access-list inside_nat0_outbound extended permit ip 10.122.112.64 255.255.255.192 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.112.128 255.255.255.128 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.113.0 255.255.255.0 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.114.0 255.255.255.0 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.115.0 255.255.255.0 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.112.0 255.255.255.224 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.0.0 255.255.0.0 172.16.16.0 255.255.255.0
access-list HKMC_nat0_outbound extended permit ip any 10.122.112.32 255.255.255.240
access-list HKMC_nat0_outbound extended permit ip any 172.16.17.0 255.255.255.0
access-list HMCIS_splitTunnelAcl standard permit 10.122.0.0 255.255.0.0
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 89.207.90.102 eq smtp
access-list outside_in extended permit tcp any host 89.207.90.102 eq https
access-list outside_in extended permit ip any host 89.207.90.105
access-list block extended permit ip object-group it any
access-list block extended permit ip object-group servers any
access-list block extended permit ip object-group cisco any
access-list block extended permit object-group users_protocol object-group users object-group for_users any
access-list block extended permit object-group users_protocol object-group users any object-group for_users
!
snmp-map hmcis_snmp_map
 deny version 1
 deny version 2c
 deny version 2
!
ip local pool HMCIS_IP_POOL 10.122.112.33-10.122.112.47 mask 255.255.255.240
ip local pool rolf_pool 10.200.1.1-10.200.1.20 mask 255.255.255.0
ip local pool ITDepartment 172.16.16.1-172.16.16.20 mask 255.255.255.0
ip local pool rolf 172.16.16.21-172.16.16.100 mask 255.255.255.0
ip local pool web_vpn 172.16.17.1-172.16.17.255 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.122.112.64 255.255.255.192
nat (inside) 1 10.122.112.128 255.255.255.128
nat (inside) 1 10.122.113.0 255.255.255.0
nat (inside) 1 10.122.114.0 255.255.255.0
nat (inside) 1 10.122.115.0 255.255.255.0
nat (HKMC) 0 access-list HKMC_nat0_outbound
static (inside,outside) tcp 89.207.90.102 smtp 10.122.113.14 smtp netmask 255.255.255.255
static (inside,outside) 89.207.90.102 10.122.113.14 netmask 255.255.255.255
static (inside,outside) 89.207.90.105 10.122.114.251 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.207.90.99 1
route HKMC 10.0.0.0 255.0.0.0 10.10.10.10 1
route inside 10.122.112.64 255.255.255.192 10.122.112.1 1
route inside 10.122.112.128 255.255.255.128 10.122.112.1 1
route inside 10.122.113.0 255.255.255.0 10.122.112.1 1
route inside 10.122.114.0 255.255.255.0 10.122.112.1 1
route inside 10.122.115.0 255.255.255.0 10.122.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server radius protocol radius
 reactivation-mode depletion deadtime 5
aaa-server radius host 10.122.113.11
 retry-interval 3
 key Hmcis#02
aaa-server radius host 10.122.113.12
 retry-interval 5
 timeout 20
 key Hmcis#02
aaa authentication ssh console LOCAL
aaa authentication enable console radius LOCAL
aaa local authentication attempts max-fail 5
service resetoutside
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map0 60 set pfs
crypto dynamic-map outside_dyn_map0 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map0 80 set pfs
crypto dynamic-map outside_dyn_map0 80 set transform-set ESP-3DES-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map outside_map0 interface outside
crypto ca trustpoint self
 enrollment self
 subject-name CN=89.207.90.97,CN=int.hmcis.ru
 crl configure
crypto ca certificate map test_cert 50
crypto ca certificate chain self
 certificate 31
    30820250 308201b9 2a864886 f70d0101 04050030 6e311530 13060355 5453f00c e5eebe11 b9d798f2 550f6a98
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
crypto isakmp disconnect-notify
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics access-list
ntp authenticate
ntp server 194.87.0.20
ntp server 193.124.22.65
ntp server 207.46.232.182
tftp-server inside 10.122.114.245 /
ssl encryption 3des-sha1 aes256-sha1 aes128-sha1 rc4-sha1
ssl trust-point self inside
ssl trust-point self outside
webvpn
 enable outside
 enable inside
 csd image disk0:/securedesktop_asa-3.3.0.118-k9.pkg
 csd enable
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
 tunnel-group-list enable
 onscreen-keyboard all
 certificate-group-map test_cert 50 test
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy HMCIS internal
group-policy HMCIS attributes
 wins-server value 10.122.113.11 10.122.113.12
 dns-server value 10.122.113.11 10.122.113.12
 vpn-simultaneous-logins 100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HMCIS_splitTunnelAcl
 default-domain value int.hmcis.ru
group-policy for_test internal
group-policy for_test attributes
 dns-server value 10.122.113.11
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 default-domain value hmcis.ru
 address-pools value ITDepartment
group-policy ITDepartment internal
group-policy ITDepartment attributes
 wins-server value 10.122.113.11 10.122.113.12
 dns-server value 10.122.113.11 10.122.113.12
 vpn-simultaneous-logins 5
 vpn-tunnel-protocol IPSec webvpn
 password-storage enable
 group-lock value ITDepartment
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HMCIS_splitTunnelAcl
 default-domain value int.hmcis.ru
tunnel-group ITDepartment type remote-access
tunnel-group ITDepartment general-attributes
 address-pool ITDepartment
 authentication-server-group radius LOCAL
 default-group-policy ITDepartment
tunnel-group ITDepartment ipsec-attributes
 pre-shared-key Hmcis#02
tunnel-group HMCIS type remote-access
tunnel-group HMCIS general-attributes
 address-pool HMCIS_IP_POOL
 address-pool rolf
 authentication-server-group radius LOCAL
 default-group-policy HMCIS
tunnel-group HMCIS ipsec-attributes
 pre-shared-key 1234
tunnel-group training_center type ipsec-l2l
tunnel-group hmcis_webvpn type remote-access
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool ITDepartment
 authentication-server-group radius
 accounting-server-group radius
 default-group-policy for_test
tunnel-group test webvpn-attributes
 authentication certificate
 override-svc-download
 radius-reject-message
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.122.113.14
prompt hostname context
compression svc
Cryptochecksum:585b67d1faa2e27e01e162381c0b4eb2
: end