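|
! ASA Version
hostname ${hostname}
!
ip local pool VPN-POOL ${VPNPoolFrom1}-${VPNPoolTo1} mask ${VPNPoolMask1}
! Split-tunnel ACL (disabled). The template references were written as
! "$ {VAR}" with a space, which the substitution engine would leave
! unexpanded; corrected to "${VAR}" so the lines work when uncommented.
!access-list split standard permit ${VPCPOOL} ${VPCMASK}
!access-list split standard permit ${OnPremPool} ${OnPremMask}
!
! FIPS
! See https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/140sp/140sp2653.pdf
!crashinfo console disable
!fips enable
!no service password-recovery
!config-register 0x10011
! NOTE(review): "tlsv1-only" pins TLS 1.0, which is deprecated; confirm the
! version actually required (e.g. tlsv1.2) before uncommenting these two lines.
!ssl server-version tlsv1-only
!ssl client-version tlsv1-only
!ssh version 2
!
! service-type remote-access
!
interface management0/0
 nameif management
 management-only
 security-level 100
 no ip address
 shut
int tengi 0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shut
int tengi 0/1
 nameif inside
 security-level 100
 ip address dhcp
 no shut
!
!
webvpn
 enable outside
 ! NOTE(review): the AnyConnect image line is commented out, so no client
 ! package is installed; "anyconnect enable" is expected to be rejected until
 ! an image is present -- confirm on the target release.
 !anyconnect image disk0:/anyconnect-macos-4.8.02045-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy LAB internal
group-policy LAB attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 address-pools value VPN-POOL
 ! Full tunnel: split tunnelling stays disabled together with the ACL above.
 !split-tunnel-policy tunnelspecified
 !split-tunnel-network-list value split
dynamic-access-policy-record DfltAccessPolicy
! NOTE(review): the original created "username admin nopassword privilege 15"
! here and again in the SSH section -- a passwordless privilege-15 account on
! a box that accepts SSH from any source on "outside". Removed; ${VPNUser}
! below carries a parameterised password and administrative rights, so an
! admin login still exists.
tunnel-group LAB type remote-access
tunnel-group LAB general-attributes
 default-group-policy LAB
 address-pool VPN-POOL
tunnel-group LAB webvpn-attributes
 group-alias LAB-VPN enable
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server ${dns1}
 name-server ${dns2}
!
! Needed so VPN clients can reach each other / hairpin through "outside".
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
route inside 10.0.0.0 255.0.0.0 ${PrivateSubnet1GW}
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
! NOTE(review): a permit-any ACL applied inbound on "outside" admits all
! unsolicited traffic toward the private side; narrow it for anything beyond
! a throw-away lab.
access-list 101 extended permit ip any any
access-group 101 in interface outside
access-group 101 in interface inside
!
object network NET-${PrivateSubnet1CIDR}
 subnet ${PrivateSubnet1Pool} ${PrivateSubnet1Mask}
 nat (inside,outside) dynamic interface
!
crypto key generate rsa modulus 2048
! NOTE(review): "0 0" means any source address; restrict to the operator's
! address range, especially on "outside".
ssh 0 0 inside
ssh 0 0 outside
!ssh 0 0 management
ssh timeout 30
aaa authentication ssh console LOCAL
! The account is created before its attributes are set. The original issued
! "username ${VPNUser} attributes" before the user existed (expected to be
! rejected by the parser) and left "service-type admin" after the global
! "username ... password" command, i.e. outside attributes mode.
username ${VPNUser} password ${VPNPassword} privilege 15
username ${VPNUser} attributes
 service-type admin
! NOTE(review): ${VPNUser} is both the AnyConnect identity and the firewall
! administrator. If those roles should differ, give the VPN identity
! "service-type remote-access" and a separate, passworded admin account.
!
name 129.6.15.28 time-a.nist.gov
name 129.6.15.29 time-b.nist.gov
name 129.6.15.30 time-c.nist.gov
ntp server 169.254.169.123
ntp server time-c.nist.gov
ntp server time-b.nist.gov
ntp server time-a.nist.gov
icmp permit any outside
icmp permit any inside
!icmp permit any management
!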