access-list TRIGGER extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list NONAT remark # this is a nat rule, only permit's are allowed
access-list NONAT remark # no nat inside our networks
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918
access-list POLICY remark # counterpart of trigger rule
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list HIDING remark # this is a nat rule, only permit's are allowed
access-list HIDING extended permit ip object-group N_RFC1918 any
access-list IPS extended permit ip any any
tcp-map mss
 exceed-mss allow
!
pager lines 22
logging enable
logging console critical
logging monitor errors
logging buffered critical
logging trap errors
logging facility 16
logging host secure 172.26.31.142
logging permit-hostdown
mtu inside_data 1500
mtu web 1500
mtu secure 1500
mtu sprint 1500
mtu outside 1500
ip verify reverse-path interface inside_data
ip verify reverse-path interface web
ip verify reverse-path interface secure
ip verify reverse-path interface sprint
ip verify reverse-path interface outside
asdm image disk0:/asdm502.bin
no asdm history enable
arp outside {hiding IP} {mac-outside interface}
arp timeout 14400
global (outside) 1 {hiding ip} netmask 255.255.255.0
nat (inside_data) 0 access-list NONAT
nat (inside_voice) 0 access-list NONAT
nat (sprint) 0 access-list NONAT
nat (secure) 0 access-list NONAT
nat (inside_data) 1 access-list HIDING
route inside_data 172.26.25.0 255.255.255.0 172.26.24.5 1
route inside_data 172.26.22.0 255.255.255.0 172.26.24.5 1
route inside_data 172.26.16.0 255.255.255.0 172.26.24.5 1
route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1
route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1
route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1
access-group POLICY in interface inside_data per-user-override
access-group POLICY in interface inside_voice
access-group POLICY in interface web
access-group POLICY in interface secure per-user-override
access-group POLICY in interface sprint per-user-override
access-group POLICY in interface outside
class-map my-ips-class
 match access-list IPS
class-map VoIP
 match dscp cs3 ef
class-map inspection_default
 match default-inspection-traffic
class-map mss-map
 match access-list MSS-exceptions
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect rtsp
  inspect skinny
  inspect tftp
  inspect sip
  inspect icmp
  inspect ctiqbe
  inspect dns
  inspect http
 class mss-map
  set connection advanced-options mss
 class my-ips-class
  ips promiscuous fail-open
policy-map qos
 class VoIP
  priority
policy-map my-ips-policy
 class my-ips-class
  ips promiscuous fail-open
service-policy global_policy global
ntp server 202.108.158.139
rdca4fwep
==========================================================================
shafw01(config)# sh run
: Saved
:
ASA Version 7.0(4)
!
hostname shafw01
domain-name heraeus.com
enable password .68HJO4Qmg83HE2S encrypted
names
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.150
 vlan 150
 nameif inside_data
 security-level 50
 ip address 172.26.24.18 255.255.255.240
!
interface GigabitEthernet0/0.151
 vlan 151
 nameif inside_voice
 security-level 50
 ip address 10.48.8.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.161
 vlan 161
 nameif web
 security-level 50
 ip address 172.26.30.1 255.255.255.0
!
interface GigabitEthernet0/1.163
 vlan 163
 nameif secure
 security-level 50
 ip address 172.26.31.1 255.255.255.0
!
interface GigabitEthernet0/2
 description LAN/STATE Failover interface for future!
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3.154
 vlan 154
 nameif sprint
 security-level 50
 ip address 172.26.24.9 255.255.255.0
!
interface Management0/0
 nameif outside
 security-level 50
 ip address 222.66.83.18 255.255.255.240
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/0
boot system disk0:/asa704-k8.bin
ftp mode passive
clock timezone cet 8
dns domain-lookup inside_data
dns name-server 172.26.16.17
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type icmp_echo_request
 icmp-object echo
object-group icmp-type icmp_echo_reply
object-group network h_china_ntpserver
 network-object host 202.108.158.139
object-group network h_auth42
 network-object host 172.26.31.42
 network-object host 172.26.24.19
object-group network N_RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network n_VLAN108_16
 network-object 172.26.16.0 255.255.255.0
object-group network n_VLAN105_22
 network-object 172.26.22.0 255.255.255.0
object-group network n_VLAN106_25
 network-object 172.26.25.0 255.255.255.0
object-group network n_VLAN163_31
 network-object 172.26.31.0 255.255.255.0
object-group network n_VLAN108_18
 network-object 172.26.18.0 255.255.255.0
object-group network N_RDCA_S_C
 group-object n_VLAN108_18
 group-object n_VLAN108_16
 group-object n_VLAN105_22
object-group service tcp_http tcp
 port-object eq www
object-group service tcp_https tcp
 port-object eq https
object-group service tcp_telnet tcp
 port-object eq telnet
object-group service TCP_client_auth tcp
 group-object tcp_http
 group-object tcp_https
 group-object tcp_telnet
object-group service tcp_http_8080 tcp
 port-object eq 8080
object-group service tcp_ftp tcp
 port-object eq ftp
object-group service tcp_ntp tcp
 port-object eq 123
object-group service udp_ntp udp
 port-object eq ntp
object-group service tcp_smtp tcp
 port-object eq smtp
object-group service tcp_ssh tcp
 port-object eq ssh
object-group network H_auth
 group-object h_auth42
object-group network H_ntp_servers
 group-object h_china_ntpserver
object-group service TCP_webservice tcp
 group-object tcp_http
 group-object tcp_https
access-list HIDING extended permit ip object-group N_RFC1918 any
access-list HIDING remark # this is a nat rule, only permit's are allowed
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918
access-list POLICY remark # counterpart of trigger rule
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list POLICY remark # # ntp
access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp
access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp
access-list POLICY remark # RDCA-webbrowsing rule
access-list POLICY extended permit tcp object-group N_RDCA_S_C any object-group TCP_webservice log
access-list POLICY remark # All Internal Network is allowed
access-list POLICY remark # All Internal Network Traffic is allowed
access-list POLICY extended permit ip object-group N_RFC1918 object-group N_RFC1918 log
access-list POLICY extended deny ip any any log
access-list IPS extended permit ip any any
pager lines 24
logging enable
logging buffer-size 10000
logging console critical
logging monitor errors
logging buffered errors
logging trap errors
logging facility 16
logging host secure 172.26.31.142
logging permit-hostdown
mtu inside_data 1500
mtu inside_voice 1500
mtu web 1500
mtu secure 1500
mtu sprint 1500
mtu outside 1500
ip verify reverse-path interface inside_data
ip verify reverse-path interface web
ip verify reverse-path interface secure
ip verify reverse-path interface sprint
ip verify reverse-path interface outside
no failover
asdm image disk0:/asdm504.bin
no asdm history enable
arp outside 222.66.83.19 0013.c482.3ffc
arp timeout 14400
global (outside) 1 222.66.83.19 netmask 255.255.255.255
nat (inside_data) 0 access-list NONAT
nat (inside_data) 1 access-list HIDING
nat (inside_voice) 0 access-list NONAT
nat (secure) 0 access-list NONAT
nat (sprint) 0 access-list NONAT
access-group POLICY in interface inside_data
access-group POLICY in interface web
access-group POLICY in interface sprint
access-group POLICY in interface outside
route inside_data 172.26.23.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.10.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.25.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.22.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.16.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.18.0 255.255.255.0 172.26.24.17 1
route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1
route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1
route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1
route outside 0.0.0.0 0.0.0.0 222.66.83.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username wafersys password N3432S3svONQ.rWm encrypted
username rdcafwadmin password iqtp6BSrFydQnyAe encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 172.26.24.19
auth-prompt prompt Please enter your username and password
auth-prompt accept Authentication succeeded.
auth-prompt reject Authentication failed. Try again.
telnet timeout 5
ssh scopy enable
ssh 172.22.161.0 255.255.255.0 inside_data
ssh 172.22.163.0 255.255.255.0 inside_data
ssh 172.26.18.0 255.255.255.0 inside_data
ssh timeout 60
ssh version 2
console timeout 0
management-access inside_data
!
class-map my-ips-class
 match access-list IPS
class-map Voip
 match dscp cs3 ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class my-ips-class
  ips promiscuous fail-open
policy-map qos
 class Voip
  priority
policy-map my-ips-policy
 class my-ips-class
  ips promiscuous fail-open
!
service-policy global_policy global
ntp server 202.108.158.139
Cryptochecksum:c46fbf0ead94c0a5c60d415f8b5ce82b
: end
shafw01(config)# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "disk0:/asa704-k8.bin"
Config file at boot was "startup-config"
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 300
This platform has a Base license.
Serial Number: JMX0949K06H
Running Activation Key: 0x7626e778 0xf831bcc6 0x445328fc 0x84003414 0x0e1bcb8a
Configuration register is 0x1
Configuration last modified by enable_15 at 16:29:59.641 cet Thu Feb 16 2006
shafw01(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/0.150     172.26.24.18    YES CONFIG up                    up
GigabitEthernet0/0.151     10.48.8.1       YES CONFIG up                    up
GigabitEthernet0/1         unassigned      YES unset  up                    up
GigabitEthernet0/1.161     172.26.30.1     YES CONFIG up                    up
GigabitEthernet0/1.163     172.26.31.1     YES CONFIG up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  up                    up
GigabitEthernet0/3.154     172.26.24.9     YES CONFIG up                    up
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              222.66.83.18    YES CONFIG up                    up
shafw01(config)#