ASA Version 9.1(6)8
!
hostname CD-MON-FW01
names
!
interface Ethernet0/0
 description Internet Interface
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.75 255.255.255.0 standby 192.168.1.76
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 172.17.1.1 255.255.255.0
!
interface Ethernet0/1.56
 description Interface for Monaghan
 vlan 56
 nameif MonOffice
 security-level 100
 ip address 172.17.56.1 255.255.255.0
!
interface Ethernet0/1.60
 vlan 60
 nameif Keyfob
 security-level 100
!
interface Ethernet0/1.62
 description Interface for VoIP System
 vlan 62
 nameif VoIP
 security-level 90
 ip address 172.17.62.1 255.255.255.128
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
ftp mode passive
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns domain-lookup MonOffice
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 172.16.0.50
 domain-name #####
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DefaultRout
 subnet 0.0.0.0 0.0.0.0
object network BelNetwork
 subnet 172.16.0.0 255.255.0.0
object network MonNetwork
 subnet 172.17.0.0 255.255.0.0
access-list TO-BEL-CD extended permit ip object MonNetwork object BelNetwork
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
logging debug-trace
logging flash-bufferwrap
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MonOffice 1500
mtu Keyfob 1500
mtu VoIP 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface folink Ethernet0/2
failover key *****
failover link sflink Ethernet0/3
failover interface ip folink 192.168.2.2 255.255.255.0 standby 192.168.2.3
failover interface ip sflink 192.168.4.1 255.255.255.0 standby 192.168.4.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.16.1.0 255.255.255.0 INSIDE
icmp permit 172.16.56.0 255.255.255.0 INSIDE
icmp permit 172.16.56.0 255.255.255.0 MonOffice
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (MonOffice,OUTSIDE) source dynamic any interface
nat (VoIP,OUTSIDE) source dynamic any interface
nat (INSIDE,OUTSIDE) source dynamic any interface
nat (MonOffice,any) source static MonNetwork MonNetwork destination static BelNetwork BelNetwork no-proxy-arp route-lookup
nat (INSIDE,any) source static MonNetwork MonNetwork destination static BelNetwork BelNetwork no-proxy-arp route-lookup
nat (Keyfob,any) source static MonNetwork MonNetwork destination static BelNetwork BelNetwork no-proxy-arp route-lookup
nat (VoIP,any) source static MonNetwork MonNetwork destination static BelNetwork BelNetwork no-proxy-arp route-lookup
access-group MonOffice_access_in in interface MonOffice
access-group Keyfob_access_in in interface Keyfob
access-group VoIP_access_in in interface VoIP
route INSIDE 172.16.50.0 255.255.254.0 172.16.1.15 1
route INSIDE 172.16.64.0 255.255.254.0 172.16.1.15 1
route INSIDE 192.168.3.0 255.255.255.0 172.16.1.15 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 management
http 172.16.56.0 255.255.255.0 MonOffice
http 172.16.56.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp OUTSIDE
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map CasedD 1 match address TO-BEL-CD
crypto map CasedD 1 set pfs group1
crypto map CasedD 1 set peer 192.168.1.50
crypto map CasedD 1 set ikev2 ipsec-proposal AES256
crypto map CasedD interface OUTSIDE
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
telnet timeout 5
no ssh stricthostkeycheck
ssh 172.16.56.0 255.255.255.0 INSIDE
ssh 172.16.1.0 255.255.255.0 INSIDE
ssh 172.16.56.0 255.255.255.0 MonOffice
ssh 10.0.0.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.17.1.20-172.17.1.22 INSIDE
dhcpd dns 8.8.8.8 interface INSIDE
dhcpd enable INSIDE
!
dhcpd address 172.17.56.50-172.17.56.200 MonOffice
dhcpd dns 172.16.0.50 8.8.8.8 interface MonOffice
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 23.99.222.162 prefer
webvpn
 anyconnect-essentials
tunnel-group 192.168.1.50 type ipsec-l2l
tunnel-group 192.168.1.50 ipsec-attributes
 isakmp keepalive threshold 20 retry 10
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
class-map IPS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map MonOffice-policy
 class IPS
  ips inline fail-open
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map global-policy
 class global-class
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ip-options
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
policy-map INSIDE-policy
 class IPS
  ips inline fail-open
!
service-policy global_policy global
service-policy INSIDE-policy interface INSIDE
service-policy MonOffice-policy interface MonOffice
prompt hostname priority state
no call-home reporting anonymous