_high_ports oI-to-PI rule-id 268435457
access-list CSM_FW_ACL_ remark rule-id 268434438: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434438: L7 RULE: Allow-DNS-DMZ
access-list CSM_FW_ACL_ advanced permit udp object DMZ-Network object LAN-AD01-DNS-Server obje68434438
access-list CSM_FW_ACL_ remark rule-id 268435458: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435458: L7 RULE: Veeam-Mgmt-Hosts
access-list CSM_FW_ACL_ advanced permit icmp object Veeam object-group FMC_INLINE_dst_rule_268
access-list CSM_FW_ACL_ advanced permit tcp object Veeam object-group FMC_INLINE_dst_rule_2684ts rule-id 268435458
access-list CSM_FW_ACL_ advanced permit tcp object Veeam object-group FMC_INLINE_dst_rule_2684l-ports rule-id 268435458
access-list CSM_FW_ACL_ advanced permit tcp object Veeam object-group FMC_INLINE_dst_rule_2684rule-id 268435458
access-list CSM_FW_ACL_ advanced permit udp object Veeam object-group FMC_INLINE_dst_rule_2684rule-id 268435458
access-list CSM_FW_ACL_ advanced permit tcp object Veeam object-group FMC_INLINE_dst_rule_2684rule-id 268435458
access-list CSM_FW_ACL_ advanced permit udp object Veeam object-group FMC_INLINE_dst_rule_2684rule-id 268435458
access-list CSM_FW_ACL_ advanced permit tcp object Veeam object-group FMC_INLINE_dst_rule_2684ler-Ports rule-id 268435458
access-list CSM_FW_ACL_ advanced permit tcp object Veeam object-group FMC_INLINE_dst_rule_2684d 268435458
access-list CSM_FW_ACL_ advanced permit tcp object Veeam object-group FMC_INLINE_dst_rule_2684
access-list CSM_FW_ACL_ remark rule-id 268436480: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436480: L7 RULE: HyperV-Hosts-Veeam
access-list CSM_FW_ACL_ advanced permit icmp object-group FMC_INLINE_src_rule_268436480 object
access-list CSM_FW_ACL_ advanced permit tcp object-group FMC_INLINE_src_rule_268436480 object l-ports rule-id 268436480
access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434434: L7 RULE: Internet-Access
access-list CSM_FW_ACL_ advanced permit ip ifc inside any ifc outside any rule-id 268434434
access-list CSM_FW_ACL_ remark rule-id 268437504: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268437504: L7 RULE: Symantec-DMZ-1
access-list CSM_FW_ACL_ advanced permit tcp object SymantecMgr object PI-Server-DMZ object-gro4
access-list CSM_FW_ACL_ advanced permit udp object SymantecMgr object PI-Server-DMZ object-gro4
access-list CSM_FW_ACL_ advanced permit tcp object SymantecMgr object PI-Server-DMZ eq 445 rul
access-list CSM_FW_ACL_ advanced permit tcp object SymantecMgr object PI-Server-DMZ object-gro
access-list CSM_FW_ACL_ remark rule-id 268437505: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268437505: L7 RULE: Symantec-DMZ-2
access-list CSM_FW_ACL_ advanced permit tcp object PI-Server-DMZ object SymantecMgr object-gro
access-list CSM_FW_ACL_ advanced permit tcp object PI-Server-DMZ object SymantecMgr object-gro
access-list CSM_FW_ACL_ advanced permit tcp object PI-Server-DMZ object SymantecMgr object-gro
access-list CSM_FW_ACL_ remark rule-id 268437506: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268437506: L7 RULE: DMZ-Syslog
access-list CSM_FW_ACL_ advanced permit udp object PI-Server-DMZ object Graylog object-group S
access-list CSM_FW_ACL_ remark rule-id 268438528: ACCESS POLICY: AC-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268438528: L7 RULE: VPN-Rule
access-list CSM_FW_ACL_ advanced permit tcp ifc fake_public_nccoe object VPN-Pool ifc inside o_268438528 object-group RDP-Windows rule-id 268438528
access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: AC-Policy - Default
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 18 allow
  tcp-options range 20 255 allow
  urgent-flag allow
!
no pager
logging enable
logging emblem
logging list MANAGER_VPN_EVENT_LIST level errors class auth
logging list MANAGER_VPN_EVENT_LIST level errors class vpn
logging list MANAGER_VPN_EVENT_LIST level errors class vpnc
logging list MANAGER_VPN_EVENT_LIST level errors class vpnfo
logging list MANAGER_VPN_EVENT_LIST level errors class vpnlb
logging list MANAGER_VPN_EVENT_LIST level errors class webfo
logging list MANAGER_VPN_EVENT_LIST level errors class webvpn
logging list MANAGER_VPN_EVENT_LIST level errors class ca
logging list MANAGER_VPN_EVENT_LIST level errors class svc
logging list MANAGER_VPN_EVENT_LIST level errors class ssl
logging list MANAGER_VPN_EVENT_LIST level errors class dap
logging list MANAGER_VPN_EVENT_LIST level errors class ipaa
logging trap alerts
logging FMC MANAGER_VPN_EVENT_LIST
logging device-id hostname
logging host inside 10.100.0.14 format emblem
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
logging permit-hostdown
logging class auth trap informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu fake_public_nccoe 1500
mtu management-network 1500
mtu dmz 1500
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,fake_public_nccoe) source static PCS-Network PCS-Network destination static VPN-Po
!
object network IPv4-Private-10.0.0.0-8
 nat (inside,outside) dynamic interface
access-group CSM_FW_ACL_ global
route outside 0.0.0.0 0.0.0.0 129.6.66.94 1
route inside 172.16.0.0 255.255.252.0 10.100.0.40 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server Mgmt-Radius protocol radius
aaa-server Mgmt-Radius host 10.100.2.3
 key *****
 authentication-port 1812
 accounting-port 1813
user-identity default-domain LOCAL
aaa proxy-limit disable
aaa authentication login-history
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint Self-Signed
 enrollment self
 subject-name CN=Westman Chemicals
 keypair
 crl configure
crypto ca trustpool policy
crypto ca certificate chain Self-Signed
 certificate 857bb45c
    308202e6 308201ce a0030201 02020485 7bb45c30 0d06092a 864886f7 0d01010b
    05003035 311a3018 06035504 03131157 6573746d 616e2043 68656d69 63616c73
    31173015 06092a86 4886f70d 01090216 08636973 636f6173 61301e17 0d313930
    34313732 31303032 375a170d 32393034 31343231 30303237 5a303531 1a301806
    03550403 13115765 73746d61 6e204368 656d6963 616c7331 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 30820122 300d0609 2a864886 f70d0101
    01050003 82010f00 3082010a 02820101 00a88a0e 92e7f8d8 296cadae 61371374
    b747bc55 6c7f01a1 3572cb64 42a41544 a8d65a52 692a87ec 3497130f e883055a
    ff8f5d08 42961991 ac641e22 2898b149 7b14b7fa fc0358fe ba1d0671 66115e01
    f8b86156 f8c64180 6fd0d68e 52c2d5ee 027e515c 680dbf94 3e44360d 6e1f92f7
    c8285a60 91671a8a 2c527599 00e7988c 3dbb543f 8ff9156c 493d3533 3dc2fdf7
    f8c1db45 9347ffb8 3dd454ad 7eaae0fb 283197a7 bc591a6c edcf0895 33130aa9
    95b5dfde 269c3c10 5550f226 66adcd05 6ef09915 69fc6393 8d470618 720546cb
    91cdb0ff fe7f255c 2cdd647e 393d5086 5fed339e 09ec613c cf31dac9 62e09151
    54d26b46 1f87d737 9b73f15e 45a96c6b 37020301 0001300d 06092a86 4886f70d
    01010b05 00038201 01001e61 20824765 e5d66e1c a66cab3a 6622481d 22a5b9f7
    6878a912 dfa1f5a4 d3527582 e1de5cc3 a8feac77 e8c79739 3e01ba5b 9a649a99
    bec9ff24 0e258c11 39f2f053 275067ef 184894d4 36d934e7 e6ce8aa8 5aece4ff
    2ae67d78 5024acfe c858ca30 37d171bd 41aa51e4 80753f5c 0e64a644 b7153b78
    264ba695 b81254db 55b975a8 7412835c 4075e650 d56d9772 7f5303d9 a53d0576
    d93a8008 10b0a630 97e7afd7 4946c2bb 76556030 84dde1e0 d7bcf45d 58b63d32
    7194fac5 e094a262 c0f08dea fb383302 4cf865fb a8ce8d07 37875150 0e4f3ea9
    16542f10 6a6c3def 4a76fe05 b6d90559 8ed3528b 38810102 7f80df21 818d1d57
    37abd55a 7d96cc6b 610f
  quit
telnet timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point Self-Signed
webvpn
 enable fake_public_nccoe
 anyconnect image disk0:/csm/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1 regex "Windows"
 anyconnect image disk0:/csm/anyconnect-linux64-4.6.04056-webdeploy-k9.pkg 2 regex "Linux"
 anyconnect enable
 tunnel-group-list enable
 cache
  no disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 15
 vpn-tunnel-protocol ikev2 ssl-client
 user-authentication-idle-timeout none
 webvpn
  anyconnect keep-installer none
  anyconnect modules value dart
  anyconnect ask none default anyconnect
  http-comp none
  activex-relay disable
  file-entry disable
  file-browsing disable
  url-entry disable
  deny-message none
dynamic-access-policy-record DfltAccessPolicy
tunnel-group AnyconnectRemoteAccessVPN type remote-access
tunnel-group AnyconnectRemoteAccessVPN general-attributes
 address-pool VPN-Pool
 authentication-server-group Mgmt-Radius
tunnel-group AnyconnectRemoteAccessVPN webvpn-attributes
 group-alias AnyconnectRemoteAccessVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
smtp-server 129.6.x.x
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
Cryptochecksum:124bf484ca4adbbe8e2dfb2efc4e4465
: end