!
! Sanitized PIX 7.0(4) running-config (XXX/YYY values are redaction placeholders).
! Review notes are given as "!" comment lines; the commands themselves are unchanged.
! Several objects referenced below are not defined anywhere in this listing:
! ACLs acl_out, vendor, acl_dmz, outside_nat0_outbound, dmz_nonat; dynamic map
! XO_dyn_map; group-policy remote1; address pool vpn1. They were either stripped
! during sanitization or are genuinely missing - in the latter case the policy on
! the outside, vendornet and dmz interfaces cannot be reviewed from this file.
!
PIX Version 7.0(4)
!
hostname PIX-FW
domain-name XXXX.com
enable password XXXXXXXXXXXXXX encrypted
no names
!
! Interfaces: outside (0) < XO (10) < vendornet (30) < dmz (80) < inside (100).
! Ethernet4 is absent from the listing.
interface Ethernet0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.13.37.1 255.255.254.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif vendornet
 security-level 30
 ip address 172.16.2.1 255.255.255.0
!
interface Ethernet3
 nameif dmz
 security-level 80
 ip address 172.16.1.1 255.255.255.0
!
!
interface Ethernet5
 speed 100
 duplex full
 nameif XO
 security-level 10
 ip address YYY.YYY.YY.YYY 255.255.255.240
!
passwd xxxxxxxxxxxxx encrypted
boot system flash:/pix704.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
! Permits traffic to enter and leave the same interface (hairpinning). Confirm
! this is needed (typically for spoke-to-spoke VPN); otherwise it widens the
! paths available between peers behind one interface.
same-security-traffic permit intra-interface
!
! acl_in (applied inbound on inside): only ssh from 10.13.37.245 ("armada") to
! 10.2.12.202 and ICMP toward the remote site; everything else from inside is
! implicitly denied.
access-list acl_in remark armada ssh
access-list acl_in extended permit tcp host 10.13.37.245 host 10.2.12.202
access-list acl_in remark ping inside
! NOTE(review): mask 255.255.255.192 here covers only 10.2.0.0/26, while every
! other rule for the remote site uses 255.255.192.0 (/18). Looks like a typo -
! confirm the intended scope.
access-list acl_in extended permit icmp 10.13.36.0 255.255.254.0 10.2.0.0 255.255.255.192
! NAT exemption for site-to-site traffic; matches the first XO_cryptomap_40_1 entry.
access-list nonat extended permit ip 10.13.36.0 255.255.254.0 10.2.0.0 255.255.192.0
! Interesting traffic for crypto map XO_map 40: inside, outside subnet and
! vendornet toward 10.2.0.0/18.
access-list XO_cryptomap_40_1 extended permit ip 10.13.36.0 255.255.254.0 10.2.0.0 255.255.192.0
access-list XO_cryptomap_40_1 extended permit ip XXX.XXX.XXX.0 255.255.255.0 10.2.0.0 255.255.192.0
access-list XO_cryptomap_40_1 extended permit ip 172.16.2.0 255.255.255.0 10.2.0.0 255.255.192.0
! XO_access_in (applied inbound on XO).
access-list XO_access_in extended permit icmp 10.2.0.0 255.255.192.0 10.13.36.0 255.255.254.0
access-list XO_access_in remark allow from any ssh to armada
! NOTE(review): "eq ssh" follows the SOURCE host, so this entry matches packets
! with source port 22 from 10.2.12.202 to ANY port on 10.13.37.245 - not ssh to
! armada as the remark says. Return traffic is already handled by the stateful
! engine; if inbound ssh is intended, the port qualifier belongs after the
! destination host (see the equivalent UK-ACL line below).
access-list XO_access_in extended permit tcp host 10.2.12.202 eq ssh host 10.13.37.245
!
! UK-ACL is used as a vpn-filter (group-policy UK_POLICY). For vpn-filter ACLs
! the source side is the remote (tunnel) side and the destination the local side,
! and the filter is applied in both directions. The first two entries below name
! the local network 10.13.36.0/23 as source - verify the direction is what was
! intended.
access-list UK-ACL remark allow ICMP
access-list UK-ACL extended permit icmp 10.13.36.0 255.255.254.0 10.2.0.0 255.255.192.0
access-list UK-ACL remark from armada
access-list UK-ACL extended permit tcp host 10.13.37.245 host 10.2.12.202 eq ssh
access-list UK-ACL remark allow all to armada
access-list UK-ACL extended permit tcp host 10.2.12.202 host 10.13.37.245
! Explicit deny covers TCP only; UDP and other protocols fall to the implicit
! deny at the end of the list, which behaves the same but is not logged as a hit
! on a named entry.
access-list UK-ACL extended deny tcp any any
pager lines 20
logging enable
logging timestamp
! Only severity 4 (warnings) and above reach the three syslog hosts; level-6
! informational messages (e.g. connection build/teardown) are not exported.
logging trap warnings
logging host inside 10.13.37.202
logging host inside 10.13.37.125
logging host inside 10.13.37.196
mtu outside 1500
mtu inside 1500
mtu vendornet 1500
mtu dmz 1500
mtu XO 1500
no failover
monitor-interface outside
monitor-interface inside
arp timeout 14400
! NOTE(review): the only global pool is id 5, but the inside dynamic NAT rule
! uses id 4. Unless a "global (...) 4" line was dropped from this listing, inside
! hosts that do not match the nonat exemption have no translation to the outside.
global (outside) 5 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list nonat
nat (inside) 4 10.13.36.0 255.255.254.0
nat (dmz) 0 access-list dmz_nonat
! acl_out, vendor and acl_dmz are not present in this listing (see header note).
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group vendor in interface vendornet
access-group acl_dmz in interface dmz
access-group XO_access_in in interface XO
! Remote site 10.2.0.0/18 is routed out XO toward the IPsec peer.
route XO 10.2.0.0 255.255.192.0 YYY.YYY.YYY.YYY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
! Both AAA server groups are declared without any server hosts, and no
! "aaa authentication ssh/http console" line appears, so management logins
! appear to rely on the shared device passwd rather than per-user credentials -
! confirm, and prefer per-user AAA for SSH/HTTP management.
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
! UK_POLICY differs from the default policy only in its vpn-filter (UK-ACL);
! PFS is disabled for the site-to-site tunnel.
group-policy UK_POLICY internal
group-policy UK_POLICY attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value UK-ACL
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
! Management plane: HTTP (ASDM) and SSH are limited to specific inside hosts;
! no "telnet <host>" permit lines exist, so telnet is not reachable.
http server enable
http 10.13.37.125 255.255.255.255 inside
http 10.13.37.126 255.255.255.255 inside
http 10.13.37.123 255.255.255.255 inside
! IPsec: 3DES with MD5-HMAC ("avalanche") is what crypto map entry 40 uses;
! ESP-3DES-SHA is defined but not referenced by any map entry in this listing.
! 3DES and MD5 are below current guidance - move to AES/SHA-2 when the peer
! supports it.
crypto ipsec transform-set avalanche esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map XO_map 40 match address XO_cryptomap_40_1
crypto map XO_map 40 set peer YYY.YYY.YYY.YYY
crypto map XO_map 40 set transform-set avalanche
! XO_dyn_map is not defined in this listing.
crypto map XO_map 65535 ipsec-isakmp dynamic XO_dyn_map
crypto map XO_map interface XO
isakmp identity address
! ISAKMP is enabled on outside although no crypto map is bound to that interface;
! the only map (XO_map) is on XO. Disable it on outside unless a remote-access
! map is expected there.
isakmp enable outside
isakmp enable XO
! IKE phase 1: all three policies are pre-shared/3DES. Policy 20 offers DH group 1
! (768-bit MODP), which is far below current guidance and should be removed unless
! a peer strictly requires it; prefer group 2 or stronger and SHA over MD5.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp nat-traversal 20
! Remote-access tunnel group: the address pool vpn1 and group-policy remote1 it
! references are not defined here, and its ipsec-attributes section is empty
! (pre-shared keys are normally hidden in "show run"; confirm one is set).
tunnel-group remote1 type ipsec-ra
tunnel-group remote1 general-attributes
 address-pool (outside) vpn1
 address-pool vpn1
 default-group-policy remote1
tunnel-group remote1 ipsec-attributes
! Site-to-site tunnel group for the XO peer, using UK_POLICY (vpn-filter UK-ACL).
! The ipsec-attributes line names "XXX.XXX.XXX" rather than "XXX.XXX.XXX.XXX";
! most likely a sanitization artifact - confirm both lines refer to the same peer.
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
 default-group-policy UK_POLICY
tunnel-group XXX.XXX.XXX ipsec-attributes
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.13.37.125 255.255.255.255 inside
ssh 10.13.37.126 255.255.255.255 inside
ssh timeout 20
! Console sessions never time out.
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
! Default application inspection set plus DNS length limiting (512 bytes).
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
: end