topic Re: Cisco ASA Policy-Based Routing in Network Security https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335506#M969891 <P>Thank you so much!</P> <P>&nbsp;</P> <P>Can i ask you one more thing?</P> <P>&nbsp;</P> <P>I have an working Site to Site VPN Tunnel between two sites. The above site is working fine.</P> <P>What do i have to change on the asa at site B to access the same 10.0.0.0 subnet ?</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>&nbsp;</P> <P>Robbert</P> Wed, 21 Feb 2018 23:32:43 GMT Robbert Tol 2018-02-21T23:32:43Z Cisco ASA Policy-Based Routing https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335373#M969886 <P>Hi There,</P> <P>&nbsp;</P> <P>I have an urgent problem, on which i cannot figure out how to deal with it.</P> <P>&nbsp;</P> <P>I have an asa5506-X with two internal VLAN's (VLAN 10, VLAN 20 Guest Network)</P> <P>I Have one normal WAN Connection to the internet. I also have an special 2nd intranet connection (WAN) to an dealer network.</P> <P>On the dealer network there are some subnets (example 10.39.10.0/24, 192.200.0.0/24 and 10.150.1.0/24) which has some servers which i have to been able to reach.</P> <P>&nbsp;</P> <P>In other words;</P> <P>When an computer in the normal production VLAN10 wants to do normal internet browsing (except the dealernetwork subnets), traffic has to been sent over WAN1. If one of the dealer networks is been addressed, the traffic should flow over WAN2.</P> <P>&nbsp;</P> <P>ASA Config</P> <P>V9.6.1</P> <P>&nbsp;</P> <P>VLAN10 IP: 192.168.100.1</P> <P>VLAN20 IP: 192.168.250.1</P> <P>WAN1 IP: 1.1.1.1</P> <P>WAN2 IP (Dealer network): 10.49.240.10&nbsp;</P> <P>&nbsp;</P> <P>Please advise how i quickly can make the config complete, so that we can address the dealer network. We are now replacing our old Zyxell Zywall for an Cisco ASA. The Zywall had no problems with the two WAN interfaces.&nbsp;</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>&nbsp;</P> <P>Robbert</P> Fri, 21 Feb 2020 15:23:41 GMT https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335373#M969886 Robbert Tol 2020-02-21T15:23:41Z Re: Cisco ASA Policy-Based Routing https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335487#M969887 <P>Can you describe the network in terms of the Interfaces they are behind, for example:&nbsp;</P> <P>&nbsp;</P> <P><SPAN>10.39.10.0/24&nbsp; &nbsp;- e0/0 (Native usually VLAN1)</SPAN></P> <P><SPAN>192.200.0.0/24 - e0/0.10 (VLAN10)&nbsp;</SPAN></P> <P><SPAN>10.150.1.0/24&nbsp; -&nbsp; e0/0.20 (VLAN20)</SPAN></P> <P>&nbsp;</P> <P><SPAN>WAN1 - e0/1</SPAN></P> <P><SPAN>WAN2 - e0/2</SPAN></P> <P>&nbsp;</P> <P><SPAN>From what I'm reading you would not use PBR, you just need to have the correct route statements as well as insure your NAT statements are correct.</SPAN></P> Wed, 21 Feb 2018 23:30:11 GMT https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335487#M969887 Professor_Pickles 2018-02-21T23:30:11Z Re: Cisco ASA Policy-Based Routing https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335490#M969888 <P class="p1">interface GigabitEthernet1/1</P> <P class="p1">description Inside LAN Interface ASA5506-X</P> <P class="p1">no nameif</P> <P class="p1">no security-level</P> <P class="p1">no ip address</P> <P class="p1">!</P> <P class="p1">interface GigabitEthernet1/1.1</P> <P class="p1">description VLAN10 Interface LAN Netwerk</P> <P class="p1">vlan 10</P> <P class="p1">nameif VLAN10</P> <P class="p1">security-level 100</P> <P class="p1">ip address 192.168.100.1 255.255.255.0</P> <P class="p1">policy-route route-map PON_MAP</P> <P class="p1">!</P> <P class="p1">interface GigabitEthernet1/1.2</P> <P class="p1">description&nbsp; VLAN20 Interface Guest Netwerk</P> <P class="p1">vlan 20</P> <P class="p1">nameif VLAN20</P> <P class="p1">security-level 25</P> <P class="p1">ip address 192.168.250.1 255.255.255.0</P> <P class="p1">!</P> <P class="p1">interface GigabitEthernet1/2</P> <P class="p1">description WAN Interface Tele2 Fiber Internet</P> <P class="p1">speed 100</P> <P class="p1">duplex full</P> <P class="p1">nameif WAN</P> <P class="p1">security-level 0</P> <P class="p1">ip address 1.7.102.94 255.255.255.248</P> <P class="p1">!</P> <P class="p1">interface GigabitEthernet1/3</P> <P class="p1">description PON WAN Interface</P> <P class="p1">nameif WAN_PON</P> <P class="p1">security-level 0</P> <P class="p1">ip address 10.49.240.10 255.255.255.0</P> <P class="p1">&nbsp;</P> <P class="p1">route WAN 0.0.0.0 0.0.0.0 1.7.202.89 1</P> <P class="p1">route WAN_PON 10.0.0.0 255.0.0.0 10.49.240.1 1</P> <P class="p1">route VLAN10 192.168.4.0 255.255.255.0 192.168.100.253 1</P> <P class="p1">route WAN_PON 192.200.0.0 255.255.0.0 10.49.240.1 1</P> Wed, 21 Feb 2018 22:50:56 GMT https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335490#M969888 Robbert Tol 2018-02-21T22:50:56Z Re: Cisco ASA Policy-Based Routing https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335492#M969889 <P class="p1">object network VLAN10_Subnet</P> <P class="p1">subnet 192.168.100.0 255.255.255.0</P> <P class="p1">object network VLAN10_Subnet</P> <P class="p1">nat (VLAN10,WAN) dynamic interface</P> Wed, 21 Feb 2018 22:52:31 GMT https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335492#M969889 Robbert Tol 2018-02-21T22:52:31Z Re: Cisco ASA Policy-Based Routing https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335503#M969890 <P>I'm seeing GAP in your configuration. So, in order for the users at 192.168.100.0/24 network to reach the 10.0.0.0/8 you'll need to make a few changes:</P> <P>&nbsp;</P> <P>Create&nbsp;an object for the remote 10.0.0.0/8 network or use one if you have it</P> <PRE>object network obj-net-10 subnet 10.0.0.0 255.0.0.0</PRE> <P>&nbsp;</P> <P>Your will need this NAT statement, make sure I've got the correct source/dst interfaces.</P> <PRE>! nat (VLAN10,WAN_PON) source static VLAN10_Subnet VLAN10_Subnet destination static obj-net-10 obj-net-10 no-proxy-arp route-lookup</PRE> <P>This will essentially perform a no-NAT on your SRC/DST networks.</P> <P>&nbsp;</P> Wed, 21 Feb 2018 23:31:00 GMT https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335503#M969890 Professor_Pickles 2018-02-21T23:31:00Z Re: Cisco ASA Policy-Based Routing https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335506#M969891 <P>Thank you so much!</P> <P>&nbsp;</P> <P>Can i ask you one more thing?</P> <P>&nbsp;</P> <P>I have an working Site to Site VPN Tunnel between two sites. The above site is working fine.</P> <P>What do i have to change on the asa at site B to access the same 10.0.0.0 subnet ?</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>&nbsp;</P> <P>Robbert</P> Wed, 21 Feb 2018 23:32:43 GMT https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335506#M969891 Robbert Tol 2018-02-21T23:32:43Z Re: Cisco ASA Policy-Based Routing https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335510#M969892 <P>Similar steps:</P> <P>&nbsp;</P> <OL> <LI>Identify source network IP subnet and create an object to track it.</LI> <LI>Identify the Interface name that the source subnet is behind, make a note of it.</LI> <LI>Repeat 1&amp;2 for the DST network, which I think you mentioned DST&nbsp;is the 10 so create an object for that.</LI> <LI>Finally create a NAT statement like the one I did above using the appropriate objects in src and dst</LI> </OL> <P>r/Phil</P> Wed, 21 Feb 2018 23:59:55 GMT https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335510#M969892 Professor_Pickles 2018-02-21T23:59:55Z Re: Cisco ASA Policy-Based Routing https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335555#M969893 <P>Sorry, but the solution doesn't work <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>I am an newby in Cisco ASA and before the customer had two Zyxel Firewall's which had any problems with the Site to site VPN's and the second WAN on the HQ Location. Also tried your suggestion.</P> <P>&nbsp;</P> <P>HQ Config:</P> <P class="p1">&nbsp;</P> <P class="p2">hostname ASA5506X-VDL</P> <P class="p2">domain-name company.local</P> <P class="p2">enable password $sha512$5000$IvpLaK7wslmhXCYc77Z2Dg==$IMVR8WShj36y5fUcEe0Uqg== pbkdf2</P> <P class="p2">names</P> <P class="p2">no mac-address auto</P> <P class="p2">ip local pool VPN_DHCP_Pool 192.168.10.1-192.168.10.200 mask 255.255.255.0</P> <P class="p1">&nbsp;</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/1</P> <P class="p2">description Inside LAN Interface ASA5506-X</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/1.1</P> <P class="p2">description company VLAN10 Interface LAN Netwerk</P> <P class="p2">vlan 10</P> <P class="p2">nameif VLAN10</P> <P class="p2">security-level 100</P> <P class="p2">ip address 192.168.100.1 255.255.255.0</P> <P class="p2">policy-route route-map PON_MAP</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/1.2</P> <P class="p2">description company VLAN20 Interface Guest Netwerk</P> <P class="p2">vlan 20</P> <P class="p2">nameif VLAN20</P> <P class="p2">security-level 25</P> <P class="p2">ip address 192.168.250.1 255.255.255.0</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/2</P> <P class="p2">description WAN Interface Tele2 Fiber Internet</P> <P class="p2">speed 100</P> <P class="p2">duplex full</P> <P class="p2">nameif WAN</P> <P class="p2">security-level 0</P> <P class="p2">ip address 1.1.1.94 255.255.255.248</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/3</P> <P class="p2">description PON WAN Interface</P> <P class="p2">nameif WAN_PON</P> <P class="p2">security-level 0</P> <P class="p2">ip address 10.49.240.10 255.255.255.0</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/4</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/5</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/6</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/7</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/8</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface Management1/1</P> <P class="p2">management-only</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">boot system disk0:/asa964-lfbff-k8.SPA</P> <P class="p2">ftp mode passive</P> <P class="p2">dns domain-lookup VLAN10</P> <P class="p2">dns domain-lookup VLAN20</P> <P class="p2">dns domain-lookup WAN</P> <P class="p2">dns domain-lookup WAN_PON</P> <P class="p2">dns server-group DefaultDNS</P> <P class="p2">name-server 8.8.8.8</P> <P class="p2">name-server 8.8.4.4</P> <P class="p2">name-server 10.150.1.3</P> <P class="p2">name-server 192.168.100.21</P> <P class="p2">domain-name company.local</P> <P class="p2">same-security-traffic permit inter-interface</P> <P class="p2">same-security-traffic permit intra-interface</P> <P class="p2">object network Gonzo_LAN</P> <P class="p2">host 192.168.100.22</P> <P class="p2">description Microsoft Exchange 2010 Server company</P> <P class="p2">object network Gonzo_WAN</P> <P class="p2">host 1.1.1.90</P> <P class="p2">description Microsoft Exchange 2010 Server company WAN Address</P> <P class="p2">object network Gonzo_LAN_SMTP</P> <P class="p2">host 192.168.100.22</P> <P class="p2">object network Gonzo_LAN_HTTPS</P> <P class="p2">host 192.168.100.22</P> <P class="p2">object network Camera_LAN</P> <P class="p2">host 192.168.100.10</P> <P class="p2">object network Camera_WAN</P> <P class="p2">host 1.1.1.92</P> <P class="p2">object network Camera_LAN_554</P> <P class="p2">host 192.168.100.10</P> <P class="p2">object network Camera_LAN_8000</P> <P class="p2">host 192.168.100.10</P> <P class="p2">object network Camera_LAN_8099</P> <P class="p2">host 192.168.100.10</P> <P class="p2">object network Hyper_LAN</P> <P class="p2">host 192.168.100.250</P> <P class="p2">object network Hyper_WAN</P> <P class="p2">host 1.1.1.91</P> <P class="p2">object network Hyper_LAN_HTTPS</P> <P class="p2">host 192.168.100.250</P> <P class="p2">object network Hyper_LAN_17990</P> <P class="p2">host 192.168.100.250</P> <P class="p2">object network Zoetermeer_LAN</P> <P class="p2">subnet 192.168.1.0 255.255.255.0</P> <P class="p2">object network Zoetermeer_WAN</P> <P class="p2">host 2.2.2.98</P> <P class="p2">object network VLAN10_Subnet</P> <P class="p2">subnet 192.168.100.0 255.255.255.0</P> <P class="p2">description VLAN10 company LAN Subnet</P> <P class="p2">object network VLAN20_Subnet</P> <P class="p2">subnet 192.168.250.0 255.255.255.0</P> <P class="p2">description VLAN20 company Guest Subnet</P> <P class="p2">object network NETWORK_OBJ_192.168.10.0_24</P> <P class="p2">subnet 192.168.10.0 255.255.255.0</P> <P class="p2">object network NETWORK_OBJ_192.168.100.0_24</P> <P class="p2">subnet 192.168.100.0 255.255.255.0</P> <P class="p2">object network PON_192_200_0_0</P> <P class="p2">subnet 192.200.0.0 255.255.0.0</P> <P class="p2">object network PON_10_0_0_0</P> <P class="p2">subnet 10.0.0.0 255.0.0.0</P> <P class="p2">object network VLAN10_PON</P> <P class="p2">subnet 192.168.100.0 255.255.255.0</P> <P class="p2">object-group service Gonzo_Services</P> <P class="p2">service-object tcp destination eq https</P> <P class="p2">service-object tcp destination eq smtp</P> <P class="p2">object-group service Camera_Services</P> <P class="p2">service-object tcp destination eq rtsp</P> <P class="p2">service-object tcp destination eq 8000</P> <P class="p2">service-object tcp destination eq 8099</P> <P class="p2">object-group service Hyper_Services</P> <P class="p2">service-object tcp destination eq https</P> <P class="p2">service-object tcp destination eq 17990</P> <P class="p2">object-group network PON_Network_Group</P> <P class="p2">network-object object PON_10_0_0_0</P> <P class="p2">network-object object PON_192_200_0_0</P> <P class="p2">access-list outside_inside extended permit icmp any any echo</P> <P class="p2">access-list outside_inside extended permit udp any any range 33434 33523</P> <P class="p2">access-list outside_inside extended permit icmp any any time-exceeded</P> <P class="p2">access-list outside_inside extended permit icmp any any source-quench</P> <P class="p2">access-list outside_inside extended permit icmp any any echo-reply</P> <P class="p2">access-list outside_inside extended permit icmp any any unreachable</P> <P class="p2">access-list outside_inside extended permit object-group Gonzo_Services any object Gonzo_LAN</P> <P class="p2">access-list outside_inside extended permit object-group Camera_Services any object Camera_LAN</P> <P class="p2">access-list outside_inside extended permit object-group Hyper_Services any object Hyper_LAN</P> <P class="p2">access-list outside_inside extended deny ip any any</P> <P class="p2">access-list ICMPACL extended permit icmp any any</P> <P class="p2">access-list outbound extended permit tcp host 192.168.100.22 any eq smtp</P> <P class="p2">access-list outbound extended deny tcp any any eq smtp</P> <P class="p2">access-list outbound extended permit ip any any</P> <P class="p2">access-list PON_Inside extended permit icmp any any echo</P> <P class="p2">access-list PON_Inside extended permit udp any any range 33434 33523</P> <P class="p2">access-list PON_Inside extended permit icmp any any time-exceeded</P> <P class="p2">access-list PON_Inside extended permit icmp any any source-quench</P> <P class="p2">access-list PON_Inside extended permit icmp any any echo-reply</P> <P class="p2">access-list PON_Inside extended permit icmp any any unreachable</P> <P class="p2">access-list Split_Tunnel standard permit 192.168.100.0 255.255.255.0</P> <P class="p2">access-list Split_Tunnel standard permit 192.168.4.0 255.255.255.0</P> <P class="p2">access-list WAN_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object Zoetermeer_LAN</P> <P class="p2">access-list ACL_PONNET standard permit 10.0.0.0 255.0.0.0</P> <P class="p2">pager lines 24</P> <P class="p2">logging enable</P> <P class="p2">logging asdm informational</P> <P class="p2">mtu VLAN10 1500</P> <P class="p2">mtu VLAN20 1500</P> <P class="p2">mtu WAN 1500</P> <P class="p2">mtu WAN_PON 1500</P> <P class="p2">icmp unreachable rate-limit 1 burst-size 1</P> <P class="p2">asdm image disk0:/asdm-791-151.bin</P> <P class="p2">no asdm history enable</P> <P class="p2">arp timeout 14400</P> <P class="p2">no arp permit-nonconnected</P> <P class="p2">arp rate-limit 16384</P> <P class="p2">nat (VLAN10,WAN) source static any any destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup</P> <P class="p2">nat (VLAN10,WAN) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Zoetermeer_LAN Zoetermeer_LAN no-proxy-arp route-lookup</P> <P class="p2">!</P> <P class="p2">object network Gonzo_LAN</P> <P class="p2">nat (VLAN10,WAN) static Gonzo_WAN</P> <P class="p2">object network Gonzo_LAN_SMTP</P> <P class="p2">nat (VLAN10,WAN) static Gonzo_WAN service tcp smtp smtp</P> <P class="p2">object network Gonzo_LAN_HTTPS</P> <P class="p2">nat (VLAN10,WAN) static Gonzo_WAN service tcp https https</P> <P class="p2">object network Camera_LAN_554</P> <P class="p2">nat (VLAN10,WAN) static Camera_WAN service tcp rtsp rtsp</P> <P class="p2">object network Camera_LAN_8000</P> <P class="p2">nat (VLAN10,WAN) static Camera_WAN service tcp 8000 8000</P> <P class="p2">object network Camera_LAN_8099</P> <P class="p2">nat (VLAN10,WAN) static Camera_WAN service tcp 8099 8099</P> <P class="p2">object network Hyper_LAN_HTTPS</P> <P class="p2">nat (VLAN10,WAN) static Hyper_WAN service tcp https https</P> <P class="p2">object network Hyper_LAN_17990</P> <P class="p2">nat (VLAN10,WAN) static Hyper_WAN service tcp 17990 17990</P> <P class="p2">object network VLAN10_Subnet</P> <P class="p2">nat (VLAN10,WAN) dynamic interface</P> <P class="p2">object network VLAN20_Subnet</P> <P class="p2">nat (VLAN20,WAN) static Camera_WAN</P> <P class="p2">object network VLAN10_PON</P> <P class="p2">nat (VLAN10,WAN_PON) static interface</P> <P class="p2">access-group outside_inside in interface WAN</P> <P class="p2">access-group PON_Inside in interface WAN_PON</P> <P class="p2">!</P> <P class="p2">route-map PON_MAP permit 10</P> <P class="p2">match ip address ACL_PONNET</P> <P class="p2">set interface WAN_PON</P> <P class="p2">set ip default next-hop 10.49.240.1</P> <P class="p1">&nbsp;</P> <P class="p2">!</P> <P class="p2">route WAN 0.0.0.0 0.0.0.0 1.1.1.89 1</P> <P class="p2">route WAN_PON 10.0.0.0 255.0.0.0 10.49.240.1 1</P> <P class="p2">route VLAN10 192.168.4.0 255.255.255.0 192.168.100.253 1</P> <P class="p2">route WAN_PON 192.200.0.0 255.255.0.0 10.49.240.1 1</P> <P class="p2">timeout xlate 3:00:00</P> <P class="p2">timeout pat-xlate 0:00:30</P> <P class="p2">timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02</P> <P class="p2">timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P> <P class="p2">timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P> <P class="p2">timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P> <P class="p2">timeout tcp-proxy-reassembly 0:01:00</P> <P class="p2">timeout floating-conn 0:00:00</P> <P class="p2">timeout conn-holddown 0:00:15</P> <P class="p2">aaa-server Radius-Kermit protocol radius</P> <P class="p2">aaa-server Radius-Kermit (VLAN10) host 192.168.100.21</P> <P class="p2">key *****</P> <P class="p2">radius-common-pw vdL!nd3n2018?</P> <P class="p2">user-identity default-domain LOCAL</P> <P class="p2">aaa authentication ssh console LOCAL</P> <P class="p2">http server enable</P> <P class="p2">http 192.168.100.0 255.255.255.0 VLAN10</P> <P class="p2">no snmp-server location</P> <P class="p2">no snmp-server contact</P> <P class="p2">service sw-reset-button</P> <P class="p1">&nbsp;</P> <P class="p2">******* REMOVED CRYPTO LINES FOR LENGTH ********</P> <P class="p1">&nbsp;</P> <P class="p2">crypto ikev2 enable WAN client-services port 443</P> <P class="p2">crypto ikev2 remote-access trustpoint vpn_company-groep_nl</P> <P class="p2">crypto ikev1 enable WAN</P> <P class="p2">crypto ikev1 policy 10</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption aes-256</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 20</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption aes-256</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 40</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption aes-192</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 50</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption aes-192</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 70</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption aes</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 80</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption aes</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 100</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption 3des</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 110</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption 3des</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 130</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption des</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 140</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption des</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">telnet timeout 5</P> <P class="p2">no ssh stricthostkeycheck</P> <P class="p2">ssh 192.168.100.0 255.255.255.0 VLAN10</P> <P class="p2">ssh timeout 5</P> <P class="p2">ssh cipher encryption all</P> <P class="p2">ssh key-exchange group dh-group1-sha1</P> <P class="p2">console timeout 0</P> <P class="p1">&nbsp;</P> <P class="p2">dhcpd dns 8.8.8.8 8.8.4.4</P> <P class="p2">!</P> <P class="p2">dhcpd address 192.168.250.10-192.168.250.200 VLAN20</P> <P class="p2">dhcpd enable VLAN20</P> <P class="p2">!</P> <P class="p2">threat-detection basic-threat</P> <P class="p2">threat-detection statistics access-list</P> <P class="p2">no threat-detection statistics tcp-intercept</P> <P class="p2">ssl trust-point vpn_company-groep_nl VLAN10</P> <P class="p2">ssl trust-point vpn_company-groep_nl VLAN20</P> <P class="p2">ssl trust-point vpn_company-groep_nl WAN</P> <P class="p2">ssl trust-point vpn_company-groep_nl WAN_PON</P> <P class="p2">webvpn</P> <P class="p2">enable WAN</P> <P class="p2">anyconnect image disk0:/anyconnect-macos-4.5.01044-webdeploy-k9.pkg 1</P> <P class="p2">anyconnect image disk0:/anyconnect-win-4.5.01044-webdeploy-k9.pkg 2</P> <P class="p2">anyconnect profiles ASA5506-X_company_client_profile disk0:/ASA5506-X_company_client_profile.xml</P> <P class="p2">anyconnect enable</P> <P class="p2">tunnel-group-list enable</P> <P class="p2">cache</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>disable</P> <P class="p2">error-recovery disable</P> <P class="p2">group-policy "GroupPolicy_ASA5506-X company" internal</P> <P class="p2">group-policy "GroupPolicy_ASA5506-X company" attributes</P> <P class="p2">wins-server none</P> <P class="p2">dns-server value 192.168.100.21</P> <P class="p2">vpn-tunnel-protocol ikev2 ssl-client</P> <P class="p2">split-tunnel-policy excludespecified</P> <P class="p2">split-tunnel-network-list value Split_Tunnel</P> <P class="p2">default-domain value company.local</P> <P class="p2">webvpn</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>anyconnect profiles value ASA5506-X_company_client_profile type user</P> <P class="p2">group-policy GroupPolicy_2.2.2.98 internal</P> <P class="p2">group-policy GroupPolicy_2.2.2.98 attributes</P> <P class="p2">vpn-tunnel-protocol ikev1 ikev2</P> <P class="p2">dynamic-access-policy-record DfltAccessPolicy</P> <P class="p2">username admin password $sha512$5000$mXimwUYVhPk6HBnK+ct8NQ==$sj3JFxcM4u/aw/0LN3W9FQ== pbkdf2 privilege 15</P> <P class="p2">tunnel-group "ASA5506-X company" type remote-access</P> <P class="p2">tunnel-group "ASA5506-X company" general-attributes</P> <P class="p2">address-pool VPN_DHCP_Pool</P> <P class="p2">authentication-server-group Radius-Kermit</P> <P class="p2">default-group-policy "GroupPolicy_ASA5506-X company"</P> <P class="p2">tunnel-group "ASA5506-X company" webvpn-attributes</P> <P class="p2">group-alias "ASA5506-X company" enable</P> <P class="p2">tunnel-group 2.2.2.98 type ipsec-l2l</P> <P class="p2">tunnel-group 2.2.2.98 general-attributes</P> <P class="p2">default-group-policy GroupPolicy_2.2.2.98</P> <P class="p2">tunnel-group 2.2.2.98 ipsec-attributes</P> <P class="p2">ikev1 pre-shared-key *****</P> <P class="p2">ikev2 remote-authentication pre-shared-key *****</P> <P class="p2">ikev2 local-authentication pre-shared-key *****</P> <P class="p2">!</P> <P class="p2">class-map inspection_default</P> <P class="p2">match default-inspection-traffic</P> <P class="p2">!</P> <P class="p2">!</P> <P class="p2">policy-map type inspect dns preset_dns_map</P> <P class="p2">parameters</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>message-length maximum client auto</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>message-length maximum 512</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>no tcp-inspection</P> <P class="p2">policy-map global_policy</P> <P class="p2">class inspection_default</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect dns preset_dns_map</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect ftp</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect h323 h225</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect h323 ras</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect rsh</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect rtsp</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect sqlnet</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect skinny</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect sunrpc</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect xdmcp</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect sip</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect netbios</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect tftp</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect ip-options</P> <P class="p2">!</P> <P class="p2">service-policy global_policy global</P> <P class="p2">prompt hostname context</P> <P class="p2">no call-home reporting anonymous</P> <P class="p2">Cryptochecksum:e6f9318f1bbd2d0e7efbbfcf31235c35</P> <P class="p2">&nbsp;</P> <P class="p2">ASA Branche Office</P> <P class="p1">&nbsp;</P> <P class="p2"><SPAN class="s1">ASA Version 9.6(4) </SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">hostname ASA5506X-ZTM</SPAN></P> <P class="p2"><SPAN class="s1">domain-name company.local</SPAN></P> <P class="p2"><SPAN class="s1">enable password $sha512$5000$q37wopLLpi3FeO/gR9nBag==$iiYKD04GYsEvzb6hpHu6QQ== pbkdf2</SPAN></P> <P class="p2"><SPAN class="s1">names</SPAN></P> <P class="p2"><SPAN class="s1">no mac-address auto</SPAN></P> <P class="p1">&nbsp;</P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/1</SPAN></P> <P class="p2"><SPAN class="s1"> description WAN Interface Address company Zoetermeer</SPAN></P> <P class="p2"><SPAN class="s1"> nameif outside</SPAN></P> <P class="p2"><SPAN class="s1"> security-level 0</SPAN></P> <P class="p2"><SPAN class="s1"> ip address 6.6.6.98 255.255.255.252 </SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/2</SPAN></P> <P class="p2"><SPAN class="s1"> description LAN Interface company Zoetermeer</SPAN></P> <P class="p2"><SPAN class="s1"> nameif inside</SPAN></P> <P class="p2"><SPAN class="s1"> security-level 100</SPAN></P> <P class="p2"><SPAN class="s1"> ip address 192.168.1.254 255.255.255.0 </SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/3</SPAN></P> <P class="p2"><SPAN class="s1"> shutdown</SPAN></P> <P class="p2"><SPAN class="s1"> no nameif</SPAN></P> <P class="p2"><SPAN class="s1"> security-level 100</SPAN></P> <P class="p2"><SPAN class="s1"> no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/4</SPAN></P> <P class="p2"><SPAN class="s1"> shutdown</SPAN></P> <P class="p2"><SPAN class="s1"> no nameif</SPAN></P> <P class="p2"><SPAN class="s1"> security-level 100</SPAN></P> <P class="p2"><SPAN class="s1"> no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/5</SPAN></P> <P class="p2"><SPAN class="s1"> shutdown</SPAN></P> <P class="p2"><SPAN class="s1"> no nameif</SPAN></P> <P class="p2"><SPAN class="s1"> security-level 100</SPAN></P> <P class="p2"><SPAN class="s1"> no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/6</SPAN></P> <P class="p2"><SPAN class="s1"> shutdown</SPAN></P> <P class="p2"><SPAN class="s1"> no nameif</SPAN></P> <P class="p2"><SPAN class="s1"> security-level 100</SPAN></P> <P class="p2"><SPAN class="s1"> no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/7</SPAN></P> <P class="p2"><SPAN class="s1"> shutdown</SPAN></P> <P class="p2"><SPAN class="s1"> no nameif</SPAN></P> <P class="p2"><SPAN class="s1"> security-level 100</SPAN></P> <P class="p2"><SPAN class="s1"> no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/8</SPAN></P> <P class="p2"><SPAN class="s1"> shutdown</SPAN></P> <P class="p2"><SPAN class="s1"> no nameif</SPAN></P> <P class="p2"><SPAN class="s1"> security-level 100</SPAN></P> <P class="p2"><SPAN class="s1"> no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface Management1/1</SPAN></P> <P class="p2"><SPAN class="s1"> management-only</SPAN></P> <P class="p2"><SPAN class="s1"> no nameif</SPAN></P> <P class="p2"><SPAN class="s1"> no security-level</SPAN></P> <P class="p2"><SPAN class="s1"> no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">boot system disk0:/asa964-lfbff-k8.SPA</SPAN></P> <P class="p2"><SPAN class="s1">ftp mode passive</SPAN></P> <P class="p2"><SPAN class="s1">dns domain-lookup outside</SPAN></P> <P class="p2"><SPAN class="s1">dns domain-lookup inside</SPAN></P> <P class="p2"><SPAN class="s1">dns server-group DefaultDNS</SPAN></P> <P class="p2"><SPAN class="s1"> name-server 8.8.8.8 inside</SPAN></P> <P class="p2"><SPAN class="s1"> name-server 192.168.100.21 </SPAN></P> <P class="p2"><SPAN class="s1"> name-server 8.8.4.4 </SPAN></P> <P class="p2"><SPAN class="s1"> domain-name company.local</SPAN></P> <P class="p2"><SPAN class="s1">same-security-traffic permit inter-interface</SPAN></P> <P class="p2"><SPAN class="s1">same-security-traffic permit intra-interface</SPAN></P> <P class="p2"><SPAN class="s1">object network Internal_LAN</SPAN></P> <P class="p2"><SPAN class="s1"> subnet 192.168.1.0 255.255.255.0</SPAN></P> <P class="p2"><SPAN class="s1">object network Waddinxveen</SPAN></P> <P class="p2"><SPAN class="s1"> subnet 192.168.100.0 255.255.255.0</SPAN></P> <P class="p2"><SPAN class="s1"> description Waddinxveen Subnet HQ</SPAN></P> <P class="p2"><SPAN class="s1">object network NETWORK_OBJ_192.168.1.0_24</SPAN></P> <P class="p2"><SPAN class="s1"> subnet 192.168.1.0 255.255.255.0</SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any echo </SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit udp any any range 33434 33523 </SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any time-exceeded </SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any source-quench </SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any echo-reply </SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any unreachable </SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended deny ip any any </SPAN></P> <P class="p2"><SPAN class="s1">access-list ICMPACL extended permit icmp any any </SPAN></P> <P class="p2"><SPAN class="s1">access-list outbound extended permit tcp host 192.168.100.22 any eq smtp </SPAN></P> <P class="p2"><SPAN class="s1">access-list outbound extended deny tcp any any eq smtp </SPAN></P> <P class="p2"><SPAN class="s1">access-list outbound extended permit ip any any </SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Waddinxveen </SPAN></P> <P class="p2"><SPAN class="s1">pager lines 24</SPAN></P> <P class="p2"><SPAN class="s1">logging asdm informational</SPAN></P> <P class="p2"><SPAN class="s1">mtu outside 1500</SPAN></P> <P class="p2"><SPAN class="s1">mtu inside 1500</SPAN></P> <P class="p2"><SPAN class="s1">icmp unreachable rate-limit 1 burst-size 1</SPAN></P> <P class="p2"><SPAN class="s1">asdm image disk0:/asdm-791-151.bin</SPAN></P> <P class="p2"><SPAN class="s1">no asdm history enable</SPAN></P> <P class="p2"><SPAN class="s1">arp timeout 14400</SPAN></P> <P class="p2"><SPAN class="s1">arp permit-nonconnected</SPAN></P> <P class="p2"><SPAN class="s1">arp rate-limit 8192</SPAN></P> <P class="p2"><SPAN class="s1">nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Waddinxveen Waddinxveen no-proxy-arp route-lookup</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">object network Internal_LAN</SPAN></P> <P class="p2"><SPAN class="s1"> nat (inside,outside) dynamic interface</SPAN></P> <P class="p2"><SPAN class="s1">access-group outside_inside in interface outside</SPAN></P> <P class="p2"><SPAN class="s1">route outside 0.0.0.0 0.0.0.0 6.6.6.97 1</SPAN></P> <P class="p2"><SPAN class="s1">timeout xlate 3:00:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout pat-xlate 0:00:30</SPAN></P> <P class="p2"><SPAN class="s1">timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02</SPAN></P> <P class="p2"><SPAN class="s1">timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</SPAN></P> <P class="p2"><SPAN class="s1">timeout tcp-proxy-reassembly 0:01:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout floating-conn 0:00:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout conn-holddown 0:00:15</SPAN></P> <P class="p2"><SPAN class="s1">user-identity default-domain LOCAL</SPAN></P> <P class="p2"><SPAN class="s1">aaa authentication ssh console LOCAL </SPAN></P> <P class="p2"><SPAN class="s1">http server enable</SPAN></P> <P class="p2"><SPAN class="s1">http 192.168.1.0 255.255.255.0 inside</SPAN></P> <P class="p2"><SPAN class="s1">http 192.168.100.0 255.255.255.0 inside</SPAN></P> <P class="p2"><SPAN class="s1">no snmp-server location</SPAN></P> <P class="p2"><SPAN class="s1">no snmp-server contact</SPAN></P> <P class="p2"><SPAN class="s1">service sw-reset-button</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac </SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal DES</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp encryption des</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal 3DES</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp encryption 3des</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal AES</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp encryption aes</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal AES192</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp encryption aes-192</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal AES256</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp encryption aes-256</SPAN></P> <P class="p2"><SPAN class="s1"> protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec security-association pmtu-aging infinite</SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map 1 match address outside_cryptomap</SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map 1 set peer 62.177.202.94 </SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES</SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map interface outside</SPAN></P> <P class="p2"><SPAN class="s1">crypto ca trustpool policy</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 1</SPAN></P> <P class="p2"><SPAN class="s1"> encryption aes-256</SPAN></P> <P class="p2"><SPAN class="s1"> integrity sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 5 2</SPAN></P> <P class="p2"><SPAN class="s1"> prf sha</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 10</SPAN></P> <P class="p2"><SPAN class="s1"> encryption aes-192</SPAN></P> <P class="p2"><SPAN class="s1"> integrity sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 5 2</SPAN></P> <P class="p2"><SPAN class="s1"> prf sha</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 20</SPAN></P> <P class="p2"><SPAN class="s1"> encryption aes</SPAN></P> <P class="p2"><SPAN class="s1"> integrity sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 5 2</SPAN></P> <P class="p2"><SPAN class="s1"> prf sha</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 30</SPAN></P> <P class="p2"><SPAN class="s1"> encryption 3des</SPAN></P> <P class="p2"><SPAN class="s1"> integrity sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 5 2</SPAN></P> <P class="p2"><SPAN class="s1"> prf sha</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 40</SPAN></P> <P class="p2"><SPAN class="s1"> encryption des</SPAN></P> <P class="p2"><SPAN class="s1"> integrity sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 5 2</SPAN></P> <P class="p2"><SPAN class="s1"> prf sha</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 enable outside</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 enable outside</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 10</SPAN></P> <P class="p2"><SPAN class="s1"> authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1"> encryption aes-256</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 20</SPAN></P> <P class="p2"><SPAN class="s1"> authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1"> encryption aes-256</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 40</SPAN></P> <P class="p2"><SPAN class="s1"> authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1"> encryption aes-192</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 50</SPAN></P> <P class="p2"><SPAN class="s1"> authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1"> encryption aes-192</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 70</SPAN></P> <P class="p2"><SPAN class="s1"> authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1"> encryption aes</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 80</SPAN></P> <P class="p2"><SPAN class="s1"> authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1"> encryption aes</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 100</SPAN></P> <P class="p2"><SPAN class="s1"> authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1"> encryption 3des</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 110</SPAN></P> <P class="p2"><SPAN class="s1"> authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1"> encryption 3des</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 130</SPAN></P> <P class="p2"><SPAN class="s1"> authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1"> encryption des</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 140</SPAN></P> <P class="p2"><SPAN class="s1"> authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1"> encryption des</SPAN></P> <P class="p2"><SPAN class="s1"> hash sha</SPAN></P> <P class="p2"><SPAN class="s1"> group 2</SPAN></P> <P class="p2"><SPAN class="s1"> lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">telnet timeout 5</SPAN></P> <P class="p2"><SPAN class="s1">no ssh stricthostkeycheck</SPAN></P> <P class="p2"><SPAN class="s1">ssh 192.168.1.0 255.255.255.0 inside</SPAN></P> <P class="p2"><SPAN class="s1">ssh 192.168.100.0 255.255.255.0 inside</SPAN></P> <P class="p2"><SPAN class="s1">ssh timeout 5</SPAN></P> <P class="p2"><SPAN class="s1">ssh cipher encryption all</SPAN></P> <P class="p2"><SPAN class="s1">ssh key-exchange group dh-group1-sha1</SPAN></P> <P class="p2"><SPAN class="s1">console timeout 0</SPAN></P> <P class="p1">&nbsp;</P> <P class="p2"><SPAN class="s1">dhcpd address 192.168.1.100-192.168.1.225 inside</SPAN></P> <P class="p2"><SPAN class="s1">dhcpd dns 192.168.100.21 8.8.8.8 interface inside</SPAN></P> <P class="p2"><SPAN class="s1">dhcpd enable inside</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">threat-detection basic-threat</SPAN></P> <P class="p2"><SPAN class="s1">threat-detection statistics access-list</SPAN></P> <P class="p2"><SPAN class="s1">no threat-detection statistics tcp-intercept</SPAN></P> <P class="p2"><SPAN class="s1">group-policy GroupPolicy_62.177.202.94 internal</SPAN></P> <P class="p2"><SPAN class="s1">group-policy GroupPolicy_62.177.202.94 attributes</SPAN></P> <P class="p2"><SPAN class="s1"> vpn-tunnel-protocol ikev1 ikev2 </SPAN></P> <P class="p2"><SPAN class="s1">dynamic-access-policy-record DfltAccessPolicy</SPAN></P> <P class="p2"><SPAN class="s1">username admin password $sha512$5000$XJhfzyR/fvZjzfGSUQEdwA==$N5789JoSOE9DfuSXz6HO9Q== pbkdf2 privilege 15</SPAN></P> <P class="p2"><SPAN class="s1">tunnel-group 62.177.202.94 type ipsec-l2l</SPAN></P> <P class="p2"><SPAN class="s1">tunnel-group 62.177.202.94 general-attributes</SPAN></P> <P class="p2"><SPAN class="s1"> default-group-policy GroupPolicy_62.177.202.94</SPAN></P> <P class="p2"><SPAN class="s1">tunnel-group 62.177.202.94 ipsec-attributes</SPAN></P> <P class="p2"><SPAN class="s1"> ikev1 pre-shared-key *****</SPAN></P> <P class="p2"><SPAN class="s1"> ikev2 remote-authentication pre-shared-key *****</SPAN></P> <P class="p2"><SPAN class="s1"> ikev2 local-authentication pre-shared-key *****</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">class-map inspection_default</SPAN></P> <P class="p2"><SPAN class="s1"> match default-inspection-traffic</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">policy-map type inspect dns preset_dns_map</SPAN></P> <P class="p2"><SPAN class="s1"> parameters</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>message-length maximum client auto</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>message-length maximum 512</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>no tcp-inspection</SPAN></P> <P class="p2"><SPAN class="s1">policy-map global_policy</SPAN></P> <P class="p2"><SPAN class="s1"> class inspection_default</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect dns preset_dns_map </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect ftp </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect h323 h225 </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect h323 ras </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect rsh </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect rtsp </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect sqlnet </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect skinny&nbsp;</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect sunrpc </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect xdmcp </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect sip&nbsp;</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect netbios </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect tftp </SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>inspect ip-options </SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">service-policy global_policy global</SPAN></P> <P class="p2"><SPAN class="s1">prompt hostname context </SPAN></P> <P class="p2"><SPAN class="s1">no call-home reporting anonymous</SPAN></P> <P class="p2"><SPAN class="s1">Cryptochecksum:32c6a0af3e4f1738ea72b27db186581f</SPAN></P> Thu, 22 Feb 2018 01:47:24 GMT https://community.cisco.com/t5/network-security/cisco-asa-policy-based-routing/m-p/3335555#M969893 Robbert Tol 2018-02-22T01:47:24Z