ASA Version 8.6(1)2
!
hostname ciscoasa
names
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 200.190.70.66 255.255.255.248
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.3.254 255.255.255.0
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif dmz
 security-level 50
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.1.95.11 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name zzzzzz
object network obj-172.16.0.0-nonat
 subnet 172.16.0.0 255.255.0.0
object network obj-192.168.1.0-nonat
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.0.0-nonat
 subnet 192.168.0.0 255.255.0.0
object network obj-192.168.1.0-nonatdmz
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.201.0-nonatdmz
 subnet 192.168.1.0 255.255.255.0
object network obj-172.16.0.0-nonatdmz
 subnet 172.16.0.0 255.255.0.0
object network obj-192.168.1.0-dmz-vpn_private
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.210.224_27
 subnet 192.168.210.224 255.255.255.224
object network internal-radius
 host 172.16.5.67
object-group network inside-subnet-source
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.252
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.5.0 255.255.255.0
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.11.0 255.255.255.0
 network-object 172.16.13.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.21.0 255.255.255.0
 network-object 172.16.23.0 255.255.255.0
 network-object 172.16.30.0 255.255.255.0
 network-object 172.16.31.0 255.255.255.0
 network-object 172.16.35.0 255.255.255.0
 network-object 172.16.40.0 255.255.255.0
 network-object 172.16.109.0 255.255.255.0
 network-object 172.16.118.0 255.255.255.0
 network-object 172.16.128.0 255.255.255.0
 network-object 172.16.129.0 255.255.255.0
 network-object 172.16.130.0 255.255.255.0
 network-object 172.16.131.0 255.255.255.0
 network-object 172.16.132.0 255.255.255.0
 network-object 172.16.192.0 255.255.255.0
 network-object 172.16.193.0 255.255.255.0
 network-object 172.16.194.0 255.255.255.0
 network-object 172.16.195.0 255.255.255.0
 network-object 172.16.196.0 255.255.255.0
object-group network dmz-subnet-source
 network-object 192.168.1.0 255.255.255.0
access-list o_inside extended permit ah any any
access-list o_inside extended permit esp any any
access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit tcp any any eq imap4
access-list o_inside extended permit udp any any eq 143
***access-list o_inside extended permit tcp/udp SPECIFIC inside network/pc device to access host in DMZ network (none related to VPN)
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any
***access-list outside extended permit tcp/udp SPECIFIC from outside network/pc device to access host in DMZ/inside network (none related to VPN)
access-list o_dmz extended permit icmp any any echo-reply
***access-list o_dmz extended permit tcp/udp SPECIFIC from dmz network/pc device to access host in inside network (none related to VPN)
access-list splittunnel standard permit 172.16.0.0 255.255.0.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool remote-vpn-pool 192.168.210.231-192.168.210.250 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
icmp permit any vpn_private
icmp permit any vpn_public
icmp permit any optusapn_temp
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.1.0-nonat obj-192.168.1.0-nonat no-proxy-arp
nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.1.0-nonat obj-192.168.1.0-nonat no-proxy-arp
nat (dmz,any) source static obj-192.168.1.0-nonatdmz obj-192.168.1.0-nonatdmz destination static obj-172.16.0.0-nonatdmz obj-172.16.0.0-nonatdmz no-proxy-arp
nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic inside-subnet-source outside-host-global
nat (inside,dmz) after-auto source dynamic inside-subnet-source dmz-host-global
nat (dmz,outside) after-auto source dynamic dmz-subnet-source outside-host-global
access-group outside in interface outside
access-group o_inside in interface inside
access-group o_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 200.190.70.65 1
route inside 172.16.0.0 255.255.0.0 172.16.3.1 1
route inside 172.20.1.0 255.255.255.0 172.16.3.1 1
route inside 172.30.1.0 255.255.255.0 172.16.3.1 1
route inside 192.168.0.0 255.255.0.0 172.16.3.1 1
route outside 192.168.210.0 255.255.255.224 200.190.70.65 1
route outside 192.168.210.32 255.255.255.224 200.190.70.65 1
route outside 192.168.210.64 255.255.255.224 200.190.70.65 1
route outside 192.168.210.96 255.255.255.224 200.190.70.65 1
route outside 192.168.210.128 255.255.255.224 200.190.70.65 1
route outside 192.168.210.224 255.255.255.224 200.190.70.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server internal-radius protocol radius
aaa-server internal-radius (inside) host 172.16.5.67
 key zzzzzz
 radius-common-pw zzzzzz
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
http 172.16.0.0 255.255.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ASA-VPN-SITE interface outside
crypto ikev2 policy 10
 encryption aes-256 aes-192 aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet 172.16.3.0 255.255.255.0 inside
telnet 172.16.0.0 255.255.0.0 management
telnet timeout 20
ssh 172.16.0.0 255.255.0.0 inside
ssh 172.16.3.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 30
ssh version 2
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.3.1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 172.16.5.31 172.16.5.32
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value ZZZZZZ
username user1 password zzzzzz encrypted
username user1 attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol ikev1
tunnel-group DefaultRAGroup general-attributes
 address-pool remote-vpn-pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key ZZZZZZ
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 7
  subscribe-to-alert-group configuration periodic monthly 7
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a225df4d313cd95bb3662bd3d70733fe
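Added example, not part of the posted configuration: a small Python auditor that parses ASA-style indentation (sub-mode commands indented by one space) and flags the points a reviewer would raise on the config above, namely the DES, 3DES and MD5 IKEv1 transform sets and the dynamic map that still offers them, the 3DES IKEv1 policy, 1024-bit DH group 2 in both IKE policies, telnet enabled for management, SSH permitted from 0.0.0.0/0 on the management interface, and to-the-box ICMP from any source. The weak-algorithm lists and severities are this example's own judgement rather than anything from Cisco or the poster; SAMPLE_CONFIG is a constructed excerpt of the posted lines.

```python
"""Audit a Cisco ASA running-config for weak IKE/IPsec crypto and exposed
management access. Added example; the rule sets are common hardening guidance."""
import re
from typing import Iterator, List, NamedTuple, Optional, Set, Tuple

# Constructed sample: statements excerpted from the ASA 8.6(1)2 config on this page.
SAMPLE_CONFIG = """\
icmp permit any outside
http 172.16.0.0 255.255.0.0 inside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto ikev1 policy 10
 encryption 3des
 hash sha
 group 2
crypto ikev2 policy 10
 encryption aes-256 aes-192 aes
 integrity sha
 group 2
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 20
ssh 172.16.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh version 2
"""

# Algorithm choices this example treats as weak (judgement call, not vendor policy).
WEAK_ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
WEAK_ESP_HMACS = {"esp-md5-hmac", "esp-none"}
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP 768/1024/1536-bit


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low"
    rule: str      # short rule identifier
    line: str      # offending top-level config command


def parse_blocks(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (command, sub-commands); ASA indents sub-mode lines with a leading space."""
    command: Optional[str] = None
    children: List[str] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and command is not None:
            children.append(raw.strip())
            continue
        if command is not None:
            yield command, children
        command, children = raw.strip(), []
    if command is not None:
        yield command, children


def audit(config: str) -> List[Finding]:
    blocks = list(parse_blocks(config))
    findings: List[Finding] = []
    weak_sets: Set[str] = set()

    # Pass 1: classify IKEv1 transform sets so crypto maps can be checked by name.
    for cmd, _ in blocks:
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", cmd)
        if m and (m.group(2) in WEAK_ESP_CIPHERS or m.group(3) in WEAK_ESP_HMACS):
            weak_sets.add(m.group(1))
            findings.append(Finding("high", "weak-transform-set", cmd))

    # Pass 2: crypto maps, IKE policies and management-plane access.
    for cmd, children in blocks:
        words = cmd.split()
        if cmd.startswith(("crypto dynamic-map", "crypto map")) and "transform-set" in words:
            offered = words[words.index("transform-set") + 1:]
            if weak_sets.intersection(offered):
                findings.append(Finding("high", "map-offers-weak-transform-set", cmd))
        elif re.match(r"crypto ikev[12] policy \d+$", cmd):
            for child in children:
                keyword, _, rest = child.partition(" ")
                values = set(rest.split())
                if keyword == "encryption" and values & WEAK_IKE_ENCRYPTION:
                    findings.append(Finding("high", "ike-weak-encryption", cmd))
                elif keyword in ("hash", "integrity", "prf") and values & WEAK_IKE_HASHES:
                    findings.append(Finding("high", "ike-weak-hash", cmd))
                elif keyword == "group" and values & WEAK_DH_GROUPS:
                    findings.append(Finding("medium", "ike-weak-dh-group", cmd))
        elif words[0] in ("telnet", "ssh", "http") and len(words) == 4 and words[2].count(".") == 3:
            # "<proto> <network> <mask> <ifname>" grants to-the-box management access.
            if words[0] == "telnet":
                findings.append(Finding("high", "telnet-enabled", cmd))
            if words[1] == words[2] == "0.0.0.0":
                findings.append(Finding("high", "mgmt-access-from-any", cmd))
        elif words[:3] == ["icmp", "permit", "any"]:
            findings.append(Finding("low", "to-the-box-icmp-from-any", cmd))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.rule}: {f.line}")
```

Run it against `show running-config` output saved to a file by swapping SAMPLE_CONFIG for the file contents; the two-pass design matters because a transform set is only a real exposure once a crypto map offers it to peers, so the map finding is the one to fix first (remove the weak names from the `set ikev1 transform-set` list), after which the unused transform sets can be deleted.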