asa1# show running-config
ASA Version 9.6(3)1
!
hostname asa1
domain-name lab.local
enable password *password* encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool AnyC-Pool 172.17.2.1-172.17.2.126 mask 255.255.255.128
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 nameif dmz
 security-level 50
 ip address 172.18.0.1 255.255.255.0
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 nameif inside
 security-level 100
 ip address 172.16.61.23 255.255.255.0
!
interface Management1/1
 management-only
 nameif management
 security-level 0
 no ip address
!
boot system disk0:/asa963-1-lfbff-k8.SPA
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.56.200 inside
 name-server 172.16.56.201 inside
 domain-name lab.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service ASDM
 service tcp destination eq 8443
 description Spec for ASDM
object network AnyC-Pool
 subnet 172.17.2.0 255.255.255.128
 description Pool for AnyC client
object network FW-Inside
 host 172.16.61.23
object network asa1-local
 subnet 172.16.0.0 255.255.0.0
object network cloud-moln
 subnet 10.206.8.0 255.255.255.0
object network Inside-Net
 subnet 172.16.61.0 255.255.255.0
object network asa1-local2
 subnet 172.17.2.0 255.255.255.128
object service RDP
 service tcp destination eq 3389
object network dmz
 subnet 172.18.0.0 255.255.255.0
object network asa2-local
 subnet 192.168.1.0 255.255.255.0
object-group network azure-networks
 description Azure-Virtual-Netwok
 network-object 10.100.0.0 255.255.255.0
object-group network onprem-networks
 description On-premises Network
 network-object 172.16.72.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object asa1-local
access-list outside_cryptomap extended permit ip object-group onprem-networks object-group azure-networks
access-list inside_access_in extended permit ip any any
access-list Labb-Demo standard permit 172.16.0.0 255.255.0.0
access-list Labb-Demo standard permit 10.89.0.0 255.255.0.0
access-list Labb-Demo standard permit 10.90.0.0 255.255.0.0
access-list Labb-Demo standard permit 192.168.112.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object Inside-Net object cloud-moln
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list outside_cryptomap_65535.65535 extended permit ip object AnyC-Pool object asa1-local
access-list outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_1 object asa2-local
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks no-proxy-arp route-lookup
nat (outside,outside) source dynamic AnyC-Pool interface
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static asa2-local asa2-local no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static asa1-local2 asa1-local2 no-proxy-arp route-lookup
!
object network dmz
 nat (dmz,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 10.89.0.0 255.255.0.0 172.16.61.1 1
route inside 10.90.0.0 255.255.0.0 172.16.61.1 1
route inside 172.16.0.0 255.255.0.0 172.16.61.1 1
route inside 172.17.1.0 255.255.255.0 172.16.61.1 1
route inside 192.168.112.0 255.255.255.0 172.16.61.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host dc01.lab.local
 ldap-base-dn DC=lab,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=asaldap,CN=Managed Service Accounts,DC=lab,DC=local
 sasl-mechanism digest-md5
 server-type microsoft
aaa-server AD-LDAP (inside) host dc02.lab.local
 ldap-base-dn DC=lab,DC=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=asaldap,CN=Managed Service Accounts,DC=lab,DC=local
 sasl-mechanism digest-md5
 server-type auto-detect
aaa-server NPS protocol radius
aaa-server NPS (inside) host vm.lab.local
 key *****
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL auto-enable
aaa authorization http console LOCAL
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs group5
crypto map outside_map0 1 set peer 3.3.3.3
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map0 1 set security-association lifetime seconds 3600
crypto map outside_map0 2 match address outside_cryptomap_3
crypto map outside_map0 2 set peer 2.2.2.2
crypto map outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 keypair ASDM_TrustPoint5
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=vpn.demo.cloud.se
 crl configure
crypto ca trustpoint ASDM_TrustPoint6
 crl configure
crypto ca trustpoint ASDM_TrustPoint7
 crl configure
crypto ca trustpoint ASDM_TrustPoint8
 crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 130.237.211.2 source outside
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint1 dmz
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-macosx-i386-4.3.05017-k9.pkg 3 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-win-4.3.05017-k9.pkg 4 regex "Windows NT"
 anyconnect profiles Labbet disk0:/labbet.xml
 anyconnect profiles Labbet-nosplit disk0:/labbet-nosplit.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 172.16.56.200 172.16.56.201
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value lab.local
group-policy DfltGrpPolicy attributes
 dns-server value 172.16.56.200 172.16.56.201
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Labb-Demo
 default-domain value lab.local
 webvpn
  url-list value Test
  anyconnect profiles value Labbet type user
  anyconnect ask none default anyconnect
group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
 vpn-idle-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_nosp internal
group-policy GroupPolicy_nosp attributes
 wins-server none
 dns-server value 172.16.56.200 172.16.56.201
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value lab.local
 webvpn
  anyconnect profiles value Labbet-nosplit type user
dynamic-access-policy-record DfltAccessPolicy
tunnel-group DefaultRAGroup general-attributes
 address-pool AnyC-Pool
 authentication-server-group NPS
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool AnyC-Pool
 authentication-server-group AD-LDAP
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group nosp type remote-access
tunnel-group nosp general-attributes
 address-pool AnyC-Pool
 authentication-server-group AD-LDAP
 default-group-policy GroupPolicy_nosp
tunnel-group nosp webvpn-attributes
 group-alias nosp disable
 group-url https://1.1.1.2/nosp enable
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy GroupPolicy_2.2.2.2
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
 class global-class
  sfr fail-open monitor-only
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 15
  subscribe-to-alert-group configuration periodic monthly 15
  subscribe-to-alert-group telemetry periodic daily
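The running-config above defines DES, 3DES and MD5 IKEv1 transform-sets and IKEv2 proposals, offers DH groups 1, 2 and 5 in its IKE policies, keeps dh-group1-sha1 as the SSH key exchange and lists DES-CBC, RC4 and MD5 suites in the ssl cipher custom string. Defining a weak transform-set is harmless until a crypto map selects it, so a useful audit flags only the sets and proposals that are actually referenced. The script below is an added example, not part of the running-config or any Cisco tool; it assumes the config is saved one command per line with the one-space indentation that `show running-config` prints, and the choice of which DH groups and algorithms count as weak is mine, not something the page states. SAMPLE_CONFIG is a constructed excerpt of the config above.

```python
"""Audit a Cisco ASA running-config for weak crypto that is actually in use.

Added example; not the page's or Cisco's code. Assumes one command per
line, sub-commands indented by one space (ASA 'show running-config' style).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "check name detail")

# Policy choices for this example (not stated on the page).
WEAK_ENC = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5"}                    # DH groups below 2048 bits
WEAK_SSL_RE = re.compile(r"RC4|DES-CBC|MD5|EXP")

# Constructed excerpt of the running-config on this page.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-DES-MD5
crypto map outside_map0 2 set ikev2 ipsec-proposal AES256 3DES DES
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
ssh key-exchange group dh-group1-sha1
ssl cipher tlsv1.2 custom "AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
"""


def parse_blocks(text):
    """Return [(top_level_command, [sub_commands])] in config order."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit(text):
    """Return a list of Finding for weak settings that are in effect."""
    findings, weak_sets, weak_props = [], set(), set()
    blocks = parse_blocks(text)
    for line, subs in blocks:
        w = line.split()
        if line.startswith("crypto ipsec ikev1 transform-set") and "mode" not in w:
            if set(w[5:]) & (WEAK_ENC | WEAK_HASH):     # name is w[4]
                weak_sets.add(w[4])
        elif line.startswith("crypto ipsec ikev2 ipsec-proposal"):
            if any(set(s.split()) & (WEAK_ENC | WEAK_HASH) for s in subs):
                weak_props.add(w[4])
        elif re.match(r"crypto ikev[12] policy ", line):
            for s in subs:
                t = s.split()
                if t[0] in ("encryption", "hash", "integrity") and set(t[1:]) & (WEAK_ENC | WEAK_HASH):
                    findings.append(Finding("ike-policy", line, s))
                if t[0] == "group" and set(t[1:]) & WEAK_DH:
                    findings.append(Finding("ike-policy", line, s))
        elif line.startswith("ssh key-exchange group") and "dh-group1" in line:
            findings.append(Finding("ssh-kex", "ssh", line))
        elif line.startswith("ssl cipher"):
            m = re.search(r'"([^"]*)"', line)
            for c in (m.group(1).split(":") if m else []):
                if WEAK_SSL_RE.search(c):
                    findings.append(Finding("ssl-cipher", w[2], c))
    # Second pass: report weak sets/proposals only where a crypto map or
    # dynamic-map selects them; an unreferenced definition is noise.
    for line, _ in blocks:
        w = line.split()
        if "set ikev1 transform-set" in line:
            for n in w[w.index("transform-set") + 1:]:
                if n in weak_sets:
                    findings.append(Finding("ikev1-transform-set", n, line))
        elif "set ikev2 ipsec-proposal" in line:
            for n in w[w.index("ipsec-proposal") + 1:]:
                if n in weak_props:
                    findings.append(Finding("ikev2-proposal", n, line))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.check:22} {f.name:30} {f.detail}")
```

Run it against the full config above (saved to a file and passed to audit()) and the dynamic-map line pulls in ESP-3DES-SHA and ESP-DES-SHA for every AnyConnect IKEv1 client, the two crypto map entries select the DES and 3DES IKEv2 proposals and every IKEv2 proposal offers MD5 integrity, which is the kind of finding a glance at the transform-set list alone does not give.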