ASA5516X-FW01/act# sh run ... : Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores) : ASA Version 9.7(1)8 ! hostname ASA5516X-FW01 asp rule-engine transactional-commit access-group asp rule-engine transactional-commit nat names ! interface GigabitEthernet1/1 no nameif no security-level no ip address ! interface GigabitEthernet1/2 no nameif no security-level no ip address ! interface GigabitEthernet1/3 description *** ISP2 400/400 Fibre Link *** speed 1000 duplex full nameif ISP2_OUTSIDE security-level 0 ip address 2.2.2.2 255.255.255.252 ! interface GigabitEthernet1/4 description *** ISP1 500/500 Fibre Link *** speed 1000 duplex full nameif ISP1_OUTSIDE security-level 0 ip address 1.1.1.2 255.255.255.252 ! interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 description *** OOB ASA MANAGEMENT *** management-only nameif MANAGEMENT security-level 100 ip address 10.7.1.30 255.255.255.0 standby 10.7.1.31 ! interface GigabitEthernet1/8 description LAN/STATE Failover Interface ! interface Management1/1 description *** DEDICATED OOB MANAGEMENT - FirePOWER ONLY *** management-only nameif FIREPOWER_MANAGEMENT security-level 100 no ip address ! interface Redundant1 description *** REDUNDANT INTERFACE GROUP TO BNE_CORE_STACK *** member-interface GigabitEthernet1/1 member-interface GigabitEthernet1/2 nameif COMPANY_INSIDE security-level 100 ip address 10.7.80.10 255.255.255.0 standby 10.7.80.11 ! interface Tunnel1 description *** BNE_ISP2 TO HO_ISP2 VTI *** nameif BNE_ISP2_HO_ISP2_VTI ip address 192.168.253.34 255.255.255.252 tunnel source interface ISP2_OUTSIDE tunnel destination A tunnel mode ipsec ipv4 tunnel protection ipsec profile COMPANY_IPSEC_VTI_PROFILE ! 
interface Tunnel2 description *** BNE_ISP2 TO HO_ISP1 VTI *** shutdown nameif BNE_ISP2_HO_ISP1_VTI ip address 192.168.253.38 255.255.255.252 tunnel source interface ISP2_OUTSIDE tunnel destination B tunnel mode ipsec ipv4 tunnel protection ipsec profile COMPANY_IPSEC_VTI_PROFILE ! interface Tunnel3 description *** BNE_ISP1 TO HO_ISP2 VTI *** shutdown nameif BNE_ISP1_HO_ISP2_VTI ip address 192.168.253.42 255.255.255.252 tunnel source interface ISP1_OUTSIDE tunnel destination C tunnel mode ipsec ipv4 tunnel protection ipsec profile COMPANY_IPSEC_VTI_PROFILE ! interface Tunnel4 description *** BNE_ISP1 TO HO_ISP1 VTI *** shutdown nameif BNE_ISP1_HO_ISP1_VTI ip address 192.168.253.46 255.255.255.252 tunnel source interface ISP1_OUTSIDE tunnel destination D tunnel mode ipsec ipv4 tunnel protection ipsec profile COMPANY_IPSEC_VTI_PROFILE ! interface Tunnel5 description *** BNE_ISP2 TO MEL_ISP2 VTI *** nameif BNE_ISP2_MEL_ISP2_VTI ip address 192.168.252.34 255.255.255.252 tunnel source interface ISP2_OUTSIDE tunnel destination E tunnel mode ipsec ipv4 tunnel protection ipsec profile COMPANY_IPSEC_VTI_PROFILE ! ... 
boot system disk0:/asa971-8-lfbff-k8.SPA ftp mode passive dns domain-lookup MANAGEMENT dns domain-lookup COMPANY_INSIDE dns server-group BNE_DNS_COM name-server 192.168.7.4 COMPANY_INSIDE name-server 192.168.2.4 COMPANY_INSIDE name-server 192.168.3.4 COMPANY_INSIDE domain-name company.com dns server-group BNE_DNS_CORP name-server 192.168.7.4 COMPANY_INSIDE name-server 192.168.2.4 COMPANY_INSIDE name-server 192.168.3.4 COMPANY_INSIDE domain-name company.corp dns-group BNE_DNS_CORP same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj_any subnet 0.0.0.0 0.0.0.0 object network SEA_ADMIN subnet 192.168.220.0 255.255.255.0 object network APEG_RSR_ADMIN subnet 172.16.36.0 255.255.255.0 object network APEG_RSR_CCTV subnet 172.16.33.0 255.255.255.0 object network APEG_QV_ADMIN subnet 172.16.35.0 255.255.255.0 object network APEG_QV_CCTV subnet 172.16.45.0 255.255.255.0 object network APEG_MFW_NZ_STAFF subnet 192.168.222.0 255.255.255.0 object network APEG_MFW_NZ_MANAGEMENT subnet 10.11.10.0 255.255.255.0 object network APEG_HO_ADMIN_PRI subnet 172.16.40.0 255.255.255.0 object network APEG_HO_ADMIN_SEC subnet 172.16.36.0 255.255.255.0 object network MLB_ADMIN subnet 192.168.3.0 255.255.255.0 object network MLB_MANAGEMENT subnet 10.3.1.0 255.255.255.0 object network MLB_SUMMARY subnet 10.3.0.0 255.255.0.0 object network MLB_STAFF subnet 10.3.10.0 255.255.255.0 object network MLB_VOICE subnet 10.3.30.0 255.255.255.0 object network CBR_ADMIN subnet 192.168.4.0 255.255.255.0 object network CBR_MANAGEMENT subnet 10.4.1.0 255.255.255.0 object network CBR_SUMMARY subnet 10.4.0.0 255.255.0.0 object network CBR_STAFF subnet 10.4.10.0 255.255.255.0 object network CBR_VOICE subnet 10.4.30.0 255.255.255.0 object network ADL_ADMIN subnet 192.168.5.0 255.255.255.0 object network ADL_MANAGEMENT subnet 10.5.1.0 255.255.255.0 object network ADL_SUMMARY subnet 10.5.0.0 255.255.0.0 object network ADL_STAFF subnet 10.5.10.0 255.255.255.0 
object network ADL_VOICE subnet 10.5.30.0 255.255.255.0 object network PER_ADMIN subnet 192.168.6.0 255.255.255.0 object network PER_MANAGEMENT subnet 10.6.1.0 255.255.255.0 object network PER_SUMMARY subnet 10.6.0.0 255.255.0.0 object network PER_STAFF subnet 10.6.10.0 255.255.255.0 object network PER_VOICE subnet 10.6.30.0 255.255.255.0 object network BNE_ADMIN subnet 192.168.7.0 255.255.255.0 object network BNE_MANAGEMENT subnet 10.7.1.0 255.255.255.0 object network BNE_SUMMARY subnet 10.7.0.0 255.255.0.0 object network BNE_STAFF subnet 10.7.10.0 255.255.255.0 object network BNE_VOICE subnet 10.7.30.0 255.255.255.0 object network AKL_ADMIN subnet 192.168.9.0 255.255.255.0 object network AKL_MANAGEMENT subnet 10.9.1.0 255.255.255.0 object network AKL_SUMMARY subnet 10.9.0.0 255.255.0.0 object network AKL_STAFF subnet 10.9.10.0 255.255.255.0 object network AKL_VOICE subnet 10.9.30.0 255.255.255.0 object network HK_ADMIN subnet 192.168.10.0 255.255.255.0 object network HK_MANAGEMENT subnet 10.10.1.0 255.255.255.0 object network HK_SUMMARY subnet 10.10.0.0 255.255.0.0 object network HK_STAFF subnet 10.10.10.0 255.255.255.0 object network HK_VOICE subnet 10.10.30.0 255.255.255.0 object network SIN_ADMIN subnet 192.168.13.0 255.255.255.0 object network SIN_MANAGEMENT subnet 10.13.1.0 255.255.255.0 object network SIN_SUMMARY subnet 10.13.0.0 255.255.0.0 object network SIN_STAFF subnet 10.13.10.0 255.255.255.0 object network SIN_VOICE subnet 10.13.30.0 255.255.255.0 object network WEL_ADMIN subnet 192.168.14.0 255.255.255.0 object network WEL_MANAGEMENT subnet 10.14.1.0 255.255.255.0 object network WEL_SUMMARY subnet 10.14.0.0 255.255.0.0 object network WEL_STAFF subnet 10.14.10.0 255.255.255.0 object network WEL_VOICE subnet 10.14.30.0 255.255.255.0 object network HO_ADMIN subnet 192.168.2.0 255.255.255.0 object network HO_MANAGEMENT subnet 10.2.1.0 255.255.255.0 object network HO_SUMMARY subnet 10.2.0.0 255.255.0.0 object network HO_STAFF subnet 10.2.10.0 
255.255.255.0 object network HO_VOICE subnet 10.2.30.0 255.255.255.0 object network HO_DMZ_VLAN50 subnet 10.100.2.0 255.255.255.0 object network HO_DMZ_VLAN60 subnet 10.100.20.0 255.255.255.0 object network OPTUS_DC subnet 172.16.100.0 255.255.254.0 object network INTERNET subnet 0.0.0.0 0.0.0.0 object network ISP2_OUTBOUND_NAT subnet 0.0.0.0 0.0.0.0 object network ISP1_OUTBOUND_NAT subnet 0.0.0.0 0.0.0.0 object network BNE-VC01 host 192.168.7.12 object network BNE-VC02 host 192.168.7.11 object network BNE-FTP01_FTP host 192.168.7.21 object-group network PBR_LOCAL_DENY description Denies PBR routing for all local networks network-object object ADL_ADMIN network-object object ADL_SUMMARY network-object object AKL_ADMIN network-object object AKL_SUMMARY network-object object SEA_ADMIN network-object object APEG_HO_ADMIN_PRI network-object object APEG_HO_ADMIN_SEC network-object object APEG_MFW_NZ_MANAGEMENT network-object object APEG_MFW_NZ_STAFF network-object object APEG_QV_ADMIN network-object object APEG_QV_CCTV network-object object APEG_RSR_ADMIN network-object object APEG_RSR_CCTV network-object object CBR_ADMIN network-object object CBR_SUMMARY network-object object HK_ADMIN network-object object HK_SUMMARY network-object object MLB_ADMIN network-object object MLB_SUMMARY network-object object OPTUS_DC network-object object PER_ADMIN network-object object PER_SUMMARY network-object object SIN_ADMIN network-object object SIN_SUMMARY network-object object HO_ADMIN network-object object HO_SUMMARY network-object object WEL_ADMIN network-object object WEL_SUMMARY object-group service h323-rtp tcp-udp description H323 TCP/UDP Media Stream port-object range 60000 64999 object-group service DM_INLINE_TCP_1 tcp group-object h323-rtp port-object eq h323 object-group network DM_INLINE_NETWORK_3 network-object object BNE-VC01 network-object object BNE-VC02 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service ftp-all tcp description 
FTP, FTP-DATA and passive FTP port range port-object range 51000 51200 port-object eq ftp port-object eq ftp-data object-group icmp-type icmp-all description All ICMP Types icmp-object echo-reply icmp-object time-exceeded icmp-object traceroute icmp-object unreachable object-group network DM_INLINE_NETWORK_1 network-object object BNE-VC01 network-object object BNE-VC02 access-list ISP2_OUTSIDE_access_in remark Allow return ICMP traffic access-list ISP2_OUTSIDE_access_in extended permit icmp any any object-group icmp-all access-list ISP2_OUTSIDE_access_in remark Allow inbound FTP to BNE-FTP01 access-list ISP2_OUTSIDE_access_in extended permit tcp any object BNE-FTP01_FTP object-group ftp-all access-list ISP2_OUTSIDE_access_in remark Allow inbound H323 Signalling connections to BNE VC Units 1 & 2 access-list ISP2_OUTSIDE_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq h323 access-list ISP2_OUTSIDE_access_in remark Allow inbound H323-RTP connections to Brisbane VC Units 1 & 2 access-list ISP2_OUTSIDE_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_3 object-group h323-rtp access-list ISP2_OUTSIDE_access_in remark Deny all inbound access not stated above access-list ISP2_OUTSIDE_access_in extended deny ip any any access-list ISP1_OUTSIDE_access_in remark Allow return ICMP traffic access-list ISP1_OUTSIDE_access_in extended permit icmp any any object-group icmp-all access-list ISP1_OUTSIDE_access_in remark Deny all inbound access not stated above access-list ISP1_OUTSIDE_access_in extended deny ip any any pager lines 24 ... 
flow-export destination MANAGEMENT 192.168.2.61 2055 mtu ISP2_OUTSIDE 1500 mtu ISP1_OUTSIDE 1500 mtu MANAGEMENT 1500 mtu FIREPOWER_MANAGEMENT 1500 mtu COMPANY_INSIDE 1500 failover failover lan unit primary failover lan interface FAILOVER GigabitEthernet1/8 failover interface-policy 2 failover key ***** failover replication http failover link FAILOVER GigabitEthernet1/8 failover interface ip FAILOVER 192.168.254.13 255.255.255.252 standby 192.168.254.14 no monitor-interface MANAGEMENT no monitor-interface FIREPOWER_MANAGEMENT no monitor-interface service-module icmp unreachable rate-limit 1 burst-size 1 icmp permit any ISP2_OUTSIDE icmp permit any ISP1_OUTSIDE icmp permit any MANAGEMENT icmp permit any COMPANY_INSIDE asdm image disk0:/asdm-771.bin asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 ! object network ISP2_OUTBOUND_NAT nat (COMPANY_INSIDE,ISP2_OUTSIDE) dynamic interface object network ISP1_OUTBOUND_NAT nat (COMPANY_INSIDE,ISP1_OUTSIDE) dynamic interface object network BNE-VC01 nat (COMPANY_INSIDE,ISP2_OUTSIDE) static F net-to-net object network BNE-VC02 nat (COMPANY_INSIDE,ISP2_OUTSIDE) static G net-to-net object network BNE-FTP01_FTP nat (COMPANY_INSIDE,ISP2_OUTSIDE) static H net-to-net access-group ISP2_OUTSIDE_access_in in interface ISP2_OUTSIDE access-group ISP1_OUTSIDE_access_in in interface ISP1_OUTSIDE route ISP2_OUTSIDE 0.0.0.0 0.0.0.0 2.2.2.1 20 track 200 route ISP1_OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1 track 300 route MANAGEMENT 0.0.0.0 0.0.0.0 10.7.1.1 1 route ISP1_OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 230 route ISP2_OUTSIDE 0.0.0.0 0.0.0.0 2.2.2.1 231 route BNE_ISP2_HO_ISP2_VTI 10.2.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_MEL_ISP2_VTI 10.3.0.0 255.255.0.0 192.168.252.33 1 route BNE_ISP2_HO_ISP2_VTI 10.4.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 10.5.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 10.6.0.0 255.255.0.0 192.168.253.33 1 route COMPANY_INSIDE 10.7.0.0 255.255.0.0 
10.7.80.1 1 route BNE_ISP2_HO_ISP2_VTI 10.9.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 10.10.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_MEL_ISP2_VTI 10.11.10.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_HO_ISP2_VTI 10.13.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 10.14.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 10.15.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 10.16.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_MEL_ISP2_VTI 10.50.0.0 255.255.0.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 10.51.0.0 255.255.0.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 10.52.0.0 255.255.0.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 10.53.0.0 255.255.0.0 192.168.252.33 1 route BNE_ISP2_HO_ISP2_VTI 172.16.0.0 255.255.0.0 192.168.253.33 1 route BNE_ISP2_MEL_ISP2_VTI 172.16.31.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 172.16.32.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 172.16.33.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 172.16.36.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 172.16.37.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 172.16.40.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 172.16.45.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_HO_ISP2_VTI 172.24.0.0 255.255.192.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 192.168.2.0 255.255.255.0 192.168.253.33 1 route BNE_ISP2_MEL_ISP2_VTI 192.168.3.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_HO_ISP2_VTI 192.168.4.0 255.255.255.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 192.168.5.0 255.255.255.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 192.168.6.0 255.255.255.0 192.168.253.33 1 route COMPANY_INSIDE 192.168.7.0 255.255.255.0 10.7.80.1 1 route BNE_ISP2_HO_ISP2_VTI 192.168.9.0 255.255.255.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 192.168.10.0 255.255.255.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 192.168.13.0 255.255.255.0 192.168.253.33 1 
route BNE_ISP2_HO_ISP2_VTI 192.168.14.0 255.255.255.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 192.168.15.0 255.255.255.0 192.168.253.33 1 route BNE_ISP2_HO_ISP2_VTI 192.168.20.0 255.255.255.0 192.168.253.33 1 route BNE_ISP2_MEL_ISP2_VTI 192.168.30.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 192.168.50.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 192.168.51.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 192.168.52.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 192.168.53.0 255.255.255.0 192.168.252.33 1 route BNE_ISP2_MEL_ISP2_VTI 192.168.223.0 255.255.255.0 192.168.252.33 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:30 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 ... sla monitor 200 type echo protocol ipIcmpEcho 8.8.8.8 interface ISP2_OUTSIDE sla monitor schedule 200 life forever start-time now sla monitor 300 type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1_OUTSIDE sla monitor schedule 300 life forever start-time now service sw-reset-button ... ! track 200 rtr 200 reachability ! track 300 rtr 300 reachability ... ! class-map IPS_ALL_TRAFFIC description Perform IPS redirection on all traffic match any ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map COMPANY_IPS_POLICY description Redirect all traffic to FirePOWER IPS Module class IPS_ALL_TRAFFIC flow-export event-type all destination 192.168.2.61 inspect icmp set connection decrement-ttl sfr fail-open ! 
service-policy COMPANY_IPS_POLICY global prompt hostname context state domain service call-home call-home reporting anonymous call-home ... : end