=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.06.17 19:46:38 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
! NOTE(review): this is a `show run` capture from a PuTTY session (the pager
! artifact `<--- More --->` is still embedded below). It is evidence, not a
! clean config; the `!` review notes here are annotations, not ASA commands.
! NOTE(review): 8.2(2) is a 2010 release and long out of vendor support; any
! finding below should be read against the fact that the platform itself no
! longer receives fixes.
ASA Version 8.2(2)
!
hostname FW1
domain-name company.local
! NOTE(review): the poster masked public IPs, usernames and the VPN PSK but left
! every password hash in place (here and in the `username` lines below). ASA 8.x
! "encrypted" passwords are a fast MD5-based format that cracks quickly offline;
! once this log left the organisation these credentials should be treated as
! compromised and rotated.
enable password i1paLt620PRcbQyA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.192
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
! NOTE(review): PHONE is at security-level 100, the same as inside, and with
! `same-security-traffic permit inter-interface` plus `PHONE_access_in permit ip
! any any` below, any device on the phone ports (E0/4, E0/5) has unrestricted
! access to the inside LAN. A phone VLAN normally needs only DHCP/TFTP/DNS and
! the call-control/media ports towards its servers; confirm and tighten.
interface Vlan10
 description IP Phones
 nameif PHONE
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,10
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
! NOTE(review): E0/6 is a second port in the outside VLAN (2). Confirm this is
! intentional (e.g. a second WAN device); anything patched here sits on the
! untrusted side of the firewall.
interface Ethernet0/6
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server *.*.*.*
 domain-name company.local
! NOTE(review): intra-interface hairpinning is only needed if VPN clients must
! reach each other or the Internet via the ASA; with `split-tunnel-policy
! tunnelspecified` below that is not obviously required. Confirm or remove.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! NOTE(review): neither object-group RDP nor Blackberry is referenced anywhere in
! the visible config (the ACLs use the literal port 3101); dead objects invite
! accidental reuse. Same for `Common_splitTunnelAcl_1` and `inside_nat` below.
object-group service RDP tcp
 port-object eq 3389
object-group service Blackberry tcp
 port-object eq 3101
! NOTE(review): inbound ICMP of every type from any source is permitted through
! the box. Together with the full 1:1 static for 192.168.1.15 below this makes
! that host fully ICMP-reachable (and mappable) from the Internet. Limit to the
! types actually needed (e.g. echo-reply, unreachable, time-exceeded) or drop.
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host *.*.*.* eq smtp
access-list outside_access_in extended permit tcp any host *.*.*.* eq www
access-list outside_access_in extended permit tcp any host *.*.*.* eq https
access-list outside_access_in extended permit tcp any host *.*.*.* eq 3101
access-list outside_access_in extended permit tcp any host *.*.*.* eq 8005
access-list outside_access_in extended permit tcp any host *.*.*.* eq ftp inactive
access-list outside_access_in extended permit tcp any host *.*.*.* eq https
access-list outside_access_in extended permit tcp any host *.*.*.* eq 3101
access-list outside_access_in extended permit tcp any host *.*.*.* eq smtp
access-list outside_access_in extended permit tcp any host *.*.*.* eq 2195
access-list outside_access_in extended permit tcp any host *.*.*.* eq 5223
access-list Common_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.224
access-list Common_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
! NOTE(review): good egress control - only 192.168.1.15 may originate SMTP,
! everything else is denied before the final permit. Consider logging the deny.
access-list inside_access_in extended permit tcp host 192.168.1.15 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list PHONE_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging asdm informational
logging host inside 192.168.1.11
logging permit-hostdown
! NOTE(review): 106023 and 106100 are the ACL deny/permit messages and 710003 is
! "TCP access denied by ACL" for connections to the ASA itself. Suppressing them
! means no ACL drop ever reaches the syslog host at 192.168.1.11, which removes
! the main signal for scanning and policy violations. The 3020xx build/teardown
! messages are noisy and are reasonably dropped while NetFlow is exported to
! 192.168.1.149, but the deny messages should be restored.
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.1.149 2055
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu PHONE 1500
ip local pool RemotePool 192.168.1.201-192.168.1.220 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any PHONE
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (PHONE) 10 interface
global (PHONE) 10 192.168.10.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (PHONE) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp *.*.*.* 3101 192.168.1.8 3101 netmask 255.255.255.255
static (inside,outside) tcp *.*.*.* 8005 192.168.1.6 8005 netmask 255.255.255.255
static (inside,outside) tcp *.*.*.* ftp 192.168.1.5 ftp netmask 255.255.255.255
static (inside,outside) tcp *.*.*.* smtp 192.168.1.15 smtp netmask 255.255.255.255
static (inside,outside) tcp *.*.*.* www 192.168.1.15 www netmask 255.255.255.255 dns
static (inside,outside) tcp *.*.*.* https 192.168.1.15 https netmask 255.255.255.255 dns
static (inside,outside) tcp *.*.*.* https 192.168.1.8 https netmask 255.255.255.255
! NOTE(review): this is a full 1:1 static for 192.168.1.15 on top of the port
! statics above, so every port on that host is translated and only the outside
! ACL stands between it and the Internet. If only smtp/www/https are meant to
! be reachable, the port statics alone are sufficient and this line should go.
static (inside,outside) *.*.*.* 192.168.1.15 netmask 255.255.255.255 dns
static (inside,PHONE) 192.168.1.1 192.168.1.1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group PHONE_access_in in interface PHONE
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! NOTE(review): only SSH is bound to LOCAL. There is no `aaa authentication http
! console LOCAL` and no `aaa authentication enable console LOCAL`, so ASDM logs
! in with the shared enable password and no username, and `enable` from a
! privilege-0 SSH session does the same - no per-admin accountability. Add both.
aaa authentication ssh console LOCAL
! NOTE(review): ASDM and SSH (below) are open to the whole 192.168.1.0/24,
! including the DHCP range .100-.199. Narrow to the administrators' hosts.
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): 3DES/SHA-1 with PFS group1 (768-bit DH) and IKEv1 pre-shared
! key, IKE policy 3DES/SHA-1/group 2 (1024-bit). Weak by current standards,
! group1 in particular. AES-256 and DH group 5 are available on this release;
! SHA-2 and group 14+ need a newer ASA image - another reason to upgrade.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! NOTE(review): no `telnet <net> <if>` line is visible, so telnet appears
! disabled - good. `console timeout 0` means an unattended serial session never
! expires; set a non-zero value.
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
! NOTE(review): the second argument here is parsed as a second DNS server, and
! 255.255.255.0 looks like a netmask typed by mistake. The per-interface line
! below supplies the real servers; clean this one up.
dhcpd dns 192.168.1.10 255.255.255.0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 192.168.1.10 192.168.1.11 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.100-192.168.10.200 PHONE
dhcpd enable PHONE
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Common internal
! NOTE(review): split tunnelling sends only 192.168.1.0/24 through the tunnel;
! remote clients are simultaneously on the Internet and the LAN. Accepted risk
! or not, it should be a documented decision. `Common_splitTunnelAcl_1` is never
! referenced.
group-policy Common attributes
 wins-server value 192.168.1.6
 dns-server value 192.168.1.6
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Common_splitTunnelAcl
 default-domain value company.local
! NOTE(review): only one account carries `service-type remote-access`. The
! others default to admin and are therefore accepted by `aaa authentication ssh
! console LOCAL`; VPN-only users should not be able to open an SSH session to
! the firewall. Mark every non-admin account `service-type remote-access`.
username *** password .w/eNc7DGi3APSQV encrypted
username *** password qHqy3xodsatJIVSQ encrypted privilege 0
username *** password Hq0f2WZ1/i60YrO/ encrypted privilege 15
username *** password W9x2nmUAp9GsBo7l encrypted
username *** attributes
 service-type remote-access
username *** password zN2fn9qG2ClXk7TE encrypted privilege 0
tunnel-group Common type remote-access
tunnel-group Common general-attributes
 address-pool RemotePool
 default-group-policy Common
tunnel-group Common ipsec-attributes
 pre-shared-key *****
!
class-map global-class
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect ip-options
  inspect dns preset_dns_map
 class class-default
  flow-export event-type all destination 192.168.1.149
!
service-policy global_policy global
prompt hostname context
! NOTE(review): Smart Call Home profile is present but `no active`, so nothing
! is sent to Cisco; fine as is.
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
<--- More --->
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:09d964128ddaf95b8cb337a0cc14b792
: end
FW1#