PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
nameif ethernet3 corp_net security95
nameif ethernet4 lcs security98
nameif ethernet5 tuas security99
clock timezone SGT 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 222 dmz_pix
name 65 outside_adsl
name 66 outside_pix
name 10.84.2.2 inside_pix
name 217 dmz_notes_01
name 218 dmz_notes_02
name 10.84.2.11 inside_notes_01
name 10.84.2.12 inside_notes_02
name 10.84.3.1 corp_net_pix
name 10.84.3.2 corp_net_gw
name 10.84.4.2 lcs_net_gw
name 10.84.4.5 ctx_svr
name 10.84.4.6 lcs_svr
name 10.84.2.23 rbmi_svr
name 10.84.2.24 mail_svr
name 10.84.6.2 tuas_gw
name 10.84.6.1 tuas_router
object-group service allowed_tcp_svc tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
  port-object eq ssh
  port-object eq smtp
  port-object eq telnet
  port-object eq domain
  port-object eq 49164
  port-object eq 1533
  port-object eq lotusnotes
  port-object eq 8080
  port-object eq pcanywhere-data
  port-object eq 8051
  port-object eq 10000
  port-object eq 522
  port-object eq 81
  port-object eq 1731
  port-object eq ldap
  port-object eq h323
  port-object eq 1053
  port-object eq 3389
object-group service allowed_udp_svc udp
  port-object eq domain
  port-object eq isakmp
  port-object eq 10000
  port-object eq 4500
  port-object eq 4000
  port-object eq pcanywhere-status
  port-object eq 62515
  port-object eq ntp
object-group icmp-type allowed_icmp
  icmp-object echo
  icmp-object echo-reply
  icmp-object unreachable
object-group network lan_inside
  network-object 10.84.2.0 255.255.255.0
object-group network lan_dmz
  network-object
object-group network dmz_notes_svr
  network-object host dmz_notes_01
  network-object host dmz_notes_02
object-group network inside_notes_svr
  network-object host inside_notes_01
  network-object host inside_notes_02
object-group network lan_cn
  network-object 10.0.0.0 255.0.0.0
object-group network lan_corp
  network-object 10.84.3.0 255.255.255.0
object-group network inside_notes_svr_real
  network-object inside_notes_01 255.255.255.255
  network-object inside_notes_02 255.255.255.255
object-group network dmz_notes_svr_real
  network-object dmz_notes_01 255.255.255.255
  network-object dmz_notes_02 255.255.255.255
object-group service allowed_tcp_svc_all tcp
  description Allow all
  port-object range 1 65535
object-group service allowed_udp_svc_all udp
  port-object range 1 65535
object-group network inside_notes_svr_real_ref
  network-object inside_notes_01 255.255.255.255
  network-object inside_notes_02 255.255.255.255
object-group network lcs_server
  network-object host ctx_svr
  network-object host lcs_svr
object-group network dc_server
  network-object host rbmi_svr
  network-object host mail_svr
object-group network tuas_network
  network-object 10.84.1.0 255.255.255.0
object-group network tuas_to_inside_allowed_ip
  network-object rbmi_svr 255.255.255.255
  network-object mail_svr 255.255.255.255
  network-object inside_notes_01 255.255.255.255
  network-object inside_notes_02 255.255.255.255
object-group network sap_server
  network-object 10.84.2.16 255.255.255.255
  network-object 10.84.2.17 255.255.255.255
object-group network hp_pool
  network-object 192.168.1.0 255.255.255.0
access-list acl_inside permit tcp any 10.0.0.0 255.0.0.0 object-group allowed_tcp_svc_all
access-list acl_inside permit udp any 10.0.0.0 255.0.0.0 object-group allowed_udp_svc_all
access-list acl_inside permit tcp object-group lan_inside any object-group allowed_tcp_svc
access-list acl_inside permit udp object-group lan_inside any object-group allowed_udp_svc
access-list acl_inside permit icmp object-group lan_inside any object-group allowed_icmp
access-list acl_dmz permit tcp object-group lan_dmz object-group inside_notes_svr eq lotusnotes
access-list acl_dmz permit icmp any any object-group allowed_icmp
access-list acl_dmz permit udp any any object-group allowed_udp_svc
access-list acl_dmz permit tcp any any object-group allowed_tcp_svc
access-list no_nat_dmz permit ip 10.84.2.0 255.255.255.0 203.125.30.216 255.255.255.248
access-list no_nat_dmz_out permit ip 203.125.30.216 255.255.255.248 203.125.249.64 255.255.255.252
access-list acl_outside permit tcp any object-group dmz_notes_svr eq lotusnotes
access-list acl_outside permit icmp any object-group lan_dmz object-group allowed_icmp
access-list acl_outside permit tcp any host outside_pix eq smtp
access-list acl_outside permit tcp any host outside_pix eq lotusnotes
access-list acl_outside permit gre any any
access-list acl_outside permit udp any any eq pcanywhere-status
access-list acl_outside permit tcp any any eq lotusnotes
access-list acl_outside permit tcp any any eq pcanywhere-data
access-list acl_outside permit icmp any host outside_pix object-group allowed_icmp
access-list acl_outside permit icmp any 192.168.1.8 255.255.255.252 object-group allowed_icmp
access-list acl_outside permit tcp any any eq 3389
access-list no_nat_corp permit ip 10.84.2.0 255.255.255.0 10.84.3.0 255.255.255.0
access-list acl_corp permit icmp object-group lan_corp any object-group allowed_icmp
access-list acl_corp permit tcp object-group lan_corp object-group inside_notes_svr_real_ref eq lotusnotes
access-list acl_corp permit icmp any any
access-list acl_corp permit tcp any any object-group allowed_tcp_svc_all
access-list acl_corp permit udp any any object-group allowed_udp_svc_all
access-list acl_corp permit icmp any any object-group allowed_icmp
access-list no_nat_vpn permit ip 10.84.2.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list no_nat_vpn permit ip 10.84.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split_tunnel permit ip 10.84.2.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list split_tunnel permit ip 10.84.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_lcs permit icmp any any object-group allowed_icmp
access-list acl_lcs permit tcp any any object-group allowed_tcp_svc_all
access-list acl_lcs permit udp any any object-group allowed_udp_svc_all
access-list acl_tuas permit tcp object-group tuas_network object-group tuas_to_inside_allowed_ip object-group allowed_tcp_svc_all
access-list acl_tuas permit udp object-group tuas_network object-group tuas_to_inside_allowed_ip object-group allowed_udp_svc_all
access-list acl_tuas deny tcp object-group tuas_network object-group lan_inside object-group allowed_tcp_svc_all
access-list acl_tuas deny udp object-group tuas_network object-group lan_inside object-group allowed_udp_svc_all
access-list acl_tuas permit tcp any 10.0.0.0 255.0.0.0 object-group allowed_tcp_svc_all
access-list acl_tuas permit udp any 10.0.0.0 255.0.0.0 object-group allowed_udp_svc_all
access-list acl_tuas permit icmp any 10.0.0.0 255.0.0.0 object-group allowed_icmp
access-list acl_tuas permit tcp object-group tuas_network any object-group allowed_tcp_svc
access-list acl_tuas permit udp object-group tuas_network any object-group allowed_udp_svc
access-list acl_tuas permit icmp object-group tuas_network any object-group allowed_icmp
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu corp_net 1500
mtu lcs 1500
mtu tuas 1500
ip address outside outside_pix 255.255.255.252
ip address inside inside_pix 255.255.255.0
ip address dmz dmz_pix 255.255.255.248
ip address corp_net corp_net_pix 255.255.255.0
ip address lcs lcs_net_gw 255.255.255.0
ip address tuas tuas_gw 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL 172.16.10.1-172.16.10.20
ip local pool CN_VPN_POOL 10.84.2.8-10.84.2.10
ip local pool HP_POOL 192.168.1.1-192.168.1.5
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address corp_net
no failover ip address lcs
no failover ip address tuas
pdm location 10.84.2.0 255.255.255.255 inside
pdm location inside_notes_01 255.255.255.255 inside
pdm location inside_notes_02 255.255.255.255 inside
pdm location 172.16.10.0 255.255.255.224 inside
pdm location 10.0.0.0 255.0.0.0 corp_net
pdm location dmz_notes_01 255.255.255.255 dmz
pdm location dmz_notes_02 255.255.255.255 dmz
pdm location 15.0.0.0 255.0.0.0 outside
pdm location 16.0.0.0 255.0.0.0 outside
pdm location 172.16.10.0 255.255.255.0 outside
pdm location 10.84.5.0 255.255.255.0 corp_net
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.84.3.13 255.255.255.255 corp_net
pdm location 145.225.0.0 255.255.0.0 corp_net
pdm location 10.0.0.0 255.0.0.0 lcs
pdm location ctx_svr 255.255.255.255 corp_net
pdm location lcs_svr 255.255.255.255 corp_net
pdm location 145.255.0.0 255.255.0.0 corp_net
pdm location 10.84.1.0 255.255.255.0 tuas
pdm group lan_inside inside
pdm group inside_notes_svr_real inside
pdm group lan_corp corp_net
pdm group lan_dmz dmz
pdm group inside_notes_svr dmz reference inside_notes_svr_real
pdm group dmz_notes_svr_real dmz
pdm group dmz_notes_svr outside reference dmz_notes_svr_real
pdm group inside_notes_svr_real_ref corp_net reference inside_notes_svr_real
pdm group lan_cn lcs
pdm group lcs_server corp_net
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_vpn
nat (inside) 1 10.84.2.0 255.255.255.0 0 0
nat (lcs) 1 10.84.4.0 255.255.255.0 0 0
nat (tuas) 1 10.84.1.0 255.255.255.0 0 0
static (inside,outside) tcp outside_pix 3389 10.84.2.15 3389 netmask 255.255.255.255 0 0
static (inside,corp_net) 10.84.2.0 10.84.2.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.84.2.0 10.84.2.0 netmask 255.255.255.0 0 0
static (inside,lcs) 10.84.2.0 10.84.2.0 netmask 255.255.255.0 0 0
static (lcs,corp_net) 10.84.4.0 10.84.4.0 netmask 255.255.255.0 0 0
static (inside,tuas) 10.84.2.0 10.84.2.0 netmask 255.255.255.0 0 0
static (tuas,corp_net) 10.84.1.0 10.84.1.0 netmask 255.255.255.0 0 0
static (tuas,lcs) 10.84.1.0 10.84.1.0 netmask 255.255.255.0 0 0
static (tuas,dmz) 10.84.1.0 10.84.1.0 netmask 255.255.255.0 0 0
static (tuas,inside) 10.84.1.0 10.84.1.0 netmask 255.255.255.0 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz in interface dmz
access-group acl_corp in interface corp_net
access-group acl_lcs in interface lcs
access-group acl_tuas in interface tuas
route outside 0.0.0.0 0.0.0.0 outside_adsl 1
route corp_net 10.0.0.0 255.0.0.0 corp_net_gw 1
route tuas 10.84.1.0 255.255.255.0 tuas_router 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server hp_access protocol radius
aaa-server hp_access max-failed-attempts 3
aaa-server hp_access deadtime 10
aaa-server hp_access (inside) host mail_svr cisco123 timeout 5
http server enable
http 15.0.0.0 255.0.0.0 outside
http 16.0.0.0 255.0.0.0 outside
http 10.84.2.0 255.255.255.255 inside
http 10.84.2.0 255.255.255.0 inside
http 172.16.10.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set STRONG1 esp-des esp-md5-hmac
crypto ipsec transform-set HP_TRAFFIC esp-des esp-md5-hmac
crypto dynamic-map DYNAMIC_VPN 10 set transform-set STRONG1
crypto dynamic-map HPDYNMAP_VPN 10 set transform-set HP_TRAFFIC
crypto map ga_VPN 30 ipsec-isakmp dynamic DYNAMIC_VPN
crypto map HP_VPN 30 ipsec-isakmp dynamic HPDYNMAP_VPN
crypto map HP_VPN client authentication hp_access
crypto map HP_VPN interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ga_vpn address-pool VPN_POOL
vpngroup ga_vpn wins-server 10.84.2.19 10.84.2.21
vpngroup ga_vpn split-tunnel split_tunnel
vpngroup ga_vpn idle-time 1800
vpngroup ga_vpn user-idle-timeout 18000
vpngroup ga_vpn password ********
vpngroup cn_vpn address-pool CN_VPN_POOL
vpngroup cn_vpn wins-server 10.84.2.19
vpngroup cn_vpn idle-time 1800
vpngroup cn_vpn password ********
vpngroup hp_vpn address-pool HP_POOL
vpngroup hp_vpn dns-server rbmi_svr
vpngroup hp_vpn wins-server 10.84.2.19
vpngroup hp_vpn idle-time 1800
vpngroup hp_vpn password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 tuas
telnet timeout 60
ssh 15.0.0.0 255.0.0.0 outside
ssh 16.0.0.0 255.0.0.0 outside
ssh 172.16.10.0 255.255.255.224 outside
ssh 10.84.2.0 255.255.255.0 inside
ssh 172.16.10.0 255.255.255.224 inside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:50d1f1dff5ad0cb2f7f10aeb44b390d1
: end
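The configuration above carries several settings a reviewer would flag on sight: a RADIUS shared secret (cisco123) readable in the config, the default SNMP community "public", single-DES transform sets and an ISAKMP policy using DES/MD5, telnet permitted from any host on the inside and tuas interfaces, HTTP/SSH management reachable from two /8 ranges on the outside interface, a console that never times out, RDP statically forwarded from the outside address, and acl_outside rules that permit GRE, RDP, pcAnywhere and Lotus Notes from any source to any destination. The following audit script is an added example written for this page; it is not part of the PIX configuration or of any Cisco tool. It applies those checks to a PIX 6.x running-config. The rule names and regular expressions are the editor's own, and SAMPLE_CONFIG is a constructed subset of lines copied from the config above. The one non-local check resolves which ACL is bound inbound on the outside interface via the access-group lines before flagging its "any any" permits, so the same rule does not fire on internal ACLs that legitimately use "any".

```python
"""Audit a Cisco PIX 6.x running-config for weak management, crypto and ACL settings.

Added example for this page (not Cisco code). Rule names and regexes are the
editor's own; SAMPLE_CONFIG is a constructed subset of the PIX 6.3(4) config above.
"""
import re
from typing import List, Set, Tuple

Finding = Tuple[str, int, str]  # (rule id, 1-based line number, offending line)

# Constructed sample: lines copied from the PIX 6.3(4) config above.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
access-list acl_outside permit tcp any host outside_pix eq smtp
access-list acl_outside permit gre any any
access-list acl_outside permit tcp any any eq 3389
access-list acl_inside permit tcp any 10.0.0.0 255.0.0.0 object-group allowed_tcp_svc_all
static (inside,outside) tcp outside_pix 3389 10.84.2.15 3389 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
aaa-server hp_access (inside) host mail_svr cisco123 timeout 5
http 15.0.0.0 255.0.0.0 outside
snmp-server community public
crypto ipsec transform-set STRONG1 esp-des esp-md5-hmac
isakmp policy 10 encryption des
isakmp policy 10 hash md5
telnet 0.0.0.0 0.0.0.0 inside
ssh 10.84.2.0 255.255.255.0 inside
console timeout 0
"""

# Line-local checks: a match on a single config line is a finding.
LINE_RULES = [
    # "aaa-server TAG (IF) host HOST KEY ..." -- the key is optional in PIX syntax,
    # so refuse to treat the "timeout" keyword as a key.
    ("cleartext-aaa-key", re.compile(r"^aaa-server \S+ \(\S+\) host \S+ (?!timeout\b)\S+")),
    ("default-snmp-community", re.compile(r"^snmp-server community (public|private)\b")),
    # \besp-des\b does not match esp-3des, which is a different (stronger) transform.
    ("single-des-transform", re.compile(r"^crypto ipsec transform-set \S+ .*\besp-des\b")),
    ("weak-isakmp-policy", re.compile(r"^isakmp policy \d+ (encryption des|hash md5)\b")),
    ("telnet-from-anywhere", re.compile(r"^telnet 0\.0\.0\.0 0\.0\.0\.0 \S+")),
    ("mgmt-plane-on-outside", re.compile(r"^(http|ssh|telnet) \S+ \S+ outside$")),
    ("console-never-times-out", re.compile(r"^console timeout 0$")),
    ("static-port-forward-to-outside", re.compile(r"^static \(\S+,outside\) (tcp|udp) ")),
]

ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")
ACL_ANY_ANY = re.compile(r"^access-list (\S+) permit (\S+) any any\b")


def outside_acls(lines: List[str]) -> Set[str]:
    """Names of ACLs applied inbound on the interface named 'outside'."""
    return {m.group(1) for m in map(ACCESS_GROUP.match, lines) if m and m.group(2) == "outside"}


def audit(config_text: str) -> List[Finding]:
    """Return every finding in config order; an empty list means nothing was flagged."""
    lines = [ln.strip() for ln in config_text.splitlines()]  # object-group members are indented
    exposed = outside_acls(lines)
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for rule_id, rx in LINE_RULES:
            if rx.search(line):
                findings.append((rule_id, n, line))
        # Context-dependent check: "permit <proto> any any" matters only on an ACL
        # that is actually bound inbound on the outside interface.
        m = ACL_ANY_ANY.match(line)
        if m and m.group(1) in exposed:
            findings.append(("inbound-permit-any-any", n, line))
    return findings


def rule_ids(config_text: str) -> List[str]:
    """Distinct rule ids that fired, sorted, for a quick summary."""
    return sorted({f[0] for f in audit(config_text)})


if __name__ == "__main__":
    for rule_id, n, line in audit(SAMPLE_CONFIG):
        print(f"{n:3}: [{rule_id}] {line}")
```

Run it against the full config (feed the text to audit()) and every line listed in the lead-in is reported; the isakmp policy produces two findings because encryption and hash are separate lines. The context check deliberately ignores acl_inside's "permit tcp any 10.0.0.0 ..." rules, which are not any-to-any, and any "any any" rule on an ACL not bound to outside.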