: Saved
:
ASA Version 9.1(1)
!
terminal width 400
hostname HQ-ASA
domain-name secure-x.local
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.4
 vlan 4
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/1.250
 vlan 250
 nameif Guest
 security-level 30
 ip address 10.10.250.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif Site-To-Site
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 90
 ip address 10.10.2.1 255.255.255.0
!
regex XAMPP "[xX][aA][mM][pP][pP]"
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup Guest
dns domain-lookup DMZ
dns domain-lookup Site-To-Site
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.10.3.20
 domain-name secure-x.local
object network VLAN9
 subnet 10.10.9.0 255.255.255.0
object network DMZ-SRV
 host 172.16.1.50
object network HQ-ESA
 host 172.16.1.55
object network HQ-SRV
 host 10.10.3.20
object network TRANSLATED-DMZ-SRV
 host 192.0.2.50
object network TRANSLATED-HQ-ESA
 host 192.0.2.55
object network TREANSLATED-HQ-SRV
 host 192.0.2.20
object network Internal-Networks
 subnet 10.10.0.0 255.255.0.0
object network TRANSLATED-INSIDE-HOSTS
 host 192.0.2.100
object network ORIGINAL-PARTNER
 subnet 10.10.10.0 255.255.255.0
object network REAL-VLAN10
 subnet 10.10.10.0 255.255.255.0
object network TRANSLATED-PARTNER
 subnet 10.200.10.0 255.255.255.0
object network TRANSLATED-VLAN10
 subnet 10.100.10.0 255.255.255.0
object network General
 subnet 10.10.9.0 255.255.255.0
 description VLAN 9
object network HQ-WAS
 host 10.10.1.50
object network IT
 subnet 10.10.10.0 255.255.255.0
 description VLAN 10
object network Management
 subnet 10.10.2.0 255.255.255.0
 description VLAN 2
object network Sales
 subnet 10.10.11.0 255.255.255.0
 description VLAN 11
object-group network INTERNAL-NETWORKS
 network-object object General
 network-object object IT
 network-object object Sales
object-group network INTERNAL-SERVERS
 network-object object HQ-SRV
 network-object object HQ-WAS
object-group service DMZ-SRV-SERVICES
 service-object icmp
 service-object tcp destination eq domain
 service-object tcp destination eq ftp
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq domain
object-group service HQ-SRV-SERVICES
 service-object icmp
 service-object tcp destination eq 3268
 service-object tcp destination eq ldap
 service-object tcp destination eq smtp
 service-object udp destination eq domain
access-list global_access extended permit object-group DMZ-SRV-SERVICES any object DMZ-SRV
access-list global_access extended deny ip any any
access-list Site-To-Site extended permit ip any any
access-list inside_access_in extended permit ip object Management any
access-list inside_access_in extended permit ip object-group INTERNAL-SERVERS any
access-list inside_access_in extended permit ip object-group INTERNAL-NETWORKS any
access-list DMZ_access_in extended permit object-group HQ-SRV-SERVICES object HQ-ESA object HQ-SRV
access-list DMZ_access_in extended deny ip any object-group INTERNAL-SERVERS
access-list DMZ_access_in extended deny ip any object-group INTERNAL-NETWORKS
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object HQ-ESA eq smtp
access-list outside_access_in extended permit icmp any4 any4 time-exceeded
access-list outside_mpc extended permit tcp any object DMZ-SRV eq www
access-list outside_mpc_1 extended permit tcp any object DMZ-SRV eq ftp
pager lines 24
logging enable
logging buffered debugging
logging trap debugging
logging asdm debugging
logging host inside 10.10.2.40
flow-export destination inside 10.10.2.40 9996
mtu outside 1500
mtu inside 1500
mtu Guest 1500
mtu DMZ 1500
mtu Site-To-Site 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface Guest
ip verify reverse-path interface DMZ
ip verify reverse-path interface Site-To-Site
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,Site-To-Site) source static REAL-VLAN10 TRANSLATED-VLAN10 destination static TRANSLATED-PARTNER ORIGINAL-PARTNER
!
object network VLAN9
 nat (inside,outside) dynamic interface
object network DMZ-SRV
 nat (DMZ,outside) static TRANSLATED-DMZ-SRV
object network HQ-ESA
 nat (DMZ,outside) static TRANSLATED-HQ-ESA
object network HQ-SRV
 nat (inside,outside) static TREANSLATED-HQ-SRV
object network Internal-Networks
 nat (inside,outside) dynamic TRANSLATED-INSIDE-HOSTS
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group Site-To-Site in interface Site-To-Site
access-group global_access global
!
router ospf 1
 network 10.10.1.0 255.255.255.0 area 0
 network 172.16.1.0 255.255.255.0 area 0
 network 172.16.2.0 255.255.255.0 area 0
 log-adj-changes
 default-information originate always
!
route outside 0.0.0.0 0.0.0.0 192.0.2.2 1
route inside 10.10.2.20 255.255.255.255 10.10.1.2 1
route inside 10.10.2.30 255.255.255.255 10.10.1.2 1
route inside 10.10.2.40 255.255.255.255 10.10.1.2 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 1
route Site-To-Site 10.10.10.0 255.255.255.0 172.16.2.3 2
route Site-To-Site 10.200.10.0 255.255.255.0 172.16.2.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MY-RADIUS protocol radius
aaa-server MY-RADIUS (inside) host 10.10.2.20
 key *****
aaa-server CDA protocol radius
 ad-agent-mode
aaa-server CDA (inside) host 10.10.2.30
 key *****
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console MY-RADIUS LOCAL
aaa accounting ssh console MY-RADIUS
aaa authorization exec authentication-server
http server enable
http 10.10.2.40 255.255.255.255 management
snmp-server group Authentication&Encryption v3 priv
snmp-server user admin Authentication&Encryption v3 encrypted auth sha f7:63:05:d0:d3:a2:50:1c:ce:5e:e6:95:8f:c9:74:dd:0b:27:48:38 priv aes 128 f7:63:05:d0:d3:a2:50:1c:ce:5e:e6:95:8f:c9:74:dd
snmp-server host management 10.10.2.40 version 3 admin
snmp-server location Secure-X HQ
snmp-server contact Admin
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.10.2.40 255.255.255.255 management
telnet timeout 5
ssh 10.10.2.40 255.255.255.255 management
ssh timeout 5
ssh version 2
console timeout 0
management-access management
dhcpd dns 172.16.1.50
!
dhcpd address 10.10.250.10-10.10.250.200 Guest
dhcpd enable Guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
dynamic-filter whitelist
 name sp-srv.sp.public
dynamic-filter blacklist
 name bot-sparta.no-ip.org
 name superzarabotok-gid.ru
ntp authentication-key 1 md5 *****
ntp trusted-key 1
ntp server 192.0.2.2 key 1 source outside
webvpn
 anyconnect-essentials
username admin password ZkK/jbnFTT6F2Fub encrypted privilege 15
!
class-map ALL_TRAFFIC
 match any
class-map inspection_default
 match default-inspection-traffic
class-map HTTP-TO-DMZ-SRV
 match access-list outside_mpc
class-map FTP-TO-DMZ-SRV
 match access-list outside_mpc_1
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http DENY_XAMPP_ACCESS
 parameters
  protocol-violation action drop-connection
 match request uri regex XAMPP
  drop-connection log
policy-map type inspect ftp DENY_FTP_DELETE
 parameters
  mask-banner
  mask-syst-reply
 match request-command dele rmd
  reset log
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ftp
  inspect dns preset_dns_map dynamic-filter-snoop
 class ALL_TRAFFIC
  flow-export event-type all destination 10.10.2.40
  set connection decrement-ttl
policy-map OUTSIDE-POLICY
 class HTTP-TO-DMZ-SRV
  inspect http DENY_XAMPP_ACCESS
 class FTP-TO-DMZ-SRV
  inspect ftp strict DENY_FTP_DELETE
!
service-policy global_policy global
service-policy OUTSIDE-POLICY interface outside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 22
  subscribe-to-alert-group configuration periodic monthly 22
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:60b76a9b215819a80cd3ff660f905287
: end
[OK]