Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.
Cisco - Internet Issues
Hi,
I was after a bit of help / advice.
In my office we have got a pair of Cisco 5510 ASA's, then we have two branch offices, one with a Cisco 5510 ASA and one with a Cisco 5505 ASA.
Now all three offices are experiencing the same issues, so I am starting to think it could be a config issue.
HQ (Pair of ASA's) has got a 10MB Uncontended Fixed Internet Service, so should be 10MB Each Way, but Download is 10MB but Upload is only 1.4MB.
Branch 1 (5510) has got a 10MB Uncontended Fixed Internet Service, so should be 10MB Each Way, but Download is 10MB but Upload is only about 1.8MB.
Branch 2 (5505) has got an 8MB Down 768K Upload Service and gets 8Mb Down but only .3MB Upload.
Can anyone shed any light to so config that would be causing these issues?
Thanks very much in advance.
Paul
I was after a bit of help / advice.
In my office we have got a pair of Cisco 5510 ASA's, then we have two branch offices, one with a Cisco 5510 ASA and one with a Cisco 5505 ASA.
Now all three offices are experiencing the same issues, so I am starting to think it could be a config issue.
HQ (Pair of ASA's) has got a 10MB Uncontended Fixed Internet Service, so should be 10MB Each Way, but Download is 10MB but Upload is only 1.4MB.
Branch 1 (5510) has got a 10MB Uncontended Fixed Internet Service, so should be 10MB Each Way, but Download is 10MB but Upload is only about 1.8MB.
Branch 2 (5505) has got an 8MB Down 768K Upload Service and gets 8Mb Down but only .3MB Upload.
Can anyone shed any light to so config that would be causing these issues?
Thanks very much in advance.
Paul
Asked:
Who is Participating?
most likely it's either an overhead issue (where are you measuring the bandwidth from? a workstation on the network, the router itself?) or your ISP is not telling you something...
Hi,
I have tested it from several machines, each on different segments of the network but experience exactly the same, also when I run a custom script that measures bandwidth between HQ and Branch A it also shows me poor results.
What do you suggest I look at?
I have tested it from several machines, each on different segments of the network but experience exactly the same, also when I run a custom script that measures bandwidth between HQ and Branch A it also shows me poor results.
What do you suggest I look at?
well, i'd say just connect a laptop directly to the net and go to speedtest.net. Who are the carriers? Theoretically if you have a 10MB/10MB internet circuit, considering overhead, even if you were running a complex IPSec VPN tunnel which exchanges keys constantly, you'd be getting the equivalent of 8MB/s. The numbers you gave are way below what can be considered standard overhead -- as long as you get those when you connect a laptop directly. if speedtest.net gives you 10mb each way, we'll look at other stuff such as the router performance etc.
Have a look at the dashboard on your ASA/ASDM and look at the top talkers and bandwidth utilization and see if you have anything suspicious. I've seen sites hacked and ending up having movie servers eating up all the upload bandwidth. Easy to spot if all your bandwidth is being used by 1 or 2 internal IP addresses.
If you have an older version of ASDM that does not give you the top talkers, it's a good excuse to upgrade to 8.x and ASDM 6.15
Is this an all-new service for all three sites? Has it ever performed as you expect?
Agree with DTAHARLEY above that your ISP may not be telling you something if they are limiting your upload speeds.
If you have an older version of ASDM that does not give you the top talkers, it's a good excuse to upgrade to 8.x and ASDM 6.15
Is this an all-new service for all three sites? Has it ever performed as you expect?
Agree with DTAHARLEY above that your ISP may not be telling you something if they are limiting your upload speeds.
Okay,
I have just carried out some tests with my laptop connected directly to the router.
I got 15MB Up and Down, so the issue lies within the Configuration internally.
What are the next things I can look at to get the fixed?
I have got 8.x and 6.15, but not 100% sure where I am looking to find the information you asked about.
Not a new service, but I have only recently taken over I.T. at the company so probably always been like this.
Thanks in advance.
Paul
I have just carried out some tests with my laptop connected directly to the router.
I got 15MB Up and Down, so the issue lies within the Configuration internally.
What are the next things I can look at to get the fixed?
I have got 8.x and 6.15, but not 100% sure where I am looking to find the information you asked about.
Not a new service, but I have only recently taken over I.T. at the company so probably always been like this.
Thanks in advance.
Paul
Open ASDM. Front page, Device Dashboard. Lower right quadrant is "outside" Interface Traffic Usage (Kbps) in graph form. This is a live 5 minute graph of input/output. Watch it for a few minutes and see how much bandwidth you are using overall.
On the Firewall Dashboard tab, lower right quadrant is a chart showing top talkers inbound and outbound. If it is not enabled, there will be a button to enable it. If it was not already enabled then you'll have to wait a couple hours or even till the next day to get meaningful data. You can see a pie chart of the last 1 hour, last 8 hours, last 24 hours. If you see any one host taking up the biggest slice of pie, then you start concentrating on that host. Attached is a picture of mine, showing one host taking up the vast majority of bandwidth. Note that in my case, this shows my PC as the culprit, but that's because I only have 4 computers on the network.
top10.jpg
On the Firewall Dashboard tab, lower right quadrant is a chart showing top talkers inbound and outbound. If it is not enabled, there will be a button to enable it. If it was not already enabled then you'll have to wait a couple hours or even till the next day to get meaningful data. You can see a pie chart of the last 1 hour, last 8 hours, last 24 hours. If you see any one host taking up the biggest slice of pie, then you start concentrating on that host. Attached is a picture of mine, showing one host taking up the vast majority of bandwidth. Note that in my case, this shows my PC as the culprit, but that's because I only have 4 computers on the network.
top10.jpg
Hi,
The thing that is interested / concerning is that if I look at the Outside Internet Traffic Usage Chart it says :
Input Kbps : 631
Output Kbps : 687
So it is nowhere near maxing out.
So this could indicate the issue lies elsewhere, what does everyone think?
The thing that is interested / concerning is that if I look at the Outside Internet Traffic Usage Chart it says :
Input Kbps : 631
Output Kbps : 687
So it is nowhere near maxing out.
So this could indicate the issue lies elsewhere, what does everyone think?
I am now just testing FTP a file to the ISP Public FTP Server.
100MB File, takes about 25 Minutes to Upload
Output Kbps hit 1476
100MB File, takes about 25 Minutes to Upload
Output Kbps hit 1476
Do you use a proxy or url filtering service? You'd have to post the whole firewall config for me to see anything that might possibly be a problem.
Can post the config, but will take me a while to edit the company specific details out.
We do use a Proxy, but I am testing this without the proxy.
We do use a Proxy, but I am testing this without the proxy.
Here is the config :
Result of the command: "sh run"
: Saved
:
ASA Version 8.0(4)
!
hostname asa5510-pri
domain-name company.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
name 192.168.0.0 LAN_Subnets
name 192.168.2200.0 BranchOffice1_LAN
name 192.168.210.0 Bloomberg_DMZ
name 192.168.220.0 Reuters_DMZ
name 192.168.230.0 DMZ
name 10.1.200.0 Telehouse
name 172.16.69.1 company01
name 172.16.69.2 company02
name 192.168.230.3 company03
name 172.16.69.7 company05
name 172.16.69.50 BliarsPC
name 172.16.69.81 BES
name 172.16.69.111 dc01
name 172.16.69.112 dc02
name 172.16.69.203 titan
name 172.16.69.209 freebsd01
name 172.16.69.225 TF-OASYS
name 172.16.69.229 server-om2
name 62.85.111.192 3rdParty11
name 210.17.177.16 3rdParty12
name 195.157.52.64 3rdParty13
name 192.168.230.4 Radianz-RT1
name 192.168.230.5 Radianz-HSRP
name 210.110.10.235 dc01-ext
name 193.109.254.0 ML1
name 195.245.230.0 ML2
name 195.216.0.0 ML3
name 212.125.64.0 ML4
name 62.231.128.0 ML5
name 62.173.108.0 ML6
name 85.158.136.0 ML7
name 194.106.220.0 ML8
name 194.205.110.128 ML9
name 212.125.74.44 ML10
name 212.125.75.0 ML11
name 216.82.240.0 ML12
name 112.187.165.245 Telehouse_Pix
name 210.110.10.232 WAN_Subnet
name 192.168.254.0 company_DR_LAN
name 172.16.69.234 company06
name 172.16.69.230 company-fm01
name 210.110.10.237 company-fm01-Ext
name 113.112.207.217 dc01-dr-ext
name 172.16.69.0 company_London_LAN
name 172.16.69.13 company-exch01
name 187.283.214.279 paul-pc-ext
name 192.168.2101.100 paul-pc-int
name 192.168.230.10 owa2007-int
name 172.16.69.11 company-pman01
name 187.283.214.282 company-pman01-ext
name 192.168.240.192 WiFi_Clients
name 192.168.110.0 Voice_LAN
name 192.168.120.0 Management_LAN
name 192.168.253.0 DR_Telco_LAN
name 172.16.69.6 company-ezeapp01
name 172.16.69.3 company-ezedb01
name 187.283.214.280 owa2007-ext
name 192.168.250.0 Voice_LAN_2
dns-guard
!
interface Ethernet0/0
description LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 172.16.69.254 255.255.252.0 standby 172.16.69.253
ospf cost 10
!
interface Ethernet0/1
description Easynet Internet Line
speed 100
duplex full
nameif outside
security-level 0
ip address 210.110.10.234 255.255.255.248 standby 210.110.10.236
ospf cost 10
!
interface Ethernet0/2
shutdown
nameif backup
security-level 0
no ip address
ospf cost 10
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.10
description Bloomberg DMZ
vlan 10
nameif bloomberg
security-level 50
ip address 192.168.210.1 255.255.255.248 standby 192.168.210.6
ospf cost 10
!
interface Ethernet0/3.20
description Reuters DMZ
vlan 20
nameif reuters
security-level 50
ip address 192.168.220.1 255.255.255.0 standby 192.168.220.6
ospf cost 10
!
interface Ethernet0/3.30
description DMZ
vlan 30
nameif dmz
security-level 50
ip address 192.168.230.1 255.255.255.0 standby 192.168.230.6
ospf cost 10
!
interface Ethernet0/3.40
vlan 40
nameif wifi
security-level 50
ip address 192.168.240.1 255.255.255.0 standby 192.168.240.6
ospf cost 10
!
interface Ethernet0/3.50
shutdown
vlan 50
nameif fix
security-level 50
ip address 192.168.250.1 255.255.255.0
!
interface Management0/0
description LAN Failover Interface
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name company.com
object-group network 3rdPary1
description 3rdPary1 Networks
network-object 3rdParty12 255.255.255.240
network-object 3rdParty11 255.255.255.224
network-object 3rdParty13 255.255.255.240
object-group network Bloomberg
description Bloomberg Networks
network-object 69.184.0.0 255.255.0.0
network-object 199.105.176.0 255.255.255.0
network-object 199.105.184.0 255.255.255.0
network-object 205.183.246.0 255.255.255.0
network-object 208.134.161.0 255.255.255.0
object-group network MessageLabs
description MessageLabs Mail Servers
network-object ML1 255.255.254.0
network-object ML2 255.255.254.0
network-object ML3 255.255.224.0
network-object ML4 255.255.224.0
network-object ML5 255.255.224.0
network-object ML6 255.255.255.0
network-object ML7 255.255.248.0
network-object ML8 255.255.254.0
network-object ML9 255.255.255.224
network-object ML10 255.255.255.255
network-object ML11 255.255.255.224
network-object ML12 255.255.240.0
object-group network Radianz-Routers
description Internal Radianz Routers
network-object Radianz-RT1 255.255.255.255
network-object 192.168.230.6 255.255.255.255
network-object Radianz-HSRP 255.255.255.255
object-group network Radianz
description Radianz Networks
network-object 199.89.99.75 255.255.255.255
network-object 199.89.110.75 255.255.255.255
network-object 205.228.25.21 255.255.255.255
network-object 155.195.0.0 255.255.0.0
object-group network Servers_Public
description Server Public IP Addresses
network-object host dc01-ext
network-object host company-fm01-Ext
network-object host company-pman01-ext
object-group network RadianzGRP
network-object 205.167.31.193 255.255.255.255
network-object 205.167.31.194 255.255.255.255
network-object 205.167.31.195 255.255.255.255
network-object 205.167.31.196 255.255.255.255
network-object 205.167.31.197 255.255.255.255
network-object 205.167.31.198 255.255.255.255
object-group network DM_INLINE_NETWORK_1
network-object Voice_LAN 255.255.255.0
network-object Management_LAN 255.255.255.0
network-object DR_Telco_LAN 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
network-object company_London_LAN 255.255.252.0
network-object DMZ 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object host dc01
network-object host dc02
object-group network DM_INLINE_NETWORK_4
network-object host dc01
network-object host dc02
object-group service RDP tcp
port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
access-list outside_access_inside remark MessageLabs Inbound Mail
access-list outside_access_inside extended permit tcp object-group MessageLabs host 210.110.10.234 eq smtp
access-list outside_access_inside remark 3rdParty1 Remote Access
access-list outside_access_inside extended permit tcp object-group 3rdPary1 host company-pman01-ext eq 4899
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 echo-reply inactive
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 source-quench inactive
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 unreachable inactive
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 time-exceeded inactive
access-list outside_access_inside extended permit tcp any host 210.110.10.234 eq https
access-list outside_access_inside extended permit tcp any host 210.110.10.234 eq www
access-list outside_access_inside extended permit tcp host 10.1.200.1 host company03 eq smtp
access-list outside_access_inside extended permit tcp host 10.1.200.1 any eq smtp
access-list outside_access_inside extended permit ip any host owa2007-ext
access-list inside_access_outbound extended permit ip any any log notifications inactive
access-list inside_access_outbound extended permit ip host company01 any inactive
access-list inside_access_outbound extended permit ip host company02 any inactive
access-list inside_access_outbound extended permit ip host company05 any inactive
access-list inside_access_outbound extended permit tcp host company06 any inactive
access-list inside_access_outbound extended permit ip host dc01 any inactive
access-list inside_access_outbound extended permit ip host dc02 any inactive
access-list inside_access_outbound extended permit ip host titan any inactive
access-list inside_access_outbound extended permit ip host server-om2 any inactive
access-list inside_access_outbound extended permit tcp host company-fm01 any inactive
access-list inside_access_outbound extended permit tcp host 10.1.200.1 any inactive
access-list inside_access_outbound extended permit ip host 10.1.200.1 any inactive
access-list inside_access_outbound extended permit tcp host TF-OASYS any eq smtp inactive
access-list inside_access_outbound extended permit tcp host freebsd01 any eq smtp inactive
access-list inside_access_outbound extended permit tcp host titan any eq smtp inactive
access-list inside_access_outbound extended permit tcp host BliarsPC any eq smtp inactive
access-list inside_access_outbound extended permit tcp company_London_LAN 255.255.252.0 155.195.0.0 255.255.0.0 eq www inactive
access-list inside_access_outbound extended permit ip company_London_LAN 255.255.252.0 any
access-list inside_access_outbound extended permit tcp company_London_LAN 255.255.252.0 object-group Radianz eq https inactive
access-list inside_access_outbound extended permit icmp company_London_LAN 255.255.252.0 object-group Radianz inactive
access-list inside_access_outbound extended permit icmp company_London_LAN 255.255.252.0 DMZ 255.255.255.0 echo-reply inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq smtp inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq pop3 inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq netbios-ssn inactive
access-list inside_access_outbound extended deny udp company_London_LAN 255.255.252.0 any eq netbios-ns inactive
access-list inside_access_outbound extended deny udp company_London_LAN 255.255.252.0 any eq netbios-dgm inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq domain inactive
access-list inside_access_outbound extended deny udp company_London_LAN 255.255.252.0 any eq domain inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq 445 inactive
access-list inside_access_outbound extended permit ip host paul-pc-int any inactive
access-list bloomberg_outbound_nat0_ac
access-list bloomberg_outbound_nat0_ac
access-list bloomberg_access_inside extended permit icmp any any
access-list reuters_access_inside remark Reuters Allowed
access-list reuters_access_inside extended permit icmp any any
access-list reuters_access_inside extended permit tcp any any
access-list reuters_access_inside extended permit udp any any
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 155.195.0.0 255.255.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 company_London_LAN 255.255.252.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 67.56.0.0 255.254.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 65.62.0.0 255.254.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 159.220.192.0 255.255.240.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 198.206.64.0 255.255.192.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 198.210.128.0 255.255.128.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 204.109.128.0 255.255.128.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 206.60.0.0 255.255.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 75.124.0.0 255.255.0.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 Telehouse 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 BranchOffice1_LAN 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 company_London_LAN 255.255.252.0
access-list dmz_access_inside extended permit tcp host company03 host company05 eq smtp inactive
access-list dmz_access_inside extended permit tcp host company03 host company06 eq smtp inactive
access-list dmz_access_inside extended permit icmp host company03 host company01 inactive
access-list dmz_access_inside extended permit icmp host company03 host company02 inactive
access-list dmz_access_inside extended permit udp host company03 host company01 eq domain inactive
access-list dmz_access_inside extended permit tcp host company03 host company01 eq domain inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 inactive
access-list dmz_access_inside extended permit udp host company03 host dc01 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 135 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 50000 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq ldap inactive
access-list dmz_access_inside extended permit udp host company03 host dc01 eq 88 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 88 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 3268 inactive
access-list dmz_access_inside extended permit udp host company03 host dc01 eq 389 inactive
access-list dmz_access_inside extended permit tcp host company03 host company05 eq 691 inactive
access-list dmz_access_inside extended permit tcp host company03 host company05 eq www inactive
access-list dmz_access_inside extended permit tcp host company03 host freebsd01 eq smtp inactive
access-list dmz_access_inside extended permit tcp host company03 host BliarsPC eq smtp inactive
access-list dmz_access_inside extended permit tcp DMZ 255.255.255.0 Telehouse 255.255.255.0 eq smtp inactive
access-list dmz_access_inside extended permit icmp DMZ 255.255.255.0 Telehouse 255.255.255.0 inactive
access-list dmz_access_inside extended permit icmp any host 10.1.200.1 inactive
access-list dmz_access_inside extended permit tcp any any
access-list dmz_access_inside extended permit udp any any
access-list dmz_access_inside extended permit icmp any any
access-list dmz_access_inside extended deny icmp DMZ 255.255.255.0 Reuters_DMZ 252.255.255.0 inactive
access-list dmz_access_inside extended deny tcp DMZ 255.255.255.0 Reuters_DMZ 255.255.255.0 inactive
access-list dmz_access_inside extended deny tcp DMZ 255.255.255.0 Bloomberg_DMZ 255.255.255.248 inactive
access-list dmz_access_inside extended deny udp DMZ 255.255.255.0 Reuters_DMZ 255.255.255.0 inactive
access-list dmz_access_inside extended deny udp DMZ 255.255.255.0 Bloomberg_DMZ 255.255.255.248 inactive
access-list dmz_access_inside extended deny icmp DMZ 255.255.255.0 Reuters_DMZ 255.255.255.0 inactive
access-list dmz_access_inside extended permit tcp DMZ 255.255.255.0 company_London_LAN 255.255.252.0 eq ssh inactive
access-list dmz_access_inside extended permit tcp host company03 host company-exch01 eq smtp inactive
access-list dmz_access_inside extended permit tcp host company03 host company-exch01 eq 691 inactive
access-list inside_oubbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 object-group Bloomberg
access-list inside_outbound_nat0_acl remark Disabled 12/05/2009 @ 12.55pm
access-list inside_outbound_nat0_acl extended permit ip any 192.168.80.128 255.255.255.192 inactive
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 BranchOffice1_LAN 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 Bloomberg_DMZ 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 Reuters_DMZ 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 DMZ 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 Telehouse 255.255.255.0
access-list inside_outbound_nat0_acl remark Disabled 12/05/2009 @ 12.56pm
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 object-group Radianz-Routers inactive
access-list inside_outbound_nat0_acl remark Disabled 12/05/2009 @ 12.56pm
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 object-group Radianz inactive
access-list inside_outbound_nat0_acl extended permit ip any Telehouse 255.255.255.0 inactive
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 company_DR_LAN 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip Voice_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip Management_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip any 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip host company-ezeapp01 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip host company-ezedb01 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip Voice_LAN_2 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 192.168.240.0 255.255.255.0 inactive
access-list Group_VPN_splitTunnelAcl_1
access-list Group_VPN_splitTunnelAcl extended permit ip company_London_LAN 255.255.252.0 any
access-list outside_1_cryptomap extended permit ip any Telehouse 255.255.255.0
access-list outside_2_cryptomap extended permit ip company_London_LAN 255.255.252.0 BranchOffice1_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 company_DR_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 BranchOffice1_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 Telehouse 255.255.255.0
access-list inside_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip host company-ezeapp01 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip host company-ezedb01 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip Voice_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip Voice_LAN_2 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip Management_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list backup_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 192.168.2103.128 255.255.255.224
access-list Group_VPN_splitTunnelAcl_2
access-list Eze_splitTunnelAcl standard permit host company-ezeapp01
access-list Eze_splitTunnelAcl standard permit host company-ezedb01
access-list CompanyX_Support_splitTunn
access-list CompanyX_Support_splitTunn
access-list outside_1_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_2 Telehouse 255.255.255.0
access-list Telco_Support_splitTunnelA
access-list Telco_Support_splitTunnelA
access-list Telco_Support_splitTunnelA
access-list outside_3_cryptomap extended permit ip company_London_LAN 255.255.252.0 company_DR_LAN 255.255.255.0
access-list Group_VPN_splitTunnelAcl_3
access-list CompanyX_Support_splitTunn
access-list CompanyX_Support_splitTunn
access-list Telco_Support_splitTunnelA
access-list Telco_Support_splitTunnelA
access-list Telco_Support_splitTunnelA
access-list WiFi_VPN_splitTunnelAcl standard permit company_London_LAN 255.255.252.0
pager lines 40
logging enable
logging standby
logging buffered errors
logging trap warnings
logging asdm emergencies
logging queue 1000
logging device-id hostname
logging host inside dc02
mtu inside 1500
mtu outside 1404
mtu backup 1500
mtu bloomberg 1500
mtu reuters 1500
mtu dmz 1500
mtu wifi 1500
mtu fix 1500
ip local pool Group_VPN_RAS 192.168.2103.128-192.168.2
failover
failover lan unit primary
failover lan interface failover Management0/0
failover interface ip failover 192.168.1.1 255.255.255.248 standby 192.168.1.2
no monitor-interface backup
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Voice_LAN 255.255.255.0
nat (inside) 1 company_London_LAN 255.255.252.0
nat (backup) 0 access-list backup_nat0_outbound
nat (bloomberg) 0 access-list bloomberg_outbound_nat0_ac
nat (reuters) 0 access-list reuters_outbound_nat0_acl
nat (reuters) 1 Reuters_DMZ 255.255.255.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 DMZ 255.255.255.0
nat (wifi) 1 WiFi_Clients 255.255.255.240
static (dmz,outside) tcp interface smtp company03 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 25000 company05 25000 netmask 255.255.255.255
static (inside,outside) tcp interface 1200 dc01 1200 netmask 255.255.255.255
static (inside,outside) dc01-ext dc01 netmask 255.255.255.255
static (inside,outside) company-fm01-Ext company-fm01 netmask 255.255.255.255
static (inside,outside) company-pman01-ext company-pman01 netmask 255.255.255.255
static (inside,dmz) company_London_LAN company_London_LAN netmask 255.255.252.0
static (inside,reuters) company_London_LAN company_London_LAN netmask 255.255.252.0
static (inside,bloomberg) company_London_LAN company_London_LAN netmask 255.255.252.0
static (dmz,outside) owa2007-ext owa2007-int netmask 255.255.255.255 dns
static (inside,outside) paul-pc-ext paul-pc-int netmask 255.255.255.255
access-group inside_access_outbound in interface inside
access-group outside_access_inside in interface outside
access-group bloomberg_access_inside in interface bloomberg
access-group reuters_access_inside in interface reuters
access-group dmz_access_inside in interface dmz
route outside 0.0.0.0 0.0.0.0 210.110.10.233 1
route reuters 65.62.0.0 255.254.0.0 192.168.220.254 1
route reuters 67.56.0.0 255.254.0.0 192.168.220.254 1
route bloomberg 69.184.0.0 255.255.0.0 192.168.210.4 1
route reuters 75.124.0.0 255.255.0.0 192.168.220.254 1
route reuters 155.195.0.0 255.255.0.0 192.168.220.254 1
route reuters 159.220.192.0 255.255.240.0 192.168.220.254 1
route inside Voice_LAN 255.255.255.0 172.16.69.5 1
route inside Management_LAN 255.255.255.0 172.16.69.5 1
route inside Voice_LAN_2 255.255.255.0 172.16.69.5 1
route inside DR_Telco_LAN 255.255.255.0 172.16.69.5 1
route reuters 198.206.64.0 255.255.192.0 192.168.220.254 1
route reuters 198.210.128.0 255.255.128.0 192.168.220.254 1
route dmz 199.89.99.75 255.255.255.255 Radianz-HSRP 1
route dmz 199.89.110.75 255.255.255.255 Radianz-HSRP 1
route bloomberg 199.105.176.0 255.255.255.0 192.168.210.4 1
route bloomberg 199.105.184.0 255.255.255.0 192.168.210.4 1
route reuters 204.109.128.0 255.255.128.0 192.168.220.254 1
route dmz 205.167.31.193 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.194 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.195 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.196 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.197 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.198 255.255.255.255 Radianz-HSRP 1
route bloomberg 205.183.246.0 255.255.255.0 192.168.210.4 1
route dmz 205.228.25.21 255.255.255.255 Radianz-HSRP 1
route reuters 206.60.0.0 255.255.0.0 192.168.220.254 1
route bloomberg 208.134.161.0 255.255.255.0 192.168.210.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-reco
aaa-server radius protocol radius
aaa-server radius (inside) host dc01
key companyam
aaa-server radius (inside) host dc02
key companyam
radius-common-pw companyam
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http company_London_LAN 255.255.252.0 inside
snmp-server host inside company05 poll community public
snmp-server location Mayfair
snmp-server contact Paul Sheath
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map_1 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map_1 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES
-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set security-association lifetime seconds 28800
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 70 set security-association lifetime seconds 28800
crypto map outside_map 70 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set peer Telehouse_Pix
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer 112.130.120.150
crypto map outside_map0 2 set transform-set ESP-3DES-MD5
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 3 match address outside_3_cryptomap
crypto map outside_map0 3 set pfs
crypto map outside_map0 3 set peer 113.112.207.216
crypto map outside_map0 3 set transform-set ESP-3DES-MD5
crypto map outside_map0 3 set security-association lifetime seconds 28800
crypto map outside_map0 3 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto map wifi_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wifi_map interface wifi
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable wifi
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet Telehouse 255.255.255.0 inside
telnet company_London_LAN 255.255.252.0 inside
telnet Telehouse 255.255.255.0 outside
telnet timeout 5
ssh company_London_LAN 255.255.252.0 inside
ssh timeout 10
console timeout 0
dhcpd address 192.168.240.193-192.168.24
dhcpd dns 4.2.2.2 interface wifi
dhcpd lease 33600 interface wifi
dhcpd ping_timeout 100 interface wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source outside prefer
ntp server 128.102.16.2 source outside
group-policy Telco_Support internal
group-policy Telco_Support attributes
wins-server value 172.16.69.111 172.16.69.112
dns-server value 172.16.69.111 172.16.69.112
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Telco_Support_splitTunnelA
default-domain value abc.company.com
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy Group_VPN internal
group-policy Group_VPN attributes
wins-server value 172.16.69.111 172.16.69.112
dns-server value 172.16.69.111 172.16.69.112
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Group_VPN_splitTunnelAcl_3
default-domain value abc.company.com
split-dns value abc.company.com company.com company.co.uk
group-policy WiFi_VPN internal
group-policy WiFi_VPN attributes
wins-server value 172.16.69.111 172.16.69.112
dns-server value 172.16.69.111 172.16.69.112
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value WiFi_VPN_splitTunnelAcl
default-domain value abc.company.com
group-policy CompanyX_Support internal
group-policy CompanyX_Support attributes
wins-server value 172.16.69.111 172.16.69.112
dns-server value 172.16.69.111 172.16.69.112
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CompanyX_Support_splitTunn
default-domain value abc.company.com
username user1 password xxxxxxxxxxx encrypted privilege 15
username user2 password xxxxxxxxxxx encrypted privilege 15
username user3 password xxxxxxxxxxx encrypted privilege 0
username user3 attributes
vpn-group-policy Telco_Support
tunnel-group Group_VPN type remote-access
tunnel-group Group_VPN general-attributes
address-pool Group_VPN_RAS
authentication-server-grou
default-group-policy Group_VPN
tunnel-group Group_VPN ipsec-attributes
pre-shared-key *
tunnel-group 112.187.165.245 type ipsec-l2l
tunnel-group 112.187.165.245 ipsec-attributes
pre-shared-key *
tunnel-group 112.130.120.150 type ipsec-l2l
tunnel-group 112.130.120.150 ipsec-attributes
pre-shared-key *
tunnel-group 113.112.207.216 type ipsec-l2l
tunnel-group 113.112.207.216 ipsec-attributes
pre-shared-key *
tunnel-group Telco_Support type remote-access
tunnel-group Telco_Support general-attributes
address-pool Group_VPN_RAS
default-group-policy Telco_Support
tunnel-group Telco_Support ipsec-attributes
pre-shared-key *
tunnel-group CompanyX_Support type remote-access
tunnel-group CompanyX_Support general-attributes
address-pool Group_VPN_RAS
authentication-server-grou
default-group-policy CompanyX_Support
tunnel-group CompanyX_Support ipsec-attributes
pre-shared-key *
tunnel-group WiFi_VPN type remote-access
tunnel-group WiFi_VPN general-attributes
address-pool Group_VPN_RAS
authentication-server-grou
default-group-policy WiFi_VPN
tunnel-group WiFi_VPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7501a660817
: end
Result of the command: "sh run"
: Saved
:
ASA Version 8.0(4)
!
hostname asa5510-pri
domain-name company.com
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
name 192.168.0.0 LAN_Subnets
name 192.168.2200.0 BranchOffice1_LAN
name 192.168.210.0 Bloomberg_DMZ
name 192.168.220.0 Reuters_DMZ
name 192.168.230.0 DMZ
name 10.1.200.0 Telehouse
name 172.16.69.1 company01
name 172.16.69.2 company02
name 192.168.230.3 company03
name 172.16.69.7 company05
name 172.16.69.50 BliarsPC
name 172.16.69.81 BES
name 172.16.69.111 dc01
name 172.16.69.112 dc02
name 172.16.69.203 titan
name 172.16.69.209 freebsd01
name 172.16.69.225 TF-OASYS
name 172.16.69.229 server-om2
name 62.85.111.192 3rdParty11
name 210.17.177.16 3rdParty12
name 195.157.52.64 3rdParty13
name 192.168.230.4 Radianz-RT1
name 192.168.230.5 Radianz-HSRP
name 210.110.10.235 dc01-ext
name 193.109.254.0 ML1
name 195.245.230.0 ML2
name 195.216.0.0 ML3
name 212.125.64.0 ML4
name 62.231.128.0 ML5
name 62.173.108.0 ML6
name 85.158.136.0 ML7
name 194.106.220.0 ML8
name 194.205.110.128 ML9
name 212.125.74.44 ML10
name 212.125.75.0 ML11
name 216.82.240.0 ML12
name 112.187.165.245 Telehouse_Pix
name 210.110.10.232 WAN_Subnet
name 192.168.254.0 company_DR_LAN
name 172.16.69.234 company06
name 172.16.69.230 company-fm01
name 210.110.10.237 company-fm01-Ext
name 113.112.207.217 dc01-dr-ext
name 172.16.69.0 company_London_LAN
name 172.16.69.13 company-exch01
name 187.283.214.279 paul-pc-ext
name 192.168.2101.100 paul-pc-int
name 192.168.230.10 owa2007-int
name 172.16.69.11 company-pman01
name 187.283.214.282 company-pman01-ext
name 192.168.240.192 WiFi_Clients
name 192.168.110.0 Voice_LAN
name 192.168.120.0 Management_LAN
name 192.168.253.0 DR_Telco_LAN
name 172.16.69.6 company-ezeapp01
name 172.16.69.3 company-ezedb01
name 187.283.214.280 owa2007-ext
name 192.168.250.0 Voice_LAN_2
dns-guard
!
interface Ethernet0/0
description LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 172.16.69.254 255.255.252.0 standby 172.16.69.253
ospf cost 10
!
interface Ethernet0/1
description Easynet Internet Line
speed 100
duplex full
nameif outside
security-level 0
ip address 210.110.10.234 255.255.255.248 standby 210.110.10.236
ospf cost 10
!
interface Ethernet0/2
shutdown
nameif backup
security-level 0
no ip address
ospf cost 10
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.10
description Bloomberg DMZ
vlan 10
nameif bloomberg
security-level 50
ip address 192.168.210.1 255.255.255.248 standby 192.168.210.6
ospf cost 10
!
interface Ethernet0/3.20
description Reuters DMZ
vlan 20
nameif reuters
security-level 50
ip address 192.168.220.1 255.255.255.0 standby 192.168.220.6
ospf cost 10
!
interface Ethernet0/3.30
description DMZ
vlan 30
nameif dmz
security-level 50
ip address 192.168.230.1 255.255.255.0 standby 192.168.230.6
ospf cost 10
!
interface Ethernet0/3.40
vlan 40
nameif wifi
security-level 50
ip address 192.168.240.1 255.255.255.0 standby 192.168.240.6
ospf cost 10
!
interface Ethernet0/3.50
shutdown
vlan 50
nameif fix
security-level 50
ip address 192.168.250.1 255.255.255.0
!
interface Management0/0
description LAN Failover Interface
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name company.com
object-group network 3rdPary1
description 3rdPary1 Networks
network-object 3rdParty12 255.255.255.240
network-object 3rdParty11 255.255.255.224
network-object 3rdParty13 255.255.255.240
object-group network Bloomberg
description Bloomberg Networks
network-object 69.184.0.0 255.255.0.0
network-object 199.105.176.0 255.255.255.0
network-object 199.105.184.0 255.255.255.0
network-object 205.183.246.0 255.255.255.0
network-object 208.134.161.0 255.255.255.0
object-group network MessageLabs
description MessageLabs Mail Servers
network-object ML1 255.255.254.0
network-object ML2 255.255.254.0
network-object ML3 255.255.224.0
network-object ML4 255.255.224.0
network-object ML5 255.255.224.0
network-object ML6 255.255.255.0
network-object ML7 255.255.248.0
network-object ML8 255.255.254.0
network-object ML9 255.255.255.224
network-object ML10 255.255.255.255
network-object ML11 255.255.255.224
network-object ML12 255.255.240.0
object-group network Radianz-Routers
description Internal Radianz Routers
network-object Radianz-RT1 255.255.255.255
network-object 192.168.230.6 255.255.255.255
network-object Radianz-HSRP 255.255.255.255
object-group network Radianz
description Radianz Networks
network-object 199.89.99.75 255.255.255.255
network-object 199.89.110.75 255.255.255.255
network-object 205.228.25.21 255.255.255.255
network-object 155.195.0.0 255.255.0.0
object-group network Servers_Public
description Server Public IP Addresses
network-object host dc01-ext
network-object host company-fm01-Ext
network-object host company-pman01-ext
object-group network RadianzGRP
network-object 205.167.31.193 255.255.255.255
network-object 205.167.31.194 255.255.255.255
network-object 205.167.31.195 255.255.255.255
network-object 205.167.31.196 255.255.255.255
network-object 205.167.31.197 255.255.255.255
network-object 205.167.31.198 255.255.255.255
object-group network DM_INLINE_NETWORK_1
network-object Voice_LAN 255.255.255.0
network-object Management_LAN 255.255.255.0
network-object DR_Telco_LAN 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
network-object company_London_LAN 255.255.252.0
network-object DMZ 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object host dc01
network-object host dc02
object-group network DM_INLINE_NETWORK_4
network-object host dc01
network-object host dc02
object-group service RDP tcp
port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
access-list outside_access_inside remark MessageLabs Inbound Mail
access-list outside_access_inside extended permit tcp object-group MessageLabs host 210.110.10.234 eq smtp
access-list outside_access_inside remark 3rdParty1 Remote Access
access-list outside_access_inside extended permit tcp object-group 3rdPary1 host company-pman01-ext eq 4899
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 echo-reply inactive
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 source-quench inactive
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 unreachable inactive
access-list outside_access_inside extended permit icmp any WAN_Subnet 255.255.255.248 time-exceeded inactive
access-list outside_access_inside extended permit tcp any host 210.110.10.234 eq https
access-list outside_access_inside extended permit tcp any host 210.110.10.234 eq www
access-list outside_access_inside extended permit tcp host 10.1.200.1 host company03 eq smtp
access-list outside_access_inside extended permit tcp host 10.1.200.1 any eq smtp
access-list outside_access_inside extended permit ip any host owa2007-ext
access-list inside_access_outbound extended permit ip any any log notifications inactive
access-list inside_access_outbound extended permit ip host company01 any inactive
access-list inside_access_outbound extended permit ip host company02 any inactive
access-list inside_access_outbound extended permit ip host company05 any inactive
access-list inside_access_outbound extended permit tcp host company06 any inactive
access-list inside_access_outbound extended permit ip host dc01 any inactive
access-list inside_access_outbound extended permit ip host dc02 any inactive
access-list inside_access_outbound extended permit ip host titan any inactive
access-list inside_access_outbound extended permit ip host server-om2 any inactive
access-list inside_access_outbound extended permit tcp host company-fm01 any inactive
access-list inside_access_outbound extended permit tcp host 10.1.200.1 any inactive
access-list inside_access_outbound extended permit ip host 10.1.200.1 any inactive
access-list inside_access_outbound extended permit tcp host TF-OASYS any eq smtp inactive
access-list inside_access_outbound extended permit tcp host freebsd01 any eq smtp inactive
access-list inside_access_outbound extended permit tcp host titan any eq smtp inactive
access-list inside_access_outbound extended permit tcp host BliarsPC any eq smtp inactive
access-list inside_access_outbound extended permit tcp company_London_LAN 255.255.252.0 155.195.0.0 255.255.0.0 eq www inactive
access-list inside_access_outbound extended permit ip company_London_LAN 255.255.252.0 any
access-list inside_access_outbound extended permit tcp company_London_LAN 255.255.252.0 object-group Radianz eq https inactive
access-list inside_access_outbound extended permit icmp company_London_LAN 255.255.252.0 object-group Radianz inactive
access-list inside_access_outbound extended permit icmp company_London_LAN 255.255.252.0 DMZ 255.255.255.0 echo-reply inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq smtp inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq pop3 inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq netbios-ssn inactive
access-list inside_access_outbound extended deny udp company_London_LAN 255.255.252.0 any eq netbios-ns inactive
access-list inside_access_outbound extended deny udp company_London_LAN 255.255.252.0 any eq netbios-dgm inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq domain inactive
access-list inside_access_outbound extended deny udp company_London_LAN 255.255.252.0 any eq domain inactive
access-list inside_access_outbound extended deny tcp company_London_LAN 255.255.252.0 any eq 445 inactive
access-list inside_access_outbound extended permit ip host paul-pc-int any inactive
access-list bloomberg_outbound_nat0_ac
access-list bloomberg_outbound_nat0_ac
access-list bloomberg_access_inside extended permit icmp any any
access-list reuters_access_inside remark Reuters Allowed
access-list reuters_access_inside extended permit icmp any any
access-list reuters_access_inside extended permit tcp any any
access-list reuters_access_inside extended permit udp any any
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 155.195.0.0 255.255.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 company_London_LAN 255.255.252.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 67.56.0.0 255.254.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 65.62.0.0 255.254.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 159.220.192.0 255.255.240.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 198.206.64.0 255.255.192.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 198.210.128.0 255.255.128.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 204.109.128.0 255.255.128.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 206.60.0.0 255.255.0.0
access-list reuters_outbound_nat0_acl extended permit ip Reuters_DMZ 255.255.255.0 75.124.0.0 255.255.0.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 Telehouse 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 BranchOffice1_LAN 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ 255.255.255.0 company_London_LAN 255.255.252.0
access-list dmz_access_inside extended permit tcp host company03 host company05 eq smtp inactive
access-list dmz_access_inside extended permit tcp host company03 host company06 eq smtp inactive
access-list dmz_access_inside extended permit icmp host company03 host company01 inactive
access-list dmz_access_inside extended permit icmp host company03 host company02 inactive
access-list dmz_access_inside extended permit udp host company03 host company01 eq domain inactive
access-list dmz_access_inside extended permit tcp host company03 host company01 eq domain inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 inactive
access-list dmz_access_inside extended permit udp host company03 host dc01 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 135 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 50000 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq ldap inactive
access-list dmz_access_inside extended permit udp host company03 host dc01 eq 88 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 88 inactive
access-list dmz_access_inside extended permit tcp host company03 host dc01 eq 3268 inactive
access-list dmz_access_inside extended permit udp host company03 host dc01 eq 389 inactive
access-list dmz_access_inside extended permit tcp host company03 host company05 eq 691 inactive
access-list dmz_access_inside extended permit tcp host company03 host company05 eq www inactive
access-list dmz_access_inside extended permit tcp host company03 host freebsd01 eq smtp inactive
access-list dmz_access_inside extended permit tcp host company03 host BliarsPC eq smtp inactive
access-list dmz_access_inside extended permit tcp DMZ 255.255.255.0 Telehouse 255.255.255.0 eq smtp inactive
access-list dmz_access_inside extended permit icmp DMZ 255.255.255.0 Telehouse 255.255.255.0 inactive
access-list dmz_access_inside extended permit icmp any host 10.1.200.1 inactive
access-list dmz_access_inside extended permit tcp any any
access-list dmz_access_inside extended permit udp any any
access-list dmz_access_inside extended permit icmp any any
access-list dmz_access_inside extended deny icmp DMZ 255.255.255.0 Reuters_DMZ 252.255.255.0 inactive
access-list dmz_access_inside extended deny tcp DMZ 255.255.255.0 Reuters_DMZ 255.255.255.0 inactive
access-list dmz_access_inside extended deny tcp DMZ 255.255.255.0 Bloomberg_DMZ 255.255.255.248 inactive
access-list dmz_access_inside extended deny udp DMZ 255.255.255.0 Reuters_DMZ 255.255.255.0 inactive
access-list dmz_access_inside extended deny udp DMZ 255.255.255.0 Bloomberg_DMZ 255.255.255.248 inactive
access-list dmz_access_inside extended deny icmp DMZ 255.255.255.0 Reuters_DMZ 255.255.255.0 inactive
access-list dmz_access_inside extended permit tcp DMZ 255.255.255.0 company_London_LAN 255.255.252.0 eq ssh inactive
access-list dmz_access_inside extended permit tcp host company03 host company-exch01 eq smtp inactive
access-list dmz_access_inside extended permit tcp host company03 host company-exch01 eq 691 inactive
access-list inside_oubbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 object-group Bloomberg
access-list inside_outbound_nat0_acl remark Disabled 12/05/2009 @ 12.55pm
access-list inside_outbound_nat0_acl extended permit ip any 192.168.80.128 255.255.255.192 inactive
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 BranchOffice1_LAN 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 Bloomberg_DMZ 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 Reuters_DMZ 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 DMZ 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 Telehouse 255.255.255.0
access-list inside_outbound_nat0_acl remark Disabled 12/05/2009 @ 12.56pm
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 object-group Radianz-Routers inactive
access-list inside_outbound_nat0_acl remark Disabled 12/05/2009 @ 12.56pm
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 object-group Radianz inactive
access-list inside_outbound_nat0_acl extended permit ip any Telehouse 255.255.255.0 inactive
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 company_DR_LAN 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip Voice_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip Management_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip any 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip host company-ezeapp01 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip host company-ezedb01 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip Voice_LAN_2 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip company_London_LAN 255.255.252.0 192.168.240.0 255.255.255.0 inactive
access-list Group_VPN_splitTunnelAcl_1
access-list Group_VPN_splitTunnelAcl extended permit ip company_London_LAN 255.255.252.0 any
access-list outside_1_cryptomap extended permit ip any Telehouse 255.255.255.0
access-list outside_2_cryptomap extended permit ip company_London_LAN 255.255.252.0 BranchOffice1_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 company_DR_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 BranchOffice1_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 Telehouse 255.255.255.0
access-list inside_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip host company-ezeapp01 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip host company-ezedb01 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip Voice_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip Voice_LAN_2 255.255.255.0 192.168.2103.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip Management_LAN 255.255.255.0 192.168.2103.128 255.255.255.224
access-list backup_nat0_outbound extended permit ip company_London_LAN 255.255.252.0 192.168.2103.128 255.255.255.224
access-list Group_VPN_splitTunnelAcl_2
access-list Eze_splitTunnelAcl standard permit host company-ezeapp01
access-list Eze_splitTunnelAcl standard permit host company-ezedb01
access-list CompanyX_Support_splitTunn
access-list CompanyX_Support_splitTunn
access-list outside_1_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_2 Telehouse 255.255.255.0
access-list Telco_Support_splitTunnelA
access-list Telco_Support_splitTunnelA
access-list Telco_Support_splitTunnelA
access-list outside_3_cryptomap extended permit ip company_London_LAN 255.255.252.0 company_DR_LAN 255.255.255.0
access-list Group_VPN_splitTunnelAcl_3
access-list CompanyX_Support_splitTunn
access-list CompanyX_Support_splitTunn
access-list Telco_Support_splitTunnelA
access-list Telco_Support_splitTunnelA
access-list Telco_Support_splitTunnelA
access-list WiFi_VPN_splitTunnelAcl standard permit company_London_LAN 255.255.252.0
pager lines 40
logging enable
logging standby
logging buffered errors
logging trap warnings
logging asdm emergencies
logging queue 1000
logging device-id hostname
logging host inside dc02
mtu inside 1500
mtu outside 1404
mtu backup 1500
mtu bloomberg 1500
mtu reuters 1500
mtu dmz 1500
mtu wifi 1500
mtu fix 1500
ip local pool Group_VPN_RAS 192.168.2103.128-192.168.2
failover
failover lan unit primary
failover lan interface failover Management0/0
failover interface ip failover 192.168.1.1 255.255.255.248 standby 192.168.1.2
no monitor-interface backup
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Voice_LAN 255.255.255.0
nat (inside) 1 company_London_LAN 255.255.252.0
nat (backup) 0 access-list backup_nat0_outbound
nat (bloomberg) 0 access-list bloomberg_outbound_nat0_ac
nat (reuters) 0 access-list reuters_outbound_nat0_acl
nat (reuters) 1 Reuters_DMZ 255.255.255.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 DMZ 255.255.255.0
nat (wifi) 1 WiFi_Clients 255.255.255.240
static (dmz,outside) tcp interface smtp company03 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 25000 company05 25000 netmask 255.255.255.255
static (inside,outside) tcp interface 1200 dc01 1200 netmask 255.255.255.255
static (inside,outside) dc01-ext dc01 netmask 255.255.255.255
static (inside,outside) company-fm01-Ext company-fm01 netmask 255.255.255.255
static (inside,outside) company-pman01-ext company-pman01 netmask 255.255.255.255
static (inside,dmz) company_London_LAN company_London_LAN netmask 255.255.252.0
static (inside,reuters) company_London_LAN company_London_LAN netmask 255.255.252.0
static (inside,bloomberg) company_London_LAN company_London_LAN netmask 255.255.252.0
static (dmz,outside) owa2007-ext owa2007-int netmask 255.255.255.255 dns
static (inside,outside) paul-pc-ext paul-pc-int netmask 255.255.255.255
access-group inside_access_outbound in interface inside
access-group outside_access_inside in interface outside
access-group bloomberg_access_inside in interface bloomberg
access-group reuters_access_inside in interface reuters
access-group dmz_access_inside in interface dmz
route outside 0.0.0.0 0.0.0.0 210.110.10.233 1
route reuters 65.62.0.0 255.254.0.0 192.168.220.254 1
route reuters 67.56.0.0 255.254.0.0 192.168.220.254 1
route bloomberg 69.184.0.0 255.255.0.0 192.168.210.4 1
route reuters 75.124.0.0 255.255.0.0 192.168.220.254 1
route reuters 155.195.0.0 255.255.0.0 192.168.220.254 1
route reuters 159.220.192.0 255.255.240.0 192.168.220.254 1
route inside Voice_LAN 255.255.255.0 172.16.69.5 1
route inside Management_LAN 255.255.255.0 172.16.69.5 1
route inside Voice_LAN_2 255.255.255.0 172.16.69.5 1
route inside DR_Telco_LAN 255.255.255.0 172.16.69.5 1
route reuters 198.206.64.0 255.255.192.0 192.168.220.254 1
route reuters 198.210.128.0 255.255.128.0 192.168.220.254 1
route dmz 199.89.99.75 255.255.255.255 Radianz-HSRP 1
route dmz 199.89.110.75 255.255.255.255 Radianz-HSRP 1
route bloomberg 199.105.176.0 255.255.255.0 192.168.210.4 1
route bloomberg 199.105.184.0 255.255.255.0 192.168.210.4 1
route reuters 204.109.128.0 255.255.128.0 192.168.220.254 1
route dmz 205.167.31.193 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.194 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.195 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.196 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.197 255.255.255.255 Radianz-HSRP 1
route dmz 205.167.31.198 255.255.255.255 Radianz-HSRP 1
route bloomberg 205.183.246.0 255.255.255.0 192.168.210.4 1
route dmz 205.228.25.21 255.255.255.255 Radianz-HSRP 1
route reuters 206.60.0.0 255.255.0.0 192.168.220.254 1
route bloomberg 208.134.161.0 255.255.255.0 192.168.210.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-reco
aaa-server radius protocol radius
aaa-server radius (inside) host dc01
key companyam
aaa-server radius (inside) host dc02
key companyam
radius-common-pw companyam
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http company_London_LAN 255.255.252.0 inside
snmp-server host inside company05 poll community public
snmp-server location Mayfair
snmp-server contact Paul Sheath
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map_1 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map_1 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES
-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set security-association lifetime seconds 28800
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 70 set security-association lifetime seconds 28800
crypto map outside_map 70 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set peer Telehouse_Pix
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer 112.130.120.150
crypto map outside_map0 2 set transform-set ESP-3DES-MD5
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 3 match address outside_3_cryptomap
crypto map outside_map0 3 set pfs
crypto map outside_map0 3 set peer 113.112.207.216
crypto map outside_map0 3 set transform-set ESP-3DES-MD5
crypto map outside_map0 3 set security-association lifetime seconds 28800
crypto map outside_map0 3 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto map wifi_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wifi_map interface wifi
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable wifi
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet Telehouse 255.255.255.0 inside
telnet company_London_LAN 255.255.252.0 inside
telnet Telehouse 255.255.255.0 outside
telnet timeout 5
ssh company_London_LAN 255.255.252.0 inside
ssh timeout 10
console timeout 0
dhcpd address 192.168.240.193-192.168.24
dhcpd dns 4.2.2.2 interface wifi
dhcpd lease 33600 interface wifi
dhcpd ping_timeout 100 interface wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source outside prefer
ntp server 128.102.16.2 source outside
group-policy Telco_Support internal
group-policy Telco_Support attributes
wins-server value 172.16.69.111 172.16.69.112
dns-server value 172.16.69.111 172.16.69.112
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Telco_Support_splitTunnelA
default-domain value abc.company.com
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy Group_VPN internal
group-policy Group_VPN attributes
wins-server value 172.16.69.111 172.16.69.112
dns-server value 172.16.69.111 172.16.69.112
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Group_VPN_splitTunnelAcl_3
default-domain value abc.company.com
split-dns value abc.company.com company.com company.co.uk
group-policy WiFi_VPN internal
group-policy WiFi_VPN attributes
wins-server value 172.16.69.111 172.16.69.112
dns-server value 172.16.69.111 172.16.69.112
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value WiFi_VPN_splitTunnelAcl
default-domain value abc.company.com
group-policy CompanyX_Support internal
group-policy CompanyX_Support attributes
wins-server value 172.16.69.111 172.16.69.112
dns-server value 172.16.69.111 172.16.69.112
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CompanyX_Support_splitTunn
default-domain value abc.company.com
username user1 password xxxxxxxxxxx encrypted privilege 15
username user2 password xxxxxxxxxxx encrypted privilege 15
username user3 password xxxxxxxxxxx encrypted privilege 0
username user3 attributes
vpn-group-policy Telco_Support
tunnel-group Group_VPN type remote-access
tunnel-group Group_VPN general-attributes
address-pool Group_VPN_RAS
authentication-server-grou
default-group-policy Group_VPN
tunnel-group Group_VPN ipsec-attributes
pre-shared-key *
tunnel-group 112.187.165.245 type ipsec-l2l
tunnel-group 112.187.165.245 ipsec-attributes
pre-shared-key *
tunnel-group 112.130.120.150 type ipsec-l2l
tunnel-group 112.130.120.150 ipsec-attributes
pre-shared-key *
tunnel-group 113.112.207.216 type ipsec-l2l
tunnel-group 113.112.207.216 ipsec-attributes
pre-shared-key *
tunnel-group Telco_Support type remote-access
tunnel-group Telco_Support general-attributes
address-pool Group_VPN_RAS
default-group-policy Telco_Support
tunnel-group Telco_Support ipsec-attributes
pre-shared-key *
tunnel-group CompanyX_Support type remote-access
tunnel-group CompanyX_Support general-attributes
address-pool Group_VPN_RAS
authentication-server-grou
default-group-policy CompanyX_Support
tunnel-group CompanyX_Support ipsec-attributes
pre-shared-key *
tunnel-group WiFi_VPN type remote-access
tunnel-group WiFi_VPN general-attributes
address-pool Group_VPN_RAS
authentication-server-grou
default-group-policy WiFi_VPN
tunnel-group WiFi_VPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7501a660817
: end
Looks like all pretty standard stuff. Nothing jumps out at me.
What does the CPU utilization look like? This looks like a lot of processing requirement for the 5510. How many total users?
You might consider upping the message-length max on the dns inspect policy from 512 to 640
Is there any difference in performance if the standby firewall is powered off completely?
Do you see any "mss exceeded" error messages in the logs?
What does the CPU utilization look like? This looks like a lot of processing requirement for the 5510. How many total users?
You might consider upping the message-length max on the dns inspect policy from 512 to 640
Is there any difference in performance if the standby firewall is powered off completely?
Do you see any "mss exceeded" error messages in the logs?
Hi,
I have had a look at the CPU Utilization and it sits fairly steady at 8%, so this looks to be fine.
We have 54 Users in total, so shouldn't be anything to hard for the unit to cope with.
I have changed the message-length as suggested, but that has not made any difference.
Will shortly try powering off the standby unit and see what happens.
I have had a look at the CPU Utilization and it sits fairly steady at 8%, so this looks to be fine.
We have 54 Users in total, so shouldn't be anything to hard for the unit to cope with.
I have changed the message-length as suggested, but that has not made any difference.
Will shortly try powering off the standby unit and see what happens.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month8 days, 19 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
Issue is now resolved.
The issue was having ports configured as auto/auto on the switch and router.
Changed to 100/full and all is good now.
Thanks for all yoru help though.