ASA Version 9.8(2)
!
hostname *redacted*
enable password *redacted*
names
ip local pool ACONNECT-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool VPNPool 10.10.20.40-10.10.20.200 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.10.0.0_24
 subnet 10.10.0.0 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
object network ANYCONNECT
 subnet 10.10.10.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list main standard permit 10.10.0.0 255.255.255.0
access-list inside_access_in remark remote desktop
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in remark remote desktop
access-list inside_access_in extended permit object-group TCPUDP any any eq 3389
access-list inside_access_in remark remote desktop
access-list inside_access_in remark remote desktop
access-list outside_access_in remark remote desktop
access-list outside_access_in extended permit object-group TCPUDP any any eq 3389
access-list outside_access_in extended permit object-group TCPUDP interface outside interface inside eq 3389
access-list outside_access_in remark remote desktop
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source dynamic obj_any1 interface
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.10.0.0 255.255.255.0 inside_2
http 10.10.0.0 255.255.255.0 inside_3
http 10.10.0.0 255.255.255.0 inside_4
http 10.10.0.0 255.255.255.0 inside_1
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair topaz
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca *redacted*
crypto ca certificate chain ASDM_TrustPoint0
 *redacted*
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside_1 client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.0.10-10.10.0.240 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside_1
ssl trust-point ASDM_TrustPoint0 inside_2
ssl trust-point ASDM_TrustPoint0 inside_3
ssl trust-point ASDM_TrustPoint0 inside_4
ssl trust-point ASDM_TrustPoint0 inside_5
ssl trust-point ASDM_TrustPoint0 inside_6
ssl trust-point ASDM_TrustPoint0 inside_7
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 enable outside
 enable inside_1
 enable inside_2
 enable inside
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1 regex "Windows CE"
 anyconnect image disk0:/anyconnect-macos-4.7.00136-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-linux64-4.7.00136-webdeploy-k9.pkg 3 regex "Linux"
 anyconnect profiles TopazEmployees_client_profile disk0:/TopazEmployees_client_profile.xml
 anyconnect profiles TopazRemote_client_profile disk0:/TopazRemote_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value topazlabs.local
 webvpn
  anyconnect profiles value TopazEmployees_client_profile type user
group-policy GroupPolicy_TopazRemote internal
group-policy GroupPolicy_TopazRemote attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value topazlabs.local
 webvpn
  anyconnect profiles value TopazRemote_client_profile type user
group-policy GroupPolicy_TopazEmployees internal
group-policy GroupPolicy_TopazEmployees attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value main
 default-domain value topazlabs.local
 webvpn
  anyconnect profiles value TopazEmployees_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username *redacted*
tunnel-group TopazEmployees type remote-access
tunnel-group TopazEmployees general-attributes
 address-pool VPNPool
 default-group-policy GroupPolicy_TopazEmployees
tunnel-group TopazEmployees webvpn-attributes
 group-alias TopazEmployees enable
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE disable
 group-alias TopazEmployee enable
tunnel-group TopazRemote type remote-access
tunnel-group TopazRemote general-attributes
 default-group-policy GroupPolicy_TopazRemote
tunnel-group TopazRemote webvpn-attributes
 group-alias TopazRemote enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous