I've created a DMZ on ASA5510 8.4, it can access anything internal interface but cannot get out to internet or outside interface. I cannot manage the ASA from the DMZ subnet neither. Could you please help?
Thanks in advance.
here's the config:
: Saved
:
ASA Version 8.4(2)8
!
hostname ciscoasa
multicast-routing
names
dns-guard
!
interface Ethernet0/0
description xxxx shopInternet Connection
speed 100
duplex full
nameif outside
security-level 0
ip address 99.99.99.130 255.255.255.224
ospf cost 10
!
interface Ethernet0/1
description xxxx internal connection from firewall to switch
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
description xxxx DMZ
nameif DMZ
security-level 100
ip address 172.10.1.1 255.255.255.0
!
interface Ethernet0/3
description Management Service-EEEE-40
speed 100
duplex full
nameif E-40
security-level 0
ip address 10.40.86.248 255.255.255.0
!
interface Management0/0
description management
nameif management
security-level 100
ip address 192.168.199.1 255.255.255.0
ospf cost 10
management-only
!
boot system disk0:/asa842-8-k8.bin
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
name-server 208.67.222.222
name-server 208.67.220.220
name-server 66.28.0.45
name-server 66.28.0.61
domain-name xxxxshop.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-172.30.1.0
subnet 172.30.1.0 255.255.255.0
object network obj-10.40.86.0
subnet 10.40.86.0 255.255.255.0
object network obj-192.168.99.0
subnet 192.168.99.0 255.255.255.0
object network obj-192.168.1.13
host 192.168.1.13
object network obj-192.168.1.13-01
host 192.168.1.13
object network obj-192.168.1.13-02
host 192.168.1.13
object network obj-172.30.1.70
host 172.30.1.70
object network obj-192.168.106.144
host 192.168.106.144
object network obj-192.168.106.144-01
host 192.168.106.144
object network obj-192.168.106.144-02
host 192.168.106.144
object network obj-192.168.10.2
host 192.168.10.2
object network obj-172.30.1.50
host 172.30.1.50
object network obj-172.30.1.40
host 172.30.1.40
object network obj-192.168.1.10
host 192.168.1.10
object network obj-192.168.106.99
host 192.168.106.99
object network obj-172.30.1.102
host 172.30.1.102
object network obj-172.30.1.31
host 172.30.1.31
object network obj-172.30.1.40-01
host 172.30.1.40
object network obj-172.30.1.50-01
host 172.30.1.50
object network obj-172.30.1.101
host 172.30.1.101
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network obj_any-06
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.0.0
object service ftp
service tcp source range ftp-data ftp destination range ftp-data ftp
object network obj-192.168.1.15
host 192.168.1.15
object network obj-192.168.1.15-01
host 192.168.1.15
object network NETWORK_OBJ_172.30.1.0_24
subnet 172.30.1.0 255.255.255.0
object network NETWORK_OBJ_172.31.2.0_24
subnet 172.31.2.0 255.255.255.0
object network obj-172.10.1.136
host 172.10.1.136
description VCS Express 01 NIC 01
object network obj-172.10.1.0
subnet 172.10.1.0 255.255.255.0
description DMZ
object network obj_any-08
subnet 0.0.0.0 0.0.0.0
object network obj-172.10.1.150
host 172.10.1.150
object-group service ExchangeOWA tcp
description Exchange Web and Mobile Access
port-object eq smtp
port-object eq https
port-object eq www
object-group network admin-ip
network-object host 192.168.1.199
network-object 172.30.1.0 255.255.255.0
network-object host 192.168.106.99
network-object host Snapstream_ott
network-object host 192.168.1.251
network-object host 192.168.1.190
network-object host 192.168.1.193
network-object host 192.168.1.10
network-object host 192.168.1.11
network-object host 192.168.1.14
network-object host 192.168.1.15
network-object host 192.168.1.6
network-object host 192.168.1.7
network-object host 192.168.1.8
network-object host 192.168.1.9
network-object host 192.168.2.199
network-object host 192.168.1.13
network-object 192.168.99.0 255.255.255.0
network-object 172.10.1.0 255.255.255.0
object-group network approved-ip
network-object host 99.99.99.141
network-object 172.30.1.0 255.255.255.0
object-group network tms-ip
object-group service VNC tcp
description VNC
port-object eq 5900
object-group network DM_INLINE_NETWORK_2
network-object 172.30.1.0 255.255.255.0
network-object 192.168.0.0 255.255.0.0
object-group service VNC-Listen tcp
description VNC-Listen Ports
port-object eq 5500
object-group service Streaming-ASF tcp-udp
description Streaming-ASF
port-object eq 1755
object-group service Streaming-ASF-TCP tcp
description Streaming-ASF-TCP
port-object eq 1755
object-group service DM_INLINE_TCP_1 tcp
group-object Streaming-ASF
port-object eq www
group-object Streaming-ASF-TCP
port-object eq rtsp
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_5
object-group network DM_INLINE_NETWORK_4
network-object host 172.19.4.50
network-object 192.168.123.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object host 172.19.4.50
network-object 192.168.123.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object host 172.19.4.50
network-object 192.168.123.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object host 99.99.99.141
network-object host 99.99.99.144
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8129
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_9
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq ftp-data
object-group network BypassFacebook
network-object host 192.168.1.182
network-object host 192.168.1.183
network-object host 192.168.1.184
network-object host 192.168.1.188
network-object host 192.168.1.189
network-object host 192.168.1.190
network-object host 192.168.1.193
network-object host 192.168.1.194
network-object host 192.168.1.195
network-object host 192.168.1.196
network-object host 192.168.1.199
network-object host 192.168.1.200
object-group network Facebook
network-object 69.63.176.0 255.255.240.0
network-object 66.220.144.0 255.255.240.0
object-group network DM_INLINE_NETWORK_1
network-object host 10.40.86.102
network-object host 10.40.86.31
network-object host 10.40.86.40
network-object host 10.40.86.50
network-object host 10.40.86.101
object-group network DM_INLINE_NETWORK_3
network-object object obj-172.30.1.0
network-object object obj-192.168.0.0
object-group network DM_INLINE_NETWORK_12
network-object 10.4.86.0 255.255.255.0
network-object 10.40.86.0 255.255.255.0
network-object 10.70.86.0 255.255.255.0
network-object 10.96.86.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp-udp destination eq sip
service-object tcp destination eq 1721
service-object tcp destination eq h323
service-object udp destination eq 1719
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
service-object udp destination eq ntp
object-group network DM_INLINE_NETWORK_1_2
network-object host 172.30.1.102
network-object host 172.30.1.31
network-object host 172.30.1.40
network-object host 172.30.1.50
network-object host 172.30.1.101
object-group network DM_INLINE_NETWORK_10
access-list inside_nat0_outbound_1 extended permit ip 172.30.1.0 255.255.255.0 10.40.86.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_3 192.168.99.0 255.255.255.0
access-list dzm extended permit ip any any
access-list dzm extended permit icmp any any
access-list ouside extended permit ip any any
access-list cont_in extended permit ip host 99.99.99.135 any
access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0
access-list Split_tunnel_ACL standard permit 172.30.1.0 255.255.255.0
access-list inside extended permit tcp host 192.168.1.13 any eq smtp
access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_9 eq smtp
access-list inside extended deny tcp any any eq smtp
access-list inside extended deny tcp any any eq pop3
access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_5 eq pptp
access-list inside extended deny tcp any any eq pptp
access-list inside extended permit tcp object-group BypassFacebook object-group Facebook eq https
access-list inside extended deny tcp any object-group Facebook eq https
access-list inside extended permit ip any any
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.99.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 172.19.4.50
access-list E-40_access_out extended permit ip any any
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_12 172.30.1.0 255.255.255.0
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_4 host 192.168.1.18 inactive
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_6 host 192.168.1.19 inactive
access-list inside-out-acl extended deny ip object-group DM_INLINE_NETWORK_7 any inactive
access-list inside-out-acl extended permit ip any any
access-list throttle_frontline extended permit ip host 74.213.162.33 any inactive
access-list throttle_frontline extended permit ip any host 74.213.162.33 inactive
access-list outside remark Migration, ACE (line 3) expanded: permit tcp any object-group DM_INLINE_NETWORK_8
access-list outside extended permit tcp any host 99.99.99.141 eq 8129
access-list outside extended permit tcp any host 172.30.1.70 eq www
access-list outside extended permit tcp any host 99.99.99.141 eq https
access-list outside extended permit tcp any host 192.168.106.144 eq 8129
access-list outside extended permit tcp any host 192.168.106.144 eq www
access-list outside extended permit tcp any host 192.168.106.144 eq https
access-list outside remark Migration: End of expansion
access-list outside remark Migration, ACE (line 4) expanded: permit tcp any host 99.99.99.133 object-group ExchangeOWA
access-list outside extended permit tcp any host 192.168.1.13 eq smtp
access-list outside extended permit tcp any host 192.168.1.13 eq https
access-list outside extended permit tcp any host 192.168.1.13 eq www
access-list outside extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.1.15 object-group DM_INLINE_TCP_3
access-list outside remark Migration: End of expansion
access-list outside extended permit ip any host 192.168.106.99
access-list outside extended permit tcp any host 192.168.1.10 eq pptp
access-list outside extended permit gre any host 192.168.1.10
access-list outside extended permit tcp any host 192.168.10.2 eq telnet inactive
access-list outside extended permit tcp any host 172.30.1.40 object-group DM_INLINE_TCP_1
access-list outside extended permit ip object-group tms-ip host 172.30.1.50
access-list outside extended permit ip any host 172.10.1.150
access-list outside extended permit icmp any any echo-reply
access-list outside_cryptomap extended permit ip 172.30.1.0 255.255.255.0 172.31.2.0 255.255.255.0
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap debugging
logging asdm informational
logging facility 19
logging host inside 192.168.1.15 format emblem
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu E-40 1500
mtu management 1500
ip local pool xxxx-pool 192.168.99.1-192.168.99.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-172.30.1.0 obj-172.30.1.0 destination static obj-10.40.86.0 obj-10.40.86.0 no-proxy-arp
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.99.0 obj-192.168.99.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.30.1.0_24 NETWORK_OBJ_172.30.1.0_24 destination static NETWORK_OBJ_172.31.2.0_24 NETWORK_OBJ_172.31.2.0_24 no-proxy-arp route-lookup
!
object network obj-192.168.1.13
nat (inside,outside) static 99.99.99.133 service tcp smtp smtp
object network obj-192.168.1.13-01
nat (inside,outside) static 99.99.99.133 service tcp object network obj-192.168.1.13-02
nat (inside,outside) static 99.99.99.133 service tcp https https
object network obj-172.30.1.70
nat (inside,outside) static 99.99.99.141 service tcp object network obj-192.168.106.144
nat (inside,outside) static 99.99.99.144 service tcp object network obj-192.168.106.144-01
nat (inside,outside) static 99.99.99.144 service tcp https https
object network obj-192.168.106.144-02
nat (inside,outside) static 99.99.99.144 service tcp 8129 8129
object network obj-192.168.10.2
nat (inside,outside) static 99.99.99.132 service tcp telnet telnet
object network obj-172.30.1.50
nat (inside,outside) static 99.99.99.134
object network obj-172.30.1.40
nat (inside,outside) static 99.99.99.139
object network obj-192.168.1.10
nat (inside,outside) static 99.99.99.137
object network obj-192.168.106.99
nat (inside,outside) static 99.99.99.140
object network obj-172.30.1.102
nat (inside,E-40) static 10.40.86.102
object network obj-172.30.1.31
nat (inside,E-40) static 10.40.86.31
object network obj-172.30.1.40-01
nat (inside,E-40) static 10.40.86.40
object network obj-172.30.1.50-01
nat (inside,E-40) static 10.40.86.50
object network obj-172.30.1.101
nat (inside,E-40) static 10.40.86.101
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
nat (inside,DMZ) dynamic obj-0.0.0.0
object network obj_any-03
nat (inside,E-40) dynamic obj-0.0.0.0
object network obj_any-04
nat (management,outside) dynamic obj-0.0.0.0
object network obj_any-05
nat (management,DMZ) dynamic obj-0.0.0.0
object network obj_any-06
nat (management,E-40) dynamic obj-0.0.0.0
object network obj-192.168.1.15
nat (inside,outside) static 99.99.99.138 service tcp ftp ftp
object network obj-192.168.1.15-01
nat (inside,outside) static 99.99.99.138 service tcp ftp-data ftp-data
object network obj_any-08
nat (DMZ,outside) dynamic interface
access-group outside in interface outside
access-group inside in interface inside
access-group inside-out-acl out interface inside
access-group DMZ_access_in_1 in interface DMZ control-plane
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group 40_access_in in interface E-40
access-group E-40_access_out out interface E-40
route outside 0.0.0.0 0.0.0.0 99.99.99.129 1
route E-40 10.4.86.0 255.255.255.0 10.40.86.249 1
route E-40 10.70.86.0 255.255.255.0 10.40.86.249 1
route E-40 10.96.86.0 255.255.255.0 10.40.86.249 1
route DMZ 172.10.1.0 255.255.255.0 192.168.10.2 1
route inside 172.20.20.0 255.255.255.0 192.168.10.2 1
route inside 172.30.1.0 255.255.255.0 192.168.10.2 1
route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
route inside 192.168.2.0 255.255.255.0 192.168.10.2 1
route inside 192.168.3.0 255.255.255.0 192.168.10.2 1
route inside 192.168.6.0 255.255.255.0 192.168.10.2 1
route inside 192.168.99.0 255.255.255.0 192.168.10.2 255
route inside 192.168.101.0 255.255.255.0 192.168.10.2 1
route inside 192.168.102.0 255.255.255.0 192.168.10.2 1
route inside 192.168.103.0 255.255.255.0 192.168.10.2 1
route inside 192.168.106.0 255.255.255.0 192.168.10.2 1
route inside 192.168.201.0 255.255.255.0 192.168.10.2 1
route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 172.10.1.0 255.255.255.0 DMZ
http 192.168.199.0 255.255.255.0 management
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.10.1.0 255.255.255.0 DMZ
telnet 192.168.199.0 255.255.255.0 management
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh 172.10.1.0 255.255.255.0 DMZ
ssh 192.168.199.0 255.255.255.0 management
ssh timeout 10
console timeout 0
management-access inside
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 10
dhcpd address 192.168.199.101-192.168.199.109 management
dhcpd dns 192.168.1.10 192.168.1.11 interface management
dhcpd domain xxxxshop.com interface management
dhcpd enable management
!
priority-queue outside
priority-queue inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.1.10 source inside
ntp server 129.6.15.29 source outside prefer
ntp server 129.6.15.28 source outside preferEEEE
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.4.0202-k9.pkg 18
anyconnect image disk0:/anyconnect-macosx-i386-2.4.0196-k9.pkg 20 regex "Intel Mac OS X"
anyconnect image disk0:/anyconnect-linux-2.4.0202-k9.pkg 21 regex "Linux"
anyconnect enable
cache
disable
group-policy xxxxIPsec internal
group-policy xxxxIPsec attributes
dns-server value 192.168.1.13
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_ACL
default-domain value xxxxshop.com
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.10 192.168.1.11
vpn-idle-timeout 10
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_ACL
default-domain value xxxxshop.com
webvpn
url-list value xxxxApps
anyconnect ask enable default webvpn
hidden-shares visible
group-policy GroupPolicy_198.103.180.120 internal
group-policy GroupPolicy_198.103.180.120 attributes
vpn-tunnel-protocol ikev1
tunnel-groupppp DefaultRAGroup general-attributes
address-pool xxxx-pool
authentication-server-group radius LOCAL
tunnel-group DefaultRAGroup webvpn-attributes
group-alias DefaultRA enable
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool xxxx-pool
authentication-server-group radius LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias DefaultWeb enable
tunnel-group xxxxIPsec type remote-access
tunnel-group xxxxIPsec general-attributes
address-pool xxxx-pool
authentication-server-group radius LOCAL
default-group-policy xxxxIPsec
tunnel-group xxxxIPsec webvpn-attributes
group-alias xxxxIPSec enable
group-alias IPSec disable
tunnel-group xxxxIPsec ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group xxxxSSL type remote-access
tunnel-group xxxxSSL general-attributes
address-pool xxxx-pool
authentication-server-group radius LOCAL
tunnel-group xxxxSSL webvpn-attributes
group-alias xxxxSSL enable
group-url enable
tunnel-group 1.1.1.120 type ipsec-l2l
tunnel-group 1.1.1.120 general-attributes
default-group-policy GroupPolicy_1.1.1.120
tunnel-group 1.1.1.120 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
class-map csc-class
match access-list cscTraffic
class-map throttle_frontline
match access-list throttle_frontline
!
!
policy-map type inspect sip DefaultSIP
parameters
max-forwards-validation action drop log
policy-map throttle-policy
class throttle_frontline
police input 600000 2000
police output 600000 2000
policy-map global-policy
class global-class
inspect pptp
inspect ftp
inspect ipsec-pass-thru
inspect xdmcp
inspect h323 h225
inspect h323 ras
inspect sip
class csc-class
csc fail-open
policy-map type inspect h323 DefaultH323
parameters
!
service-policy global-policy global
service-policy throttle-policy interface outside
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
asdm image disk0:/asdm-645-206.bin
asdm location 192.168.100.0 255.255.255.192 outside
asdm location 192.168.0.0 255.255.0.0 inside
asdm location 192.168.123.0 255.255.255.0 inside
asdm location 192.168.123.0 255.255.255.0 outside
asdm location 192.168.111.0 255.255.255.0 inside
asdm location 192.168.10.0 255.255.255.0 outside
asdm location 192.168.10.254 255.255.255.255 outside
asdm location 99.99.99.133 255.255.255.255 outside
asdm location 192.168.1.16 255.255.255.255 inside
asdm location 172.30.1.0 255.255.255.0 inside
asdm location 172.30.1.50 255.255.255.255 inside
asdm location 192.168.1.13 255.255.255.255 insideEEEE
no asdm history enable
Thanks in advance.
here's the config:
: Saved
:
ASA Version 8.4(2)8
!
hostname ciscoasa
multicast-routing
names
dns-guard
!
interface Ethernet0/0
description xxxx shopInternet Connection
speed 100
duplex full
nameif outside
security-level 0
ip address 99.99.99.130 255.255.255.224
ospf cost 10
!
interface Ethernet0/1
description xxxx internal connection from firewall to switch
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
description xxxx DMZ
nameif DMZ
security-level 100
ip address 172.10.1.1 255.255.255.0
!
interface Ethernet0/3
description Management Service-EEEE-40
speed 100
duplex full
nameif E-40
security-level 0
ip address 10.40.86.248 255.255.255.0
!
interface Management0/0
description management
nameif management
security-level 100
ip address 192.168.199.1 255.255.255.0
ospf cost 10
management-only
!
boot system disk0:/asa842-8-k8.bin
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
name-server 208.67.222.222
name-server 208.67.220.220
name-server 66.28.0.45
name-server 66.28.0.61
domain-name xxxxshop.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-172.30.1.0
subnet 172.30.1.0 255.255.255.0
object network obj-10.40.86.0
subnet 10.40.86.0 255.255.255.0
object network obj-192.168.99.0
subnet 192.168.99.0 255.255.255.0
object network obj-192.168.1.13
host 192.168.1.13
object network obj-192.168.1.13-01
host 192.168.1.13
object network obj-192.168.1.13-02
host 192.168.1.13
object network obj-172.30.1.70
host 172.30.1.70
object network obj-192.168.106.144
host 192.168.106.144
object network obj-192.168.106.144-01
host 192.168.106.144
object network obj-192.168.106.144-02
host 192.168.106.144
object network obj-192.168.10.2
host 192.168.10.2
object network obj-172.30.1.50
host 172.30.1.50
object network obj-172.30.1.40
host 172.30.1.40
object network obj-192.168.1.10
host 192.168.1.10
object network obj-192.168.106.99
host 192.168.106.99
object network obj-172.30.1.102
host 172.30.1.102
object network obj-172.30.1.31
host 172.30.1.31
object network obj-172.30.1.40-01
host 172.30.1.40
object network obj-172.30.1.50-01
host 172.30.1.50
object network obj-172.30.1.101
host 172.30.1.101
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network obj_any-06
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.0.0
object service ftp
service tcp source range ftp-data ftp destination range ftp-data ftp
object network obj-192.168.1.15
host 192.168.1.15
object network obj-192.168.1.15-01
host 192.168.1.15
object network NETWORK_OBJ_172.30.1.0_24
subnet 172.30.1.0 255.255.255.0
object network NETWORK_OBJ_172.31.2.0_24
subnet 172.31.2.0 255.255.255.0
object network obj-172.10.1.136
host 172.10.1.136
description VCS Express 01 NIC 01
object network obj-172.10.1.0
subnet 172.10.1.0 255.255.255.0
description DMZ
object network obj_any-08
subnet 0.0.0.0 0.0.0.0
object network obj-172.10.1.150
host 172.10.1.150
object-group service ExchangeOWA tcp
description Exchange Web and Mobile Access
port-object eq smtp
port-object eq https
port-object eq www
object-group network admin-ip
network-object host 192.168.1.199
network-object 172.30.1.0 255.255.255.0
network-object host 192.168.106.99
network-object host Snapstream_ott
network-object host 192.168.1.251
network-object host 192.168.1.190
network-object host 192.168.1.193
network-object host 192.168.1.10
network-object host 192.168.1.11
network-object host 192.168.1.14
network-object host 192.168.1.15
network-object host 192.168.1.6
network-object host 192.168.1.7
network-object host 192.168.1.8
network-object host 192.168.1.9
network-object host 192.168.2.199
network-object host 192.168.1.13
network-object 192.168.99.0 255.255.255.0
network-object 172.10.1.0 255.255.255.0
object-group network approved-ip
network-object host 99.99.99.141
network-object 172.30.1.0 255.255.255.0
object-group network tms-ip
object-group service VNC tcp
description VNC
port-object eq 5900
object-group network DM_INLINE_NETWORK_2
network-object 172.30.1.0 255.255.255.0
network-object 192.168.0.0 255.255.0.0
object-group service VNC-Listen tcp
description VNC-Listen Ports
port-object eq 5500
object-group service Streaming-ASF tcp-udp
description Streaming-ASF
port-object eq 1755
object-group service Streaming-ASF-TCP tcp
description Streaming-ASF-TCP
port-object eq 1755
object-group service DM_INLINE_TCP_1 tcp
group-object Streaming-ASF
port-object eq www
group-object Streaming-ASF-TCP
port-object eq rtsp
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_5
object-group network DM_INLINE_NETWORK_4
network-object host 172.19.4.50
network-object 192.168.123.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object host 172.19.4.50
network-object 192.168.123.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object host 172.19.4.50
network-object 192.168.123.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object host 99.99.99.141
network-object host 99.99.99.144
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8129
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_9
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq ftp-data
object-group network BypassFacebook
network-object host 192.168.1.182
network-object host 192.168.1.183
network-object host 192.168.1.184
network-object host 192.168.1.188
network-object host 192.168.1.189
network-object host 192.168.1.190
network-object host 192.168.1.193
network-object host 192.168.1.194
network-object host 192.168.1.195
network-object host 192.168.1.196
network-object host 192.168.1.199
network-object host 192.168.1.200
object-group network Facebook
network-object 69.63.176.0 255.255.240.0
network-object 66.220.144.0 255.255.240.0
object-group network DM_INLINE_NETWORK_1
network-object host 10.40.86.102
network-object host 10.40.86.31
network-object host 10.40.86.40
network-object host 10.40.86.50
network-object host 10.40.86.101
object-group network DM_INLINE_NETWORK_3
network-object object obj-172.30.1.0
network-object object obj-192.168.0.0
object-group network DM_INLINE_NETWORK_12
network-object 10.4.86.0 255.255.255.0
network-object 10.40.86.0 255.255.255.0
network-object 10.70.86.0 255.255.255.0
network-object 10.96.86.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp-udp destination eq sip
service-object tcp destination eq 1721
service-object tcp destination eq h323
service-object udp destination eq 1719
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
service-object udp destination eq ntp
object-group network DM_INLINE_NETWORK_1_2
network-object host 172.30.1.102
network-object host 172.30.1.31
network-object host 172.30.1.40
network-object host 172.30.1.50
network-object host 172.30.1.101
object-group network DM_INLINE_NETWORK_10
access-list inside_nat0_outbound_1 extended permit ip 172.30.1.0 255.255.255.0 10.40.86.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_3 192.168.99.0 255.255.255.0
access-list dzm extended permit ip any any
access-list dzm extended permit icmp any any
access-list ouside extended permit ip any any
access-list cont_in extended permit ip host 99.99.99.135 any
access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0
access-list Split_tunnel_ACL standard permit 172.30.1.0 255.255.255.0
access-list inside extended permit tcp host 192.168.1.13 any eq smtp
access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_9 eq smtp
access-list inside extended deny tcp any any eq smtp
access-list inside extended deny tcp any any eq pop3
access-list inside extended permit tcp any object-group DM_INLINE_NETWORK_5 eq pptp
access-list inside extended deny tcp any any eq pptp
access-list inside extended permit tcp object-group BypassFacebook object-group Facebook eq https
access-list inside extended deny tcp any object-group Facebook eq https
access-list inside extended permit ip any any
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.99.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 172.19.4.50
access-list E-40_access_out extended permit ip any any
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_12 172.30.1.0 255.255.255.0
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_4 host 192.168.1.18 inactive
access-list inside-out-acl extended permit ip object-group DM_INLINE_NETWORK_6 host 192.168.1.19 inactive
access-list inside-out-acl extended deny ip object-group DM_INLINE_NETWORK_7 any inactive
access-list inside-out-acl extended permit ip any any
access-list throttle_frontline extended permit ip host 74.213.162.33 any inactive
access-list throttle_frontline extended permit ip any host 74.213.162.33 inactive
access-list outside remark Migration, ACE (line 3) expanded: permit tcp any object-group DM_INLINE_NETWORK_8
access-list outside extended permit tcp any host 99.99.99.141 eq 8129
access-list outside extended permit tcp any host 172.30.1.70 eq www
access-list outside extended permit tcp any host 99.99.99.141 eq https
access-list outside extended permit tcp any host 192.168.106.144 eq 8129
access-list outside extended permit tcp any host 192.168.106.144 eq www
access-list outside extended permit tcp any host 192.168.106.144 eq https
access-list outside remark Migration: End of expansion
access-list outside remark Migration, ACE (line 4) expanded: permit tcp any host 99.99.99.133 object-group ExchangeOWA
access-list outside extended permit tcp any host 192.168.1.13 eq smtp
access-list outside extended permit tcp any host 192.168.1.13 eq https
access-list outside extended permit tcp any host 192.168.1.13 eq www
access-list outside extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.1.15 object-group DM_INLINE_TCP_3
access-list outside remark Migration: End of expansion
access-list outside extended permit ip any host 192.168.106.99
access-list outside extended permit tcp any host 192.168.1.10 eq pptp
access-list outside extended permit gre any host 192.168.1.10
access-list outside extended permit tcp any host 192.168.10.2 eq telnet inactive
access-list outside extended permit tcp any host 172.30.1.40 object-group DM_INLINE_TCP_1
access-list outside extended permit ip object-group tms-ip host 172.30.1.50
access-list outside extended permit ip any host 172.10.1.150
access-list outside extended permit icmp any any echo-reply
access-list outside_cryptomap extended permit ip 172.30.1.0 255.255.255.0 172.31.2.0 255.255.255.0
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap debugging
logging asdm informational
logging facility 19
logging host inside 192.168.1.15 format emblem
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu E-40 1500
mtu management 1500
ip local pool xxxx-pool 192.168.99.1-192.168.99.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-172.30.1.0 obj-172.30.1.0 destination static obj-10.40.86.0 obj-10.40.86.0 no-proxy-arp
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static obj-192.168.99.0 obj-192.168.99.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.30.1.0_24 NETWORK_OBJ_172.30.1.0_24 destination static NETWORK_OBJ_172.31.2.0_24 NETWORK_OBJ_172.31.2.0_24 no-proxy-arp route-lookup
!
object network obj-192.168.1.13
nat (inside,outside) static 99.99.99.133 service tcp smtp smtp
object network obj-192.168.1.13-01
nat (inside,outside) static 99.99.99.133 service tcp object network obj-192.168.1.13-02
nat (inside,outside) static 99.99.99.133 service tcp https https
object network obj-172.30.1.70
nat (inside,outside) static 99.99.99.141 service tcp object network obj-192.168.106.144
nat (inside,outside) static 99.99.99.144 service tcp object network obj-192.168.106.144-01
nat (inside,outside) static 99.99.99.144 service tcp https https
object network obj-192.168.106.144-02
nat (inside,outside) static 99.99.99.144 service tcp 8129 8129
object network obj-192.168.10.2
nat (inside,outside) static 99.99.99.132 service tcp telnet telnet
object network obj-172.30.1.50
nat (inside,outside) static 99.99.99.134
object network obj-172.30.1.40
nat (inside,outside) static 99.99.99.139
object network obj-192.168.1.10
nat (inside,outside) static 99.99.99.137
object network obj-192.168.106.99
nat (inside,outside) static 99.99.99.140
object network obj-172.30.1.102
nat (inside,E-40) static 10.40.86.102
object network obj-172.30.1.31
nat (inside,E-40) static 10.40.86.31
object network obj-172.30.1.40-01
nat (inside,E-40) static 10.40.86.40
object network obj-172.30.1.50-01
nat (inside,E-40) static 10.40.86.50
object network obj-172.30.1.101
nat (inside,E-40) static 10.40.86.101
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
nat (inside,DMZ) dynamic obj-0.0.0.0
object network obj_any-03
nat (inside,E-40) dynamic obj-0.0.0.0
object network obj_any-04
nat (management,outside) dynamic obj-0.0.0.0
object network obj_any-05
nat (management,DMZ) dynamic obj-0.0.0.0
object network obj_any-06
nat (management,E-40) dynamic obj-0.0.0.0
object network obj-192.168.1.15
nat (inside,outside) static 99.99.99.138 service tcp ftp ftp
object network obj-192.168.1.15-01
nat (inside,outside) static 99.99.99.138 service tcp ftp-data ftp-data
object network obj_any-08
nat (DMZ,outside) dynamic interface
access-group outside in interface outside
access-group inside in interface inside
access-group inside-out-acl out interface inside
access-group DMZ_access_in_1 in interface DMZ control-plane
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group 40_access_in in interface E-40
access-group E-40_access_out out interface E-40
route outside 0.0.0.0 0.0.0.0 99.99.99.129 1
route E-40 10.4.86.0 255.255.255.0 10.40.86.249 1
route E-40 10.70.86.0 255.255.255.0 10.40.86.249 1
route E-40 10.96.86.0 255.255.255.0 10.40.86.249 1
route DMZ 172.10.1.0 255.255.255.0 192.168.10.2 1
route inside 172.20.20.0 255.255.255.0 192.168.10.2 1
route inside 172.30.1.0 255.255.255.0 192.168.10.2 1
route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
route inside 192.168.2.0 255.255.255.0 192.168.10.2 1
route inside 192.168.3.0 255.255.255.0 192.168.10.2 1
route inside 192.168.6.0 255.255.255.0 192.168.10.2 1
route inside 192.168.99.0 255.255.255.0 192.168.10.2 255
route inside 192.168.101.0 255.255.255.0 192.168.10.2 1
route inside 192.168.102.0 255.255.255.0 192.168.10.2 1
route inside 192.168.103.0 255.255.255.0 192.168.10.2 1
route inside 192.168.106.0 255.255.255.0 192.168.10.2 1
route inside 192.168.201.0 255.255.255.0 192.168.10.2 1
route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 172.10.1.0 255.255.255.0 DMZ
http 192.168.199.0 255.255.255.0 management
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.10.1.0 255.255.255.0 DMZ
telnet 192.168.199.0 255.255.255.0 management
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh 172.10.1.0 255.255.255.0 DMZ
ssh 192.168.199.0 255.255.255.0 management
ssh timeout 10
console timeout 0
management-access inside
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 10
dhcpd address 192.168.199.101-192.168.199.109 management
dhcpd dns 192.168.1.10 192.168.1.11 interface management
dhcpd domain xxxxshop.com interface management
dhcpd enable management
!
priority-queue outside
priority-queue inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.1.10 source inside
ntp server 129.6.15.29 source outside prefer
ntp server 129.6.15.28 source outside preferEEEE
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.4.0202-k9.pkg 18
anyconnect image disk0:/anyconnect-macosx-i386-2.4.0196-k9.pkg 20 regex "Intel Mac OS X"
anyconnect image disk0:/anyconnect-linux-2.4.0202-k9.pkg 21 regex "Linux"
anyconnect enable
cache
disable
group-policy xxxxIPsec internal
group-policy xxxxIPsec attributes
dns-server value 192.168.1.13
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_ACL
default-domain value xxxxshop.com
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.10 192.168.1.11
vpn-idle-timeout 10
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_ACL
default-domain value xxxxshop.com
webvpn
url-list value xxxxApps
anyconnect ask enable default webvpn
hidden-shares visible
group-policy GroupPolicy_198.103.180.120 internal
group-policy GroupPolicy_198.103.180.120 attributes
vpn-tunnel-protocol ikev1
tunnel-groupppp DefaultRAGroup general-attributes
address-pool xxxx-pool
authentication-server-group radius LOCAL
tunnel-group DefaultRAGroup webvpn-attributes
group-alias DefaultRA enable
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool xxxx-pool
authentication-server-group radius LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias DefaultWeb enable
tunnel-group xxxxIPsec type remote-access
tunnel-group xxxxIPsec general-attributes
address-pool xxxx-pool
authentication-server-group radius LOCAL
default-group-policy xxxxIPsec
tunnel-group xxxxIPsec webvpn-attributes
group-alias xxxxIPSec enable
group-alias IPSec disable
tunnel-group xxxxIPsec ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group xxxxSSL type remote-access
tunnel-group xxxxSSL general-attributes
address-pool xxxx-pool
authentication-server-group radius LOCAL
tunnel-group xxxxSSL webvpn-attributes
group-alias xxxxSSL enable
group-url enable
tunnel-group 1.1.1.120 type ipsec-l2l
tunnel-group 1.1.1.120 general-attributes
default-group-policy GroupPolicy_1.1.1.120
tunnel-group 1.1.1.120 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
class-map csc-class
match access-list cscTraffic
class-map throttle_frontline
match access-list throttle_frontline
!
!
policy-map type inspect sip DefaultSIP
parameters
max-forwards-validation action drop log
policy-map throttle-policy
class throttle_frontline
police input 600000 2000
police output 600000 2000
policy-map global-policy
class global-class
inspect pptp
inspect ftp
inspect ipsec-pass-thru
inspect xdmcp
inspect h323 h225
inspect h323 ras
inspect sip
class csc-class
csc fail-open
policy-map type inspect h323 DefaultH323
parameters
!
service-policy global-policy global
service-policy throttle-policy interface outside
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
asdm image disk0:/asdm-645-206.bin
asdm location 192.168.100.0 255.255.255.192 outside
asdm location 192.168.0.0 255.255.0.0 inside
asdm location 192.168.123.0 255.255.255.0 inside
asdm location 192.168.123.0 255.255.255.0 outside
asdm location 192.168.111.0 255.255.255.0 inside
asdm location 192.168.10.0 255.255.255.0 outside
asdm location 192.168.10.254 255.255.255.255 outside
asdm location 99.99.99.133 255.255.255.255 outside
asdm location 192.168.1.16 255.255.255.255 inside
asdm location 172.30.1.0 255.255.255.0 inside
asdm location 172.30.1.50 255.255.255.255 inside
asdm location 192.168.1.13 255.255.255.255 insideEEEE
no asdm history enable
