123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102 |
- |
- ! ASA Version
- hostname ${hostname}
- !
- ip local pool VPN-POOL ${VPNPoolFrom1}-${VPNPoolTo1} mask ${VPNPoolMask1}
- !access-list split standard permit $ {VPCPOOL} $ {VPCMASK}
- !access-list split standard permit $ {OnPremPool} $ {OnPremMask}
- ! FIPS
- ! See https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/140sp/140sp2653.pdf
- !crashinfo console disable
- !fips enable
- !no service password-recovery
- !config-register 0x10011
- !ssl server-version tlsv1-only
- !ssl client-version tlsv1-only
- !ssh version 2
- !
- service-type remote-access
- !
- interface management0/0
- nameif management
- management-only
- security-level 100
- no ip address
- shut
- int tengi 0/0
- nameif outside
- security-level 0
- ip address dhcp setroute
- no shut
- int tengi 0/1
- nameif inside
- security-level 100
- ip address dhcp
- no shut
- !
- !
- webvpn
- enable outside
- !anyconnect image disk0:/anyconnect-macos-4.8.02045-webdeploy-k9.pkg 1
- anyconnect enable
- tunnel-group-list enable
- group-policy LAB internal
- group-policy LAB attributes
- vpn-tunnel-protocol ssl-client ssl-clientless
- address-pools value VPN-POOL
- !split-tunnel-policy tunnelspecified
- !split-tunnel-network-list value split
- dynamic-access-policy-record DfltAccessPolicy
- username admin nopassword privilege 15
- tunnel-group LAB type remote-access
- tunnel-group LAB general-attributes
- default-group-policy LAB
- address-pool VPN-POOL
- tunnel-group LAB webvpn-attributes
- group-alias LAB-VPN enable
- !
- dns domain-lookup inside
- dns server-group DefaultDNS
- name-server ${dns1}
- name-server ${dns2}
- !
- same-security-traffic permit inter-interface
- same-security-traffic permit intra-interface
- !
- route inside 10.0.0.0 255.0.0.0 ${PrivateSubnet1GW}
- !
- policy-map global_policy
- class inspection_default
- inspect icmp
- !
- access-list 101 extended permit ip any any
- access-group 101 in interface outside
- access-group 101 in interface inside
- !
- object network NET-${PrivateSubnet1CIDR}
- subnet ${PrivateSubnet1Pool} ${PrivateSubnet1Mask}
- nat (inside,outside) dynamic interface
- !
- crypto key generate rsa modulus 2048
- ssh 0 0 inside
- ssh 0 0 outside
- !ssh 0 0 management
- ssh timeout 30
- aaa authentication ssh console LOCAL
- username admin nopassword privilege 15
- username admin attributes
- username ${VPNUser} attributes
- username ${VPNUser} password ${VPNPassword} privilege 15
- service-type admin
- !
- name 129.6.15.28 time-a.nist.gov
- name 129.6.15.29 time-b.nist.gov
- name 129.6.15.30 time-c.nist.gov
- ntp server 169.254.169.123
- ntp server time-c.nist.gov
- ntp server time-b.nist.gov
- ntp server time-a.nist.gov
- icmp permit any outside
- icmp permit any inside
- !icmp permit any management
- !