ASA Version 9.9(2)
!
ip local pool VPN_IP_POOL_TEST 172.20.0.5-172.20.0.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 172.17.1.37 255.255.255.252
!
interface GigabitEthernet0/1
 nameif Outside_Ertel
 security-level 0
 ip address A.A.A.A 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Outside_Beeline
 security-level 0
 ip address B.B.B.B 255.255.255.252
!
interface GigabitEthernet0/3
 nameif Administrative
 security-level 0
 no ip address
!
interface GigabitEthernet0/3.11
 vlan 11
 nameif SQUID
 security-level 100
 ip address 10.10.10.10 255.255.255.248
!
interface GigabitEthernet0/3.12
 vlan 12
 nameif Beeline_pool
 security-level 100
 ip address C.C.C.C 255.255.255.248
 policy-route route-map Beeline_pool
!
interface GigabitEthernet0/3.13
 vlan 13
 nameif Beeline_pool_2
 security-level 0
 ip address D.D.D.D 255.255.255.248
 policy-route route-map Beeline_pool
!
interface GigabitEthernet0/3.99
 vlan 99
 nameif Trade
 security-level 50
 ip address 192.168.99.1 255.255.255.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 nameif 3com_Management
 security-level 100
 ip address 172.18.1.1 255.255.255.252
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 no ip address
!
regex domainlis "\.yaplakal\.com"
boot system disk0:/asa992-smp-k8.bin
boot system disk0:/asa952-6-smp-k8.bin
boot system disk0:/asa944-16-smp-k8.bin
boot system disk0:/asa981-smp-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 10.100.0.2 Inside
 domain-name mbaru.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MBA_Nets
 subnet 10.100.0.0 255.255.0.0
object service smtp
 service tcp destination eq smtp
object network DC1
 host 10.100.0.2
object network DC2
 host 10.100.0.3
object network SQUID
 host 10.10.10.11
object service dns_tcp
 service tcp destination eq domain
object service imap
 service tcp destination eq imap4
object service imap_ssl
 service tcp destination eq 993
object service smtp_ssl
 service tcp destination eq 465
object network Kalinina_Net
 subnet 10.100.64.0 255.255.192.0
object service pop3
 service tcp destination eq pop3
object service pop3_ssl
 service tcp destination eq 995
object network Search
 host 10.100.0.7
object service sms
 service tcp destination range 8000 8001
object service dns_udp
 service udp destination eq domain
object service web_mail
 service tcp destination eq 32000
object network Sharepoint
 host 10.100.0.112
object service fake_rdp
 service tcp destination eq 5589
object service rdp
 service tcp destination eq 3389
object network Shareman
 host 77.232.139.13
object service sharepoint_https
 service tcp destination eq https
object network Fileserver
 host 10.100.0.45
object service ftp
 service tcp destination eq ftp
object service ftp_data
 service tcp destination range 5500 5525
object network SMO
 host 88.135.48.181
object service isakmp_1
 service udp destination eq isakmp
object service isakmp_2
 service udp destination eq 4500
object service tunnel
 service gre
object network Konsul_Net
 subnet 10.100.60.0 255.255.252.0
object network Memfis_Net
 subnet 10.100.0.0 255.255.224.0
object network NETWORK_OBJ_172.16.0.0_24
 subnet 172.16.0.0 255.255.255.0
object network VPN_POOL_TEST
 subnet 172.20.0.0 255.255.255.0
object network NETWORK_OBJ_172.20.0.0_25
 subnet 172.20.0.0 255.255.255.128
object network VPN_NET
 subnet 172.20.0.0 255.255.255.0
object network iDRAC
 subnet 10.90.90.0 255.255.255.0
object network SSH
 host 10.100.0.110
 description WIFI Controller
object network Internet_Ertel
 subnet 0.0.0.0 0.0.0.0
object network MSK_Main
 host E.E.E.E
object network MSK_Reserve
 host F.F.F.F
object network Cisco_interface_for_MSK
 host 172.17.1.81
object network Cisco_interface_for_SMO
 host 172.17.1.77
object service ipsec_additional
 service udp destination eq 4500
object network All_MBA_Nets
 subnet 10.100.0.0 255.255.0.0
object network Asterisk_local
 host 10.100.0.5
object network Aterisk_beeline
 host M.M.M.M
object network WINSRV12RDP7
 range 10.100.28.1 10.100.28.100
object network WINSRV12RDP8
 range 10.100.28.101 10.100.28.200
object network WINSRV12RDP3
 range 10.100.30.1 10.100.30.100
object network WINSRV12RDP4
 range 10.100.30.101 10.100.30.200
object network WINSRV12RDP5
 range 10.100.29.1 10.100.29.100
object network WINSRV12RDP6
 range 10.100.29.101 10.100.29.200
object network WINSRV12RDP9
 range 10.100.27.1 10.100.27.100
object network WINSRV12RDP10
 range 10.100.27.101 10.100.27.200
object network WINSRV12RDP11
 range 10.100.26.1 10.100.26.100
object network WINSRV12RDP12
 range 10.100.26.101 10.100.26.200
object network WINSRV12RDP13
 range 10.100.25.1 10.100.25.100
object network WINSRV12RDP14
 range 10.100.25.101 10.100.25.200
object network WINSRV12RDP15
 range 10.100.24.1 10.100.24.100
object network WINSRV12RDP16
 range 10.100.24.101 10.100.24.200
object network WINSRV12RDP1
 range 10.100.31.1 10.100.31.100
object network WINSRV12RDP2
 range 10.100.31.101 10.100.31.200
object network MEMFIS(SRV_AND_NET)
 range 10.100.0.1 10.100.0.255
object network MEMFIS(ADMINISTRATIVE)
 range 10.100.1.0 10.100.1.255
object network SMO(SRV_AND_NET)
 range 10.100.48.1 10.100.48.255
object network SMO(ADMINISTRATIVE)
 range 10.100.55.1 10.100.55.100
object network KALININA(ADMINISTRATIVE)
 range 10.100.65.1 10.100.67.255
object network MSK(ADMINISTRATIVE)
 subnet 10.100.58.0 255.255.255.0
object network MBAFIN_GUEST
 subnet 10.90.92.0 255.255.255.0
object network FAX
 host 213.85.168.52
object network Interlin
 host 188.94.208.10
object network MTT_ym
 host 80.75.132.66
object network Power
 host 178.238.120.178
object network Zebra
 host 213.145.43.128
object network MTT
 host 80.75.130.132
object network MTT_ufa
 host 80.75.130.147
object network Autoinform_beeline
 host G.G.G.G
object service sharepoint_https_fake
 service tcp destination eq 444
object network MSK_WIFI_GUEST
 host 10.100.59.1
object network MSK_local
 subnet 10.100.58.0 255.255.255.0
object network SMTP
 host 10.100.0.2
object network SMO_local
 subnet 10.100.48.0 255.255.248.0
object network RD2
 range 10.100.22.101 10.100.22.200
object network KALININA(SRV_AND_NET)
 range 10.100.64.1 10.100.64.255
object network SMSSENDER
 host 10.100.3.177
 description Send sms pass
object network MSK_wifi
 subnet 10.100.59.0 255.255.255.0
object network Sharepoint_https
 host 10.100.0.7
object network MSK_NEW
 subnet 10.100.60.0 255.255.252.0
object network MSK_NEW_WiFi
 host 10.100.57.1
object network MSK_wifi_NEW
 subnet 10.100.57.0 255.255.255.0
object network AnyConnectClients
 subnet 172.20.0.0 255.255.255.0
object network gitlab
 host 10.100.3.167
object service web_mail_src
 service tcp source eq 32000
object service smtp_src
 service tcp source eq smtp
object service smtp_ssl_src
 service tcp source eq 465
object service imap_src
 service tcp source eq imap4
object service imap_ssl_src
 service tcp source eq 993
object service pop3_src
 service tcp source eq pop3
object service pop3_ssl_src
 service tcp source eq 995
object service sms_src
 service tcp source range 8000 8001
object service fake_rdp_src
 service tcp source eq 5589 destination range 1 65535
object service rdp_src
 service tcp source eq 3389 destination range 1 65535
object service ftp_src
 service tcp source eq ftp
object service https_src
 service tcp source eq https
object service https_444_src
 service tcp source eq 444
object service ftps_src
 service tcp source range 5500 5525
object network VPN
 subnet 172.20.0.0 255.255.255.0
object network BACKUP_SERVER
 host 10.100.4.27
object network Limited_IPs_Memfis
 range 10.100.2.0 10.100.2.255
object network Limited_IPs_Kalinina
 range 10.100.68.0 10.100.68.255
object network testpc
 host 10.100.3.252
object network ASA_SMO
 host 172.17.1.146
object network MSK_Old_Branch
 host F.F.F.F
object network 10.100.67.37
 host 10.100.67.37
object network Redis
 host 10.100.4.18
object service RTP_SIP
 service udp source range 10000 20000
 description RTP
object network Icewarp
 host 10.100.0.4
object network IP_Phone
 host 10.100.69.138
object network symantec_backup
 host 10.100.3.253
object network erptest
 host 10.100.31.201
object network 10.100.1.103
 host 10.100.1.103
object network 10.100.1.107
 host 10.100.1.107
object network VostokFinance_1
 subnet 10.0.10.0 255.255.255.0
object network VostokFinance_2
 subnet 10.2.0.0 255.255.0.0
object network VostokFinance_3
 subnet 10.3.10.0 255.255.255.0
object network 10.100.3.52
 host 10.100.3.52
object network 10.100.3.253
 host 10.100.3.253
object network 10.100.49.13
 host 10.100.49.13
object network WIN10SER
 host 10.100.3.121
object network Slackware14.2
 host 10.100.3.248
object network Printserver
 host 10.100.4.65
object network 10.100.3.149
 host 10.100.3.149
object network 10.100.4.4
 host 10.100.4.4
object network 10.100.3.13
 host 10.100.3.13
object network 10.100.3.194
 host 10.100.3.194
object network 10.100.69.54
 host 10.100.69.54
object network IP_ETAP
 host 37.112.57.61
object network Test
 host 10.100.67.63
 description test
object network FreeRadius
 host 10.10.10.9
object network Freeradius_res
 host 10.10.10.11
object network Dosugova
 host 10.100.1.16
object network logicinvest
 host 10.100.67.129
object service http_src
 service tcp source eq www destination range 1 65535
object service fake_http_src
 service tcp source eq 5050 destination range 1 65535
object network 10.100.31.205
 host 10.100.31.205
object network 54.246.205.20
 host 54.246.205.20
 description Telemarket
object network 54.246.211.170
 host 54.246.211.170
 description Telemarket
object network 176.34.143.182
 host 176.34.143.182
 description Telemarket
object service http_src_telemarket
 service tcp source eq 4546
object service http_dst_telemarket
 service tcp destination eq 4546
object network SMS_Traffic_prov
 host 212.24.56.100
 description sms_status_resive
object network 209.95.50.91
 host 209.95.50.91
 description Telemarket
object network 54.171.177.117
 host 54.171.177.117
 description Telemarket
object network CZinvest
 host 37.112.63.240
object service CZ_Sharepoint_http
 service tcp source eq 8088
object network DevinoMailSpamer1
 range 212.193.97.32 212.193.97.239
object network DevinoMailSpamer2
 range 194.226.179.64 194.226.179.239
object network 54.154.54.79
 host 54.154.54.79
 description Telemarket
object network J.J.J.J
 host J.J.J.J
 description MSK
object network trade_server
 host 192.168.99.2
object network TRADE_NETWOKR
 subnet 192.168.99.0 255.255.255.0
object network 54.154.99.68
 host 54.154.99.68
object network Autoinform_local
 host 10.100.0.6
object network Other_Memfis_Net
 range 10.100.3.0 10.100.7.254
object network 10.100.69.21
 host 10.100.69.21
object network 10.100.69.180
 host 10.100.69.180
object network 10.100.69.52
 host 10.100.69.52
object network 10.100.3.241
 host 10.100.3.241
object network 10.100.69.35
 host 10.100.69.35
object network 10.100.69.42
 host 10.100.69.42
object network Support_RSBANK
 host 95.66.140.96
 description support_rsbank
object network RSbank_server
 host 10.100.3.241
object network Support_RSBANK_2
 host 82.202.161.83
object network VD_Server
 host 10.30.2.88
object network 95.169.99.106
 host 95.169.99.106
object network 95.169.99.104
 host 95.169.99.104
object network 95.169.99.108
 host 95.169.99.108
object network 95.169.99.107
 host 95.169.99.107
object network Artem_Outside
 host 31.132.155.171
object network 31.132.155.171
 host 31.132.155.171
object network 195.19.12.10
 host 195.19.12.10
object network 10.11.0.0
 subnet 10.11.0.0 255.255.0.0
object network 10.20.0.0
 subnet 10.20.0.0 255.255.0.0
object network 10.21.0.0
 subnet 10.21.0.0 255.255.0.0
object network 10.22.0.0
 subnet 10.22.0.0 255.255.0.0
object network 10.23.0.0
 subnet 10.23.0.0 255.255.0.0
object network 10.24.0.0
 subnet 10.24.0.0 255.255.0.0
object network 10.25.40.0
 subnet 10.25.40.0 255.255.255.0
object network 10.26.0.0
 subnet 10.26.0.0 255.255.0.0
object network 10.27.0.0
 subnet 10.27.0.0 255.255.0.0
object network 10.30.0.0
 subnet 10.30.0.0 255.255.0.0
object network 10.32.0.0
 subnet 10.32.0.0 255.255.0.0
object network 10.33.0.0
 subnet 10.33.0.0 255.255.0.0
object network 10.50.0.0
 subnet 10.50.0.0 255.255.0.0
object network 10.111.0.0
 subnet 10.111.0.0 255.255.0.0
object network 10.112.0.0
 subnet 10.112.0.0 255.255.0.0
object network 195.19.12.6
 host 195.19.12.6
object network 10.40.0.0
 subnet 10.40.0.0 255.255.0.0
object network 10.100.4.59
 host 10.100.4.59
object network iBANK
 host 109.232.250.90
object network FSSP
 host 95.173.157.48
object network 37.18.20.234
 host 37.18.20.234
object network 37.18.20.197
 host 37.18.20.197
object network 37.18.20.231
 host 37.18.20.231
object network Marianna
 host 10.100.67.96
object network 10.100.67.56
 host 10.100.67.56
object network 1C8RDP
 host 10.100.0.15
object network W2K8R2IIS
 host 10.100.0.54
object network MILI_Scoring
 subnet 37.18.20.0 255.255.255.0
object network Minkov
 host 31.132.155.171
object service score
 service tcp destination eq 8989
object service score_src
 service tcp source eq 8989
object network mttapi
 host 80.75.132.103
object network 10.100.67.74
 host 10.100.67.74
object network 176.99.4.174
 host 176.99.4.174
object network 176.99.6.90
 host 176.99.6.90
object network 151.248.118.155
 host 151.248.118.155
object network SMS_Traffic_Status
 host 213.248.59.122
object network winsrv12backup
 host 10.100.3.230
object network SMS_Traffic_Status_2
 host 212.92.99.146
object network SMS_Traffic_Status_3
 host 212.92.99.210
object service score_src_test
 service tcp source eq 8990
object service score_test
 service tcp destination eq 8990
object service score_src2
 service tcp source eq 9090
object service score2
 service tcp destination eq 9090
object-group network DM_INLINE_NETWORK_15
 network-object 10.0.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.0
object-group service RTP
 service-object object RTP_SIP
object-group network DM_INLINE_NETWORK_5
 network-object object Kalinina_Net
 network-object object Konsul_Net
 network-object object Memfis_Net
object-group service DM_INLINE_SERVICE_1
 service-object object imap
 service-object object imap_ssl
 service-object object pop3
 service-object object pop3_ssl
 service-object object smtp
 service-object object smtp_ssl
 service-object object web_mail
 service-object object sms
object-group service DM_INLINE_SERVICE_2
 service-object object imap
 service-object object imap_ssl
 service-object object pop3
 service-object object pop3_ssl
 service-object object smtp
 service-object object smtp_ssl
 service-object object web_mail
object-group service DM_INLINE_SERVICE_3
 service-object object ftp
 service-object object ftp_data
object-group service DM_INLINE_SERVICE_4
 service-object object rdp
 service-object object sharepoint_https
object-group network DM_INLINE_NETWORK_2
 network-object object MSK_Main
 network-object object SMO
object-group network DM_INLINE_NETWORK_3
 network-object object Aterisk_beeline
 network-object object Autoinform_beeline
object-group service DM_INLINE_SERVICE_5
 group-object RTP
 service-object udp destination eq bootpc
 service-object udp destination eq bootps
 service-object udp destination eq sip
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object unreachable
object-group network asterisk_beeline_ip
 network-object object Aterisk_beeline
 network-object object Autoinform_beeline
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_11
 network-object object DC1
 network-object object DC2
 network-object host 10.100.1.107
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object time-exceeded
 icmp-object unreachable
object-group network IP_USERS
 description ALL MBA USER INTERNET
 network-object object SMO(ADMINISTRATIVE)
 network-object object SMSSENDER
 network-object object KALININA(ADMINISTRATIVE)
 network-object object MEMFIS(ADMINISTRATIVE)
 network-object object Limited_IPs_Kalinina
 network-object object Limited_IPs_Memfis
object-group network Terminal's_Servers
 network-object object WINSRV12RDP1
 network-object object WINSRV12RDP10
 network-object object WINSRV12RDP11
 network-object object WINSRV12RDP12
 network-object object WINSRV12RDP13
 network-object object WINSRV12RDP14
 network-object object WINSRV12RDP15
 network-object object WINSRV12RDP16
 network-object object WINSRV12RDP2
 network-object object WINSRV12RDP3
 network-object object WINSRV12RDP4
 network-object object WINSRV12RDP5
 network-object object WINSRV12RDP6
 network-object object WINSRV12RDP7
 network-object object WINSRV12RDP8
 network-object object WINSRV12RDP9
object-group network DM_INLINE_NETWORK_4
 group-object IP_USERS
 group-object Terminal's_Servers
object-group network IP_with_Internet
 network-object object MEMFIS(SRV_AND_NET)
 network-object object MSK(ADMINISTRATIVE)
 network-object object SMO(ADMINISTRATIVE)
 network-object object SMO(SRV_AND_NET)
 network-object object KALININA(SRV_AND_NET)
 network-object object Redis
 network-object object SMSSENDER
 network-object object gitlab
 network-object object KALININA(ADMINISTRATIVE)
 network-object object MEMFIS(ADMINISTRATIVE)
 network-object object 10.100.3.52
 network-object object trade_server
 network-object object 10.100.69.42
 network-object object 10.100.4.59
 network-object object erptest
object-group network Limited_IPs_All
 network-object object Limited_IPs_Kalinina
 network-object object Limited_IPs_Memfis
object-group network DM_INLINE_NETWORK_8
 group-object IP_with_Internet
 network-object object RD2
 group-object Limited_IPs_All
object-group network DM_INLINE_NETWORK_12
 network-object 0.0.0.0 0.0.0.0
 network-object object Shareman
object-group network DM_INLINE_NETWORK_7
 network-object object MSK_Main
 network-object object MSK_Reserve
object-group service DM_INLINE_TCP_9 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_UDP_1 udp
 port-object eq 4500
 port-object eq isakmp
object-group service DM_INLINE_UDP_2 udp
 port-object eq 4500
 port-object eq isakmp
object-group network SIP_Service_Provider
 network-object object FAX
 network-object object Interlin
 network-object object MTT
 network-object object MTT_ufa
 network-object object MTT_ym
 network-object object Power
 network-object object Zebra
object-group network DM_INLINE_NETWORK_13
 network-object object MBAFIN_GUEST
 network-object object MBA_Nets
 network-object object SQUID
 network-object object FreeRadius
 network-object object TRADE_NETWOKR
object-group network DM_INLINE_NETWORK_9
 network-object object Aterisk_beeline
 network-object object Autoinform_beeline
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object range 10000 65535
 port-object eq sip
object-group network DM_INLINE_NETWORK_14
 network-object object MBAFIN_GUEST
 network-object object MBA_Nets
 network-object object SQUID
 network-object object FreeRadius
 network-object object TRADE_NETWOKR
object-group service mail tcp
 port-object eq 465
 port-object eq 993
 port-object eq 995
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq 32000
object-group service DM_INLINE_TCP_7 tcp
 port-object eq 8000
 port-object eq 8001
object-group network CZ_Nets
 network-object object 10.11.0.0
 network-object object 10.111.0.0
 network-object object 10.112.0.0
 network-object object 10.20.0.0
 network-object object 10.21.0.0
 network-object object 10.22.0.0
 network-object object 10.23.0.0
 network-object object 10.24.0.0
 network-object object 10.26.0.0
 network-object object 10.27.0.0
 network-object object 10.30.0.0
 network-object object 10.32.0.0
 network-object object 10.33.0.0
 network-object object 10.50.0.0
 network-object object 10.40.0.0
 network-object object 10.25.40.0
object-group network DM_INLINE_NETWORK_1
 group-object Limited_IPs_All
 group-object IP_with_Internet
 network-object object MBAFIN_GUEST
 network-object object VPN
 group-object Terminal's_Servers
 network-object object RD2
 group-object CZ_Nets
object-group network DM_INLINE_NETWORK_6
 network-object object KALININA(SRV_AND_NET)
 network-object object MEMFIS(SRV_AND_NET)
 network-object object SMO(SRV_AND_NET)
object-group service Aster_rtp udp
 port-object range 10000 20000
object-group network DM_INLINE_NETWORK_10
 network-object object DC1
 network-object object DC2
 network-object host 10.100.1.107
object-group service DM_INLINE_SERVICE_6
 group-object RTP
 service-object udp destination eq bootpc
 service-object udp destination eq bootps
 service-object udp destination eq sip
object-group service DM_INLINE_SERVICE_7
 group-object RTP
 service-object tcp-udp destination eq domain
 service-object udp destination eq bootpc
 service-object udp destination eq bootps
 service-object udp destination eq sip
object-group network Bypass_The_Firepower
 network-object object FreeRadius
 network-object object Freeradius_res
 network-object object Icewarp
 network-object object Search
 network-object object Fileserver
 network-object object Dosugova
 network-object object iBANK
 network-object object TRADE_NETWOKR
 network-object object 1C8RDP
 network-object object mttapi
object-group user sf
 description dsf
 user LOCAL\admin
object-group network DM_INLINE_NETWORK_18
 network-object object VostokFinance_1
 network-object object VostokFinance_2
 network-object object VostokFinance_3
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network Telemarket
 network-object object 195.19.12.10
 network-object object 195.19.12.6
 network-object object 37.18.20.197
 network-object object 37.18.20.231
 network-object object 37.18.20.234
object-group service KMS_SER tcp-udp
 port-object eq 1688
object-group service DM_INLINE_UDP_3 udp
 port-object range 10000 20000
 port-object eq sip
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_16
 network-object host 10.100.0.50
 network-object host 10.100.0.51
 network-object host 10.100.0.66
 network-object object Redis
 network-object object erptest
object-group network RS_Bank_support_group
 network-object object Support_RSBANK
 network-object object Support_RSBANK_2
object-group network SMS
 network-object object 95.169.99.106
 network-object object 95.169.99.104
 network-object object 95.169.99.108
 network-object object SMS_Traffic_prov
 network-object object 95.169.99.107
 network-object object SMS_Traffic_Status
 network-object object SMS_Traffic_Status_2
 network-object object SMS_Traffic_Status_3
object-group network DM_INLINE_NETWORK_17
 network-object object Kalinina_Net
 network-object object Other_Memfis_Net
object-group network Scoring
 network-object object MILI_Scoring
 network-object object Minkov
 network-object object 176.99.4.174
 network-object object 176.99.6.90
 network-object object 151.248.118.155
object-group service DM_INLINE_SERVICE_8
 service-object object score
 service-object object score_test
 service-object object score2
access-list web-traffic extended permit ip object-group DM_INLINE_NETWORK_5 any
access-list squid extended permit ip object SQUID any
access-list Local_Net standard permit 10.100.0.0 255.255.0.0
access-list L2TP_group_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0
access-list mba-vpn_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.100.0.0 255.255.0.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 10.90.90.0 255.255.255.0
access-list mba-vpn_splitTunnelAcl_1 standard permit 10.100.0.0 255.255.0.0
access-list easy-vpn_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0
access-list Outside_Beeline_access_in remark Allow traceroute cmd
access-list Outside_Beeline_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable
access-list Outside_Beeline_access_in extended deny ip object-group SPAM any4
access-list Outside_Beeline_access_in extended permit object-group DM_INLINE_SERVICE_2 any object Icewarp
access-list Outside_Beeline_access_in extended permit ip any object-group DM_INLINE_NETWORK_3
access-list Outside_Beeline_access_in extended permit object-group TCPUDP object-group SIP_Service_Provider object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCPUDP_1
access-list Outside_Ertel_access_in remark Allow traceroute cmd
access-list Outside_Ertel_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log disable
access-list Outside_Ertel_access_in extended deny ip object-group SPAM any4
access-list Outside_Ertel_access_in extended permit object-group DM_INLINE_SERVICE_1 any object Icewarp
access-list Outside_Ertel_access_in extended permit object-group DM_INLINE_SERVICE_3 any object Fileserver
access-list Outside_Ertel_access_in extended permit object-group DM_INLINE_SERVICE_8 object-group Scoring object W2K8R2IIS
access-list Outside_Ertel_access_in extended permit object sms object-group SMS object Search
access-list Outside_Ertel_access_in extended permit tcp object CZinvest object Sharepoint eq 8088 inactive
access-list Outside_Ertel_access_in extended permit object-group DM_INLINE_SERVICE_4 object Shareman object Sharepoint
access-list Outside_Ertel_access_in extended permit tcp object Shareman object Sharepoint eq https
access-list Outside_Ertel_access_in extended permit tcp any object logicinvest eq www inactive
access-list Outside_Ertel_access_in extended permit object http_dst_telemarket object-group Telemarket object Search
access-list Outside_Ertel_access_in extended permit object rdp object-group RS_Bank_support_group object RSbank_server
access-list SQUID_Redirect extended deny tcp 10.100.0.0 255.255.0.0 host 10.100.60.2 eq www
access-list SQUID_Redirect extended permit ip object RD2 any
access-list SQUID_Redirect extended permit ip object-group DM_INLINE_NETWORK_6 any
access-list SQUID_Redirect extended deny tcp object-group IP_USERS any eq www
access-list Outside_Ertel_mpc_13 extended permit ip object RD2 object MSK_NEW inactive
access-list Outside_Ertel_mpc_13 extended permit object-group DM_INLINE_SERVICE_5 object MBA_Nets object MSK_NEW
access-list Outside_Ertel_mpc_13 extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_10 any eq domain
access-list Outside_Ertel_mpc_13 extended permit ip object TRADE_NETWOKR any
access-list Inside_mpc extended permit tcp any object-group DM_INLINE_TCP_9 object MBA_Nets
access-list Outside_Ertel_mpc_14 extended permit object-group DM_INLINE_PROTOCOL_1 object-group IP_USERS any range 1025 65535
access-list Outside_Beeline_mpc_4 extended permit object-group DM_INLINE_SERVICE_6 object MBA_Nets object MSK_NEW
access-list Outside_Beeline_mpc_4 extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_11 any eq domain
access-list Outside_Beeline_mpc_4 extended permit object-group TCPUDP object-group asterisk_beeline_ip eq sip any eq sip
access-list Outside_Beeline_mpc_4 extended permit udp object-group asterisk_beeline_ip any range 10000 40000
access-list Outside_Beeline_mpc_10 extended permit object-group TCPUDP object-group IP_USERS any range 1 1024
access-list Outside_Beeline_mpc_11 extended permit object-group TCPUDP object-group IP_USERS any range 1025 65535
access-list Inside_access_in extended permit tcp object-group Terminal's_Servers any object-group DM_INLINE_TCP_1
access-list Inside_access_in extended permit ip object-group Terminal's_Servers host 193.232.167.126
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_8 any
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_17 object trade_server
access-list Inside_access_in extended permit ip object MBAFIN_GUEST any
access-list Inside_access_in extended permit ip object Icewarp any
access-list Inside_access_in extended permit ip object erptest any
access-list Inside_access_in extended permit ip object iDRAC any
access-list Inside_mpc_1 extended permit tcp any object Icewarp object-group mail
access-list Inside_mpc_2 extended permit tcp any object Search object-group DM_INLINE_TCP_7
access-list Beeline_pool_mpc extended permit object-group TCPUDP any eq sip object Aterisk_beeline eq sip
access-list Beeline_pool_mpc_1 extended permit object-group TCPUDP any range 10000 65535 object Aterisk_beeline range 10000 65535
access-list Outside_Ertel_mpc extended permit object-group DM_INLINE_PROTOCOL_1 object-group IP_USERS any range 1 1024
access-list Outside_Ertel_mpc_1 extended permit ip object All_MBA_Nets object MSK_NEW
access-list SMO_VLAN_mpc extended permit udp object SMO object-group DM_INLINE_UDP_2 object Cisco_interface_for_SMO object-group DM_INLINE_UDP_1
access-list global_mpc extended permit ip object All_MBA_Nets any
access-list Outside_Ertel_cryptomap_4 extended permit udp object DC1 object MSK_NEW_WiFi
access-list Outside_Ertel_cryptomap_4 extended permit ip object DC1 object J.J.J.J
access-list Outside_Ertel_cryptomap_4 extended permit ip object MBA_Nets object MSK_NEW
access-list Outside_Ertel_cryptomap_4 extended permit ip object VPN_NET object MSK_NEW
access-list Outside_Ertel_cryptomap_4 extended permit ip object 10.111.0.0 object MSK_NEW
access-list Outside_Ertel_cryptomap_3 extended permit ip object MBA_Nets object MSK_NEW
access-list global_mpc_2 extended deny ip object-group Bypass_The_Firepower any
access-list global_mpc_2 extended deny ip any object-group Bypass_The_Firepower
access-list global_mpc_2 extended deny ip object TRADE_NETWOKR object Asterisk_local
access-list global_mpc_2 extended permit ip object-group DM_INLINE_NETWORK_1 any4
access-list global_mpc_2 extended permit ip any4 object All_MBA_Nets
access-list Outside_Beeline_mpc extended permit ip object All_MBA_Nets object MSK_NEW
access-list Inside_mpc_4 extended permit ip object MSK_NEW object MBA_Nets
access-list Inside_mpc_3 extended permit object-group DM_INLINE_SERVICE_7 object MSK_NEW object MBA_Nets
access-list Inside_mpc_3 extended permit ip any object TRADE_NETWOKR
access-list Outside_Ertel_cryptomap_65535.65535 extended permit ip any any
access-list VostokFinance extended permit ip 10.100.48.0 255.255.248.0 object-group DM_INLINE_NETWORK_15
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list RestrictedVPN extended permit tcp any object gitlab eq www
access-list RestrictedVPN extended permit tcp any object gitlab eq ssh
access-list RestrictedVPN extended permit object-group TCPUDP any object DC1 eq domain
access-list RestrictedVPN extended permit ip any object-group DM_INLINE_NETWORK_16
access-list RestrictedVPN extended permit tcp any host 10.100.0.35 eq 1433
access-list Allow_All_VPN extended permit ip any object MBA_Nets
access-list Inside_mpc_5 extended permit ip any object Fileserver
access-list TEST_ETAP_IP standard permit host 10.100.67.63
access-list Trade_access_in extended permit udp object TRADE_NETWOKR object Asterisk_local object-group DM_INLINE_UDP_3
access-list Trade_access_in extended permit object-group TCPUDP object trade_server object DC2 object-group KMS_SER
access-list Trade_access_in extended permit ip object TRADE_NETWOKR object Icewarp
access-list Trade_access_in extended deny ip object TRADE_NETWOKR object MBA_Nets
access-list Trade_access_in extended permit ip object TRADE_NETWOKR any
access-list SYSADMIN4 standard permit host 10.100.67.71
access-list SYSADMIN4 standard permit host 10.100.1.103
access-list Redirect_test extended permit ip host 10.100.1.107 any
access-list Redirect_test extended permit ip host 10.100.1.234 any
access-list Redirect_test extended permit ip host 10.100.1.102 any
access-list Outside_Ertel_cryptomap_10 extended permit ip object TRADE_NETWOKR object VD_Server
access-list Outside_Ertel_CZ extended permit ip object MBA_Nets object-group CZ_Nets
pager lines 24
logging enable
logging emblem
logging trap errors
logging asdm debugging
logging facility 17
logging device-id ipaddress Inside
logging host SQUID 10.10.10.11 format emblem
logging class auth trap informational
logging class ids trap debugging
logging class sys trap warnings
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational
mtu Inside 1500
mtu Outside_Ertel 1500
mtu Outside_Beeline 1500
mtu Administrative 1500
mtu SQUID 1500
mtu Beeline_pool 1500
mtu Beeline_pool_2 1500
mtu Trade 1500
mtu 3com_Management 1500
mtu Management 1500
no failover
no monitor-interface SQUID
no monitor-interface Beeline_pool
no monitor-interface Beeline_pool_2
no monitor-interface Trade
no monitor-interface service-module
icmp unreachable rate-limit 10 burst-size 1
asdm image disk0:/asdm-791.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Outside_Ertel,Outside_Ertel) source static VPN_NET VPN_NET destination static MSK_NEW MSK_NEW no-proxy-arp route-lookup
nat (Inside,Outside_Ertel) source static MBA_Nets MBA_Nets destination static VPN_NET VPN_NET no-proxy-arp route-lookup
nat (Inside,Outside_Ertel) source static MBA_Nets MBA_Nets destination static MSK_local MSK_local no-proxy-arp route-lookup description MSK Identity NAT
nat (Inside,Outside_Ertel) source static MBA_Nets MBA_Nets destination static MSK_wifi MSK_wifi no-proxy-arp route-lookup description MSK Wi-Fi Identity NAT
nat (Trade,Outside_Ertel) source static TRADE_NETWOKR TRADE_NETWOKR destination static VD_Server VD_Server no-proxy-arp route-lookup description VD Identity
nat (Inside,Outside_Ertel) source static MBA_Nets MBA_Nets destination static MSK_wifi_NEW MSK_wifi_NEW no-proxy-arp route-lookup
nat (Inside,Outside_Beeline) source static MBA_Nets MBA_Nets destination static MSK_wifi_NEW MSK_wifi_NEW no-proxy-arp route-lookup
nat (Inside,Outside_Ertel) source static MBA_Nets MBA_Nets destination static MSK_NEW MSK_NEW no-proxy-arp route-lookup
nat (Inside,Outside_Beeline) source static MBA_Nets MBA_Nets destination static MSK_NEW MSK_NEW no-proxy-arp route-lookup
nat (any,Outside_Ertel) source static MBA_Nets MBA_Nets destination static CZ_Nets CZ_Nets no-proxy-arp route-lookup
nat (Inside,Outside_Ertel) source static Icewarp interface service web_mail_src web_mail_src no-proxy-arp description PORT MAP MAIL 32000
nat (Inside,Outside_Ertel) source static Icewarp interface service smtp_src smtp_src no-proxy-arp description PORT MAP SMTP 25
nat (Inside,Outside_Ertel) source static Icewarp interface service smtp_ssl_src smtp_ssl_src no-proxy-arp description PORT MAP SMTP 465
nat (Inside,Outside_Ertel) source static Icewarp interface service imap_src imap_src no-proxy-arp description PORT MAP IMAP 143
nat (Inside,Outside_Ertel) source static Icewarp interface service imap_ssl_src imap_ssl_src no-proxy-arp description PORT MAP IMAP 993
nat (Inside,Outside_Ertel) source static Icewarp interface service pop3_src pop3_src no-proxy-arp description PORT MAP POP3 110
nat (Inside,Outside_Ertel) source static Icewarp interface service pop3_ssl_src pop3_ssl_src no-proxy-arp description PORT MAP POP3 995
nat (Inside,Outside_Ertel) source static Search interface service sms_src sms_src no-proxy-arp description PORT MAP SMS 8000-8001
nat (Inside,Outside_Ertel) source static Search interface destination static Telemarket Telemarket service http_src_telemarket http_src_telemarket no-proxy-arp description PORT MAP Telemarket 4546
nat (Inside,Outside_Ertel) source static logicinvest interface service http_src fake_http_src no-proxy-arp inactive description PORT MAP LOGICINVEST HTTP 5050
nat (Inside,Outside_Ertel) source static Sharepoint interface destination static Shareman Shareman service rdp_src fake_rdp_src no-proxy-arp description PORT MAP SHAREPOINT RDP 5589
nat (Inside,Outside_Ertel) source static Sharepoint interface destination static Shareman Shareman service https_src https_444_src no-proxy-arp
nat (Inside,Outside_Ertel) source static RSbank_server interface destination static RS_Bank_support_group RS_Bank_support_group service rdp_src fake_rdp_src no-proxy-arp description PORT MAP RSBank RDP 5589
nat (Inside,Outside_Ertel) source static Fileserver interface service ftp_src ftp_src no-proxy-arp
nat (Inside,Outside_Ertel) source static Fileserver interface service ftps_src ftps_src no-proxy-arp
nat (Inside,Outside_Beeline) source
static Icewarp interface service smtp_src smtp_src no-proxy-arp description PORT MAP SMTP 25 nat (Inside,Outside_Beeline) source static Icewarp interface service smtp_ssl_src smtp_ssl_src no-proxy-arp description PORT MAP SMTP 465 nat (Inside,Outside_Beeline) source static Icewarp interface service imap_src imap_src no-proxy-arp description PORT MAP IMAP 143 nat (Inside,Outside_Beeline) source static Icewarp interface service imap_ssl_src imap_ssl_src no-proxy-arp description PORT MAP IMAP 993 nat (Inside,Outside_Beeline) source static Icewarp interface service pop3_src pop3_src no-proxy-arp description PORT MAP POP3 110 nat (Inside,Outside_Beeline) source static Icewarp interface service pop3_ssl_src pop3_ssl_src no-proxy-arp description PORT MAP POP3 995 nat (Inside,Outside_Beeline) source static Icewarp interface service web_mail_src web_mail_src no-proxy-arp description PORT MAP MAIL 32000 nat (Inside,Outside_Ertel) source static W2K8R2IIS interface destination static Scoring Scoring service score_src score_src no-proxy-arp description SCORING nat (Inside,Outside_Ertel) source static W2K8R2IIS interface destination static Scoring Scoring service score_src2 score_src2 no-proxy-arp description SCORING nat (Inside,Outside_Ertel) source static W2K8R2IIS interface destination static Scoring Scoring service score_src_test score_src_test no-proxy-arp description SCORING_TEST ! nat (any,Outside_Ertel) after-auto source dynamic DM_INLINE_NETWORK_14 interface description PAT Ertel nat (any,Outside_Beeline) after-auto source dynamic DM_INLINE_NETWORK_13 interface description PAT Beeline access-group Inside_access_in in interface Inside access-group Outside_Ertel_access_in in interface Outside_Ertel access-group Outside_Beeline_access_in in interface Outside_Beeline access-group Trade_access_in in interface Trade ! route-map Beeline_pool permit 1 match interface Beeline_pool set ip dscp ef set ip next-hop H.H.H.H ! 
route Outside_Ertel 0.0.0.0 0.0.0.0 I.I.I.I 1 track 1
route Outside_Beeline 0.0.0.0 0.0.0.0 H.H.H.H 2
route Inside 10.90.90.0 255.255.255.0 172.17.1.38 1
route Inside 10.90.92.0 255.255.255.0 172.17.1.38 1
route Inside 10.100.0.0 255.255.224.0 172.17.1.38 1
route Inside 10.100.48.0 255.255.248.0 172.17.1.38 1
route Inside 10.100.58.0 255.255.255.0 172.17.1.38 1
route Inside 10.100.64.0 255.255.192.0 172.17.1.38 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server DC_RADIUS protocol radius
aaa-server DC_RADIUS (Inside) host 10.100.0.2
 key ytepyftim
 authentication-port 1812
 accounting-port 1813
 radius-common-pw ytepyftim
aaa-server LDAP protocol ldap
 max-failed-attempts 2
aaa-server LDAP (Inside) host 10.100.0.2
 ldap-base-dn DC=local,DC=test
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password XXXXXXXX
 ldap-login-dn CN=ASA,CN=Users,DC=local,DC=test
 server-type microsoft
no user-identity enable
user-identity default-domain LOCAL
user-identity action netbios-response-fail remove-user-ip
user-identity inactive-user-timer minutes 120
user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed
user-identity poll-import-user-group-timer hours 1
user-identity user-not-found enable
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.100.0.0 255.255.224.0 Management
http 10.100.64.0 255.255.192.0 Management
http 10.100.0.0 255.255.0.0 3com_Management
http 10.100.64.0 255.255.192.0 Beeline_pool_2
http 10.100.0.0 255.255.0.0 Inside
http redirect Outside_Ertel 80
http redirect Outside_Beeline 80
snmp-server host Inside 10.100.0.254 community public version 2c
no snmp-server location
no snmp-server contact
sla monitor 1
 type echo protocol ipIcmpEcho I.I.I.I interface Outside_Ertel
 num-packets 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_Ertel_map 2 match address Outside_Ertel_cryptomap_4
crypto map Outside_Ertel_map 2 set peer J.J.J.J
crypto map Outside_Ertel_map 2 set ikev1 transform-set ESP-AES-128-MD5
crypto map Outside_Ertel_map 2 set security-association lifetime seconds 3600
crypto map Outside_Ertel_map 10 match address Outside_Ertel_cryptomap_10
crypto map Outside_Ertel_map 10 set pfs
crypto map Outside_Ertel_map 10 set peer K.K.K.K
crypto map Outside_Ertel_map 10 set ikev1 transform-set ESP-AES-128-MD5
crypto map Outside_Ertel_map 10 set security-association lifetime seconds 1800
crypto map Outside_Ertel_map 20 match address Outside_Ertel_CZ
crypto map Outside_Ertel_map 20 set pfs
crypto map Outside_Ertel_map 20 set peer L.L.L.L
crypto map Outside_Ertel_map 20 set ikev1 transform-set ESP-AES-128-SHA
crypto map Outside_Ertel_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_Ertel_map interface Outside_Ertel
crypto map Outside_Ertel_map interface Outside_Beeline
crypto ca trustpoint ASDM_TrustPoint0-1
 validation-usage ipsec-client ssl-client ssl-server
 crl configure
crypto ca trustpoint ASDM_TrustPoint1_vpn
 keypair ASDM_TrustPoint1_vpn
 crl configure
crypto ca trustpoint ASDM_TrustPoint1_vpn-1
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=172.17.1.37,CN=webvpn
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpoint ASDM_TrustPoint1_webvpn
 enrollment terminal
 subject-name CN=webvpn.mbafin.ru,C=RU
 keypair WEBVPN
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint_COMODO
 keypair ASDM_TrustPoint_COMODO
 crl configure
crypto ca trustpoint ASDM_TrustPoint_COMODO-1
 crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside_Ertel client-services port 443
crypto ikev2 enable Outside_Beeline client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1_vpn
crypto ikev1 enable Outside_Ertel
crypto ikev1 enable Outside_Beeline
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 48000
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
client-update enable
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 10.100.0.0 255.255.0.0 Inside
ssh 10.100.64.0 255.255.192.0 Beeline_pool_2
ssh 10.100.0.0 255.255.0.0 3com_Management
ssh 10.100.0.0 255.255.0.0 Management
ssh timeout 15
ssh version 1 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 750
vpn load-balancing
 interface lbpublic Outside_Ertel
 interface lbprivate Inside
priority-queue Inside
priority-queue Outside_Ertel
priority-queue Outside_Beeline
priority-queue 3com_Management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface Outside_Ertel
dynamic-filter enable interface Outside_Beeline
dynamic-filter drop blacklist interface Outside_Ertel
dynamic-filter drop blacklist interface Outside_Beeline
dynamic-filter whitelist
 address 109.232.250.90 255.255.255.255
 address 87.118.199.38 255.255.255.255
 name www.bankvrn.ru
 name ibank.bankvrn.ru
dynamic-filter blacklist
 name yaplakal.com
 name pikabu.ru
 name yaplakal.ru
 name yap.ru
 name yaplakal.com.ru
ntp server 10.100.0.2
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Inside
ssl trust-point ASDM_TrustPoint_COMODO Outside_Ertel
ssl trust-point ASDM_TrustPoint_COMODO Outside_Beeline
ssl trust-point ASDM_TrustPoint_COMODO Beeline_pool_2
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Inside vpnlb-ip
ssl trust-point ASDM_TrustPoint_COMODO domain vpn.mbafin.ru
webvpn
 enable Outside_Ertel
 enable Outside_Beeline
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 7
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 9
 anyconnect image disk0:/anyconnect-linux-3.1.14018-k9.pkg 10
 anyconnect image disk0:/anyconnect-linux-64-3.1.14018-k9.pkg 11
 anyconnect profiles AnyConnect_client_profile disk0:/anyconnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 smart-tunnel network RD host rd.mbaru.ru
 smart-tunnel notification-icon
 cache
  disable
 error-recovery disable
 ssl-server-check warn-on-failure
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.100.0.2
 vpn-tunnel-protocol ikev2
 default-domain value mbaru.ru
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2
group-policy easy-vpn internal
group-policy easy-vpn attributes
 dns-server value 10.100.0.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value easy-vpn_splitTunnelAcl
 default-domain value mbaru.ru
group-policy GroupPolicy_J.J.J.J internal
group-policy GroupPolicy_J.J.J.J attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 10.100.0.2
 vpn-idle-timeout 600
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
 default-domain value mbaru.ru
 split-dns value 10.100.0.2
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
group-policy GroupPolicy_K.K.K.K internal
group-policy GroupPolicy_K.K.K.K attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_L.L.L.L internal
group-policy GroupPolicy_L.L.L.L attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy ClientlessGroupPolicy internal
group-policy ClientlessGroupPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record RestrictedVPN
 network-acl RestrictedVPN
 priority 1
dynamic-access-policy-record "Allow All"
 network-acl Allow_All_VPN
quota management-session 100
username admin password 0on4306YzAN5BlzQ encrypted privilege 15
username root password EoNvB9LxLeNFLMGs1HmcLQ== nt-encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_POOL_TEST
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key heslox
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN_IP_POOL_TEST
 authentication-server-group LDAP
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
tunnel-group easy-vpn type remote-access
tunnel-group easy-vpn general-attributes
 address-pool VPN_IP_POOL_TEST
 authentication-server-group LDAP
 default-group-policy easy-vpn
tunnel-group easy-vpn ipsec-attributes
 ikev1 pre-shared-key Qq123123
tunnel-group J.J.J.J type ipsec-l2l
tunnel-group J.J.J.J general-attributes
 default-group-policy GroupPolicy_J.J.J.J
tunnel-group J.J.J.J ipsec-attributes
 ikev1 pre-shared-key heslox
tunnel-group K.K.K.K type ipsec-l2l
tunnel-group K.K.K.K general-attributes
 default-group-policy GroupPolicy_K.K.K.K
tunnel-group K.K.K.K ipsec-attributes
 ikev1 pre-shared-key heslox
tunnel-group L.L.L.L type ipsec-l2l
tunnel-group L.L.L.L general-attributes
 default-group-policy GroupPolicy_L.L.L.L
tunnel-group L.L.L.L ipsec-attributes
 ikev1 pre-shared-key heslox
tunnel-group MBAFServices type remote-access
tunnel-group MBAFServices general-attributes
 authentication-server-group LDAP
 default-group-policy ClientlessGroupPolicy
tunnel-group MBAFServices webvpn-attributes
 customization MBAFServices
 group-alias JetMoneySevices enable
 group-alias MBAFServices disable
!
class-map HTTP_IN
 match access-list Inside_mpc
class-map ASTER_RTP_IN
 match access-list Beeline_pool_mpc_1
class-map Outside_Ertel-class-shape
 match access-list Outside_Ertel_mpc_14
class-map IPSEC_SMO
 match access-list SMO_VLAN_mpc
class-map type regex match-any SiteBlackList
 match regex domainlis
class-map type inspect http match-all URLClass
 match response header allow regex class SiteBlackList
class-map Outside_Beeline-class-shape
 match access-list Outside_Beeline_mpc_11
class-map ASTER_SIGNAL_IN
 match access-list Beeline_pool_mpc
class-map CX_Proxy
 match access-list global_mpc_2
class-map type regex match-any Regex
 match regex _default_gnu-http-tunnel_arg
 match regex _default_firethru-tunnel_1
 match regex _default_firethru-tunnel_2
 match regex _default_msn-messenger
 match regex _default_GoToMyPC-tunnel_2
 match regex _default_windows-media-player-tunnel
 match regex _default_x-kazaa-network
 match regex _default_shoutcast-tunneling-protocol
 match regex _default_gator
 match regex _default_aim-messenger
 match regex _default_gnu-http-tunnel_uri
 match regex _default_http-tunnel
 match regex _default_httport-tunnel
 match regex _default_GoToMyPC-tunnel
 match regex _default_icy-metadata
 match regex _default_yahoo-messenger
class-map STATUS_IN
 match access-list Inside_mpc_2
class-map Outside_Beeline-class-shape-first
 match access-list Outside_Beeline_mpc_10
class-map MAIL_IN
 match access-list Inside_mpc_1
class-map Outside_Ertel-class-shape-first
 match access-list Outside_Ertel_mpc
class-map Inside-class-prio
 match access-list Inside_mpc_3
class-map Outside_Ertel-class-shape-msk
 match access-list Outside_Ertel_mpc_1
class-map FTP_IN
 match access-list Inside_mpc_5
class-map Inside-class-shape-msk
 match access-list Inside_mpc_4
class-map DM_INLINE_Child-Class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map Outside_Beeline-class_shape-msk
 match access-list Outside_Beeline_mpc
class-map type inspect http match-all asdm_high_security_methods
 match not request method get
 match not request method head
class-map Outside_Beeline-class-priority
 match access-list Outside_Beeline_mpc_4
class-map Outside_Ertel-class-priority
 match access-list Outside_Ertel_mpc_13
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect im IM
 parameters
 match protocol msn-im yahoo-im
  drop-connection log
policy-map DM_INLINE_Child-Policy
 class DM_INLINE_Child-Class
  priority
policy-map Inside-policy
 class Inside-class-prio
  priority
 class FTP_IN
  priority
 class Inside-class-shape-msk
  police output 15000000 15000
 class MAIL_IN
  police output 10000000 5000
 class HTTP_IN
  police output 30000000 15000
 class STATUS_IN
  police output 10000000 150000
 class class-default
  police output 30000000 15000
policy-map type inspect gtp default_gtp_map
 parameters
policy-map global_policy
 class inspection_default
  inspect ctiqbe
  inspect dcerpc
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect ils
  inspect ip-options
  inspect mgcp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
  inspect icmp error
  inspect pptp
  inspect dns preset_dns_map dynamic-filter-snoop
  inspect gtp default_gtp_map
 class CX_Proxy
  sfr fail-open
policy-map type inspect http http_inspection
 parameters
  protocol-violation action drop-connection log
 class URLClass
  reset log
policy-map Beeline_pool-policy
 class ASTER_SIGNAL_IN
  priority
 class ASTER_RTP_IN
  priority
policy-map Outside_Beeline-policy
 class Outside_Beeline-class-priority
  priority
 class Outside_Beeline-class_shape-msk
  police output 15000000 15000
 class Outside_Beeline-class-shape-first
  set connection per-client-max 1000 per-client-embryonic-max 100
  set connection timeout idle 0:30:00 dcd 0:15:00 5
  police output 15000000 150000
 class Outside_Beeline-class-shape
  set connection per-client-max 1500 per-client-embryonic-max 300
  set connection timeout idle 0:30:00 dcd 0:15:00 5
  police output 10000000 1000000
 class class-default
  police output 15000000 15000
policy-map Outside_Ertel-policy
 class Outside_Ertel-class-priority
  priority
 class Outside_Ertel-class-shape-msk
  police output 15000000 150000
 class Outside_Ertel-class-shape-first
  police output 10000000 150000
  set connection per-client-max 1000 per-client-embryonic-max 100
  set connection timeout idle 0:30:00 dcd 0:15:00 5
 class Outside_Ertel-class-shape
  set connection per-client-max 1500 per-client-embryonic-max 300
  set connection timeout idle 0:30:00 dcd 0:15:00 5
  police output 10000000 150000
 class class-default
  police output 150000000 75000
policy-map type inspect http P2P
 parameters
  protocol-violation action drop-connection log
 class asdm_high_security_methods
  drop-connection
 match request header non-ascii
  drop-connection
 match request uri regex class Regex
  drop-connection log
policy-map SMO_VLAN-policy
 class IPSEC_SMO
  priority
!
service-policy global_policy global
service-policy Inside-policy interface Inside
service-policy Outside_Ertel-policy interface Outside_Ertel
service-policy Outside_Beeline-policy interface Outside_Beeline
: end