: Serial Number: FCH20867ND8
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(2)4
!
hostname BB-Borewall-FW
domain-name bbds.balfreybar.com
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 security-level 0
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 channel-group 2 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 channel-group 2 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 description *OUTSIDE ISP*
 nameif Outside
 security-level 0
 ip address 38.218.44.42 255.255.255.248
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
 description ***Uplink to BB-Borewall switch ***
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.10
 description ***BB-Data-VLAN***
 vlan 10
 nameif DATA
 security-level 100
 ip address 10.16.9.1 255.255.255.0
!
interface Port-channel1.20
 description ***BB-Voice-VLAN***
 vlan 20
 nameif VOICE
 security-level 90
 ip address 10.16.8.129 255.255.255.128
!
interface Port-channel1.30
 description ***BB-WIFI-AP-VLAN***
 vlan 30
 nameif WIFI-AP
 security-level 50
 ip address 10.16.8.33 255.255.255.224
!
interface Port-channel1.50
 description ***BB-Network Management-VLAN***
 vlan 50
 nameif Network-Management
 security-level 99
 ip address 10.16.8.1 255.255.255.224
!
interface Port-channel1.500
 description ***BB-Server-VLAN***
 vlan 500
 nameif Servers
 security-level 98
 ip address 10.16.8.65 255.255.255.192
!
interface Port-channel2
 description ***Uplink to Switch***
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address
!
interface Port-channel2.100
 description *** AM-DATA-VLAN***
 vlan 100
 nameif AM-VLAN
 security-level 10
 ip address 192.168.2.1 255.255.255.0
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name bbds.balfreybar.com
object network OBJ-Borewall
 subnet 10.16.8.0 255.255.254.0
 description Borewall-LAN
object network OBJ-Balfrey
 subnet 10.0.0.0 255.0.0.0
 description Balfrey-Network
object network OBJ-Oracle-subnet-1
 subnet 141.143.0.0 255.255.0.0
object network OBJ-Oracle-subnet-2
 subnet 141.147.0.0 255.255.0.0
object network AM-LAN
 subnet 192.168.2.0 255.255.255.0
object network BB-Data
 subnet 10.16.9.0 255.255.255.0
object network BB-Servers
 subnet 10.16.8.64 255.255.255.192
object network BB-Voice
 subnet 10.16.8.128 255.255.255.128
object network BB-WIFI-AP
 subnet 10.16.8.32 255.255.255.224
object network Network-Management
 subnet 10.16.8.0 255.255.255.224
object network Streetworks
 range 192.168.2.8 192.168.2.48
 description BB-Streetworks user to RDP to AM network
object network AM-External-IP
 host 193.128.0.155
object network Print_Server
 host 10.16.9.15
 fqdn v4 myapps.microsoft.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group network ZScalerProxy
 description Cloud Based Proxy Server
 network-object 109.234.81.160 255.255.255.240
 network-object 115.112.231.96 255.255.255.224
 network-object 115.112.233.64 255.255.255.192
 network-object 122.152.140.64 255.255.255.192
 network-object 122.54.235.128 255.255.255.224
 network-object 175.45.116.0 255.255.255.0
 network-object 177.84.160.208 255.255.255.240
 network-object 188.116.35.32 255.255.255.240
 network-object 216.66.5.0 255.255.255.0
 network-object 46.46.150.0 255.255.255.0
 network-object 49.236.207.160 255.255.255.224
 network-object 62.67.237.0 255.255.255.0
 network-object 64.215.22.0 255.255.255.0
 network-object 72.52.96.0 255.255.255.192
 network-object 77.242.201.48 255.255.255.240
object-group network OBJ-Oracle
 network-object object OBJ-Oracle-subnet-1
 network-object object OBJ-Oracle-subnet-2
object-group network DM_INLINE_NETWORK_1
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_2
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_3
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_4
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_5
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_6
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_7
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_10
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_8
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_9
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_11
 network-object object OBJ-Balfrey
 group-object OBJ-Oracle
object-group network DM_INLINE_NETWORK_12
 network-object object BB-Data
 network-object object BB-WIFI-AP
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq 3389
 service-object udp destination eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 445
 port-object eq 9100
 port-object eq netbios-ssn
 port-object eq 49156
 port-object eq 135
 port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
 port-object eq 11004
 port-object eq 11000
 port-object eq 11003
 port-object eq 11005
 port-object eq 11002
 port-object eq 11001
access-list VPN-INTERESTING-TRAFIC extended permit ip object OBJ-Borewall object-group DM_INLINE_NETWORK_1
access-list VOICE_access_in extended permit ip 10.16.8.128 255.255.255.128 object-group DM_INLINE_NETWORK_10
access-list WIFI-AP_access_in extended permit ip object BB-WIFI-AP object-group DM_INLINE_NETWORK_11
access-list Servers_access_in extended permit ip object OBJ-Borewall object OBJ-Balfrey
access-list DATA_access_in extended permit ip object BB-Data object-group DM_INLINE_NETWORK_8
access-list DATA_access_in extended permit ip object BB-Data object-group ZScalerProxy
access-list DATA_access_in extended permit object-group DM_INLINE_SERVICE_1 10.16.9.0 255.255.255.0 object Streetworks
access-list DATA_access_in extended permit tcp 10.16.9.0 255.255.255.0 object emaps2.connect2ukpn.co.uk object-group DM_INLINE_TCP_3
access-list DATA_access_in extended permit tcp 10.16.9.0 255.255.255.0 object-group cag-ea.mwhtools.com eq https
access-list DATA_access_in extended permit tcp 10.16.9.0 255.255.255.0 object-group thcoronalive1 eq 9100
access-list DATA_access_in extended permit tcp 10.16.9.0 255.255.255.0 object-group thcoronauat1 eq 9100
access-list DATA_access_in extended permit tcp 10.16.9.0 255.255.255.0 object-group thcoronalive1 eq 9001
access-list DATA_access_in extended permit tcp 10.16.9.0 255.255.255.0 object-group thcoronauat1 eq 9001
access-list Outside_cryptomap extended permit ip object OBJ-Borewall object OBJ-Balfrey
access-list Network-Management_access_in extended permit ip object Network-Management object-group DM_INLINE_NETWORK_9
access-list AM-VLAN_access_in extended permit tcp 192.168.2.0 255.255.255.0 object Print_Server object-group DM_INLINE_TCP_1
access-list AM-VLAN_access_in extended deny ip 192.168.2.0 255.255.255.0 object OBJ-Borewall
access-list AM-VLAN_access_in extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu management 1500
mtu DATA 1500
mtu VOICE 1500
mtu WIFI-AP 1500
mtu Network-Management 1500
mtu Servers 1500
mtu AM-VLAN 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (AM-VLAN,Outside) source dynamic AM-LAN AM-External-IP description AM-Internet access
nat (DATA,Outside) source static BB-Data BB-Data destination static DM_INLINE_NETWORK_7 DM_INLINE_NETWORK_7 no-proxy-arp
nat (VOICE,Outside) source static BB-Voice BB-Voice destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp
nat (WIFI-AP,Outside) source static BB-WIFI-AP BB-WIFI-AP destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp
nat (Servers,Outside) source static BB-Servers BB-Servers destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp
nat (Network-Management,Outside) source static Network-Management Network-Management destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 no-proxy-arp
nat (DATA,Outside) source dynamic DM_INLINE_NETWORK_12 interface destination static ZScalerProxy ZScalerProxy
nat (DATA,Outside) source dynamic BB-Data interface destination static DM_INLINE_NETWORK_13 DM_INLINE_NETWORK_13
nat (DATA,Outside) source dynamic BB-Data interface destination static cag-ea.mwhtools.com cag-ea.mwhtools.com
!
object network obj_any
 nat (any,Outside) dynamic interface
access-group DATA_access_in in interface DATA
access-group VOICE_access_in in interface VOICE
access-group WIFI-AP_access_in in interface WIFI-AP
access-group Network-Management_access_in in interface Network-Management
access-group Servers_access_in in interface Servers
access-group AM-VLAN_access_in in interface AM-VLAN
route Outside 0.0.0.0 0.0.0.0 138.248.4.41 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 Network-Management
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer 138.248.2.143
crypto map Outside_map0 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map0 1 set ikev2 pre-shared-key *****
crypto map Outside_map0 interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 Outside
ssh 10.0.0.0 255.0.0.0 Network-Management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Network-Management
dhcpd auto_config Outside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group 138.248.2.143 type ipsec-l2l
tunnel-group 138.248.2.143 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 138.248.2.143 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 24
  subscribe-to-alert-group configuration periodic monthly 24
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end