
NAT issue on ASA

jkay18041
Level 3

I am having an issue with NAT on my ASA 5516. Everything was working fine, then I added a new sub interface for a printer vlan. That part seemed to be fine but I had to add a NAT rule so my copiers could send email. I added a nat rule and had it translate to an external IP address just like I had for my other VLANs that needed internet access. Didn't seem to work, I could ping firewall but could never get out to the internet. I then re-ordered the rules and it started working. But in the process it broke NAT on another vlan. I'm using the ASDM tool to re-order them.

 

Any advice?

 

Thank you

11 Replies

balaji.bandi
Hall of Fame

Can you post the configuration and give us information which VLAN was not working ?

BB


Richard Burts
Hall of Fame

The advice is to always be careful about the order of the NAT rules, especially when adding a new rule to an existing config. I personally prefer to make that kind of change using the CLI, feeling that it gives me more control. But it should be possible to make the change with ASDM successfully. Without more detail about the config it is difficult to say much more than that.

 

HTH

 

Rick

Martin Carr
Level 4

I believe you are on the right track and, as Rich says, chances are it's an ordering issue.

 

The tool you need is packet tracer, this is available in both ASDM and CLI.

 

It crafts packets, relative to the input, and displays their journey, hence you can see which NAT rule is being matched (or not matched, as the case may be).

 

Martin

: Serial Number: JAD193
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.12(1)
!
hostname LWASA1
domain-name
enable password ***** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
no names

name 10.245.245.0 VPN_IP_Pool
name 10.16.235.0 HS_ATPAP
name 10.15.2.192 ssweb
dns-guard
no mac-address auto
ip local pool company_name-VPN-Pool 10.245.245.10-10.245.245.199 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 3.3.3.66 255.255.255.192
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.15.2.251 255.255.255.0
!
interface GigabitEthernet1/3
nameif voice
security-level 90
ip address 192.168.20.251 255.255.255.0
!
interface GigabitEthernet1/4
description Corp WiFi Interface
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4.33
description Printer
vlan 33
nameif Printers
security-level 100
ip address 10.15.33.251 255.255.255.0
!
interface GigabitEthernet1/5
nameif LW_WiFi
security-level 100
ip address 10.15.3.251 255.255.255.0
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6.4
description HR Department
vlan 4
nameif HR_Dept
security-level 100
ip address 10.15.4.251 255.255.255.0
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-12-1-lfbff-k8.SPA
boot system disk0:/asa9101-lfbff-k8.SPA
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup voice
dns domain-lookup LW_WiFi
dns domain-lookup HR_Dept
dns server-group DefaultDNS
domain-name company_name.corp
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN_IP_Pool
subnet 10.245.245.0 255.255.255.0
object network company_name_Internal_Range
subnet 10.15.2.0 255.255.255.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ScreenConnect
object network 3.3.3.86
host 3.3.3.86
object network 3.3.3.67
host 3.3.3.67
object network 3.3.3.94
host 3.3.3.94
object service aamon
service tcp destination eq 10101
object service aamob1
service udp destination eq isakmp
description AA Mobility
object service aamob2
service udp destination eq 4500
description AA Mobility
object network ForecastTool
host 10.15.2.54
description Internal Address of Forecast Tool
object network ForecastTool-Ext
host 3.3.3.69
description External Address of Forecast Tool
object service forecasttl
service tcp destination eq www
description Allow port 7171 on forecast tool
object network NETWORK_OBJ_10.245.245.0_24
subnet 10.245.245.0 255.255.255.0
object network Spiceworks
host 10.15.2.183
description Internal Address of Spiceworks Site
object network Printer-External-IP
host 3.3.3.70
description Printer IP
object service Spiceworks-9675
service tcp destination eq 9675
description Permit TCP 9675
object network company_name_Voice_Range
subnet 192.168.20.0 255.255.255.0
description voice IP range
object network Voice_NAT
host 3.3.3.71
description Voice_NAT
object network Google_DNS_1
host 8.8.8.8
description Google_DNS_1
object network Google_DNS_2
host 8.8.4.4
description Google_DNS_2
object network Guest_External_Interface
host 192.168.100.1
description Guest External Interface
object network Guest_NAT_IP
host 3.3.3.70
description Guest NAT IP
object service DHCP_Relay
service udp destination eq bootps
object network GoverLAN-Ext
host 3.3.3.75
description External IP of GoverLAN
object network GoverLAN
host 10.15.2.5
description Internal IP of GoverLAN
object service GoverLAN-agents
service tcp destination eq 15155
description Allow GoverLAN agents to 15155
object network DMZ_NAT_IP
host 3.3.3.79
object network DMZ_Internal_Range
subnet 192.168.10.0 255.255.255.0
object network DMZ-2_Internal_Range
subnet 172.16.52.0 255.255.255.0
object network DMZ-2_NAT_IP
host 3.3.3.81
object network Nextiva_Block_1
subnet 208.73.144.0 255.255.248.0
object network DMZ_Radius
host 192.168.10.254
object service RDP-Service
service tcp source eq 3395
object network nextiva_background_images
subnet 151.101.48.0 255.255.255.0
description website
object network Nextiva_Block_2
subnet 208.89.108.0 255.255.252.0
object service LWNAS_443
service tcp source range 1 65000 destination eq https
description LWNAS
object network LWNAS
host 10.15.2.55
object network Guest-Network
subnet 192.168.100.0 255.255.255.0
description Guest-Network
object network LWNAS-EXT
host 3.3.3.74
description External Address of LWNAS
object network VPN
host 3.3.3.66
description VPN public IP
object network LW_WiFi
subnet 10.15.3.0 255.255.255.0
description LW_WiFi
object network HR_Dept
subnet 10.15.4.0 255.255.255.0
description HR department
object network HR_Public_IP
host 3.3.3.68
description HR
object service Radius
service udp source range 0 50000 destination eq 1814
object network NETWORK_OBJ_10.30.97.0_24
subnet 10.30.97.0 255.255.255.0
object network NETWORK_OBJ_10.15.2.0_24
subnet 10.15.2.0 255.255.255.0
object network Printers
subnet 10.15.33.0 255.255.255.0
description Printer VLAN
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp-udp
port-object eq 3389
object-group network Google_DNS_Group
network-object object Google_DNS_1
network-object object Google_DNS_2
object-group service DM_INLINE_TCP_20 tcp
port-object eq ftp
port-object eq ftp-data
object-group network DM_INLINE_NETWORK_2
object-group service DM_INLINE_SERVICE_12
service-object icmp
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group network PrivateNetworks
network-object 10.0.0.0 255.0.0.0
object-group network USG_Networks_To_Block
description Guest - Networks to block
network-object object company_name_Internal_Range
network-object object company_name_Voice_Range
network-object object VPN_IP_Pool
network-object 10.15.3.0 255.255.255.0
network-object 10.15.4.0 255.255.255.0
network-object object HR_Dept
network-object object HR_Public_IP
network-object 10.0.0.0 255.0.0.0
object-group service time-servers udp
port-object eq ntp
object-group network Nextiva_IP_Ranges
network-object object Nextiva_Block_1
group-object Google_DNS_Group
network-object object Nextiva_Block_2
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq sip
service-object udp destination eq sip
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp
service-object object LWNAS_443
object-group service mDNS udp
description udp 5353
port-object eq 5353
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list inside_nat0_outbound extended permit ip any object VPN_IP_Pool
access-list outside_access_in extended deny udp any object DMZ_Radius eq 5353
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any 10.15.2.0 255.255.255.0
access-list outside_access_in extended permit object forecasttl any4 object ForecastTool
access-list outside_access_in extended permit ip any object LWNAS
access-list 110 extended permit ip 10.0.0.0 255.0.0.0 object VPN_IP_Pool
access-list inside_access_in_1 extended permit ip 10.15.2.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list ASA-Sourcefire extended permit ip any any inactive
access-list company_name-VPN-Split-Tunnel standard permit 10.15.0.0 255.255.0.0
access-list voice_access_in extended deny ip object-group PrivateNetworks any
access-list voice_access_in extended permit tcp 192.168.20.0 255.255.255.0 object nextiva_background_images object-group DM_INLINE_TCP_1
access-list voice_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.20.0 255.255.255.0 any
access-list voice_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.20.0 255.255.255.0 object-group Nextiva_IP_Ranges
access-list voice_access_in extended permit udp any any eq ntp
access-list voice_access_in extended deny ip any any log debugging
access-list voice_access_in extended deny icmp any any inactive
access-list USG_access_in extended deny ip any object-group USG_Networks_To_Block
access-list USG_access_in extended deny ip object Guest_External_Interface object-group USG_Networks_To_Block
access-list USG_access_in extended deny icmp object Guest_External_Interface object-group USG_Networks_To_Block
access-list USG_access_in extended deny icmp object Guest-Network any
access-list USG_access_in extended permit ip object Guest_External_Interface any
access-list USG_access_in extended permit icmp object Guest_External_Interface any
access-list USG_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ-2_access_in extended deny ip any any inactive
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list from_outside extended permit icmp any any echo
access-list LW_WiFi_access_in extended deny ip any 192.168.20.0 255.255.255.0
access-list LW_WiFi_access_in extended deny ip any 10.15.4.0 255.255.255.0
access-list LW_WiFi_access_in extended permit ip any any
access-list HR_Dept_access_in extended deny ip any 192.168.100.0 255.255.255.0
access-list HR_Dept_access_in extended deny ip any 192.168.20.0 255.255.255.0
access-list HR_Dept_access_in extended deny ip any 10.15.3.0 255.255.255.0
access-list HR_Dept_access_in extended permit ip any any
access-list Printers_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
!
tcp-map tmap
invalid-ack allow
seq-past-window allow
tcp-options md5 clear
!
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 200
logging buffered debugging
logging trap warnings
logging asdm debugging
logging host inside 10.15.2.226
mtu outside 1500
mtu inside 1500
mtu voice 1500
mtu Printers 1500
mtu LW_WiFi 1500
mtu HR_Dept 1500
no failover
no monitor-interface Printers
no monitor-interface HR_Dept
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.245.245.0_24 NETWORK_OBJ_10.245.245.0_24 no-proxy-arp route-lookup
nat (voice,outside) source static company_name_Voice_Range Voice_NAT description Voice_NAT_Rule
nat (HR_Dept,any) source static HR_Dept HR_Public_IP
nat (LW_WiFi,any) source static LW_WiFi 3.3.3.67
!
object network obj_any
nat (inside,outside) dynamic interface
object network ForecastTool
nat (inside,outside) static ForecastTool-Ext
object network LWNAS
nat (inside,outside) static LWNAS-EXT service tcp 5001 https
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
access-group voice_access_in in interface voice
access-group Printers_access_in in interface Printers
access-group LW_WiFi_access_in in interface LW_WiFi
access-group HR_Dept_access_in in interface HR_Dept
route outside 0.0.0.0 0.0.0.0 3.3.3.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:05:00 sip-invite 0:05:00 sip-disconnect 0:05:00
timeout sip-provisional-media 0:05:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server LDAP protocol ldap
reactivation-mode depletion deadtime 1
max-failed-attempts 5
aaa-server LDAP (inside) host 10.15.2.1
server-port 636
ldap-base-dn DC=company_name,DC=corp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=administrator,CN=Users,DC=company_name,DC=corp
ldap-over-ssl enable
server-type microsoft
aaa-server LDAP (inside) host 10.15.2.6
server-port 636
ldap-base-dn DC=company_name,DC=corp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=administrator,CN=Users,DC=company_name,DC=corp
ldap-over-ssl enable
server-type microsoft
aaa-server LDAP (inside) host 10.15.2.3
server-port 636
ldap-base-dn DC=company_name,DC=corp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=administrator,CN=Users,DC=company_name,DC=corp
ldap-over-ssl enable
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable 8443
http 10.15.2.0 255.255.255.0 inside
snmp-server host inside 10.15.2.73 community ***** version 2c
snmp-server host inside 10.15.2.22 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
sysopt connection tcpmss 1300
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.15.2.251,CN=LWASA1
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=10.15.2.251,CN=LWASA1
crl configure
crypto ca trustpoint SSL-VPN
enrollment terminal
fqdn vpn.company_name.com
subject-name CN=*.company_name.com,OU=NA,O=company_name,C=US,St=KS,L=Wichita,EA=it@company_name.com
crl configure
crypto ca trustpoint VPN
enrollment terminal
crl configure
crypto ca trustpoint Intermediate
enrollment terminal
crl configure
crypto ca trustpoint Intermediate_2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0
keypair SSL-VPN
crl configure
crypto ca trustpoint SSL-Trustpoint
enrollment terminal
subject-name CN=LWASA1
keypair SSL-Cert
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=*.company_name.com,O=company_name,C=US,St=KS,L=Wichita,EA=admin@company_name.com
keypair SSL-Cert_VPN
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 

quit
crypto ca certificate chain Intermediate
certificate ca 2b2e6eead975366c
f9d487c1 c28cb7e7 e20f3019 3786ace0 dc4203e6 94a89dae fd0f2451 94ce9208
d1fc50f0 03407b88 59ed0edd ac50728c 003aaae3 db63349f
f8067101 e28220d4 fe6fbdb1
quit
crypto ca certificate chain Intermediate_2
certificate ca 2766ee56eb49f38eabd770a2fc84de2230201 02021027 66ee56eb 49f38eab d770a2fc 84de2230
3b0b19f6 a1b16c86 3e5caac4 2e82cbf9 0796ba48 4d90f294 c8a973a2 eb067b23
9ddea2f3 4d559f7a 61459818 68
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 00e012bc3f3cc8d9315b2
30820558 30820440 a0030201 02021100 e012bc3f 3cc8d931 5b22fe41 ffe8c359
6c014973 4fd69341 e873
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.15.2.0 255.255.255.0 inside
ssh timeout 5
ssh cipher encryption high
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcprelay server 10.15.2.1 inside
dhcprelay enable voice
dhcprelay enable LW_WiFi
dhcprelay enable HR_Dept
dhcprelay setroute voice
dhcprelay setroute LW_WiFi
dhcprelay setroute HR_Dept
dhcprelay timeout 60
priority-queue outside
tx-ring-limit 256
priority-queue voice
tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter use-database
dynamic-filter enable
dynamic-filter whitelist
name usps.com
ntp server 208.80.96.96
ntp server 10.15.2.1 source inside prefer
ntp server 184.105.192.247
ntp server 50.116.38.157
ntp server 72.249.38.88
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default fips
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
webvpn
anyconnect ssl rekey method ssl
group-policy GroupPolicy_company_name internal
group-policy GroupPolicy_company_name attributes
wins-server none
dns-server value 10.15.2.1 10.15.2.9
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value company_name-VPN-Split-Tunnel
default-domain value company_name.corp
webvpn
anyconnect ssl rekey method ssl
dynamic-access-policy-record DfltAccessPolicy
user-message "No access for you!! :("
action terminate
dynamic-access-policy-record Cisco_VPN_Users
description "Cisco VPN Users LDAP Group"
quota management-session 4
username admin password ***** encrypted privilege 15
tunnel-group company_name type remote-access
tunnel-group company_name general-attributes
address-pool company_name-VPN-Pool
authentication-server-group LDAP LOCAL
default-group-policy GroupPolicy_company_name
tunnel-group company_name webvpn-attributes
group-alias company_name enable
!
class-map MiCloud-Signaling
match dscp af31
class-map MiCloud-Voice
match dscp ef
class-map Voice
match dscp ef
class-map inspecttion_default
class-map Sourcefire-class
match access-list ASA-Sourcefire
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map p1_priority
class Voice
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
class Sourcefire-class
sfr fail-open
policy-map MiCloud-QoS-Parent
class class-default
police output 99614500
police input 99614500
policy-map global-policy
class inspection_default
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map MiCloud-QoS
class MiCloud-Voice
class MiCloud-Signaling
!
service-policy global_policy global
service-policy MiCloud-QoS-Parent interface outside
service-policy MiCloud-QoS-Parent interface voice
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 27
subscribe-to-alert-group configuration periodic monthly 27
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:5f43
: end
LWASA1#

Thanks for posting the config. I see GigabitEthernet1/4.33 seems to be the new sub interface that you created. I do not find any address translation involving that interface or its subnet. Can you clarify the status of this config and whether it represents a working environment or an environment with problems? If so, what are the problems?

 

HTH

 

Rick

Richard,

 

I did take the NAT config off of that interface as it seemed to break other things, such as users printing, and depending upon where it was in the list it would break internet for other VLANs.

 

This morning I did add a new NAT rule for that interface and put it at the very bottom (in ASDM). I did an "add NAT rule after network object" and that seemed to do the trick. However, I still don't understand why putting this rule towards the top would break things, as it's not a NAT rule for a /16 but for a /24. I have a NAT rule above it that is for a /8 network and it translates to the outside interface. I'm puzzled as to the ordering of NAT rules, I guess.

 

Thanks

We now have the config as a starting place in understanding the issue. But without knowing the specifics of the translation rule that you tried to add, and where it got added we are not able to identify the issue.

 

HTH

 

Rick

Here are the current rules.

 

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.245.245.0_24 NETWORK_OBJ_10.245.245.0_24 no-proxy-arp route-lookup
nat (voice,outside) source static Lodgeworks_Voice_Range Voice_NAT description Voice_NAT_Rule
nat (HR_Dept,any) source static HR_Dept HR_Public_IP
nat (LW_WiFi,any) source static LW_WiFi 3.3.3.67
!
object network obj_any
nat (inside,outside) dynamic interface
object network ForecastTool
nat (inside,outside) static ForecastTool-Ext
object network LWNAS
nat (inside,outside) static LWNAS-EXT service tcp 5001 https
!
nat (Printers,outside) after-auto source static Printers Printer-External-IP
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
access-group voice_access_in in interface voice
access-group Printers_access_in in interface Printers
access-group LW_WiFi_access_in in interface LW_WiFi
access-group HR_Dept_access_in in interface HR_Dept

 

Thanks again for the replies

Thanks for the additional information. I am having trouble seeing how this translation would have a negative impact on other VLANs.

 

I do notice one thing that could become a problem. You have this

object network Printer-External-IP
host 3.3.3.70
description Printer IP

and you have this

object network Guest_NAT_IP
host 3.3.3.70
description Guest NAT IP

 

Since I do not see Guest_NAT_IP being used it is not currently an issue. But it has potential to become one.

 

But I am having difficulty seeing your attempted translation as a problem.

 

HTH

 

Rick

The Guest_nat object is no longer in use, but I'll delete it.

 

The current config works, but when I had it set up before with the NAT rule higher up on the list it broke other VLANs, and I'm not sure why, as this is a /24 network, not a /16 or /8.

It is a good practice to remove objects when they are no longer used. Especially since it is for a specific /24, and since I do not find overlapping addressing, I have trouble understanding how this was a problem. I don't doubt that it was, and that indicates that there is some aspect of what you were doing that we do not understand at this point.

 

HTH

 

Rick
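The ordering question running through this thread (why the position of a /24 rule could matter, and what packet-tracer reports as the matched NAT rule) comes down to how the ASA walks its NAT table: Section 1 manual NAT rules are evaluated strictly in configured order, Section 2 object NAT rules are auto-sorted by the ASA (static before dynamic, fewer real addresses first), and after-auto rules form Section 3. The following Python model is an added example, not Cisco code and not anyone's configuration from this thread; it loads the NAT rules as posted above as constructed data and reports which rule a sample packet would hit. The rule named hypothetical-broad is an assumption that does not appear in the posted config; it is included only to show that in Section 1 the rule's position, not its prefix length, decides the match. Egress-interface checks, destination translation and ports are left out, so this is an illustration of the lookup order, not a replacement for packet-tracer.

```python
"""Toy model of Cisco ASA unified NAT ordering (ASA 8.3 and later).

Added example for this thread; not Cisco code and not the poster's config.
Section 1 (manual NAT) is first-match in configured order, Section 2
(object NAT) is auto-sorted by the ASA, Section 3 (after-auto) comes last.
Egress-interface selection, destination NAT and ports are deliberately omitted.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    ingress: str                 # nameif of the real interface, or "any"
    egress: str                  # mapped interface (not evaluated in this model)
    source: str                  # real source, CIDR
    dest: str = "0.0.0.0/0"      # real destination, CIDR ("any" by default)
    mapped: str = ""             # mapped source: an IP, "interface" or "identity"
    section: int = 1             # 1 = manual, 2 = object NAT, 3 = after-auto
    static: bool = True


def net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, ingress: str, src: str, dst: str) -> bool:
    """A rule applies when ingress interface, real source and real destination all fit."""
    if rule.ingress not in ("any", ingress):
        return False
    return (ipaddress.ip_address(src) in net(rule.source)
            and ipaddress.ip_address(dst) in net(rule.dest))


def section2_key(rule: Rule):
    # Object NAT is ordered by the ASA, not by the admin: static rules before
    # dynamic ones, then rules covering fewer real addresses first, then by name.
    return (0 if rule.static else 1, net(rule.source).num_addresses, rule.name)


def ordered(rules: List[Rule]) -> List[Rule]:
    s1 = [r for r in rules if r.section == 1]                        # configured order
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = [r for r in rules if r.section == 3]                        # configured order
    return s1 + s2 + s3


def lookup(rules: List[Rule], ingress: str, src: str, dst: str) -> Optional[str]:
    """Name of the first matching rule, i.e. the NAT line packet-tracer would report."""
    for rule in ordered(rules):
        if matches(rule, ingress, src, dst):
            return rule.name
    return None


def with_rule_at(rules: List[Rule], rule: Rule, index: int) -> List[Rule]:
    """Copy of the rule list with one extra rule inserted at the given position."""
    new = list(rules)
    new.insert(index, rule)
    return new


# Constructed from the NAT rules posted in the thread (Section 1 in the order shown).
POSTED = [
    Rule("vpn-identity", "inside", "outside", "0.0.0.0/0", "10.245.245.0/24", "identity"),
    Rule("Voice_NAT_Rule", "voice", "outside", "192.168.20.0/24", mapped="3.3.3.71"),
    Rule("HR_Dept", "HR_Dept", "any", "10.15.4.0/24", mapped="3.3.3.68"),
    Rule("LW_WiFi", "LW_WiFi", "any", "10.15.3.0/24", mapped="3.3.3.67"),
    Rule("obj_any", "inside", "outside", "0.0.0.0/0", mapped="interface", section=2, static=False),
    Rule("ForecastTool", "inside", "outside", "10.15.2.54/32", mapped="3.3.3.69", section=2),
    Rule("LWNAS", "inside", "outside", "10.15.2.55/32", mapped="3.3.3.74", section=2),
    Rule("Printers-after-auto", "Printers", "outside", "10.15.33.0/24", mapped="3.3.3.70", section=3),
]

# Hypothetical, NOT in the posted config: a manual rule with ingress "any" and a /8 source.
BROAD = Rule("hypothetical-broad", "any", "outside", "10.0.0.0/8", mapped="interface")


if __name__ == "__main__":
    # A printer reaching the internet falls through Sections 1 and 2 to the after-auto rule.
    print(lookup(POSTED, "Printers", "10.15.33.10", "8.8.8.8"))
    # An inside host hits object NAT; the /32 static objects sort ahead of dynamic obj_any.
    print(lookup(POSTED, "inside", "10.15.2.10", "8.8.8.8"))
    print(lookup(POSTED, "inside", "10.15.2.54", "8.8.8.8"))
    # Same hypothetical /8 rule, two positions in Section 1: only the position changes the outcome.
    print(lookup(with_rule_at(POSTED, BROAD, 0), "HR_Dept", "10.15.4.10", "8.8.8.8"))
    print(lookup(with_rule_at(POSTED, BROAD, 4), "HR_Dept", "10.15.4.10", "8.8.8.8"))
```

Run it as a script and compare the printed rule names with what `packet-tracer input <interface> tcp <src> 1025 <dst> 25` prints in its NAT phase on the real device; when the two disagree, the simplifications listed in the lead-in (egress interface, destination and port matching) are the first place to look.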