====== Firewall Notes ======
This document contains some notes on the current firewall configuration. The running firewall configuration can be exported to ''admin.chem.byu.edu'' by doing the following on admin.chem.byu.edu:
touch /tftpboot/network/firewall
chmod a+rw /tftpboot/network/firewall
Then on the firewall, after running ''enable'', enter:
write net 192.168.105.12:network/firewall
After the config is successfully written out, you will want to remove the excessive permissions on the file on ''admin.chem.byu.edu'':
chmod go-rwx /tftpboot/network/firewall
If you want to reverse the process, you must make the file on ''admin.chem.byu.edu'' readable to the tftp server with chmod and then you can pull from it over tftp.
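The export procedure above leaves the config file world-writable (and world-readable) between the ''chmod a+rw'' and the ''chmod go-rwx'', and the file holds the enable and login password hashes. The following shell functions are an added example, not tooling from this wiki or the department: they wrap the admin-side steps so the permissive window is deliberate and the file is verified owner-only afterwards. The ''write net'' step still runs on the ASA itself; ''/tftpboot'' as the tftpd root is taken from this page and is an assumption if your tftpd is rooted elsewhere.

```shell
#!/bin/sh
# Added example: admin-side wrapper for exporting the ASA config over tftp.
# Not part of the wiki page's own procedure; /tftpboot is assumed from the page.
TFTP_ROOT=${TFTP_ROOT:-/tftpboot}
TARGET="$TFTP_ROOT/network/firewall"

# Step 1 (before `write net` on the firewall): create the destination file
# and open it up so the tftp server can write into it.
prepare_target() {
    f=${1:-$TARGET}
    mkdir -p "$(dirname "$f")" || return 1
    : > "$f" && chmod a+rw "$f"
}

# Step 3 (after `write net` has finished): drop group/other access again.
lock_target() {
    f=${1:-$TARGET}
    chmod go-rwx "$f"
}

# Group and other permission bits of a file as shown by ls -l, e.g. "rw-rw-".
other_bits() {
    ls -ld "$1" | cut -c5-10
}

# True when only the owner can read or write the exported config.
is_locked() {
    [ "$(other_bits "$1")" = "------" ]
}

# Usage: ./export-wrap.sh prepare   (then run `write net` on the ASA)
#        ./export-wrap.sh lock      (then confirm it reports "locked")
case "${1:-}" in
    prepare) prepare_target "$TARGET" && echo "ready for write net: $TARGET" ;;
    lock)    lock_target "$TARGET" && is_locked "$TARGET" && echo "locked: $TARGET" ;;
esac
```

Running ''lock'' without ''prepare'' first simply fails on the missing file, and ''is_locked'' returns non-zero if the chmod did not take, so a forgotten step shows up as a non-zero exit rather than a hash file left readable to every tftp client.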
===== Firewall config and notes =====
: Saved
: Written by admin at 12:49:34.518 MDT Tue Aug 6 2013
!
ASA Version 8.2(3)
!
hostname Chemfire
domain-name chem.byu.edu
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
Since we need to pass multicast traffic for Campus IPTV, multicast routing must be enabled:
multicast-routing
Several host names are set to make the rules a bit easier to understand and write. However, it appears that some of these host names are old and possibly obsolete:
no names
name 192.168.105.10 NS1
name 192.168.105.37 Celeborn
name 192.168.105.36 Galadriel
name 192.168.200.6 purgatory
name 192.168.103.0 net_103
name 192.168.200.50 www_ext
name 192.168.104.0 net_104
name 192.168.200.0 dmz_any
name 192.168.100.0 net_100
name 192.168.200.10 mail
name 192.168.105.0 net_105
name 192.168.105.18 SQL
name 192.168.101.0 net_101
name 192.168.105.12 Admin
name 192.168.102.0 net_102
name 192.168.200.100 camera
name 128.187.0.0 BYUnet_public
name 10.0.0.0 BYUNet_private
name 192.168.104.240 reg_240
name 192.168.101.240 reg_101
name 192.168.103.240 reg_103
name 192.168.100.240 reg_100
name 192.168.105.240 reg_105
name 192.168.100.51 nmrlab
name 192.168.102.240 reg_102
name 192.168.4.0 WirelessNet
name 192.168.105.16 ccs_int
name 192.168.200.51 ccs_ext
name 192.168.0.0 inside_any
name 192.168.200.53 chemmgmt_proxy
name 192.168.200.52 www_rhel5 description RHEL 5 external webserver.
name 192.168.105.43 secure_rhel5 description RHEL 5 internal webserver.
name 192.168.105.19 sql_rhel6 description RHEL 6 MySQL/Postgres server.
name 192.168.105.58 chemmgmt-server
name 192.168.105.75 pchem-server
name 192.168.200.56 archiver description Ubuntu server for grad student.
name 192.168.105.85 cortana
name 192.168.105.38 mail-int_rhel5 description RHEL 5 internal mail server.
name 192.168.200.12 mail-ext2
name 192.168.200.57 www_rhel6 description RHEL 6 external webserver.
!
==== Interfaces ====
=== Untrusted ===
The main, untrusted interface is Ethernet0/0. It is assigned an address that covers all the public IP addresses that we use in the department. The address is 128.187.3.3/25, which means it effectively has addresses 3 through 126. Some of these are NATed to DMZ addresses, and some are used in a pool for outbound communications.
interface Ethernet0/0
nameif outside
security-level 0
ip address 128.187.3.3 255.255.255.128 standby 128.187.3.2
!
=== Trusted ===
The following interface is used to carry all traffic from the inside, or trusted network, to the outside world, the DMZ, or VPN hosts. It is **not** a VLAN trunk; it's just an access port on the core's 106 VLAN (??). The core has the address 192.168.106.1, and the firewall has the address 192.168.106.254 (with 192.168.106.253 as the backup, which takes over 106.254 when it comes into service).
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.106.254 255.255.255.0 standby 192.168.106.253
!
=== DMZ ===
Although the DMZ is not an actual VLAN, the firewall defines a subnet for it and acts as a router for DMZ traffic.
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description LAN/STATE Failover Interface
!
Campus IPTV defines a multicast rendezvous point that the firewall needs to know of:
pim rp-address 10.3.3.199
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name chem.byu.edu
same-security-traffic permit intra-interface
Campus IPTV comes from several multicast addresses, which we group together to make the rules easier to write:
object-group network MULTICAST_GROUPS
network-object host 239.226.16.1
network-object host 239.226.16.2
network-object host 239.226.16.4
network-object host 239.226.16.7
network-object host 239.226.16.8
network-object host 239.226.16.5
network-object host 239.226.16.16
network-object host 239.226.16.6
network-object host 239.226.16.17
network-object host 239.226.16.21
network-object host 239.226.16.22
network-object host 239.226.16.3
network-object host 239.226.16.12
network-object host 239.226.16.13
network-object host 239.226.16.9
network-object host 239.226.16.14
network-object host 239.226.16.19
network-object host 239.226.16.18
network-object host 239.226.16.10
network-object host 239.226.16.11
network-object host 239.226.16.15
network-object host 239.226.16.20
network-object host 239.226.16.23
network-object host 239.226.16.24
network-object host 239.226.16.25
network-object host 239.226.16.26
network-object host 239.226.16.27
network-object host 239.226.16.28
network-object host 239.226.16.29
network-object host 239.226.16.30
network-object host 239.226.16.31
network-object host 239.226.16.32
network-object host 239.226.16.33
network-object host 239.226.16.34
network-object host 239.226.16.37
network-object host 239.226.16.35
network-object host 239.226.16.36
network-object host 239.226.16.38
network-object host 239.226.16.39
network-object host 239.226.16.40
network-object host 239.226.16.41
network-object host 239.226.16.42
network-object host 239.226.16.43
network-object host 239.226.16.44
network-object host 239.226.16.45
network-object host 239.226.16.46
network-object host 239.226.255.0
network-object host 239.226.255.1
network-object host 239.226.255.2
For convenience, a protocol group is defined to let a rule be made for both a tcp and udp port in the same line.
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
==== Access Controls Rules ====
=== From the DMZ to the Trusted Network ===
The following lines appear to be obsolete. The IP addresses resolve to ns1 and ns2, but neither server hosts LDAP currently. And port 88 is a Kerberos port; Kerberos is at ''kerberos.chem.byu.edu'', which is really on ''admin.chem.byu.edu''. So it appears these lines can be removed:
access-list dmz_in extended permit tcp any host 192.168.105.36 eq 88
access-list dmz_in extended permit tcp any host 192.168.105.36 eq ldap
access-list dmz_in extended permit tcp any host 192.168.105.36 eq ldaps
access-list dmz_in extended permit tcp any host 192.168.105.37 eq ldap
access-list dmz_in extended permit tcp any host 192.168.105.37 eq ldaps
DNS and time servers need to be accessible from the DMZ:
access-list dmz_in extended permit udp any host 192.168.105.10 eq domain
access-list dmz_in extended permit udp any host 192.168.105.10 eq ntp
access-list dmz_in extended permit tcp any host 192.168.105.10 eq domain
Purgatory may ssh or telnet into any trusted host:
access-list dmz_in extended permit tcp host 192.168.200.6 192.168.0.0 255.255.128.0 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.6 192.168.0.0 255.255.128.0 eq telnet
The following rule was to allow a sysadmin to ssh into purgatory and forward web connections so that the vpn concentrator could be controlled via its web interface. The VPN concentrator is now part of this firewall, so this code is useless:
access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.108.6 eq www
access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.108.6 eq https
The following rule is obsolete too. It allowed a sysadmin to tunnel vnc through purgatory to the old Mac OS X Server celeborn which was on port 5900:
access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.105.36 eq 5900
The following code allowed the old web server to proxy information from trusted web servers (ports 80, 443, 8080, 8180) and to access the SQL servers (port 3306 for MySQL, 5432 for PostgreSQL). This server was called www-old when the servers were changed to a split DMZ/trusted arrangement, but it is no longer in service. Hence these rules should be removed, as 192.168.200.50 does not appear to be alive anymore:
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.12 eq https
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq www
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq https
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8080
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8180
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.18 eq 3306
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.19 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.18 eq 5432
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.19 eq 5432
The following rules allow any DMZ host to access LDAP on a backup LDAP server, which is no longer in service, as near as I can tell. So they can be removed as well:
access-list dmz_in extended permit tcp any host 192.168.105.18 eq ldap
access-list dmz_in extended permit tcp any host 192.168.105.18 eq ldaps
Since DMZ hosts are not allowed to access the internet (though I'm unclear as to how this block was accomplished!), any updates with yum and Red Hat's update network have to be done through the squid HTTP proxy on admin, so DMZ hosts need access to squid. Note that this is a potential security problem, but at the time I deemed it an acceptable risk:
access-list dmz_in extended permit tcp any host 192.168.105.12 eq 3128
mail-ext1 needs access to sql server(s). Currently only 192.168.105.19 is in use I think:
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 5432
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 5432
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 3306
Allow www.chem.byu.edu to access information on admin.chem.byu.edu via https (proxying), sql, the web server on the internal mail server (for the purpose of controlling the mailing list, spam stuff, etc). Any references to 192.168.105.18 (sql-old) can be removed. I notice that Garrett has already made some of them inactive, which is a good idea:
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq https
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.12 eq https inactive
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.18 eq 3306 inactive
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.19 eq 3306
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.19 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.18 eq 5432 inactive
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.19 eq 5432
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.19 eq 5432
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq www
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq https
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8080
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8081
Another obsolete line for www-old, which is dead:
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8081
Allow the DMZ hosts to ping anything in or out:
access-list dmz_in extended permit icmp any any
Allow mail-ext1 to reach any internal SMTP server, DNS, and the auth/ident port (113) on any trusted computer:
access-list dmz_in extended permit tcp host 192.168.200.10 any eq smtp
access-list dmz_in extended permit tcp host 192.168.200.10 any eq domain
access-list dmz_in extended permit tcp host 192.168.200.10 any eq ident
access-list dmz_in extended permit udp host 192.168.200.10 any eq 113
access-list dmz_in extended permit udp host 192.168.200.10 any eq domain
Allow purgatory to ssh or ftp into any BYU machine, on its private or public network. Not sure what port 8500 is:
access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ftp
access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq 8500
access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ftp
Allow www.chem.byu.edu to proxy web data from secure.chem.byu.edu:
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq www
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq https
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8080
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8180
Allow any DMZ host to access LDAP:
access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldap
access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldaps
Allow www.chem.byu.edu to ssh into admin. Not sure about this rule. It's possible that the code that generates door cards for faculty requires an ssh connection into admin to run inkscape to generate the pdf:
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq ssh
Allow any dmz host access to ldap at a host that no longer exists. This line can be removed:
access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldap
access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldaps
Allow any dmz host access to kerberos. However this ip address (an alias for ns1) does not run a kerberos server; it's on admin. So this rule can be removed:
access-list dmz_in extended permit udp any host 192.168.105.36 eq 88
Allow www to access web servers on secure.chem.byu.edu and pchem-server:
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8081
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8009
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.75 eq www
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8010
Allow DMZ hosts to access the backup LDAP server, which is on printqueue:
access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldap
access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldaps
Allow DMZ hosts to access LDAP on 101.150, which may have been the old n175-serv file server. In any case, this address is not pinging and I believe that these entries can be removed:
access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldap
access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldaps
Allow mail and www to access sql on 192.168.105.90 which is molecule.chem.byu.edu. I don't know anything about this host:
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 5432
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 5432
Allow mail-ext1 to access https on secure.chem.byu.edu:
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.43 eq https
DMZ allowed to access kerberos and ldap on an obsolete host I think (address is now diskarray3). Should be removed:
access-list dmz_in extended permit udp any host 192.168.105.50 eq 88
access-list dmz_in extended permit tcp any host 192.168.105.50 eq 88
access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldap
access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldaps
Allows mail-ext1 to access tcp port 2703 on any trusted host... not sure why:
access-list dmz_in extended permit tcp host 192.168.200.10 any eq 2703
Obsolete entry for www-old and tomcat again:
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8181
Allow www.chem.byu.edu to access various web-related ports on secure (for proxying) and on mail-int (not sure why?):
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8181
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8181
Allowed www to proxy various things from chemmgmt-server, which is no longer here. Remove:
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq www
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq https
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8080
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8081
Allow certain hosts to ssh into 192.168.0.0 through 192.168.127.255 (mask 255.255.128.0)... No clue why this is in here. I'd say remove:
access-list dmz_in extended permit tcp host 192.168.200.60 192.168.0.0 255.255.128.0 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.62 192.168.0.0 255.255.128.0 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.61 192.168.0.0 255.255.128.0 eq ssh
Remove reference to obsolete host:
access-list dmz_in extended permit tcp any host 192.168.105.54 eq 2222
Allow mail-ext2 to access SQL (note that 105.18 is sql-old, which is now obsolete and can be removed), and also https on secure.chem.byu.edu:
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 5432
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 5432
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.43 eq https
Allow mail-ext1 to access mail-related ports on mail-int:
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq imap4
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq pop3
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 995
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 993
Allow www.chem.byu.edu to access mail-related ports on mail-int. This could be for web-based e-mail apps to work, or just for apps to be able to send e-mail:
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq imap4
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq pop3
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 995
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 993
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq smtp
Allow www.chem.byu.edu to ssh into vm3? Might be an obsolete entry from before virtualization:
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.62 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.52 any eq domain
access-list dmz_in extended permit tcp host 192.168.200.57 any eq domain
access-list dmz_in extended permit udp host 192.168.200.52 any eq domain
access-list dmz_in extended permit udp host 192.168.200.57 any eq domain
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq 993
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq 995
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq imap4
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq pop3
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.90 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.90 eq 5432
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.12 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.12 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.12 any eq 2703
access-list dmz_in extended permit tcp host 192.168.200.12 any eq domain
access-list dmz_in extended permit tcp host 192.168.200.12 any eq ident
access-list dmz_in extended permit tcp host 192.168.200.12 any eq smtp
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq www
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq www
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq https
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq https
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.56 eq www
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.82 eq pop3
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.82 eq imap4
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.82 eq 993
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.82 eq 995
access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.111.26 eq 9100
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.12 eq https
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.43 eq www
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.43 eq https
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.43 eq 8080
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.43 eq 8180
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.18 eq 3306 inactive
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.19 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.18 eq 5432 inactive
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.19 eq 5432
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.56 eq www
access-list dmz_in extended permit tcp host 192.168.200.55 any eq www
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.12 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.52 any eq www
access-list dmz_in extended permit tcp host 192.168.200.54 host 192.168.105.18 eq 3306 inactive
access-list dmz_in extended permit tcp host 192.168.200.54 host 192.168.105.19 eq 3306
access-list dmz_in extended permit udp any host 192.168.105.11 eq domain
access-list dmz_in extended permit udp any host 192.168.105.65 eq domain
access-list dmz_in extended permit udp any host 192.168.105.64 eq domain
access-list dmz_in extended permit udp any host 192.168.105.63 eq domain
access-list dmz_in extended permit udp any host 192.168.105.62 eq domain
access-list dmz_in extended permit udp any host 192.168.105.61 eq domain
access-list dmz_in extended permit udp any host 192.168.105.60 eq domain
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.12 eq ssh
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.38 eq 993
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.38 eq 995
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.38 eq imap4
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.38 eq pop3
access-list dmz_in extended permit tcp host 192.168.200.60 host 192.168.105.18 eq 3306 inactive
access-list dmz_in extended permit tcp host 192.168.200.60 host 192.168.105.19 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.83 eq imap4
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.83 eq pop3
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.83 eq imap4
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.83 eq pop3
access-list dmz_in extended permit tcp any host 192.168.105.12 eq 88
access-list dmz_in extended permit udp any host 192.168.105.12 eq 88
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq 8877
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq 8878
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.12 eq 8877
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.12 eq 8878
access-list dmz_in extended permit tcp host 192.168.200.61 host 192.168.105.18 eq 3306 inactive
access-list dmz_in extended permit tcp host 192.168.200.61 host 192.168.105.19 eq 3306
access-list dmz_in extended permit tcp any host 192.168.105.85 eq ssh
access-list dmz_in remark Rules for "archiver," a server for a graduate student in Dr. Prince's lab.
access-list dmz_in extended permit tcp host 192.168.200.56 any eq www
access-list dmz_in remark Rules for "archiver," a server for a graduate student in Dr. Prince's lab.
access-list dmz_in extended permit tcp host 192.168.200.56 any eq https
access-list dmz_in extended permit tcp host 192.168.200.57 any eq www
access-list dmz_in extended permit tcp host 192.168.200.57 any eq https
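Most of the ''dmz_in'' notes above come down to the same few questions: does the rule still point at a host that has been retired (sql-old, www-old, the LDAP/Kerberos addresses that no longer answer), has it been left ''inactive'' rather than deleted, and is it a blanket permit. The following Python script is an added example, not tooling from this wiki or the department, that answers those questions mechanically over config text in the form shown on this page. The ''DECOMMISSIONED'' set is an assumption assembled from the notes above and should be edited before running it against a real export; ''SAMPLE_CONFIG'' is a constructed sample made of lines copied from this page.

```python
"""Added example: audit ASA `name` and `access-list ... extended` lines of
the form shown on this page.  Not part of the wiki page or the department's
own tooling.  Reports rules touching decommissioned hosts, rules carried
as `inactive`, and permit-any-to-any rules, with symbolic names attached."""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the config on this page.
SAMPLE_CONFIG = """\
name 192.168.105.12 Admin
name 192.168.105.18 SQL
name 192.168.105.19 sql_rhel6 description RHEL 6 MySQL/Postgres server.
name 192.168.200.50 www_ext
name 192.168.200.52 www_rhel5 description RHEL 5 external webserver.
access-list dmz_in extended permit tcp any host 192.168.105.36 eq ldap
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8080
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.19 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.18 eq 3306 inactive
access-list dmz_in extended permit tcp any host 192.168.105.12 eq 3128
access-list dmz_in extended permit icmp any any
"""

# Assumption drawn from the notes on this page: hosts that are gone, or that
# never ran the service the rule permits.  Edit before use on a real export.
DECOMMISSIONED = {
    "192.168.105.18",   # sql-old
    "192.168.200.50",   # www-old (www_ext)
    "192.168.105.36",   # ns1 alias; no LDAP or Kerberos served there
    "192.168.105.45", "192.168.105.50", "192.168.101.150", "192.168.105.58",
}

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# Endpoint forms used on this page: any, host X, network mask, object-group G.
ENDPOINT = rf"any|host {IPV4}|{IPV4} {IPV4}|object-group \S+"
ACE_RE = re.compile(
    rf"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) "
    rf"(?P<proto>object-group \S+|\S+) (?P<src>{ENDPOINT}) (?P<dst>{ENDPOINT})"
    r"(?: eq (?P<port>\S+))?(?P<inactive> inactive)?$"
)
NAME_RE = re.compile(r"^name (?P<ip>\S+) (?P<name>\S+)")


def parse(config_text):
    """Return (ip->name map, parsed ACE dicts, ACE lines the regex rejected)."""
    names, aces, skipped = {}, [], []
    for line in config_text.splitlines():
        line = line.strip()
        m = NAME_RE.match(line)
        if m:
            names[m["ip"]] = m["name"]
            continue
        if not line.startswith("access-list") or " remark " in line:
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append(m.groupdict())
        else:
            skipped.append(line)   # e.g. icmp subtypes; review these by hand
    return names, aces, skipped


def host_of(endpoint):
    """IP of a `host x.x.x.x` endpoint, or None for any/network/object-group."""
    return endpoint.split()[1] if endpoint.startswith("host ") else None


def describe(ace, names):
    """Render an ACE, adding the symbolic name wherever the config defines one."""
    def label(endpoint):
        ip = host_of(endpoint)
        return f"{endpoint} ({names[ip]})" if ip in names else endpoint
    port = f" eq {ace['port']}" if ace["port"] else ""
    return (f"{ace['acl']} {ace['action']} {ace['proto']} "
            f"{label(ace['src'])} -> {label(ace['dst'])}{port}")


def audit(config_text, decommissioned=DECOMMISSIONED):
    """Group suspect ACEs by finding type; 'unparsed' lists lines to check by hand."""
    names, aces, skipped = parse(config_text)
    findings = defaultdict(list)
    for ace in aces:
        text = describe(ace, names)
        if host_of(ace["src"]) in decommissioned or host_of(ace["dst"]) in decommissioned:
            findings["stale_host"].append(text)
        if ace["inactive"]:
            findings["inactive"].append(text)
        if ace["action"] == "permit" and ace["src"] == ace["dst"] == "any":
            findings["any_to_any"].append(text)
    findings["unparsed"] = skipped
    return dict(findings)


if __name__ == "__main__":
    for kind, rules in audit(SAMPLE_CONFIG).items():
        print(f"== {kind} ({len(rules)})")
        for rule in rules:
            print("  ", rule)
```

On the sample it flags three rules for stale hosts (the ldap rule to 105.36, the www-old source, and the inactive sql-old rule), one inactive rule, and the ''icmp any any'' permit. Feed it the whole export pulled over tftp and the ''stale_host'' list is the delete list the notes above work out by hand; anything in ''unparsed'' (such as ''icmp any any echo-reply'') is a form the regex does not cover and should be read directly.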
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list outside_in remark Block access From C&C Server
access-list outside_in extended deny ip host 208.73.210.29 any
access-list outside_in remark Block access to a Trojan.VBCrypt's C&C server.
access-list outside_in extended deny ip host 50.17.199.47 any
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny ip host 121.14.231.53 any
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny ip host 121.14.231.54 any
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny ip host 121.14.231.55 any
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny ip host 121.14.231.72 any
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny object-group TCPUDP host 121.14.231.53 any
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny object-group TCPUDP host 121.14.231.54 any
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny object-group TCPUDP host 121.14.231.55 any
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny object-group TCPUDP host 121.14.231.72 any
access-list outside_in remark Pass through for Life Sciences' webcam.
access-list outside_in extended permit tcp host 128.187.102.173 host 128.187.3.50 eq 8080
access-list outside_in remark Pass through for Life Sciences' webcam.
access-list outside_in extended permit tcp host 128.187.102.173 host 128.187.3.50 eq 8888
access-list outside_in remark Pass through from Garrett's home machine to Life Sciences' webcam.
access-list outside_in extended permit tcp host 69.169.159.33 host 128.187.3.50 eq 8080
access-list outside_in remark Pass through from Garrett's home machine to Life Sciences' webcam.
access-list outside_in extended permit tcp host 69.169.159.33 host 128.187.3.50 eq 8888
access-list outside_in extended permit tcp any host 128.187.3.6 eq ftp
access-list outside_in extended permit tcp any host 128.187.3.6 eq ssh
access-list outside_in extended permit tcp any host 128.187.3.6 eq telnet
access-list outside_in extended permit tcp any host 128.187.3.5 eq smtp
access-list outside_in extended permit tcp any host 128.187.3.5 eq domain
access-list outside_in extended permit tcp any host 128.187.3.5 eq www
access-list outside_in extended permit tcp any host 128.187.3.5 eq pop3
access-list outside_in extended permit tcp any host 128.187.3.5 eq imap4
access-list outside_in extended permit tcp any host 128.187.3.5 eq 993
access-list outside_in extended permit tcp any host 128.187.3.5 eq 995
access-list outside_in extended permit udp any host 128.187.3.5 eq domain
access-list outside_in extended permit tcp any host 128.187.3.7 eq www
access-list outside_in extended permit tcp any host 128.187.3.7 eq https
access-list outside_in extended permit tcp any host 128.187.3.7 eq 8080
access-list outside_in extended permit tcp any host 128.187.3.9 eq www
access-list outside_in extended permit tcp any host 128.187.3.9 eq https
access-list outside_in extended permit tcp any host 128.187.3.9 eq 8080
access-list outside_in extended permit tcp any host 128.187.3.10 eq www
access-list outside_in extended permit tcp any host 128.187.3.10 eq 8080
access-list outside_in extended permit tcp any host 128.187.3.10 eq https
access-list outside_in extended permit tcp any host 128.187.3.11 eq www
access-list outside_in extended permit tcp any host 128.187.3.11 eq 8080
access-list outside_in extended permit tcp any host 128.187.3.11 eq https
access-list outside_in extended permit tcp any host 128.187.3.12 eq www
access-list outside_in extended permit tcp any host 128.187.3.12 eq 8080
access-list outside_in extended permit tcp any host 128.187.3.12 eq https
access-list outside_in extended permit tcp any host 128.187.3.8 eq www
access-list outside_in extended permit tcp any host 128.187.3.8 eq https
access-list outside_in extended permit icmp any host 128.187.3.6
access-list outside_in extended permit icmp any host 128.187.3.5
access-list outside_in extended permit icmp any host 128.187.3.7
access-list outside_in extended permit icmp any host 128.187.3.8
access-list outside_in extended permit icmp any host 128.187.3.9
access-list outside_in extended permit icmp any host 128.187.3.10
access-list outside_in extended permit icmp any host 128.187.3.11
access-list outside_in extended permit icmp any host 128.187.3.12
access-list outside_in extended permit icmp any host 128.187.3.13
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 128.187.3.5 eq https
access-list outside_in extended permit tcp any host 128.187.3.5 eq 465
access-list outside_in extended permit icmp any host 128.187.3.14
access-list outside_in extended permit tcp any host 128.187.3.14 eq www
access-list outside_in extended permit tcp any host 128.187.3.14 eq ssh
access-list outside_in extended permit icmp any host 128.187.3.4
access-list outside_in extended permit tcp any host 128.187.3.4 eq 9999
access-list outside_in extended permit tcp any host 128.187.3.14 eq 3389
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 128.187.3.9 eq smtp
access-list outside_in extended permit tcp any host 128.187.3.9 eq 8181
access-list outside_in extended permit tcp any host 128.187.3.4 eq 9002
access-list outside_in extended permit tcp any host 128.187.3.4 eq 9003
access-list outside_in extended permit tcp any host 128.187.3.4 eq 9005
access-list outside_in extended permit tcp any host 128.187.3.9 eq pop3
access-list outside_in extended permit tcp any host 128.187.3.9 eq imap4
access-list outside_in extended permit tcp any host 128.187.3.9 eq 993
access-list outside_in extended permit tcp any host 128.187.3.9 eq 995
access-list outside_in extended permit tcp any host 128.187.3.15 eq 465
access-list outside_in extended permit tcp any host 128.187.3.15 eq 993
access-list outside_in extended permit tcp any host 128.187.3.15 eq 995
access-list outside_in extended permit tcp any host 128.187.3.15 eq domain
access-list outside_in extended permit tcp any host 128.187.3.15 eq imap4
access-list outside_in extended permit tcp any host 128.187.3.15 eq pop3
access-list outside_in extended permit tcp any host 128.187.3.15 eq smtp
access-list outside_in extended permit tcp any host 128.187.3.15 eq www
access-list outside_in extended permit tcp any host 128.187.3.15 eq https
access-list outside_in extended permit udp any host 128.187.3.15 eq domain
access-list outside_in extended permit ip any object-group MULTICAST_GROUPS
access-list outside_in extended permit tcp any host 128.187.3.6 eq 5500
access-list outside_in remark Xirrus Wireless Access Point to Radius Server
access-list outside_in extended permit udp host 10.3.92.253 host 128.187.3.5 eq 1812
access-list outside_in remark Xirrus Wireless Access Point to Radius Server
access-list outside_in extended permit udp host 10.3.92.253 host 128.187.3.5 eq 1813
access-list outside_in remark Xirrus Wireless Access Point to Radius Server
access-list outside_in extended permit udp host 10.3.92.253 host 128.187.3.15 eq 1812
access-list outside_in remark Xirrus Wireless Access Point to Radius Server
access-list outside_in extended permit udp host 10.3.92.253 host 128.187.3.15 eq 1813
access-list outside_in extended permit udp host 10.23.7.18 host 128.187.3.5 eq 1812
access-list outside_in extended permit udp host 10.23.7.18 host 128.187.3.15 eq 1812
access-list outside_in extended permit udp host 10.23.7.19 host 128.187.3.5 eq 1812
access-list outside_in extended permit udp host 10.23.7.19 host 128.187.3.15 eq 1812
access-list outside_in extended permit udp host 10.23.7.20 host 128.187.3.5 eq 1812
access-list outside_in extended permit udp host 10.23.7.20 host 128.187.3.15 eq 1812
access-list outside_in extended permit udp host 10.23.7.21 host 128.187.3.5 eq 1812
access-list outside_in extended permit udp host 10.23.7.21 host 128.187.3.15 eq 1812
access-list outside_in extended permit udp host 10.23.8.2 host 128.187.3.5 eq 1812
access-list outside_in extended permit udp host 10.23.8.2 host 128.187.3.5 eq 1813
access-list outside_in extended permit udp host 10.23.8.2 host 128.187.3.15 eq 1812
access-list outside_in extended permit udp host 10.23.8.2 host 128.187.3.15 eq 1813
access-list outside_in extended permit udp host 10.23.8.251 host 128.187.3.5 eq 1812
access-list outside_in extended permit udp host 10.23.8.251 host 128.187.3.5 eq 1813
access-list outside_in extended permit udp host 10.23.8.251 host 128.187.3.15 eq 1812
access-list outside_in extended permit udp host 10.23.8.251 host 128.187.3.15 eq 1813
access-list outside_in extended permit tcp 128.187.0.0 255.255.0.0 host 128.187.3.12 eq ssh
access-list outside_in extended permit tcp 10.0.0.0 255.0.0.0 host 128.187.3.12 eq ssh
access-list outside_in extended permit tcp any host 128.187.3.5 eq 3210
access-list outside_in extended permit tcp any host 128.187.3.15 eq 3210
access-list outside_in extended permit tcp any host 128.187.3.9 eq 1443
access-list outside_in extended permit tcp any host 128.187.3.5 eq 587
access-list outside_in extended permit tcp any host 128.187.3.115 eq 587
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.100.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.101.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.102.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.103.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.104.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.105.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.200.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list VPN-BYU-NETS-SPLIT extended permit ip 10.8.0.0 255.255.0.0 192.168.108.0 255.255.255.0
access-list VPN-BYU-NETS-SPLIT extended permit ip 10.0.0.0 255.0.0.0 192.168.108.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.101.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.102.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.103.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.104.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.105.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.200.0 255.255.255.0 192.168.108.0 255.255.255.0
access-list NO-NAT extended permit ip 10.8.0.0 255.255.0.0 192.168.108.0 255.255.255.0
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 192.168.108.0 255.255.255.0
access-list inside_access_in remark Possible compromised machine registered to Daniel Austin.
access-list inside_access_in extended deny ip host 192.168.102.81 any
access-list inside_access_in remark Block access to C&C Server
access-list inside_access_in extended deny ip any host 208.73.210.29
access-list inside_access_in remark Block access to a Trojan.VBCrypt's C&C server.
access-list inside_access_in extended deny ip any host 50.17.199.47
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny ip any host 121.14.231.53
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny ip any host 121.14.231.54
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny ip any host 121.14.231.55
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny ip any host 121.14.231.72
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny object-group TCPUDP any host 121.14.231.53
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny object-group TCPUDP any host 121.14.231.54
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny object-group TCPUDP any host 121.14.231.55
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny object-group TCPUDP any host 121.14.231.72
access-list inside_access_in remark Allow CSR access to software.byu.edu.
access-list inside_access_in extended permit ip 192.168.105.0 255.255.255.0 host 128.187.16.167 inactive
access-list inside_access_in remark Deny access to software.byu.edu.
access-list inside_access_in extended deny ip any host 128.187.16.167 inactive
access-list inside_access_in extended permit ip any host 128.187.16.167
access-list inside_access_in extended permit ip any 192.168.200.0 255.255.255.0
access-list inside_access_in extended permit tcp any 192.168.200.0 255.255.255.0 eq ssh inactive
access-list inside_access_in extended permit tcp any 192.168.200.0 255.255.255.0 eq www inactive
access-list inside_access_in extended permit tcp any 192.168.200.0 255.255.255.0 eq https inactive
access-list inside_access_in extended permit tcp any 128.187.0.0 255.255.0.0 eq hostname inactive
access-list inside_access_in extended permit tcp host 192.168.105.10 10.8.0.0 255.255.0.0 inactive
access-list inside_access_in extended permit ip any any
access-list public_access_in extended permit object-group TCPUDP any any eq www
access-list public_access_in extended permit tcp any any eq https
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging monitor informational
logging buffered informational
logging history informational
logging asdm informational
logging host inside 192.168.105.12
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool VPN-POOL 192.168.108.1-192.168.108.254
failover
failover lan unit primary
failover lan interface FAIL Management0/0
failover link FAIL Management0/0
failover interface ip FAIL 192.168.254.1 255.255.255.0 standby 192.168.254.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
global (outside) 1 128.187.3.17-128.187.3.29
global (outside) 1 128.187.3.30
nat (outside) 0 access-list NO-NAT
nat (outside) 1 192.168.108.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
nat (inside) 1 192.168.0.0 255.255.128.0
nat (dmz) 0 access-list NO-NAT
static (dmz,outside) 128.187.3.5 192.168.200.10 netmask 255.255.255.255
static (dmz,outside) 128.187.3.4 192.168.200.100 netmask 255.255.255.255
static (dmz,outside) 128.187.3.6 192.168.200.6 netmask 255.255.255.255
static (dmz,outside) 128.187.3.8 192.168.200.51 netmask 255.255.255.255
static (dmz,outside) 128.187.3.9 192.168.200.52 netmask 255.255.255.255
static (dmz,outside) 128.187.3.10 192.168.200.53 netmask 255.255.255.255
static (dmz,outside) 128.187.3.11 192.168.200.54 netmask 255.255.255.255
static (dmz,outside) 128.187.3.12 192.168.200.55 netmask 255.255.255.255
static (dmz,outside) 128.187.3.13 192.168.200.56 netmask 255.255.255.255
static (inside,dmz) 192.168.105.0 192.168.105.0 netmask 255.255.255.0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside,dmz) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (inside,dmz) 192.168.102.0 192.168.102.0 netmask 255.255.255.0
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
static (inside,dmz) 192.168.104.0 192.168.104.0 netmask 255.255.255.0
static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.252.0
static (inside,dmz) 192.168.122.0 192.168.122.0 netmask 255.255.255.0
static (inside,dmz) 192.168.111.0 192.168.111.0 netmask 255.255.255.0
static (inside,outside) 128.187.3.50 192.168.102.26 netmask 255.255.255.255
static (dmz,outside) 128.187.3.14 192.168.200.57 netmask 255.255.255.255
static (dmz,outside) 128.187.3.15 192.168.200.12 netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_in in interface dmz
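An added audit helper, constructed for these notes and not part of the original config or of any Cisco tooling: it parses the `access-list ... extended` and `static (...,outside)` lines above into records, maps each active `outside_in` permit onto the DMZ host behind the static translation, and lists the active permits whose source and destination are both `any`. The embedded sample quotes a few lines from the config above; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines quoted from the config above.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 128.187.3.12 eq www
access-list outside_in extended permit tcp any host 128.187.3.12 eq https
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp 128.187.0.0 255.255.0.0 host 128.187.3.12 eq ssh
access-list outside_in extended permit ip any object-group MULTICAST_GROUPS
access-list inside_access_in remark Block access to C&C Server
access-list inside_access_in extended deny ip any host 208.73.210.29
access-list inside_access_in extended deny ip any host 128.187.16.167 inactive
access-list inside_access_in extended permit ip any any
access-list public_access_in extended permit object-group TCPUDP any any eq www
static (dmz,outside) 128.187.3.5 192.168.200.10 netmask 255.255.255.255
static (dmz,outside) 128.187.3.12 192.168.200.55 netmask 255.255.255.255
static (inside,dmz) 192.168.105.0 192.168.105.0 netmask 255.255.255.0
"""

# ASA 8.2 extended ACE: action, protocol (or service object-group), then
# source/destination address specs, an optional "eq PORT", and an
# optional trailing "inactive" keyword.
ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.+?)(?P<inactive> inactive)?$"
)
# Pre-8.3 static NAT: static (real_if,mapped_if) MAPPED REAL netmask MASK
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>\S+) "
    r"(?P<real>\S+) netmask (?P<mask>\S+)$"
)


def _take_addr(tokens):
    """Consume one ASA address spec: any | host A | A MASK | object-group NAME."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return tokens.pop(0)
    if t == "object-group":
        return "object-group " + tokens.pop(0)
    return f"{t}/{tokens.pop(0)}"  # network followed by its mask


def parse_acl(line):
    """Parse one extended ACE into a dict; remarks and non-ACL lines give None."""
    m = ACL_RE.match(line)
    if not m:
        return None
    proto, tokens = m.group("proto"), m.group("rest").split()
    if proto == "object-group":  # service object-group such as TCPUDP
        proto = "object-group " + tokens.pop(0)
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    port = tokens[1] if tokens[:1] == ["eq"] else None
    return {"acl": m.group("acl"), "action": m.group("action"), "proto": proto,
            "src": src, "dst": dst, "port": port,
            "inactive": m.group("inactive") is not None}


def parse_config(text):
    """Split a config excerpt into a list of ACE dicts and a list of static dicts."""
    acls, statics = [], []
    for raw in text.splitlines():
        line = raw.strip()
        rule = parse_acl(line)
        if rule:
            acls.append(rule)
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
    return acls, statics


def exposure_report(acls, statics, acl_name="outside_in"):
    """Map each active permit in the outside ACL onto the DMZ host behind its /32 static.

    Returns {real_host: sorted [(proto, port or '*', source), ...]}.
    """
    mapped_to_real = {s["mapped"]: s["real"] for s in statics
                      if s["mapped_if"] == "outside" and s["mask"] == "255.255.255.255"}
    report = defaultdict(set)
    for r in acls:
        if r["acl"] != acl_name or r["action"] != "permit" or r["inactive"]:
            continue
        real = mapped_to_real.get(r["dst"])
        if real:
            report[real].add((r["proto"], r["port"] or "*", r["src"]))
    return {host: sorted(svcs) for host, svcs in report.items()}


def broad_permits(acls):
    """Active permits with neither a source nor a destination restriction."""
    return [r for r in acls if r["action"] == "permit" and not r["inactive"]
            and r["src"] == "any" and r["dst"] == "any"]


if __name__ == "__main__":
    acls, statics = parse_config(SAMPLE_CONFIG)
    for host, svcs in exposure_report(acls, statics).items():
        print(host, svcs)
    for r in broad_permits(acls):
        print("any-to-any permit:", r["acl"], r["proto"], r["port"] or "")
```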
route outside 0.0.0.0 0.0.0.0 128.187.3.1 1
route inside 192.168.4.0 255.255.252.0 192.168.106.1 1
route inside 192.168.100.0 255.255.255.0 192.168.106.1 1
route inside 192.168.101.0 255.255.255.0 192.168.106.1 1
route inside 192.168.102.0 255.255.255.0 192.168.106.1 1
route inside 192.168.103.0 255.255.255.0 192.168.106.1 1
route inside 192.168.104.0 255.255.255.0 192.168.106.1 1
route inside 192.168.105.0 255.255.255.0 192.168.106.1 1
route inside 192.168.111.0 255.255.255.0 192.168.106.1 1
route inside 192.168.122.0 255.255.255.0 192.168.106.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS-VPN protocol radius
aaa-server RADIUS-VPN (inside) host 192.168.105.12
key chemistry
authentication-port 1812
accounting-port 1813
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication secure-http-client
http server enable
http 192.168.106.0 255.255.255.0 inside
http 192.168.105.0 255.255.255.0 inside
http 174.52.36.203 255.255.255.255 outside
http redirect outside 80
snmp-server host inside 192.168.105.12 community chemistry
snmp-server location ServerRoom
snmp-server contact Chemistry CSRs
snmp-server community chemistry
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-VPN-MAP 100 set transform-set ESP-AES-256-SHA ESP-AES-SHA ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint firewall_internal_digicert
keypair firewall_internal_digicert
no client-types
crl configure
crypto ca trustpoint chemca
enrollment terminal
crl configure
crypto ca trustpoint testing
subject-name CN=vpn.chem.byu.edu
keypair testing
crl configure
crypto ca trustpoint chemca_vpncert
enrollment terminal
subject-name CN=vpn.chem.byu.edu
crl configure
crypto ca trustpoint DigiCertCA
enrollment terminal
crl configure
crypto ca trustpoint DigiCertCA-RGTest
enrollment terminal
no client-types
crl configure
crypto ca trustpoint DigiCertCA2-RGTest
enrollment terminal
crl configure
crypto ca certificate chain firewall_internal_digicert
certificate 0ea54a4ad3a54290a6ed9e79fc5e6697
quit
certificate ca 0851f959814145cabde024e212c9c20e
quit
crypto ca certificate chain chemca
certificate ca 01
quit
crypto ca certificate chain testing
certificate 0bbc6aa187164900bce4d1c645c3331a
quit
crypto ca certificate chain DigiCertCA
certificate ca 0851f959814145cabde024e212c9c20e
quit
crypto ca certificate chain DigiCertCA-RGTest
certificate ca 0851f959814145cabde024e212c9c20e
30820655 3082053d a0030201 02021008 51f95981 4145cabd e024e212 c9c20e30
0d06092a 864886f7 0d010105 0500306c 310b3009 06035504 06130255 53311530
13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077
77772e64 69676963 6572742e 636f6d31 2b302906 03550403 13224469 67694365
72742048 69676820 41737375 72616e63 65204556 20526f6f 74204341 301e170d
30373034 30333030 30303030 5a170d32 32303430 33303030 3030305a 3066310b
30090603 55040613 02555331 15301306 0355040a 130c4469 67694365 72742049
6e633119 30170603 55040b13 10777777 2e646967 69636572 742e636f 6d312530
23060355 0403131c 44696769 43657274 20486967 68204173 73757261 6e636520
43412d33 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
02820101 00bf610a 29101f5e fe343751 08f81efb 22ed61be 0b0d704c 50632675
15b94188 97b6f0a0 15bb0860 e042e805 29108736 8a2865a8 ef310774 6d36972f
28466604 c72a7926 7a99d58e c36d4fa0 5eadbc3d 91c2597b 5e366cc0 53cf0008
323e1064 58101369 c70cee9c 425100f9 0544ee24 ce7a1fed 8c11bd12 a8f315f4
1c7a3169 011ba7e6 5dc09a6c 7e099ee7 52444a10 3a23e49b b603afa8 9cb45b9f
d44bad92 8cceb511 2aaa3718 8db4c2b8 d85c068c f8ff23bd 355ed47c 3e7e830e
91960598 c3b21fe3 c865eba9 7b5da02c ccfc3cd9 6dedccfa 4b438cc9 d4b8a561
1cb240b6 2812dfb9 f85ffed3 b2c9ef3d b41e4b7c 1c4c9936 9e3debec a7685e1d
df676e5e fb020301 0001a382 02f73082 02f3300e 0603551d 0f0101ff 04040302
01863082 01c60603 551d2004 8201bd30 8201b930 8201b506 0b608648 0186fd6c
01030002 308201a4 303a0608 2b060105 05070201 162e6874 74703a2f 2f777777
2e646967 69636572 742e636f 6d2f7373 6c2d6370 732d7265 706f7369 746f7279
2e68746d 30820164 06082b06 01050507 02023082 01561e82 01520041 006e0079
00200075 00730065 0020006f 00660020 00740068 00690073 00200043 00650072
00740069 00660069 00630061 00740065 00200063 006f006e 00730074 00690074
00750074 00650073 00200061 00630063 00650070 00740061 006e0063 00650020
006f0066 00200074 00680065 00200044 00690067 00690043 00650072 00740020
00430050 002f0043 00500053 00200061 006e0064 00200074 00680065 00200052
0065006c 00790069 006e0067 00200050 00610072 00740079 00200041 00670072
00650065 006d0065 006e0074 00200077 00680069 00630068 0020006c 0069006d
00690074 0020006c 00690061 00620069 006c0069 00740079 00200061 006e0064
00200061 00720065 00200069 006e0063 006f0072 0070006f 00720061 00740065
00640020 00680065 00720065 0069006e 00200062 00790020 00720065 00660065
00720065 006e0063 0065002e 300f0603 551d1301 01ff0405 30030101 ff303406
082b0601 05050701 01042830 26302406 082b0601 05050730 01861868 7474703a
2f2f6f63 73702e64 69676963 6572742e 636f6d30 818f0603 551d1f04 81873081
843040a0 3ea03c86 3a687474 703a2f2f 63726c33 2e646967 69636572 742e636f
6d2f4469 67694365 72744869 67684173 73757261 6e636545 56526f6f 7443412e
63726c30 40a03ea0 3c863a68 7474703a 2f2f6372 6c342e64 69676963 6572742e
636f6d2f 44696769 43657274 48696768 41737375 72616e63 65455652 6f6f7443
412e6372 6c301f06 03551d23 04183016 8014b13e c36903f8 bf4701d4 98261a08
02ef6364 2bc3301d 0603551d 0e041604 1450ea73 89db29fb 108f9ee5 0120d4de
79994883 f7300d06 092a8648 86f70d01 01050500 03820101 005d4f84 f1a888d3
a3b2bc9c 6de52949 77e1e7d6 dca9d835 aec971dc e5dbdc9d 242190a6 cfb7011c
9bd45797 91d77516 a512d7b9 3d2e893d 39698ad6 3537f9f1 21c45b40 ad59a92f
5f3a0029 43277103 e4bd3032 55a6fe84 0e0b9b38 192c437c ac43bf75 31e5231c
4555b769 0891b5cf d7d5b15e ee9f94e4 d67ab918 c3b8d652 631c10ba 8b2f6d5d
cc0538f4 56056def 9eece861 360c144b 85145a0c 834f225c 59cb8c8a 71dafac5
108458cf 07eee390 c2f5f929 c75a2371 f959b464 2b88b0a7 36c79a20 61ebfa4e
b5ae6b1b e4e3ece2 d93c4149 a820a454 f5928dbb c0552004 a6d8b017 16cce3d0
c8b43de5 d984c6d3 f66e6d78 c97943e8 7a37ff5c 3549bfa1 c5
quit
crypto ca certificate chain DigiCertCA2-RGTest
certificate ca 428740a5
30820442 308203ab a0030201 02020442 8740a530 0d06092a 864886f7 0d010105
05003081 c3310b30 09060355 04061302 55533114 30120603 55040a13 0b456e74
72757374 2e6e6574 313b3039 06035504 0b133277 77772e65 6e747275 73742e6e
65742f43 50532069 6e636f72 702e2062 79207265 662e2028 6c696d69 7473206c
6961622e 29312530 23060355 040b131c 28632920 31393939 20456e74 72757374
2e6e6574 204c696d 69746564 313a3038 06035504 03133145 6e747275 73742e6e
65742053 65637572 65205365 72766572 20436572 74696669 63617469 6f6e2041
7574686f 72697479 301e170d 30363130 30313035 30303030 5a170d31 34303732
36313831 3531355a 306c310b 30090603 55040613 02555331 15301306 0355040a
130c4469 67694365 72742049 6e633119 30170603 55040b13 10777777 2e646967
69636572 742e636f 6d312b30 29060355 04031322 44696769 43657274 20486967
68204173 73757261 6e636520 45562052 6f6f7420 43413082 0122300d 06092a86
4886f70d 01010105 00038201 0f003082 010a0282 010100c6 cce573e6 fbd4bbe5
2d2d32a6 dfe5813f c9cd2549 b6712ac3 d5943467 a20a1cb0 5f69a640 b1c4b7b2
8fd098a4 a941593a d3dc94d6 3cdb7438 a44acc4d 2582f74a a5531238 eef3496d
71917e63 b6aba65f c3a484f8 4f6251be f8c5ecdb 3892e306 e508910c c4284155
fbcb5a89 157e71e8 35bf4d72 093dbe3a 38505b77 311b8db3 c724459a a7ac6d00
145a04b7 ba13eb51 0a984141 224e6561 87814150 a6795c89 de194a57 d52ee65d
1c532c7e 98cd1a06 16a46873 d0340413 5ca171d3 5a7c55db 5e64e137 87305604
e511b429 8012f179 3988a202 117c2766 b788b778 f2ca0aa8 38ab0a64 c2bf665d
9584c1a1 251e875d 1a500b20 12cc41bb 6e0b5138 b84bcb02 03010001 a3820113
3082010f 30120603 551d1301 01ff0408 30060101 ff020101 30270603 551d2504
20301e06 082b0601 05050703 0106082b 06010505 07030206 082b0601 05050703
04303306 082b0601 05050701 01042730 25302306 082b0601 05050730 01861768
7474703a 2f2f6f63 73702e65 6e747275 73742e6e 65743033 0603551d 1f042c30
2a3028a0 26a02486 22687474 703a2f2f 63726c2e 656e7472 7573742e 6e65742f
73657276 6572312e 63726c30 1d060355 1d0e0416 0414b13e c36903f8 bf4701d4
98261a08 02ef6364 2bc3300b 0603551d 0f040403 02010630 1f060355 1d230418
30168014 f0176213 553db3ff 0a006bfb 508497f3 ed62d01a 30190609 2a864886
f67d0741 00040c30 0a1b0456 372e3103 02008130 0d06092a 864886f7 0d010105
05000381 8100480e 2b6f2062 4c2893a3 243d58ab 21cf80f8 9a97906a 22ed5a7c
473699e7 798475ab 248f920a d56104ae c36a5cb2 ccd9e444 876fdb8f 3862f744
369dbabc 6e07c4d4 8de81fd1 0b60a3b5 9cce63be ed67dcf8 bade6ec9 25cb5bb5
9d76700b df4272f8 4f411164 a5d2eafc d5af11f4 1538679c 20a84b77 5a913242
32e785b3 df36
quit
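The hex blobs under each ''crypto ca certificate chain'' are DER-encoded certificates, and the chain names alone do not tell you what the box trusts. Decoding them shows that the ''DigiCertCA-RGTest'' blob is byte-for-byte the same DigiCert High Assurance CA-3 intermediate as the chain above it, and that the ''DigiCertCA2-RGTest'' blob is the DigiCert High Assurance EV Root cross-signed by Entrust.net, which is only valid until 2014-07-26. The script below is an added example, not part of these notes or any Cisco tooling: it embeds the leading hex lines of those two blobs exactly as they appear on this page (cut after the subject name, which is all a minimal DER walker needs), reports serial, signature algorithm, issuer, subject and validity for each, and lists which trust anchors have lapsed on a given date. The helper names (''parse_certificate_prefix'', ''expired_trust_anchors'') are this example's own.

```python
"""Identify the CA certificates an ASA trusts from its 'certificate ca' hex dumps.

Added example, not part of the firewall notes. Stdlib only. Only the leading bytes
of each blob (through the subject name) are needed; read_tlv reads tag/length
headers lazily and the outer SEQUENCE lengths, which point past the truncated
input, are never dereferenced.
"""
import re
from datetime import datetime, timezone

# Leading hex lines of the two 'certificate ca' blobs as they appear on this page
# (DigiCertCA-RGTest and DigiCertCA2-RGTest), cut after the subject name.
DIGICERT_CA3_PREFIX = """
30820655 3082053d a0030201 02021008 51f95981 4145cabd e024e212 c9c20e30
0d06092a 864886f7 0d010105 0500306c 310b3009 06035504 06130255 53311530
13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077
77772e64 69676963 6572742e 636f6d31 2b302906 03550403 13224469 67694365
72742048 69676820 41737375 72616e63 65204556 20526f6f 74204341 301e170d
30373034 30333030 30303030 5a170d32 32303430 33303030 3030305a 3066310b
30090603 55040613 02555331 15301306 0355040a 130c4469 67694365 72742049
6e633119 30170603 55040b13 10777777 2e646967 69636572 742e636f 6d312530
23060355 0403131c 44696769 43657274 20486967 68204173 73757261 6e636520
43412d33 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
"""
EV_ROOT_CROSS_PREFIX = """
30820442 308203ab a0030201 02020442 8740a530 0d06092a 864886f7 0d010105
05003081 c3310b30 09060355 04061302 55533114 30120603 55040a13 0b456e74
72757374 2e6e6574 313b3039 06035504 0b133277 77772e65 6e747275 73742e6e
65742f43 50532069 6e636f72 702e2062 79207265 662e2028 6c696d69 7473206c
6961622e 29312530 23060355 040b131c 28632920 31393939 20456e74 72757374
2e6e6574 204c696d 69746564 313a3038 06035504 03133145 6e747275 73742e6e
65742053 65637572 65205365 72766572 20436572 74696669 63617469 6f6e2041
7574686f 72697479 301e170d 30363130 30313035 30303030 5a170d31 34303732
36313831 3531355a 306c310b 30090603 55040613 02555331 15301306 0355040a
130c4469 67694365 72742049 6e633119 30170603 55040b13 10777777 2e646967
69636572 742e636f 6d312b30 29060355 04031322 44696769 43657274 20486967
68204173 73757261 6e636520 45562052 6f6f7420 43413082 0122300d 06092a86
"""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element at pos; value_end may lie
    beyond len(buf) for a truncated container, so only leaf values are sliced."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0   # first byte packs the first two arcs
    for b in raw[1:]:                          # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def decode_name(buf, start, end):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    parts, pos = [], start
    while pos < end:
        _, set_start, set_end = read_tlv(buf, pos)
        _, seq_start, _ = read_tlv(buf, set_start)
        _, oid_start, oid_end = read_tlv(buf, seq_start)
        _, val_start, val_end = read_tlv(buf, oid_end)
        oid = decode_oid(buf[oid_start:oid_end])
        parts.append(f"{OID_NAMES.get(oid, oid)}={buf[val_start:val_end].decode('utf-8')}")
        pos = set_end
    return ", ".join(parts)

def decode_time(tag, raw):                     # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_certificate_prefix(hex_dump):
    buf = bytes.fromhex(re.sub(r"\s+", "", hex_dump))
    _, pos, _ = read_tlv(buf, 0)               # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(buf, pos)             # tbsCertificate ::= SEQUENCE
    tag, v_start, v_end = read_tlv(buf, pos)
    version = 1
    if tag == 0xA0:                            # [0] EXPLICIT Version (absent for v1)
        _, i_start, i_end = read_tlv(buf, v_start)
        version, pos = int.from_bytes(buf[i_start:i_end], "big") + 1, v_end
    _, s_start, s_end = read_tlv(buf, pos)     # serialNumber INTEGER
    _, alg_start, alg_end = read_tlv(buf, s_end)      # signature AlgorithmIdentifier
    _, oid_start, oid_end = read_tlv(buf, alg_start)
    sig_oid = decode_oid(buf[oid_start:oid_end])
    _, iss_start, iss_end = read_tlv(buf, alg_end)    # issuer Name
    _, val_start, val_end = read_tlv(buf, iss_end)    # validity SEQUENCE
    nb_tag, nb_start, nb_end = read_tlv(buf, val_start)
    na_tag, na_start, na_end = read_tlv(buf, nb_end)
    _, sub_start, sub_end = read_tlv(buf, val_end)    # subject Name
    return {"version": version,
            "serial": buf[s_start:s_end].hex(),
            "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
            "issuer": decode_name(buf, iss_start, iss_end),
            "not_before": decode_time(nb_tag, buf[nb_start:nb_end]),
            "not_after": decode_time(na_tag, buf[na_start:na_end]),
            "subject": decode_name(buf, sub_start, sub_end)}

def expired_trust_anchors(hex_dumps, as_of):
    """Subjects of the given CA blobs whose validity has lapsed on as_of (YYYY-MM-DD)."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return [c["subject"] for c in map(parse_certificate_prefix, hex_dumps)
            if c["not_after"] < cutoff]
```

Run ''parse_certificate_prefix'' on each blob before deciding which trustpoint a ''ssl trust-point'' line should reference: the issuer reported for the CA-3 blob is exactly the subject of the cross-signed EV Root blob, so once the Entrust-signed cross certificate lapses the chain it anchors no longer validates even though both blobs remain in the config.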
crypto isakmp enable outside
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 5
remote-access threshold session-threshold-exceeded 25
telnet 192.168.105.0 255.255.255.0 inside
telnet 192.168.106.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 174.52.36.203 255.255.255.255 outside
ssh 192.168.105.0 255.255.255.0 inside
ssh 192.168.106.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.105.10
ntp server 192.43.244.18
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point DigiCertCA
ssl trust-point testing outside
ssl trust-point firewall_internal_digicert inside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-wince-ARMv4I-2.5.0217-k9.pkg 1 regex "Windows CE"
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 2 regex "Windows NT"
svc image disk0:/anyconnect-macosx-i386-2.5.0217-k9.pkg 3 regex "Intel Mac OS X"
svc image disk0:/anyconnect-linux-2.5.0217-k9.pkg 4 regex "Linux"
svc enable
group-policy DfltGrpPolicy attributes
wins-server value 192.168.105.10
dns-server value 192.168.105.10 192.168.105.11
vpn-tunnel-protocol IPSec svc
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-BYU-NETS-SPLIT
default-domain value chem.byu.edu
address-pools value VPN-POOL
username admin password FgibczyVGBcddWL6 encrypted privilege 15
username rgardner password VUYUqAgt9MbginSm encrypted privilege 15
username sivco password ppoI03NdjneYjuGd encrypted
username sivco attributes
service-type remote-access
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group RADIUS-VPN LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group RADIUS-VPN LOCAL
tunnel-group Faculty type remote-access
tunnel-group Faculty general-attributes
authentication-server-group RADIUS-VPN
tunnel-group Faculty ipsec-attributes
pre-shared-key facadmin
tunnel-group admin type remote-access
tunnel-group admin general-attributes
authentication-server-group RADIUS-VPN
tunnel-group admin ipsec-attributes
pre-shared-key cH3mAdM1n
tunnel-group cpmsdo type remote-access
tunnel-group cpmsdo general-attributes
authentication-server-group RADIUS-VPN
tunnel-group cpmsdo ipsec-attributes
pre-shared-key "An apple a day"
!
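The management-plane and VPN crypto settings above carry several points a reviewer would flag: telnet is enabled from the inside networks, ''ssh 0.0.0.0 0.0.0.0 inside'' makes the two narrower inside entries redundant, ''console timeout 0'' never expires a serial session, ISAKMP policy 40 still offers 3DES and policies 15 and 40 negotiate DH group 2, ''ssl encryption'' still lists ''3des-sha1'', and the IPsec pre-shared keys are stored in cleartext, so any export of the running config carries them. The linter below is an added example, not part of these notes or of any Cisco tool: it runs over a constructed excerpt that mirrors those sections (placeholder pre-shared-key values, and sub-commands indented by the single space ASA writes, which the linter uses to track blocks), and returns findings without ever copying a secret into its output. The rule names and ''lint_asa_config'' are this example's own.

```python
"""Flag management-plane and VPN-crypto weaknesses in an ASA running config.

Added example, not part of the firewall notes. Stdlib only. SAMPLE_CONFIG is a
constructed excerpt mirroring the 'crypto isakmp policy', 'telnet', 'ssh',
'console', 'ssl encryption' and 'tunnel-group ... ipsec-attributes' lines on
this page; the pre-shared-key values are placeholders.
"""
import re

SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.105.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.105.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
tunnel-group Faculty ipsec-attributes
 pre-shared-key placeholder-psk-1
tunnel-group cpmsdo ipsec-attributes
 pre-shared-key "placeholder psk 2"
"""

WEAK_ISAKMP_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2"}                        # 768- and 1024-bit MODP
WEAK_SSL_SUITES = {"des-sha1", "3des-sha1", "rc4-sha1", "rc4-md5"}

def lint_asa_config(text):
    """Return (line_number, rule, evidence) findings sorted by line.
    Secret values are never copied into the evidence string."""
    findings, policy, ipsec_group, ssh_lines = [], None, None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):                # top-level command: leave any block
            policy = ipsec_group = None
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            ipsec_group = m.group(1)
            continue
        if policy:                                 # inside 'crypto isakmp policy N'
            m = re.match(r"(encryption|hash|group) (\S+)$", line)
            if m and (m.group(1) == "encryption" and m.group(2) in WEAK_ISAKMP_CIPHERS
                      or m.group(1) == "hash" and m.group(2) == "md5"
                      or m.group(1) == "group" and m.group(2) in WEAK_DH_GROUPS):
                findings.append((n, f"isakmp-policy-{policy}-weak-{m.group(1)}", line))
            continue
        if ipsec_group and line.startswith("pre-shared-key"):
            findings.append((n, f"tunnel-group-{ipsec_group}-cleartext-psk",
                             "pre-shared-key <value withheld>"))
            continue
        if re.match(r"telnet \d", line):           # cleartext management protocol
            findings.append((n, "telnet-enabled", line))
        elif line == "console timeout 0":           # serial session never expires
            findings.append((n, "console-no-timeout", line))
        elif line.startswith("ssl encryption"):
            weak = [s for s in line.split()[2:] if s in WEAK_SSL_SUITES]
            if weak:
                findings.append((n, "ssl-weak-suites:" + ",".join(weak), line))
        else:
            m = re.match(r"ssh (\S+) (\S+) (\S+)$", line)   # ssh <addr> <mask> <iface>
            if m:
                ssh_lines.append((n, line, m.groups()))
    for n, line, (addr, mask, iface) in ssh_lines:
        if addr == mask == "0.0.0.0":               # any-source SSH on this interface
            shadowed = sum(1 for _, _, g in ssh_lines if g[2] == iface and g[0] != "0.0.0.0")
            findings.append((n, f"ssh-any-source-{iface}",
                             f"{line} (shadows {shadowed} narrower {iface} entries)"))
    return sorted(findings)

if __name__ == "__main__":
    for n, rule, evidence in lint_asa_config(SAMPLE_CONFIG):
        print(f"line {n}: {rule}: {evidence}")
```

Feed it the exported file rather than the sample to audit the real config; the evidence column is safe to paste into a ticket because pre-shared keys are reported by tunnel-group name only.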
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq snmp
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ip-options
inspect icmp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname priority state
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7c2abb046ce98aebff24c2e08a006762
: end