! Cisco ASA running configuration for the gateway "GW": interfaces, object groups,
! access lists, NAT/static translations, ACL bindings, routes and timeouts.
! The source page collapsed the whole configuration onto a few long lines; it is laid out
! one command per line here and only "!" comment lines are added.
! NOTE(review): 8.2(1) is a very old ASA release; check it against the vendor's
! end-of-support and security-advisory lists before relying on any control below.
ASA Version 8.2(1)
!
hostname GW
domain-name fcf.com
! NOTE(review): both password hashes are published with this dump. This release's
! "encrypted" form is a legacy MD5-based hash, so treat both credentials as disclosed and
! rotate them; redact such lines before sharing a configuration.
enable password gVL9GgyUpNaTkjPJ encrypted
passwd 2KFQnbdIdI.2KYOU encrypted
names
name 192.168.17.100 DC
name 192.168.18.10 Proxy
name 192.168.26.13 Mail-Server-Internal description Mail-Server-Internal
!
! Internet-facing interface (lowest trust level).
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 81.70.70.194 255.255.255.248
!
! Internal interface (highest trust level); the routes below point internal subnets at
! 192.168.18.254 on this segment.
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.18.1 255.255.255.0
!
! NOTE(review): the DMZ is directly connected as 192.168.26.0/24, yet the same /24 is also
! translated as an Inside network (static (Inside,DMZ) 192.168.26.0 below) and
! Mail-Server-Internal (192.168.26.13) is routed via Inside. The overlap makes it unclear
! which side of the firewall a 192.168.26.x host really sits on; confirm the addressing.
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.26.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
! Dedicated management port; management-only keeps through traffic off it. Its
! security-level 0 is the same level as Outside.
interface Management0/0
 nameif mgn
 security-level 0
 ip address 192.168.2.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup Inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server DC
 domain-name fcf.com
! Service and network object groups. The DM_INLINE_* names look ASDM-generated; several
! of them overlap heavily (mail ports plus www/https).
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq pop3
 port-object eq https
 port-object eq 995
 port-object eq 465
 port-object eq 8443
 port-object eq 7074
 port-object eq 7075
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
 port-object eq https
 port-object eq 995
 port-object eq 465
object-group service DM_INLINE_TCP_0 tcp
 port-object eq 1000
 port-object eq www
 port-object eq pop3
 port-object eq smtp
 port-object eq 465
 port-object eq 995
 port-object eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network Out-ip
 network-object host 81.70.70.194
 network-object host 81.70.70.195
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 465
 port-object eq 995
 port-object eq https
 port-object eq pop3
! mail-service, outside_email and inside_email (empty) are not referenced by any access
! list visible in this dump.
object-group service mail-service tcp
 port-object eq 465
 port-object eq 995
 port-object eq pop3
 port-object eq smtp
object-group network outside_email
 network-object 81.70.70.192 255.255.255.248
object-group network inside_email
object-group service AV tcp
 port-object eq 7074
 port-object eq 8443
 port-object eq 7075
 port-object eq 27017
! NOTE(review): this group contains 3389 and 27017 and is used in ACL 103, which is bound
! inbound on Outside; remote-desktop and database-style ports should not be opened to "any".
object-group service DM_INLINE_TCP_4 tcp
 port-object eq 27017
 port-object eq 3389
 port-object eq 7074
 port-object eq 7075
 port-object eq 8443
 port-object eq smtp
object-group service DM_INLINE_TCP_5 tcp
 port-object eq 465
 port-object eq 875
 port-object eq 995
 port-object eq https
 port-object eq pop3
 port-object eq smtp
! ACL 101 is not bound by any access-group line in this configuration (103, 102 and
! DMZ_access_in are), so it has no effect as shown. It also names destinations
! (217.24.242.212, 192.168.1.0/24) that match no interface subnet here; presumably stale.
access-list 101 extended permit tcp any host 217.24.242.212 eq 3333
access-list 101 extended permit tcp any host 81.70.70.194 object-group DM_INLINE_TCP_0
access-list 101 extended permit tcp any interface Outside eq www
access-list 101 extended permit tcp any 192.168.1.0 255.255.255.0 object-group DM_INLINE_TCP_2
access-list 101 extended permit tcp any interface Outside eq smtp
access-list 101 extended permit tcp any interface Outside eq pop3
access-list 101 extended permit tcp any interface Outside eq 1000
access-list 101 extended permit tcp any interface Outside eq 465
access-list 101 extended permit tcp any interface Outside eq 995
access-list 101 extended permit tcp any interface Outside eq https
access-list 101 extended permit tcp any 192.168.26.0 255.255.255.0 object-group DM_INLINE_TCP_2
! DMZ_access_in is bound inbound on DMZ. 192.168.26.13 is Mail-Server-Internal, so the
! third entry (any IP protocol to that host) makes the port-limited first entry redundant.
access-list DMZ_access_in extended permit tcp any host Mail-Server-Internal object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit object-group TCPUDP any any eq domain
access-list DMZ_access_in extended permit ip any host 192.168.26.13
! ACL 102 is bound inbound on Inside and is evaluated top-down, first match wins.
access-list 102 extended permit tcp any host 80.78.65.87 eq smtp
access-list 102 extended permit tcp any host Mail-Server-Internal eq smtp
access-list 102 extended permit tcp any host 192.168.1.1 eq www
access-list 102 extended permit tcp any host 192.168.1.1 eq https
access-list 102 extended permit tcp 192.168.17.0 255.255.255.0 any object-group AV
! NOTE(review): "permit ip any any" matches everything, so every entry after it, including
! the outbound-SMTP denies and the logged deny for 104.244.14.252, can never match. If
! those denies are meant to restrict outbound mail to the mail server, they must sit
! above this line.
access-list 102 extended permit ip any any
access-list 102 extended permit tcp 192.168.26.0 255.255.255.0 any eq smtp
access-list 102 extended deny tcp any host 192.168.1.1 eq smtp
access-list 102 extended deny ip any host 104.244.14.252 log
access-list 102 extended deny tcp 192.168.24.0 255.255.255.0 any eq smtp
access-list 102 extended deny tcp 192.168.22.0 255.255.255.0 any eq smtp
access-list 102 extended deny tcp 192.168.17.0 255.255.255.0 any eq smtp
access-list 102 extended deny tcp 192.168.21.0 255.255.255.0 any eq smtp
! vpn_f_splitTunnelAcl is not referenced by the group policy visible in this dump.
access-list vpn_f_splitTunnelAcl standard permit host DC
access-list vpn_f_splitTunnelAcl standard permit host 192.168.17.121
! NAT exemption for traffic toward 192.168.10.0/26, which covers the VPN pool
! 192.168.10.10-192.168.10.50 defined below.
access-list Inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.192
access-list Local_LAN_Access remark lejon lan printing
access-list Local_LAN_Access standard permit host 0.0.0.0
! ACL 103 is bound inbound on Outside, i.e. it filters traffic arriving from the Internet.
access-list 103 extended permit tcp any host 81.70.70.195 object-group DM_INLINE_TCP_5
access-list 103 extended permit tcp any interface Outside eq 13000
access-list 103 extended permit tcp any interface Outside eq 14000
! NOTE(review): the service group sits before the destination network group here, which
! is the source-port position in an extended ACL entry; confirm this was meant to be a
! destination-port match.
access-list 103 extended permit tcp any object-group DM_INLINE_TCP_3 object-group Out-ip
! NOTE(review): "permit ip any any" on the Outside inbound ACL removes the firewall's port
! filtering: any address with a translation (the static for 81.70.70.195 ->
! Mail-Server-Internal below) is reachable from the Internet on every protocol and port,
! and the entry after this one is unreachable. Replace it with the specific permits
! intended and end the list with an explicit logged deny.
access-list 103 extended permit ip any any
access-list 103 extended permit tcp any interface Outside object-group DM_INLINE_TCP_4
pager lines 24
! NOTE(review): only ASDM logging is configured in the visible lines; no "logging host" or
! "logging trap" appears, so there is presumably no off-box log retention. Confirm.
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu mgn 1500
ip local pool fkcf-vpn 192.168.10.10-192.168.10.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
! The run of "&" characters below is not ASA syntax; presumably a marker left by whoever
! posted the dump (lines may have been omitted here).
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
! Dynamic PAT: sources matched by the "nat ... 101" lines are translated to the Outside
! interface address. "nat (Inside) 0" exempts traffic matching Inside_nat0_outbound.
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
! NOTE(review): 81.70.70.196 is in the public Outside range (81.70.70.192/29) but is listed
! as an Inside source; confirm this entry is intentional.
nat (Inside) 101 81.70.70.196 255.255.255.255
! The per-host entries below act as an allow list of internal hosts that may be PATed to
! the Internet. The 192.168.17.x hosts are already covered by the 192.168.17.0/24 entry
! further down, so those host lines are redundant.
nat (Inside) 101 192.168.17.11 255.255.255.255
nat (Inside) 101 192.168.17.15 255.255.255.255
nat (Inside) 101 192.168.17.55 255.255.255.255
nat (Inside) 101 192.168.17.111 255.255.255.255
nat (Inside) 101 192.168.17.115 255.255.255.255
nat (Inside) 101 192.168.17.204 255.255.255.255
nat (Inside) 101 192.168.21.10 255.255.255.255
nat (Inside) 101 192.168.21.12 255.255.255.255
nat (Inside) 101 192.168.21.15 255.255.255.255
nat (Inside) 101 192.168.21.18 255.255.255.255
nat (Inside) 101 192.168.21.20 255.255.255.255
nat (Inside) 101 192.168.21.22 255.255.255.255
nat (Inside) 101 192.168.21.25 255.255.255.255
nat (Inside) 101 192.168.21.30 255.255.255.255
nat (Inside) 101 192.168.21.31 255.255.255.255
nat (Inside) 101 192.168.21.34 255.255.255.255
nat (Inside) 101 192.168.21.35 255.255.255.255
nat (Inside) 101 192.168.21.40 255.255.255.255
nat (Inside) 101 192.168.21.42 255.255.255.255
nat (Inside) 101 192.168.21.44 255.255.255.255
nat (Inside) 101 192.168.21.47 255.255.255.255
nat (Inside) 101 192.168.21.111 255.255.255.255
nat (Inside) 101 192.168.21.211 255.255.255.255
nat (Inside) 101 192.168.24.11 255.255.255.255
nat (Inside) 101 192.168.24.27 255.255.255.255
nat (Inside) 101 192.168.24.30 255.255.255.255
nat (Inside) 101 192.168.24.32 255.255.255.255
nat (Inside) 101 192.168.24.39 255.255.255.255
nat (Inside) 101 192.168.24.69 255.255.255.255
nat (Inside) 101 192.168.24.72 255.255.255.255
nat (Inside) 101 192.168.24.73 255.255.255.255
nat (Inside) 101 192.168.24.77 255.255.255.255
nat (Inside) 101 192.168.24.99 255.255.255.255
nat (Inside) 101 192.168.24.106 255.255.255.255
nat (Inside) 101 192.168.24.111 255.255.255.255
nat (Inside) 101 192.168.24.114 255.255.255.255
nat (Inside) 101 192.168.24.115 255.255.255.255
nat (Inside) 101 192.168.24.119 255.255.255.255
nat (Inside) 101 192.168.24.135 255.255.255.255
nat (Inside) 101 192.168.24.160 255.255.255.255
nat (Inside) 101 192.168.24.177 255.255.255.255
nat (Inside) 101 192.168.24.178 255.255.255.255
nat (Inside) 101 192.168.24.179 255.255.255.255
nat (Inside) 101 192.168.24.180 255.255.255.255
nat (Inside) 101 192.168.24.187 255.255.255.255
nat (Inside) 101 192.168.24.193 255.255.255.255
nat (Inside) 101 192.168.24.198 255.255.255.255
nat (Inside) 101 192.168.24.222 255.255.255.255
nat (Inside) 101 192.168.24.225 255.255.255.255
nat (Inside) 101 192.168.26.4 255.255.255.255
nat (Inside) 101 192.168.26.11 255.255.255.255
nat (Inside) 101 192.168.26.12 255.255.255.255
nat (Inside) 101 Mail-Server-Internal 255.255.255.255
nat (Inside) 101 192.168.26.14 255.255.255.255
nat (Inside) 101 192.168.26.16 255.255.255.255
nat (Inside) 101 192.168.26.18 255.255.255.255
nat (Inside) 101 192.168.26.32 255.255.255.255
nat (Inside) 101 192.168.26.47 255.255.255.255
nat (Inside) 101 192.168.26.107 255.255.255.255
nat (Inside) 101 192.168.26.108 255.255.255.255
nat (Inside) 101 192.168.26.109 255.255.255.255
nat (Inside) 101 192.168.26.128 255.255.255.255
nat (Inside) 101 192.168.26.149 255.255.255.255
nat (Inside) 101 192.168.26.160 255.255.255.255
nat (Inside) 101 192.168.26.177 255.255.255.255
nat (Inside) 101 192.168.26.193 255.255.255.255
nat (Inside) 101 192.168.17.0 255.255.255.0
nat (Inside) 101 192.168.18.0 255.255.255.0
! NOTE(review): 255.255.25.255 is not a valid netmask; every sibling host entry uses
! 255.255.255.255, so this looks like a typo in the dump. Verify against the device.
nat (Inside) 101 192.168.17.26 255.255.25.255
nat (DMZ) 101 0.0.0.0 0.0.0.0
! Identity statics: these Inside subnets appear on the DMZ with their own addresses, so
! DMZ_access_in is the only control between the DMZ and those networks.
static (Inside,DMZ) 192.168.24.0 192.168.24.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.22.0 192.168.22.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.17.0 192.168.17.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.23.0 192.168.23.0 netmask 255.255.255.0
! One-to-one static publishing the internal mail server as 81.70.70.195. This translates
! all ports; exposure is limited only by ACL 103, which currently permits everything.
static (Inside,Outside) 81.70.70.195 Mail-Server-Internal netmask 255.255.255.255 dns
access-group 103 in interface Outside
access-group 102 in interface Inside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 81.70.70.193 1
! 192.168.16.0/20 spans 192.168.16.0-192.168.31.255, which includes the directly connected
! Inside (192.168.18.0/24) and DMZ (192.168.26.0/24) subnets; the connected routes are
! more specific and win for those.
route Inside 192.168.16.0 255.255.240.0 192.168.18.254 1
route Inside Mail-Server-Internal 255.255.255.255 192.168.18.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
! ASA management-plane access, SNMP traps, IPsec/IKE parameters, session timeouts and
! threat detection. The source page collapsed these commands onto one line; they are laid
! out one per line here and only "!" comment lines are added.
dynamic-access-policy-record DfltAccessPolicy
! SSH logins authenticate against the local user database. No "ssh <network> <interface>"
! or "username" lines are visible in this dump; they may have been trimmed by the poster.
aaa authentication ssh console LOCAL
! NOTE(review): ASDM/HTTPS management is accepted from three whole Inside subnets, not
! from named administrator hosts; the switch section of this dump labels 192.168.24.0/24
! Training_VLAN and 192.168.26.0/24 Temporary_VLAN. Narrow these to the admin workstations
! or the management network (192.168.2.0/24 on mgn).
http server enable
http 192.168.24.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 mgn
http 192.168.26.0 255.255.255.0 Inside
http 192.168.17.0 255.255.255.0 Inside
http authentication-certificate Inside
no snmp-server location
no snmp-server contact
! Traps are enabled, but no "snmp-server host" receiver is visible in this dump.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): the transform sets include single DES (56-bit key) and MD5-based HMAC.
! They matter because the dynamic map below offers all ten, so a remote peer can
! negotiate one of the weak ones.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! NOTE(review): PFS group1 is 768-bit Diffie-Hellman, the weakest group available. Use the
! strongest group this release and the VPN clients both support.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
! NOTE(review): AES/SHA sets are listed first, but the DES and MD5 sets remain acceptable
! to the gateway. Trim this list to the AES + SHA sets.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
! NOTE(review): the only IKE policy visible uses a pre-shared key with 3DES, SHA-1 and DH
! group 2 (1024-bit). Prefer AES with a larger DH group, and certificate authentication
! where the clients allow it.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! No "telnet <network> <interface>" permit lines are visible, so the telnet timeout is
! presumably unused.
telnet timeout 5
ssh timeout 30
! NOTE(review): "console timeout 0" disables the idle timeout, so an authenticated serial
! console session stays open until someone logs out. Set a finite value.
console timeout 0
! management-access lets the Inside interface be managed by sessions arriving over a VPN
! tunnel; the "http" source list above still applies. Confirm this is wanted.
management-access Inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy fkcf-vpn internal
! Tail of the ASA configuration (remote-access VPN policy, tunnel group, default
! inspection policy), followed by the poster's separator and the start of a switch
! configuration (FastEthernet0/1-0/5). The source page collapsed everything onto one
! line; commands are laid out one per line here and only "!" comment lines are added.
!
! Remote-access VPN policy: IPsec only, DNS/WINS pointed at 192.168.17.100.
! "excludespecified" with Local_LAN_Access means everything except the client's own local
! LAN is sent through the tunnel.
group-policy fkcf-vpn attributes
 wins-server value 192.168.17.100
 dns-server value 192.168.17.100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value fcf.com
tunnel-group fkcf-vpn type remote-access
tunnel-group fkcf-vpn general-attributes
 address-pool fkcf-vpn
 default-group-policy fkcf-vpn
! The device masks the group pre-shared key as "*" in its output, so it is not disclosed
! here. No "authentication-server-group" line is visible; presumably user authentication
! falls back to the local database. Confirm.
tunnel-group fkcf-vpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
! Global application-inspection policy applied to the default inspection traffic class.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
! NOTE(review): on older ASA releases the default ESMTP inspection is known to interfere
! with STARTTLS negotiation; verify that mail to the published mail server still
! negotiates TLS through this firewall.
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:87b4aedc78266496ffb4aff751d5bfb6
: end
! The CLI prompts and asterisk banner below are paste residue from the poster, not
! configuration; they separate the ASA dump from the switch configuration that follows.
GW#
GW#
******************************************************************************************************************************************************
***********************************************SW CONFIG***********************************************************************
! Switch port configuration begins here (hostname and global section are not shown).
interface FastEthernet0/1
 description Link to Gigabit_A_sw1
 switchport access vlan 50
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport nonegotiate
!
! NOTE(review): FastEthernet0/2 has no configuration and no "shutdown". An unconfigured
! port is presumably left in VLAN 1 with the platform's default switchport mode; unused
! ports should be shut down and parked in an unused VLAN.
interface FastEthernet0/2
!
! NOTE(review): both "switchport mode access" and "switchport mode trunk" appear on this
! port. A running configuration holds only one mode, so the effective mode cannot be
! determined from this dump; if it is trunk, no allowed-VLAN list restricts it.
interface FastEthernet0/3
 description Tek Ndertesa Sigurise
 switchport access vlan 4
 switchport mode access
 switchport mode trunk
 switchport nonegotiate
!
! NOTE(review): same access/trunk conflict as FastEthernet0/3, with no allowed-VLAN list.
interface FastEthernet0/4
 description Link to Finance_S
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
 switchport mode trunk
!
interface FastEthernet0/5
 description Link to Edge_B_stack
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport nonegotiate
!
! Switch port configuration, FastEthernet0/6 through FastEthernet0/27. The source page
! collapsed these commands onto one line; they are laid out one per line here and only
! "!" comment lines are added.
!
! NOTE(review): both "switchport mode access" and "switchport mode trunk" appear on this
! port. A running configuration holds only one mode, so the effective mode cannot be
! determined from this dump; if it is trunk, no allowed-VLAN list restricts it.
interface FastEthernet0/6
 description Link to Administrata
 switchport access vlan 50
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport nonegotiate
 switchport mode trunk
!
! NOTE(review): every trunk in this section allows VLANs 1-100 and sets no
! "switchport trunk native vlan", so the native VLAN is presumably the default VLAN 1,
! which this dump uses as the management SVI (Vlan1, "Network Management"). Prune each
! trunk to the VLANs the neighbour needs and move the native VLAN off the management VLAN.
interface FastEthernet0/7
 description Link to Access_E_sw1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-100
 switchport mode trunk
 switchport nonegotiate
!
! NOTE(review): "spanning-tree portfast" is set on a port described as a link to another
! switch, and no BPDU guard is visible. Confirm this is intended; portfast belongs on
! host-facing ports.
interface FastEthernet0/8
 description Link to Access_F_sw1
 switchport access vlan 6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-100
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/10
 switchport access vlan 50
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport nonegotiate
!
! NOTE(review): ports with an empty stanza (0/11, 0/14, 0/19-0/22, 0/26, 0/27) have no
! "shutdown" and no VLAN assignment. Unused ports should be shut down and parked in an
! unused VLAN.
interface FastEthernet0/11
!
! Unlike the other trunks, this one has no description and no "switchport nonegotiate".
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-100
 switchport mode trunk
!
! NOTE(review): the ASA configuration in this dump shows no VLAN subinterfaces, so a trunk
! carrying VLANs 1-100 toward a device described as ASA1 should be confirmed.
interface FastEthernet0/13
 description ASA1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-100
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/14
!
interface FastEthernet0/15
 switchport access vlan 70
 switchport mode access
 switchport nonegotiate
!
! Routed (layer-3) port with no address assigned.
interface FastEthernet0/16
 no switchport
 no ip address
!
interface FastEthernet0/17
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/18
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
 switchport access vlan 20
 switchport mode access
!
! Described as an uplink but carries no switchport configuration in this dump.
interface FastEthernet0/24
 description UPLINK
!
interface FastEthernet0/25
 description Link to CCR
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
! Switch port configuration FastEthernet0/28 through GigabitEthernet0/4, then the first
! VLAN interfaces (SVIs) with HSRP. The source page collapsed these commands onto one
! line; they are laid out one per line here and only "!" comment lines are added.
interface FastEthernet0/28
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
! NOTE(review): FastEthernet0/29-0/43, 0/45-0/47 and GigabitEthernet0/1-0/4 have empty
! stanzas: no "shutdown" and no VLAN assignment. Unused ports are presumably left in
! VLAN 1, which is the management SVI below; shut them down and park them in an unused VLAN.
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
!
interface FastEthernet0/34
!
interface FastEthernet0/35
!
interface FastEthernet0/36
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
! Trunk allowing VLANs 1-100 with no native-VLAN override; prune to the VLANs needed.
interface FastEthernet0/44
 description Link to CCR
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-100
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
! SVIs: each VLAN has a real address (.2) and an HSRP virtual gateway (.1) with priority
! 150 and preempt.
! NOTE(review): no "standby ... authentication" line is visible on any SVI, so HSRP runs
! without authentication as shown. No "ip access-group" appears on any SVI either, so the
! switch routes freely between Production, Finance, CCR, Training and the other VLANs.
!
! Management SVI on VLAN 1, which is also the default VLAN for unconfigured ports.
interface Vlan1
 description Network Management
 ip address 192.168.16.2 255.255.255.0
 standby 0 ip 192.168.16.1
 standby 0 priority 150
 standby 0 preempt
!
! DHCP requests from the user VLANs are relayed to 192.168.17.100.
interface Vlan4
 description Production_VLAN
 ip address 192.168.21.2 255.255.255.0
 ip helper-address 192.168.17.100
 standby 0 ip 192.168.21.1
 standby 0 priority 150
 standby 0 preempt
!
interface Vlan6
 description Finance_VLAN
 ip address 192.168.22.2 255.255.255.0
 ip helper-address 192.168.17.100
 standby 0 ip 192.168.22.1
 standby 0 priority 150
 standby 0 preempt
!
interface Vlan7
 description CCR_VLAN
 ip address 192.168.23.2 255.255.255.0
 ip helper-address 192.168.17.100
 standby 0 ip 192.168.23.1
 standby 0 priority 150
 standby 0 preempt
!
interface Vlan10
 description Training_VLAN
 ip address 192.168.24.2 255.255.255.0
 ip helper-address 192.168.17.100
 standby 0 ip 192.168.24.1
 standby 0 priority 150
 standby 0 preempt
!
! Remaining switch VLAN interfaces (SVIs) with HSRP, the default route, the HTTP
! management servers and SNMP communities. The source page collapsed these commands onto
! one line; they are laid out one per line here and only "!" comment lines are added.
! NOTE(review): no "standby ... authentication" and no "ip access-group" line is visible
! on any SVI here, so HSRP is unauthenticated and inter-VLAN routing is unfiltered as shown.
interface Vlan11
 description peshore
 ip address 192.168.25.2 255.255.255.0
 ip helper-address 192.168.17.100
 standby 0 ip 192.168.25.1
 standby 0 priority 150
 standby 0 preempt
!
! NOTE(review): this SVI uses 192.168.26.0/24, the same subnet the ASA section of this
! dump has directly connected on its DMZ interface (192.168.26.254/24). Confirm which
! device is meant to be the gateway for this subnet.
interface Vlan20
 description Temporary_VLAN
 ip address 192.168.26.2 255.255.255.0
 ip helper-address 192.168.17.100
 standby 0 ip 192.168.26.1
 standby 0 priority 150
 standby 0 preempt
!
interface Vlan50
 description Servers_VLAN
 ip address 192.168.17.2 255.255.255.0
 standby 0 ip 192.168.17.1
 standby 0 priority 150
 standby 0 preempt
!
! Transit VLAN toward the firewall: the HSRP address 192.168.18.254 is the next hop the
! ASA section uses for its Inside routes.
interface Vlan70
 description ISA outside VLAN
 ip address 192.168.18.253 255.255.255.0
 standby 0 ip 192.168.18.254
 standby 0 priority 150
 standby 0 preempt
!
ip classless
! Default route points at 192.168.18.1, the ASA Inside interface in this dump.
ip route 0.0.0.0 0.0.0.0 192.168.18.1
! NOTE(review): "ip http server" enables the cleartext HTTP management interface alongside
! the HTTPS one, and no access restriction for either is visible. Disable the cleartext
! server and limit the secure one to administrator addresses.
ip http server
ip http secure-server
!
! Standard ACL "Fabrika" is declared with no entries and is not referenced by any line
! visible in this dump.
ip access-list standard Fabrika
!
! NOTE(review): both SNMP community strings are published with this dump, including the
! read-write one, and neither line has an access list attached. Treat them as disclosed:
! rotate them, drop the RW community if it is not needed, restrict SNMP to the management
! station with an ACL, and prefer SNMPv3 with authentication and privacy.
snmp-server community fabrika RO
snmp-server community Fabrika RW
!