
Need help allowing 445/SMB traffic 1


hinesjrh

MIS
Jan 4, 2005
260
US
I have a PIX 515 running 6.3(5) which is located at my central site. I have 55 remote locations which are connected back to me via a private routed network (VPN). I need to allow port 443 (SMB) traffic for both TCP and UDP for a printer application we are implementing, where users will scan in documents at the remote sites and the docs will be sent to a central repository server at my location. This central server is in my "inside" network. If I am not mistaken, all traffic will be on this inside network (not DMZ, not outside, etc.). I thought I needed to add a couple of statements to allow both TCP and UDP 445 traffic from any inside 10.0.0.0 255.0.0.0 to the central server at 10.1.0.92 255.255.255.255. However, when I attempted to add the first statement via the PDM, the app tells me "No communication is allowed between two interfaces that have the same security value".

I could use some help to allow this 445 traffic. What am I doing wrong?
 
To be sure - Post a scrubbed config but -
I believe the reason your ACL is being rejected is that your internal subnet (or the DMZ) is included in the subnet block. Try to put each subnet in separately (I know it is a lot of work.)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I have changed the appropriate IPs and names where I felt they should be for security.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto
interface ethernet4 vlan6 physical
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 ADS security45
nameif ethernet4 Guest security25
nameif ethernet5 eai security45
enable password xxx encrypted
passwd xxxxx encrypted
hostname BRDR
domain-name xxxcentral
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
fixup protocol h323 h225 1719-1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.253.0.3 Cisco2924
name 67.229.254.73 SharepointEXT
name 10.1.0.128 SQL
name 10.1.0.172 ATSQL
name 10.253.0.116 ATIISCERT
name 10.1.0.170 atssqlcert
name 10.253.0.104 ATSIIS2.2
name 10.253.0.103 ATSIIS1.2
name 10.253.0.102 ATSIIS2.1
name 10.253.0.100 ATSIIS1.1
name 10.1.0.154 DC3
name 10.1.0.152 DC2
name 10.1.0.143 backup2
name 67.229.254.236 EAI2
name 10.1.0.150 DC1
name 10.253.0.67 SPAM
name 10.253.0.175 Guest6
name 10.253.0.174 Guest5
name 10.253.0.173 Guest4
name 10.253.0.172 Guest3
name 10.253.0.171 Guest2
name 10.253.0.170 Guest1
name 10.253.0.178 Guest9
name 10.253.0.177 Guest8
name 10.253.0.176 Guest7
name 161.195.66.3 Aramarkfood
name 161.195.0.0 AramarkNet
name 10.1.3.0 VPNClients
name 10.1.1.3 printer3black
name 10.1.1.8 printer8black
name 10.1.1.7 printer7black
name 10.1.1.6 printer6black
name 10.1.1.5 printer5black
name 10.1.1.4 printer4black
name 10.1.1.2 printer2black
name 10.1.1.1 printer1black
name 10.1.1.12 printer2color
name 10.1.1.11 printer1color
name 10.1.1.10 printer10black
name 10.1.1.9 printer9black
name 67.229.254.0 outsideback
name 10.1.0.129 IPP
name 10.1.0.130 Printserver
name 10.1.0.66 mail1
name 10.1.0.65 mail
name 10.253.0.65 OWA
name 10.26.0.0 Walton
name 12.172.251.117 FollettAlliance
name 10.253.0.78 EXIIS1
name 10.253.0.74 EXIIS2
name 10.1.2.114 atsmonitor
name 10.253.0.80 ALSQL1
name 10.20.1.0 HelpDesk2
name 10.20.10.0 HelpDesk
name 10.1.0.120 Websense10.1.0.120
name 66.292.95.100 IncidentMonitor
name 66.292.95.96 IncMonitor
name 14.30.0.0 Internal
name 10.253.0.93 Odyssey
name 10.253.0.90 exiis100
name 12.107.106.100 FollettforDestiny
name 14.20.0.0
name 10.30.10.0 HelpDesk3
name 10.253.0.96 CRM500
name 14.30.96.0 HelpDeskAnalysts
name 67.229.254.254 Cisco3845Inet
name 10.253.0.88 EXIIS101
name 10.253.0.76 ExtAtschoolCluster
name 10.1.4.118 TFTPServer
name 10.253.0.94 PRINTMON100
name 208.154.174.154 quoianet.com
name 209.67.27.247 BLOCK_whitehouse.com
name 206.24.105.142 BLOCK_xxx.com
name 207.21.232.104 BLOCK_friendgreeting.com
name 208.236.11.91 BLOCK_lady.com
name 209.10.26.51 BLOCK_penthouse.com
name 206.251.29.10 BLOCK_playboy.com
name 159.153.194.3 BLOCK_electronicarts_simcity
object-group network DMZservers
description Servers in the DMZ
network-object 10.253.0.70 255.255.255.255
network-object NHASPAM 255.255.255.255
network-object 10.253.0.84 255.255.255.255
network-object 10.253.0.115 255.255.255.255
network-object ATIISCERT 255.255.255.255
network-object ATSIIS1.1 255.255.255.255
network-object ATSIIS2.1 255.255.255.255
network-object ATSIIS1.2 255.255.255.255
network-object ATSIIS2.2 255.255.255.255
network-object 10.253.0.125 255.255.255.255
network-object 10.253.0.126 255.255.255.255
network-object 10.253.0.123 255.255.255.255
network-object 10.253.0.124 255.255.255.255
network-object 10.253.0.81 255.255.255.255
network-object 10.253.0.85 255.255.255.255
network-object 10.253.0.82 255.255.255.255
network-object 10.253.0.92 255.255.255.255
network-object 10.253.0.86 255.255.255.255
network-object 10.253.0.117 255.255.255.255
network-object Odyssey 255.255.255.255
object-group network DCs
description Windows 2000 Active Directory Controllers
network-object DC2 255.255.255.255
network-object DC3 255.255.255.255
network-object DC1 255.255.255.255
object-group service WindowsAuthentication tcp-udp
description W2K servers authentication to AD (ports)
port-object eq 88
port-object eq 389
port-object eq 135
port-object eq domain
port-object eq 445
port-object eq 123
port-object range 137 139
port-object eq 42
port-object eq 1512
port-object eq 636
port-object range 3268 3269
port-object range 1024 65535
object-group network DCs_ref
network-object DC2 255.255.255.255
network-object DC3 255.255.255.255
network-object DC1 255.255.255.255
object-group network ATSIIS
description Atschool Web Servers
network-object ATSIIS1.1 255.255.255.255
network-object ATSIIS1.2 255.255.255.255
object-group service WINS udp
description WINS NetBios resolution Services
port-object range netbios-ns 139
object-group network AramarkFoodServices
description Aramark food services clients
network-object Guest1 255.255.255.255
network-object Guest2 255.255.255.255
network-object Guest3 255.255.255.255
network-object Guest4 255.255.255.255
network-object Guest5 255.255.255.255
network-object Guest6 255.255.255.255
network-object Guest7 255.255.255.255
network-object Guest8 255.255.255.255
network-object Guest9 255.255.255.255
object-group service TCPAramarkfood tcp
description Aramark Food Services VPN
port-object eq 259
port-object eq 265
port-object eq 264
object-group network printers
description Corporate Printers
network-object printer1black 255.255.255.255
network-object printer2black 255.255.255.255
network-object printer3black 255.255.255.255
network-object printer4black 255.255.255.255
network-object printer5black 255.255.255.255
network-object printer6black 255.255.255.255
network-object printer7black 255.255.255.255
network-object printer8black 255.255.255.255
network-object printer9black 255.255.255.255
network-object printer10black 255.255.255.255
network-object printer1color 255.255.255.255
network-object printer2color 255.255.255.255
object-group network SharePoint
description Sharepoint servers
network-object 10.253.0.87 255.255.255.255
network-object 10.253.0.84 255.255.255.255
object-group service SasserVirus tcp
description Block all Sasser ports
port-object eq 9996
port-object eq 5554
port-object eq 9995
object-group network IPP
description IPP Printer Server
network-object IPP 255.255.255.255
network-object Printserver 255.255.255.255
object-group network IPP_ref
network-object IPP 255.255.255.255
network-object Printserver 255.255.255.255
object-group service WebAccess tcp
description Web Access ports
port-object eq ssh
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq domain
object-group network Mailservers
description Inside located mail servers
network-object mail 255.255.255.255
network-object mail1 255.255.255.255
object-group network MailserversDMZ
description DMZ located mail servers
network-object OWA 255.255.255.255
object-group network Mailservers_ref
network-object nhamail 255.255.255.255
network-object nhamail1 255.255.255.255
object-group network ExternalWebfarm
description ATSEXIIS1and2
network-object EXIIS2 255.255.255.255
network-object ExtAtschoolCluster 255.255.255.255
network-object EXIIS1 255.255.255.255
object-group network ATSSQLservers
description ATS SQL Servers
network-object atssqlcert 255.255.255.255
network-object ATSQL 255.255.255.255
object-group network ATSSQLservers_ref
network-object atssqlcert 255.255.255.255
network-object ATSQL 255.255.255.255
object-group service FileAccess tcp
description File Access
port-object eq 137
port-object eq 135
object-group service H.245CapabilityExchange tcp
description For Tandberg Video over IP
port-object range 5555 5560
object-group service VideoUDP udp
description Video, Audio, Data/FECC (UDP) for Tandberg Video over IP
port-object range 2326 2406
access-list cdsmail deny tcp host 209.370.107.215 host 67.229.254.65 eq smtp
access-list dtp deny icmp any host 67.229.254.65 echo-reply
access-list outside_acl remark for Outside
access-list outside_acl permit tcp any host 67.229.254.80 eq www
access-list outside_acl remark H.245 Capability Exchange (TCP) for Tandberg Video over IP
access-list outside_acl permit tcp any object-group H.245CapabilityExchange any object-group H.245CapabilityExchange
access-list outside_acl remark Video, Audio, Data/FECC (UDP) for Tandberg Video over IP
access-list outside_acl permit udp any object-group VideoUDP any object-group VideoUDP
access-list outside_acl remark Block Love-San Virus
access-list outside_acl deny udp any any eq tftp log
access-list outside_acl remark Block all Sasser related Ports
access-list outside_acl deny tcp any any object-group SasserVirus log
access-list outside_acl remark Follett Alliance
access-list outside_acl remark to alsql1
access-list outside_acl permit tcp host FollettAlliance any eq 5151
access-list outside_acl permit icmp any any
access-list outside_acl remark VPN
access-list outside_acl permit tcp any host 67.229.254.94 eq pptp
access-list outside_acl remark DNS to OWA from outside
access-list outside_acl permit udp any host 67.229.254.65 eq domain
access-list outside_acl remark Web to OWA
access-list outside_acl permit tcp any host 67.229.254.65 eq www
access-list outside_acl remark VPN
access-list outside_acl permit gre any host 67.229.254.123
access-list outside_acl remark External access allowed to our FTP site/server (06/02/2005)
access-list outside_acl permit tcp any host 67.229.254.95 eq ftp log 2
access-list outside_acl remark External access allowed to this server for purposes of applications.xxxzzz.com 4/24/06
access-list outside_acl permit tcp any host 67.229.254.96 eq www
access-list outside_acl remark Allow external access via SSL / https to star.xxxzzz.com on NHACRM500 10/23/2006.
access-list outside_acl permit tcp any host 67.229.254.96 eq https
access-list outside_acl remark Http access to NHASPAM from outside
access-list outside_acl permit tcp any host 67.229.254.67 eq www
access-list outside_acl permit tcp any host 67.229.254.67 eq smtp
access-list outside_acl permit tcp any host 67.229.254.67 eq 8009
access-list outside_acl remark Atschool access from outside
access-list outside_acl permit tcp any host 67.229.254.76 eq www
access-list outside_acl remark Atschool SSL from outside
access-list outside_acl permit tcp any host 67.229.254.76 eq https
access-list outside_acl permit tcp any host 67.229.254.81 eq www
access-list outside_acl remark Allow HTTPS traffic from outside to alcert.
access-list outside_acl permit tcp any host 67.229.254.81 eq https
access-list outside_acl permit tcp any host 67.229.254.82 eq www
access-list outside_acl permit tcp any host 67.229.254.82 eq https log
access-list outside_acl remark HTTP to OWA web cluster
access-list outside_acl permit tcp any host 67.229.254.83 eq www
access-list outside_acl remark OWA SSL from the outside to the web cluster
access-list outside_acl permit tcp any host 67.229.254.83 eq https
access-list outside_acl remark Web Access from Outside to Sharepoint
access-list outside_acl permit tcp any host 67.229.254.84 eq www
access-list outside_acl remark Secure Web Access to Sharepoint from Outside
access-list outside_acl permit tcp any host 67.229.254.84 eq https
access-list outside_acl remark Aramark VPN
access-list outside_acl permit tcp host Aramarkfood any range 264 265
access-list outside_acl remark Aramark VPN
access-list outside_acl permit tcp host Aramarkfood any eq 259
access-list outside_acl remark Aramark VPN
access-list outside_acl permit udp host Aramarkfood any eq 2746
access-list outside_acl remark Aramark VPN
access-list outside_acl permit udp host Aramarkfood any eq isakmp
access-list outside_acl remark Aramark VPN
access-list outside_acl permit ah host Aramarkfood any
access-list outside_acl remark Aramark VPN
access-list outside_acl permit esp host Aramarkfood any
access-list outside_acl deny tcp any host 67.229.254.84 eq pptp
access-list outside_acl deny udp any host 67.229.254.84 eq isakmp
access-list outside_acl remark Allows HTTP to ALCERT from any outside
access-list outside_acl permit tcp any host 67.229.254.85 eq www
access-list outside_acl remark http access to ts from outside
access-list outside_acl permit tcp any host 67.229.254.86 eq www
access-list outside_acl remark Https from outside to ts
access-list outside_acl permit tcp any host 67.229.254.86 eq https
access-list outside_acl remark Allows external DNS to SPAM via UDP
access-list outside_acl permit udp any host 67.229.254.67 eq domain
access-list outside_acl permit udp any host 67.229.254.126 eq domain
access-list outside_acl permit udp any host 67.229.254.125 eq domain
access-list outside_acl remark Access to Web server
access-list outside_acl permit tcp any host 67.229.254.90 eq www
access-list outside_acl remark 443 for SSL for generic webserver
access-list outside_acl permit tcp any host 67.229.254.90 eq https
access-list outside_acl remark projects.xxxzzz.com (D Fernandez) @Task
access-list outside_acl permit tcp any host 67.229.254.90 eq 8080
access-list outside_acl remark External access allowed to odyssey.xxxzzz.com (07/25/06)
access-list outside_acl permit tcp any host 67.229.254.93 eq www
access-list outside_acl remark External access allowed to Destiny on port 81 [08/11/2006]
access-list outside_acl permit tcp any host 67.229.254.93 eq 81
access-list outside_acl remark Allows external DNS servers to communicate via TCP/53 with NHASPAM
access-list outside_acl permit tcp any host 67.229.254.67 eq domain
access-list outside_acl remark External web access to this server allowed from the Internet 04/17/07.
access-list outside_acl permit tcp any host 67.229.254.88 eq www
access-list outside_acl remark External web access to this server allowed from the Internet 04/17/07.
access-list outside_acl permit tcp any host 67.229.254.88 eq https
access-list outside_acl remark Outside access to NHAPRINTMON100
access-list outside_acl permit tcp any host 67.229.254.194 eq www
access-list dmz_acl permit icmp any any
access-list dmz_acl remark IPP access to DMZ
access-list dmz_acl permit tcp any object-group IPP_ref eq www
access-list dmz_acl remark Allow DMZ to use AD to internal DCs
access-list dmz_acl permit tcp object-group DMZservers object-group DCs_ref object-group WindowsAuthentication
access-list dmz_acl permit icmp object-group DMZservers any
access-list dmz_acl remark Allow DNS to DMZ servers
access-list dmz_acl permit udp object-group DMZservers object-group DCs_ref object-group WindowsAuthentication
access-list dmz_acl remark Allow DMZ to do AD to internal DC on UDP
access-list dmz_acl permit udp object-group DMZservers object-group DCs_ref eq domain
access-list dmz_acl remark Allow DCs to talk to DMZ
access-list dmz_acl permit tcp object-group DMZservers object-group DCs_ref eq domain
access-list dmz_acl remark Allow all UDP traffic from NHADNS to inside DCs
access-list dmz_acl remark UDP Quick Fix
access-list dmz_acl remark TCP quick fix
access-list dmz_acl remark Allow all UDP traffic from NHADNS to inside DCs
access-list dmz_acl remark Allow all UDP traffic from NHADNS to inside DCs
access-list dmz_acl remark Allow all UDP traffic from NHADNS to inside DCs
access-list dmz_acl remark Allow DNS TCP to DMZ servers
access-list dmz_acl remark Allow WINS from DMZ to Inside
access-list dmz_acl remark Allow all UDP traffic from NHADNS to inside DCs
access-list dmz_acl remark Allow DNS TCP to DMZ servers
access-list dmz_acl remark Allow all UDP traffic from NHADNS to inside DCs
access-list dmz_acl remark Allow DNS TCP to DMZ servers
access-list dmz_acl remark Allow UDP ports from DMZ to DCs
access-list dmz_acl remark Allow WINS from DMZ to Inside
access-list dmz_acl remark Allow TCP ports from DMZ to DCs
access-list dmz_acl remark Quick Fix for DMZ
access-list dmz_acl remark Quick Fix for DMZ servers UDP
access-list dmz_acl remark Quick Fix TCP
access-list dmz_acl remark UDP Quick Fix
access-list dmz_acl remark TCP quick fix
access-list dmz_acl remark UDP Quick Fix
access-list dmz_acl remark TCP quick fix
access-list dmz_acl permit tcp 10.253.0.0 255.255.0.0 host DC1 eq 135
access-list dmz_acl permit tcp 10.253.0.0 255.255.0.0 host DC1 eq netbios-ssn
access-list dmz_acl permit udp 10.253.0.0 255.255.0.0 host DC1 eq netbios-dgm
access-list dmz_acl remark Anything in DMZ authenticate to DC1
access-list dmz_acl permit tcp 10.253.0.0 255.255.0.0 host DC1 eq 445
access-list dmz_acl permit tcp 10.253.0.0 255.255.0.0 host DC1 lt 65500
access-list dmz_acl remark Log results for traffic between DMZ and Inside mail servers
access-list dmz_acl permit ip object-group MailserversDMZ object-group Mailservers_ref log
access-list dmz_acl remark DMZ Mailservers to inside DCs
access-list dmz_acl permit ip object-group MailserversDMZ object-group DCs_ref
access-list dmz_acl permit udp host OWA any eq netbios-dgm
access-list dmz_acl permit udp host OWA any eq netbios-ns
access-list dmz_acl permit tcp host OWA any eq netbios-ssn
access-list dmz_acl permit udp host OWA any lt 65535
access-list dmz_acl remark Allow SNMP from SPAM to printers.
access-list dmz_acl permit udp host SPAM 10.0.0.0 255.0.0.0 eq snmp
access-list dmz_acl remark SMTP to mailfrontier
access-list dmz_acl permit tcp host 10.253.0.72 any eq smtp
access-list dmz_acl permit udp host 10.253.0.70 host NHADC1 eq netbios-dgm
access-list dmz_acl permit tcp host 10.253.0.70 host NHADC1 eq netbios-ssn
access-list dmz_acl remark Let everything in from Web Cluster
access-list dmz_acl permit ip object-group ExternalWebfarm any
access-list dmz_acl remark EX Cluster access to SQL Servers.
access-list dmz_acl permit tcp object-group ExternalWebfarm object-group ATSSQLservers_ref eq sqlnet
access-list dmz_acl remark File access to atsmonitor
access-list dmz_acl permit tcp object-group ExternalWebfarm host atsmonitor object-group FileAccess
access-list dmz_acl remark Port 80 to atsmonitor
access-list dmz_acl permit tcp object-group ExternalWebfarm host atsmonitor eq www
access-list dmz_acl remark RPC discovery for MSMQ access
access-list dmz_acl permit tcp object-group ExternalWebfarm host atsmonitor eq 135
access-list dmz_acl remark MQIS traffic
access-list dmz_acl permit tcp object-group ExternalWebfarm host atsmonitor eq 2101
access-list dmz_acl remark For MSMQ queue managers operations
access-list dmz_acl permit udp object-group ExternalWebfarm host atsmonitor eq 3527
access-list dmz_acl remark MSMQ accessfor full send and receive access
access-list dmz_acl permit tcp object-group ExternalWebfarm host atsmonitor eq 2103
access-list dmz_acl remark MSMQ accessfor full send and receive access
access-list dmz_acl permit tcp object-group ExternalWebfarm host atsmonitor eq 2105
access-list dmz_acl remark Queue managers full access
access-list dmz_acl permit tcp object-group ExternalWebfarm host atsmonitor eq 3527
access-list dmz_acl remark LDAP Access from clustered IP ext web farm to DCs inside.
access-list dmz_acl permit tcp host ExtAtschoolCluster object-group DCs_ref eq ldap log
access-list dmz_acl remark LDAP Access from clustered IP ext web farm to DCs inside.
access-list dmz_acl permit udp host 10.253.0.81 host NHADC1 eq netbios-dgm
access-list dmz_acl remark ALcert to NHASQL on MSSQL
access-list dmz_acl permit tcp host 10.253.0.81 host NHASQL eq 1433
access-list dmz_acl permit udp host 10.253.0.82 host NHADC1 eq netbios-dgm
access-list dmz_acl remark SQL from aliis to nhasql
access-list dmz_acl permit tcp host 10.253.0.82 host NHASQL eq 1433
access-list dmz_acl permit tcp host 10.253.0.83 any eq netbios-ssn
access-list dmz_acl remark NHASPS1 to NHASQL sharepoint
access-list dmz_acl permit tcp object-group SharePoint host NHASQL eq 1433
access-list dmz_acl remark SPS1 to SQL
access-list dmz_acl permit tcp object-group SharePoint host NHASQL eq 3067
access-list dmz_acl remark NHASPS1 to SQL
access-list dmz_acl permit tcp object-group SharePoint host SQL eq 28985
access-list dmz_acl remark Sharepoint to SQL
access-list dmz_acl remark TS to SQL for team services
access-list dmz_acl permit tcp host 10.253.0.86 host NHASQL eq 1433
access-list dmz_acl remark LDAP connection from ts to DC1
access-list dmz_acl permit tcp host 10.253.0.86 host NHADC1 eq ldap
access-list dmz_acl remark Kerberose connection from ts to NADC1
access-list dmz_acl permit tcp host 10.253.0.86 host NHADC1 eq kerberos
access-list dmz_acl remark SMTP mail outgoig from ts to outside
access-list dmz_acl permit tcp host 10.253.0.86 any eq smtp
access-list dmz_acl remark NHATS to SQL
access-list dmz_acl permit tcp host 10.253.0.86 host NHASQL eq 1603
access-list dmz_acl remark NHATS to NHASQL
access-list dmz_acl permit udp host 10.253.0.86 host NHASQL eq 1603
access-list dmz_acl remark NHATS to NHASQL
access-list dmz_acl permit udp host 10.253.0.86 host SQL eq 2741
access-list dmz_acl remark NHATS to SQL
access-list dmz_acl permit tcp host 10.253.0.86 host NHASQL
access-list dmz_acl permit udp host 10.253.0.95 host DC1 eq netbios-dgm
access-list dmz_acl permit tcp host 10.253.0.95 host NHADC1 eq netbios-ssn
access-list dmz_acl permit udp host CRM500 host DC1 eq netbios-dgm
access-list dmz_acl permit tcp host CRM500 host DC1 eq netbios-ssn
access-list dmz_acl remark SQL access to ATSSQL from ATSIIS (DMZ)
access-list dmz_acl permit tcp object-group ATSIIS host ATSQL eq 1433
access-list dmz_acl remark ATIISCERT (2nd IP) to ATSSQLCERT for testing purposes.
access-list dmz_acl permit tcp host ATSIIS1.1 host atssqlcert eq 1433
access-list dmz_acl remark All ATSIIS servers to inside ATSSQLCERT
access-list dmz_acl permit tcp object-group ATSIIS host atssqlcert eq 1433
access-list dmz_acl remark ATSIIS1 to ATSSQLCERT on SQL
access-list dmz_acl permit tcp host 10.253.0.115 host atssqlcert eq 1433
access-list dmz_acl remark ATIISCERT to ATSSQLCERT for testing purposes.
access-list dmz_acl permit tcp host ATIISCERT host atssqlcert eq 1433
access-list dmz_acl permit udp host 10.253.0.125 host DC1 eq netbios-dgm
access-list dmz_acl remark Allow all TCP to go from DNS to inside DCs
access-list dmz_acl permit tcp host 10.253.0.126 object-group DCs_ref
access-list dmz_acl remark Allow DCs to talk to DMZ
access-list dmz_acl permit udp host 10.253.0.126 object-group DCs_ref
access-list dmz_acl permit tcp host 10.253.0.125 host DC1 eq netbios-ssn
access-list dmz_acl permit tcp host 10.253.0.126 any eq 135
access-list dmz_acl permit udp host 10.253.0.126 host NHADC1 eq netbios-dgm
access-list dmz_acl permit tcp host 10.253.0.126 host NHADC1 eq netbios-ssn
access-list dmz_acl remark Allow HD1 to talk to SQL inside from DMZ.
access-list dmz_acl permit tcp host 10.253.0.70 host SQL eq 1433
access-list dmz_acl permit ip any any
access-list dmz_acl remark Allow odyssey (nhaiis150) traffic to any internal source
access-list dmz_acl permit tcp host Odyssey eq 255.0.0.0
access-list inside_acl remark Video, Audio, Data/FECC (UDP) for Tandberg Video over IP
access-list inside_acl permit udp any object-group VideoUDP any object-group VideoUDP
access-list inside_acl remark NHASQL to NHASPS1 for Sharepoint
access-list inside_acl permit tcp host NHASQL host 10.253.0.84 eq 1433
access-list inside_acl remark NHASQL to NHASPS1
access-list inside_acl permit tcp host NHASQL host 10.253.0.84 eq 3067
access-list inside_acl remark quick fix IP
access-list inside_acl permit udp object-group DCs object-group DMZservers object-group WindowsAuthentication
access-list inside_acl remark AD to the DMZ
access-list inside_acl permit tcp object-group DCs object-group DMZservers object-group WindowsAuthentication
access-list inside_acl remark Log results for mail traffic inside to DMZ
access-list inside_acl permit ip object-group Mailservers object-group MailserversDMZ log
access-list inside_acl remark Webmin access to guest server.
access-list inside_acl permit ip object-group DCs object-group MailserversDMZ log
access-list inside_acl remark Webmin on gserver
access-list inside_acl permit tcp Walton 255.255.255.0 any eq citrix-ica
access-list inside_acl remark Follett Alliance Software
access-list inside_acl permit tcp any host FollettAlliance eq 5151 log
access-list inside_acl remark Allow inside traffic to reach odyssey (iis150)
access-list inside_acl permit tcp 10.0.0.0 255.0.0.0 host Odyssey eq www
access-list inside_acl remark DCs to DMZ mail servers
access-list inside_acl remark Webmin access to guest server.
access-list inside_acl remark AOIS access to Walton
access-list inside_acl deny tcp any host 66.115.177.40 eq www
access-list inside_acl deny tcp any host 66.115.177.42 eq www
access-list inside_acl deny tcp any host 66.115.177.44 eq www
access-list inside_acl deny tcp any host 66.115.177.45 eq www
access-list inside_acl deny tcp any host BLOCK_xxx.com eq www
access-list inside_acl deny tcp any host BLOCK_playboy.com eq www
access-list inside_acl deny tcp any host BLOCK_friendgreeting.com eq www
access-list inside_acl deny tcp any host BLOCK_lady.com eq www
access-list inside_acl deny tcp any host BLOCK_penthouse.com eq www
access-list inside_acl deny tcp any host BLOCK_whitehouse.com eq www
access-list inside_acl deny tcp any host 216.177.72.146 eq www
access-list inside_acl deny tcp any host 216.213.37.65 eq www
access-list inside_acl remark Block Love-San Virus
access-list inside_acl deny udp any any eq tftp log
access-list inside_acl remark Block port for Bagel.b virus
access-list inside_acl deny tcp any any eq 8866
access-list inside_acl remark Block access to SIMS ON-Line
access-list inside_acl deny ip any host BLOCK_electronicarts_simcity log
access-list inside_acl permit ip any any
access-list inside_acl permit icmp any any
access-list eai_acl permit icmp 10.250.0.0 255.255.0.0 10.0.0.0 255.0.0.0 echo-reply
access-list eai_acl deny ip any 10.0.0.0 255.0.0.0
access-list eai_acl permit ip any any
access-list inside_outbound_nat0_acl permit ip any VPNClients 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 HelpDesk 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 HelpDesk2 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 HelpDesk3 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 host IncidentMonitor
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 Internal 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 IncMonitor 255.255.255.224
access-list Guest_access_in permit ip any any
access-list ADS_access_in permit ip any any
access-list ADS_access_in permit icmp any any
access-list ADS_access_in remark Map drives to SCHBKUP from ADS
access-list ADS_access_in permit tcp any any object-group WindowsAuthentication log
access-list ADS_access_in remark ADS to Inside web
access-list ADS_access_in remark FUll access from ADS server to nhaschbkup.
access-list ADS_access_in remark FUll access from ADS server to nhaschbkup.
access-list outside_cryptomap_20 remark Help Desk
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.0.0.0 HelpDesk 255.255.255.0
access-list outside_cryptomap_40 remark Help Desk
access-list outside_cryptomap_40 permit ip 10.0.0.0 255.0.0.0 HelpDesk2 255.255.255.0
access-list outside_cryptomap_40 remark HelpDesk 07/18/2006
access-list outside_cryptomap_40 permit ip 10.0.0.0 255.0.0.0 255.255.0.0
access-list outside_cryptomap_40 remark
access-list outside_cryptomap_40 permit ip 10.0.0.0 255.0.0.0 Internal 255.255.0.0
access-list outside_cryptomap_40 remark Incident Monitor2
access-list outside_cryptomap_40 permit ip 10.0.0.0 255.0.0.0 IncMonitor 255.255.255.224
access-list outside_cryptomap_40 remark access to our DMZ & Sharepoint
access-list outside_cryptomap_40 permit ip 10.253.0.0 255.255.0.0 255.255.0.0
access-list outside_cryptomap_40 remark Allows access to our DMZ & Sharepoint 8/18/2006
access-list outside_cryptomap_40 permit ip 10.253.0.0 255.255.0.0 Internal 255.255.0.0
access-list outside_cryptomap_60 remark Help Desk
access-list outside_cryptomap_60 permit ip 10.0.0.0 255.0.0.0 HelpDesk3 255.255.255.0
access-list dmz_nat0_outbound permit ip 10.253.0.0 255.255.0.0 HelpDesk 255.255.255.0
access-list dmz_nat0_outbound permit ip 10.0.0.0 255.0.0.0 HelpDesk2 255.255.255.0
access-list dmz_nat0_outbound permit ip 10.253.0.0 255.255.0.0 HelpDesk3 255.255.255.0
access-list dmz_nat0_outbound permit ip 10.253.0.0 255.255.0.0 255.255.0.0
access-list dmz_nat0_outbound permit ip 10.253.0.0 255.255.0.0 Internal 255.255.0.0
access-list outside_cryptomap_30 remark HelpDesk access to our DMZ
access-list outside_cryptomap_30 permit ip 10.253.0.0 255.255.0.0 HelpDesk 255.255.255.0
access-list outside_cryptomap_30 remark New July 10, 2006 when xxx changed the IP address of their Incident Monitor application
access-list outside_cryptomap_30 permit ip 10.0.0.0 255.0.0.0 host IncidentMonitor
access-list outside_cryptomap_50 remark HelpDesk access to our DMZ
access-list outside_cryptomap_50 permit ip 10.253.0.0 255.255.0.0 HelpDesk2 255.255.255.0
access-list outside_cryptomap_70 remark HelpDesk access to our DMZ
access-list outside_cryptomap_70 permit ip 10.253.0.0 255.255.0.0 HelpDesk3 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor emergencies
logging trap errors
logging history critical
logging facility 19
logging device-id ipaddress inside
logging host inside TFTPServer
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu ADS 1500
mtu Guest 1500
mtu eai 1500
ip address outside 67.229.254.53 255.255.255.0
ip address inside 10.1.0.2 255.255.252.0
ip address dmz 10.253.0.1 255.255.0.0
no ip address ADS
ip address Guest 192.268.1.1 255.255.255.0
ip address eai 10.250.0.1 255.255.0.0
ip audit name Attack attack action alarm
ip audit name Information info action alarm
ip audit info action alarm
ip audit attack action alarm
ip local pool PIXVPN 10.1.3.10-10.1.3.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address ADS
no failover ip address Guest
no failover ip address eai
pdm location 36.115.177.40 255.255.255.255 outside
pdm location 36.115.177.42 255.255.255.255 outside
pdm location 36.115.177.44 255.255.255.255 outside
pdm location 36.115.177.45 255.255.255.255 outside
pdm location EAI2 255.255.255.252 outside
pdm location BLOCK_xxx.com 255.255.255.255 outside
pdm location BLOCK_playboy.com 255.255.255.255 outside
pdm location BLOCK_friendgreeting.com 255.255.255.255 outside
pdm location BLOCK_lady.com 255.255.255.255 outside
pdm location BLOCK_penthouse.com 255.255.255.255 outside
pdm location BLOCK_whitehouse.com 255.255.255.255 outside
pdm location 216.177.72.146 255.255.255.255 outside
pdm location 216.213.37.65 255.255.255.255 outside
pdm location DC1 255.255.255.255 inside
pdm location 10.1.1.151 255.255.255.255 inside
pdm location 10.1.1.191 255.255.255.255 inside
pdm location 10.1.2.30 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.1.0.0 255.255.252.0 dmz
pdm location OWA 255.255.255.255 dmz
pdm location SPAM 255.255.255.255 dmz
pdm location 10.253.0.69 255.255.255.255 dmz
pdm location 10.253.0.70 255.255.255.255 dmz
pdm location 10.253.0.75 255.255.255.255 dmz
pdm location 10.253.0.79 255.255.255.255 dmz
pdm location 10.253.0.81 255.255.255.255 dmz
pdm location 10.253.0.82 255.255.255.255 dmz
pdm location 10.253.0.83 255.255.255.255 dmz
pdm location 10.253.0.84 255.255.255.255 dmz
pdm location 10.253.0.85 255.255.255.255 dmz
pdm location 10.253.0.86 255.255.255.255 dmz
pdm location 10.253.0.87 255.255.255.255 dmz
pdm location EXIIS101 255.255.255.255 dmz
pdm location 10.253.0.89 255.255.255.255 dmz
pdm location nhaexiis100 255.255.255.255 dmz
pdm location 10.253.0.91 255.255.255.255 dmz
pdm location 10.253.0.92 255.255.255.255 dmz
pdm location 10.253.0.95 255.255.255.255 dmz
pdm location CRM500 255.255.255.255 dmz
pdm location 10.253.0.97 255.255.255.255 dmz
pdm location 10.253.0.115 255.255.255.255 dmz
pdm location 10.253.0.117 255.255.255.255 dmz
pdm location 10.253.0.123 255.255.255.255 dmz
pdm location 10.253.0.124 255.255.255.255 dmz
pdm location 10.253.0.125 255.255.255.255 dmz
pdm location 10.253.0.126 255.255.255.255 dmz
pdm location 10.253.0.128 255.255.255.255 dmz
pdm location 10.253.0.129 255.255.255.255 dmz
pdm location 10.1.0.0 255.255.252.0 Guest
pdm location 10.1.0.0 255.255.252.0 eai
pdm location 10.250.0.5 255.255.255.255 eai
pdm location 10.250.0.6 255.255.255.255 eai
pdm location 10.250.0.7 255.255.255.255 eai
pdm location 10.250.0.4 255.255.255.252 eai
pdm location 10.250.0.10 255.255.255.255 eai
pdm location 10.250.0.12 255.255.255.255 eai
pdm location 43.103.119.86 255.255.255.255 outside
pdm location 43.149.44.76 255.255.255.255 outside
pdm location 68.23.58.249 255.255.255.255 outside
pdm location quoianet.com 255.255.255.255 outside
pdm location SQL 255.255.255.255 inside
pdm location 74.56.237.113 255.255.255.255 outside
pdm location Cisco2924 255.255.255.255 dmz
pdm location Cisco3845Inet 255.255.255.255 outside
pdm location 10.1.0.119 255.255.255.255 inside
pdm location nhamail1 255.255.255.255 inside
pdm location 10.1.0.166 255.255.255.255 inside
pdm location 10.253.0.166 255.255.255.255 dmz
pdm location SharepointEXT 255.255.255.255 outside
pdm location Websense10.1.0.120 255.255.255.255 inside
pdm location ATSQL 255.255.255.255 inside
pdm location ATIISCERT 255.255.255.255 dmz
pdm location atssqlcert 255.255.255.255 inside
pdm location ATSIIS1.1 255.255.255.255 dmz
pdm location ATSIIS2.1 255.255.255.255 dmz
pdm location ATSIIS1.2 255.255.255.255 dmz
pdm location NHADC3 255.255.255.255 inside
pdm location backup2 255.255.255.255 inside
pdm location EAI2 255.255.255.252 inside
pdm location 10.253.0.72 255.255.255.255 dmz
pdm location VPNClients 255.255.255.224 eai
pdm location 10.1.0.134 255.255.255.255 inside
pdm location 10.1.0.0 255.255.252.0 ADS
pdm location 0.0.0.0 255.255.255.255 ADS
pdm location Guest1 255.255.255.255 dmz
pdm location Guest2 255.255.255.255 dmz
pdm location Guest3 255.255.255.255 dmz
pdm location Guest4 255.255.255.255 dmz
pdm location Guest5 255.255.255.255 dmz
pdm location Guest6 255.255.255.255 dmz
pdm location Guest7 255.255.255.255 dmz
pdm location Guest8 255.255.255.255 dmz
pdm location Guest9 255.255.255.255 dmz
pdm location Aramarkfood 255.255.255.255 outside
pdm location AramarkNet 255.255.0.0 outside
pdm location VPNClients 255.255.255.0 outside
pdm location printer3black 255.255.255.255 inside
pdm location printer1black 255.255.255.255 inside
pdm location printer2black 255.255.255.255 inside
pdm location printer4black 255.255.255.255 inside
pdm location printer5black 255.255.255.255 inside
pdm location printer6black 255.255.255.255 inside
pdm location printer7black 255.255.255.255 inside
pdm location printer8black 255.255.255.255 inside
pdm location printer9black 255.255.255.255 inside
pdm location printer10black 255.255.255.255 inside
pdm location printer1color 255.255.255.255 inside
pdm location printer2color 255.255.255.255 inside
pdm location BLOCK_electronicarts_simcity 255.255.255.255 outside
pdm location IPP 255.255.255.255 inside
pdm location IPP 255.255.255.255 dmz
pdm location Printserver 255.255.255.255 inside
pdm location 10.253.0.0 255.255.255.0 dmz
pdm location nhamail 255.255.255.255 inside
pdm location 10.253.0.120 255.255.255.255 dmz
pdm location Walton 255.255.255.0 inside
pdm location FollettAlliance 255.255.255.255 outside
pdm location NHAEXIIS2 255.255.255.255 dmz
pdm location ExtAtschoolCluster 255.255.255.255 dmz
pdm location NHAEXIIS1 255.255.255.255 dmz
pdm location atsmonitor 255.255.255.255 inside
pdm location ALSQL1 255.255.255.255 outside
pdm location ALSQL1 255.255.255.255 dmz
pdm location 10.1.0.159 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 eai
pdm location HelpDesk2 255.255.255.0 outside
pdm location HelpDesk 255.255.255.0 outside
pdm location 10.1.0.0 255.255.0.0 inside
pdm location 10.1.0.0 255.255.255.0 inside
pdm location HelpDesk3 255.255.255.0 outside
pdm location 10.1.0.24 255.255.255.255 inside
pdm location 10.1.0.124 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 dmz
pdm location IncidentMonitor 255.255.255.255 outside
pdm location Odyssey 255.255.255.255 dmz
pdm location 255.255.255.0 outside
pdm location Internal 255.255.255.0 outside
pdm location IncMonitor 255.255.255.255 outside
pdm location 255.255.0.0 outside
pdm location Internal 255.255.0.0 outside
pdm location IncMonitor 255.255.255.224 outside
pdm location FollettforDestiny 255.255.255.255 outside
pdm location HelpDeskAnalysts 255.255.255.0 outside
pdm location NHADC2 255.255.255.255 inside
pdm location ATSIIS2.2 255.255.255.255 dmz
pdm location 10.250.0.8 255.255.255.255 eai
pdm location 10.250.0.9 255.255.255.255 eai
pdm location 10.1.4.0 255.255.252.0 inside
pdm location TFTPServer 255.255.255.255 inside
pdm location PRINTMON100 255.255.255.255 dmz
pdm group DMZservers dmz
pdm group DCs inside
pdm group DCs_ref dmz reference DCs
pdm group ATSIIS dmz
pdm group AramarkFoodServices dmz
pdm group printers inside
pdm group SharePoint dmz
pdm group IPP inside
pdm group IPP_ref dmz reference IPP
pdm group Mailservers inside
pdm group MailserversDMZ dmz
pdm group Mailservers_ref dmz reference Mailservers
pdm group ExternalWebfarm dmz
pdm group ATSSQLservers inside
pdm group ATSSQLservers_ref dmz reference ATSSQLservers
pdm logging notifications 512
pdm history enable
arp timeout 14400
global (outside) 1 67.229.254.10
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (Guest) 1 0.0.0.0 0.0.0.0 0 0
nat (eai) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,outside) 67.229.254.65 OWA netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.67 SPAM netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.85 10.253.0.85 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.86 10.253.0.86 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.84 10.253.0.84 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.70 10.253.0.70 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.72 10.253.0.72 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.87 10.253.0.87 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.76 ExtCluster netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.83 10.253.0.83 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.90 nhaexiis100 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.119 10.253.0.129 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.79 10.253.0.79 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.80 ALSQL1 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.81 10.253.0.81 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.82 10.253.0.82 netmask 255.255.255.255 0 0
static (inside,outside) 67.229.254.94 10.1.0.134 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.95 10.253.0.95 netmask 255.255.255.255 0 0
static (dmz,inside) 67.229.254.120 10.253.0.120 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.125 10.253.0.124 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.126 10.253.0.123 netmask 255.255.255.255 0 0
static (eai,outside) 67.229.254.110 10.250.0.10 netmask 255.255.255.255 0 0
static (eai,outside) 67.229.254.112 10.250.0.12 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.97 10.253.0.97 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.92 10.253.0.92 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.123 10.253.0.125 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.116 ATIISCERT netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.120 10.253.0.126 netmask 255.255.255.255 0 0
static (eai,outside) 67.229.254.235 10.250.0.5 netmask 255.255.255.255 0 0
static (eai,outside) EAI2 10.250.0.6 netmask 255.255.255.255 0 0
static (eai,outside) 67.229.254.237 10.250.0.7 netmask 255.255.255.255 0 0
static (eai,outside) 67.229.254.238 10.250.0.8 netmask 255.255.255.255 0 0
static (eai,outside) 67.229.254.239 10.250.0.9 netmask 255.255.255.255 0 0
static (inside,eai) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,outside) 67.229.254.75 10.1.0.124 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.96 CRM500 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.93 Odyssey netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.88 EXIIS101 netmask 255.255.255.255 0 0
static (dmz,outside) 67.229.254.194 PRINTMON100 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_acl in interface dmz
access-group Guest_access_in in interface Guest
access-group eai_acl in interface eai
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 Cisco3845Inet 1
route inside 10.0.0.0 255.0.0.0 10.1.0.3 1
route outside HelpDesk2 255.255.255.0 Cisco3845Inet 1
route outside HelpDesk 255.255.255.0 Cisco3845Inet 1
route outside HelpDesk3 255.255.255.0 Cisco3845Inet 1
route outside 255.255.0.0 Cisco3845Inet 1
route outside Internal 255.255.0.0 Cisco3845Inet 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host NHADC3 timeout 5
aaa-server LOCAL protocol local
url-server (inside) vendor websense host Websense10.1.0.120 timeout 5 protocol TCP version 4
filter url except 0.0.0.0 0.0.0.0 CRM500 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 EXIIS101 255.255.255.255
filter url except 10.0.0.0 255.0.0.0 ExtAtschoolCluster 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 10.253.0.91 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 nhaexiis100 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 Odyssey 255.255.255.255
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server NHADC1 source inside prefer
http server enable
http 10.1.0.2 255.255.255.255 inside
http 10.1.0.0 255.255.0.0 inside
snmp-server host inside TFTPServer
snmp-server location Corporate
snmp-server contact xxxx
snmp-server community pix
no snmp-server enable traps
tftp-server inside FTPServer /c:\TFTP-Root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp dmz
sysopt noproxyarp ADS
sysopt noproxyarp Guest
sysopt noproxyarp eai
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 116.136.19.162
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 236.136.13.162
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 236.136.13.162
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set peer 236.136.13.162
crypto map outside_map 50 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 236.136.13.162
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 70 ipsec-isakmp
crypto map outside_map 70 match address outside_cryptomap_70
crypto map outside_map 70 set peer 236.136.13.162
crypto map outside_map 70 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 236.136.19.152 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup PIXVPN idle-time 1800
telnet 10.1.0.0 255.255.0.0 inside
telnet 10.1.0.0 255.255.252.0 dmz
telnet 10.1.0.0 255.255.252.0 Guest
telnet 10.1.0.0 255.255.252.0 eai
telnet timeout 12
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
url-block url-mempool 1500
url-block url-size 4
url-block block 128
terminal width 80
Cryptochecksum:
 
Yep,
ip address inside 10.1.0.2 255.255.252.0
ip address dmz 10.253.0.1 255.255.0.0
ip address eai 10.250.0.1 255.255.0.0
ip local pool PIXVPN 10.1.3.10-10.1.3.20

These subnets are in that block. You will have to divide it up into the separate subnets.


Brent
Systems Engineer / Consultant
CCNP, CCSP
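Brent's advice is to break 10.0.0.0/8 into the pieces that are left once the subnets bound to the PIX's other interfaces are taken out. The script below is an added example, not code from the thread or from Cisco: it computes that split with Python's ipaddress module, checks the result, and prints the corresponding PIX 6.3 access-list statements in PIX netmask notation. The interface subnets (inside 10.1.0.0/22, dmz 10.253.0.0/16, eai 10.250.0.0/16) and the repository server 10.1.0.92 are taken from the config posted above; the PIXVPN pool 10.1.3.10-10.1.3.20 already falls inside 10.1.0.0/22, so it needs no separate entry. The ACL name inside_acl is the one the posted config binds to the inside interface; that choice, and the port 445 TCP/UDP pair, are assumptions for the example.

```python
"""Carve a broad source block into pieces a PIX 6.3 ACL can use.

Added example, not code from the thread. The interface subnets and the
destination host 10.1.0.92 are taken from the posted config; the ACL name
inside_acl is the one the posted config binds to the inside interface.
"""
import ipaddress

# Subnets bound to the PIX's own interfaces, from the posted config.
# The PIXVPN pool 10.1.3.10-10.1.3.20 already lies within 10.1.0.0/22.
INTERFACE_SUBNETS = {
    "inside": "10.1.0.0/22",
    "dmz": "10.253.0.0/16",
    "eai": "10.250.0.0/16",
}


def split_block(block, exclusions):
    """Return `block` minus every network in `exclusions`, as a sorted list
    of the largest prefixes covering what is left. Two prefixes either nest
    or are disjoint, so each remaining piece is kept, dropped, or split."""
    remaining = [ipaddress.ip_network(block)]
    for excl in (ipaddress.ip_network(e) for e in exclusions):
        kept = []
        for net in remaining:
            if excl.subnet_of(net):
                kept.extend(net.address_exclude(excl))  # empty when equal
            elif net.subnet_of(excl):
                continue  # wholly inside the exclusion: drop it
            else:
                kept.append(net)  # disjoint: untouched
        remaining = kept
    return sorted(remaining)


def verify_split(block, pieces, exclusions):
    """Sanity check before pasting into a firewall: no piece may touch an
    excluded subnet or another piece, and the pieces plus the exclusions
    that fall inside `block` must account for every address in `block`."""
    block = ipaddress.ip_network(block)
    excl = [ipaddress.ip_network(e) for e in exclusions]
    if any(block.subnet_of(e) for e in excl):
        return not pieces  # an exclusion swallows the whole block
    if any(p.overlaps(e) for p in pieces for e in excl):
        return False
    if any(p.overlaps(q) for i, p in enumerate(pieces) for q in pieces[i + 1:]):
        return False
    inside_block = [e for e in excl if e.subnet_of(block)]
    # collapse_addresses merges nested exclusions so none is counted twice
    covered = sum(e.num_addresses for e in ipaddress.collapse_addresses(inside_block))
    covered += sum(p.num_addresses for p in pieces)
    return covered == block.num_addresses


def pix_acl_lines(acl_name, pieces, dest_host, port):
    """Emit PIX 6.3 access-list statements (netmask, not wildcard, notation)
    permitting TCP and UDP `port` from each piece to a single host."""
    lines = []
    for net in pieces:
        for proto in ("tcp", "udp"):
            lines.append(
                f"access-list {acl_name} permit {proto} "
                f"{net.network_address} {net.netmask} host {dest_host} eq {port}"
            )
    return lines


if __name__ == "__main__":
    pieces = split_block("10.0.0.0/8", list(INTERFACE_SUBNETS.values()))
    if not verify_split("10.0.0.0/8", pieces, list(INTERFACE_SUBNETS.values())):
        raise SystemExit("split does not add up; do not apply it")
    print("\n".join(pix_acl_lines("inside_acl", pieces, "10.1.0.92", 445)))
```

With the three interface subnets removed, 10.0.0.0/8 comes out as 21 prefixes, so the script prints 42 access-list lines (one per prefix for TCP and one for UDP). Run verify_split before applying any of them; a split that leaves a gap or re-covers a DMZ range is exactly the kind of mistake that is hard to spot in a long PDM rule list. One further check worth making on the result: a PIX 6.3 only filters traffic that crosses from one interface to another, so sources that arrive on the inside interface and go to a server on that same interface never pass through inside_acl at all.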
 
We ended up getting the data transfer to work via FTP instead of SMB. We found that some of our printer/scanning devices wouldn't support SMB. Thanks for your suggestions.
 