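: Saved
:
: Serial Number: XXXXX
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
: Written by username at 06:00:33.715 CST Fri Jul 16 2021
!
! Purpose: AnyConnect remote-access VPN head-end (IKEv2 + SSL/DTLS) on an ASA 5525
! with three inside networks and a DHCP-addressed outside interface.
! Secrets, serial number and certificate body below are sanitized placeholders.
!
ASA Version 9.14(1)30
!
hostname vpn
domain-name mydomain.com
enable password zzzzz
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
! NOTE(review): VPNPOOL (and the VPN-NETWORK object, 192.168.3.48/28) sits inside
! the inside3 subnet 192.168.3.0/24. It does not collide with the inside3 DHCP scope
! (.128-.191), but VPN clients cannot be told apart from inside3 hosts by subnet in
! ACLs, logs or the ssh/http management lines. A dedicated pool subnet avoids that.
ip local pool VPNPOOL 192.168.3.49-192.168.3.62
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif inside3
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa9-14-1-30-smp-k8.bin
ftp mode passive
clock timezone CST -6
dns domain-lookup outside
dns domain-lookup inside1
dns domain-lookup inside2
dns domain-lookup inside3
dns server-group DefaultDNS
 domain-name mydomain.com
! inter-interface: inside1/inside2/inside3 are all security-level 100 and no
! access-group is applied anywhere in this config, so the three inside networks can
! reach each other without filtering. intra-interface is what lets VPN client traffic
! enter and leave on outside (hairpin) for the tunnel-all Internet path below.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-NETWORK
 subnet 192.168.3.48 255.255.255.240
object network INSIDE1-NETWORK
 subnet 192.168.1.0 255.255.255.0
object network INSIDE2-NETWORK
 subnet 192.168.2.0 255.255.255.0
object network INSIDE3-NETWORK
 subnet 192.168.3.0 255.255.255.0
! NOTE(review): this ACL is not referenced by any command in this config. Its first
! entry denies all IPv4, so if it were evaluated first-match as an ordinary ACL the
! permits after it would never be reached. Confirm intent before attaching it anywhere.
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
! NOTE(review): only the ASDM log buffer is configured. No `logging enable`,
! `logging timestamp` or `logging host` line appears in this config, so VPN logins
! and denied connections are not exported anywhere for detection or forensics.
logging asdm informational
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu inside3 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
! Identity NAT (NAT exemption) for inside <-> VPN client traffic.
! The real interface of each rule must be the interface the source network lives on:
! INSIDE2-NETWORK is attached to inside2 and INSIDE3-NETWORK to inside3. The saved
! config had all three rules on (inside1,outside); traffic from inside2/inside3 hosts
! to VPN clients then misses the exemption and falls through to the after-auto dynamic
! PAT rules, which breaks the flow. Fixed below to use the matching interface.
nat (inside1,outside) source static INSIDE1-NETWORK INSIDE1-NETWORK destination static VPN-NETWORK VPN-NETWORK no-proxy-arp route-lookup
nat (inside2,outside) source static INSIDE2-NETWORK INSIDE2-NETWORK destination static VPN-NETWORK VPN-NETWORK no-proxy-arp route-lookup
nat (inside3,outside) source static INSIDE3-NETWORK INSIDE3-NETWORK destination static VPN-NETWORK VPN-NETWORK no-proxy-arp route-lookup
!
! Hairpin PAT: VPN clients are tunnel-all (the group-policy sets no split-tunnel
! policy), so their Internet traffic is PATed to the outside interface address.
object network VPN-NETWORK
 nat (any,outside) dynamic interface
!
nat (inside1,outside) after-auto source dynamic any interface
nat (inside2,outside) after-auto source dynamic any interface
nat (inside3,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
! All management planes authenticate against the LOCAL user database.
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history
! ASDM/HTTPS management is limited to the three inside networks. Because the VPN
! pool is carved out of 192.168.3.0/24 and `management-access inside3` is set further
! down, the inside3 lines here and under ssh also admit connected VPN clients.
http server enable
http 192.168.1.0 255.255.255.0 inside1
http 192.168.2.0 255.255.255.0 inside2
http 192.168.3.0 255.255.255.0 inside3
no snmp-server location
no snmp-server contact
! IPsec (child SA) proposals, strongest first.
! NOTE(review): AES-GCM is an AEAD cipher and carries its own integrity check, so the
! `integrity sha-1` lines on the three GCM proposals are presumably not what protects
! the traffic. Confirm the negotiated transform with `show crypto ipsec sa`.
crypto ipsec ikev2 ipsec-proposal AESGCM256
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AESGCM192
 protocol esp encryption aes-gcm-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AESGCM
 protocol esp encryption aes-gcm
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYNMAP 1 set pfs group21
crypto dynamic-map DYNMAP 1 set ikev2 ipsec-proposal AESGCM256 AESGCM192 AESGCM AES256 AES192 AES
crypto dynamic-map DYNMAP 1 set reverse-route
crypto map CRYPTOMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map CRYPTOMAP interface outside
! NOTE(review): the VPN identity certificate is self-signed (`enrollment self`).
! Clients cannot validate it against a CA they already trust, so users are trained to
! accept a certificate warning unless the certificate is distributed out of band.
! A CA-issued certificate for the VPN FQDN removes that warning.
crypto ca trustpoint SELF_TRUSTPOINT
 enrollment self
 fqdn vpn.mydomain.com
 subject-name CN=vpn.mydomain.com
 keypair SSLVPNKEYPAIR
 crl configure
crypto ca trustpool policy
crypto ca certificate chain SELF_TRUSTPOINT
 certificate 00000
    11111111 22222222 33333333 44444444 55555555 66666666 77777777 88888888
  quit
crypto isakmp nat-traversal 3600
! IKEv2 (parent SA) policies: GCM variants use `integrity null` because the AEAD
! cipher supplies integrity; all policies use DH group 21 and PRF SHA-512.
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-gcm-192
 integrity null
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption aes-gcm
 integrity null
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption aes-256
 integrity sha512
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 50
 encryption aes-192
 integrity sha512
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 60
 encryption aes
 integrity sha512
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint SELF_TRUSTPOINT
! No `telnet <net> <mask> <if>` line exists, so Telnet is not reachable; SSH is v2
! only and limited to the inside networks.
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 192.168.1.0 255.255.255.0 inside1
ssh 192.168.2.0 255.255.255.0 inside2
ssh 192.168.3.0 255.255.255.0 inside3
! NOTE(review): `console timeout 0` disables the idle timeout on the serial console;
! a logged-in console session left unattended stays open. Set a finite value unless
! physical access to the console port is tightly controlled.
console timeout 0
! Lets tunnel users reach the inside3 interface address for management (ASDM/SSH).
management-access inside3
dhcp-client client-id interface outside
dhcpd address 192.168.1.128-192.168.1.191 inside1
dhcpd dns 208.67.222.222 208.67.220.220 interface inside1
dhcpd lease 2880 interface inside1
dhcpd domain mydomain.com interface inside1
dhcpd enable inside1
!
dhcpd address 192.168.2.128-192.168.2.191 inside2
dhcpd dns 192.168.2.69 208.67.220.220 interface inside2
dhcpd lease 2880 interface inside2
dhcpd domain mydomain.com interface inside2
dhcpd enable inside2
!
dhcpd address 192.168.3.128-192.168.3.191 inside3
dhcpd dns 192.168.2.69 208.67.220.220 interface inside3
dhcpd lease 2880 interface inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! NOTE(review): NTP is taken from a single public server over the outside interface
! with no authentication key configured; log timestamps depend on it.
ntp server 132.163.97.4 source outside
! TLS/DTLS floor is 1.2. Only the DTLS 1.2 cipher level is raised to `high`; there is
! no `ssl cipher tlsv1.2` line, so TLS 1.2 uses the platform default cipher level.
! NOTE(review): consider `ssl cipher tlsv1.2 high` for parity - confirm client support.
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher dtlsv1.2 high
ssl trust-point SELF_TRUSTPOINT
ssl trust-point SELF_TRUSTPOINT inside3
! WebVPN / AnyConnect service on outside, with HSTS and the browser hardening
! headers enabled. `tunnel-group-list enable` shows the group alias on the login page.
! NOTE(review): the profile is registered here as VPNPROFILE_client_profile, but the
! group-policy below references `VPNPROFILE`. This may be a sanitization artifact;
! verify the two names match on the device or the profile is not pushed to clients.
webvpn
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.10.00093-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.10.00093-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.10.00093-webdeploy-k9.pkg 3
 anyconnect profiles VPNPROFILE_client_profile disk0:/VPNPROFILE_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
! No split-tunnel policy is set, so clients send all traffic through the tunnel;
! all DNS queries are forced through the tunnel as well (split-tunnel-all-dns).
group-policy GroupPolicy_VPNPROFILE internal
group-policy GroupPolicy_VPNPROFILE attributes
 wins-server none
 dns-server value 192.168.2.69
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value mydomain.com
 split-dns value mydomain.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect profiles value VPNPROFILE type user
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record DYNACCPOL
! NOTE(review): the tunnel-group names no authentication server group, so VPN logins
! use the LOCAL database, and the only local account shown is privilege 15. The same
! credential therefore grants both VPN access and full device administration, with
! no second factor visible. Prefer separate VPN-only accounts (for example with
! `service-type remote-access`) or an external AAA server with MFA.
username myuserid password xxxxxxxx xxx privilege 15
tunnel-group VPNPROFILE type remote-access
tunnel-group VPNPROFILE general-attributes
 address-pool VPNPOOL
 default-group-policy GroupPolicy_VPNPROFILE
tunnel-group VPNPROFILE webvpn-attributes
 group-alias VPNPROFILE enable
! IKEv1 is not enabled on any interface in this config; the ikev1 trust-point line
! below has no effect as saved.
tunnel-group VPNPROFILE ipsec-attributes
 ikev1 trust-point SELF_TRUSTPOINT
!
class-map inspection_default
 match default-inspection-traffic
!
!
! NOTE(review): the global policy inspects SNMP only. No other `inspect` line
! (for example DNS, FTP or ICMP) is present - confirm that was intentional.
policy-map global_policy
 class inspection_default
  inspect snmp
!
service-policy global_policy global
prompt hostname context
! Smart Call Home: anonymous reporting is off and the CiscoTAC-1 profile is inactive.
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:33333333
: end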