Michael Torrie's Personal Wiki

Firewall Notes

This document contains some notes on the current firewall configuration. The running firewall configuration can be exported over TFTP to admin.chem.byu.edu. First, on admin.chem.byu.edu, create the target file and make it writable:

touch /tftpboot/network/firewall
chmod a+rw /tftpboot/network/firewall

Then on the firewall, after running enable, enter:

write net 192.168.105.12:network/firewall

After the config is successfully written out, you will want to remove the excessive permissions on the file on admin.chem.byu.edu:

chmod go-rwx /tftpboot/network/firewall

If you want to reverse the process (load a saved configuration back onto the firewall), you must first make the file on admin.chem.byu.edu readable to the tftp server with chmod; then the firewall can pull it over tftp.

Firewall config and notes

: Saved
: Written by admin at 12:49:34.518 MDT Tue Aug 6 2013
!
ASA Version 8.2(3) 
!
hostname Chemfire
domain-name chem.byu.edu
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

Since we need to pass multicast traffic for Campus IPTV, multicast routing must be enabled:

multicast-routing

Several host names are set to make the rules a bit easier to understand and write. However, it appears there are some host names that are old and maybe obsolete:

no names
name 192.168.105.10 NS1
name 192.168.105.37 Celeborn
name 192.168.105.36 Galadriel
name 192.168.200.6 purgatory
name 192.168.103.0 net_103
name 192.168.200.50 www_ext
name 192.168.104.0 net_104
name 192.168.200.0 dmz_any
name 192.168.100.0 net_100
name 192.168.200.10 mail
name 192.168.105.0 net_105
name 192.168.105.18 SQL
name 192.168.101.0 net_101
name 192.168.105.12 Admin
name 192.168.102.0 net_102
name 192.168.200.100 camera
name 128.187.0.0 BYUnet_public
name 10.0.0.0 BYUNet_private
name 192.168.104.240 reg_240
name 192.168.101.240 reg_101
name 192.168.103.240 reg_103
name 192.168.100.240 reg_100
name 192.168.105.240 reg_105
name 192.168.100.51 nmrlab
name 192.168.102.240 reg_102
name 192.168.4.0 WirelessNet
name 192.168.105.16 ccs_int
name 192.168.200.51 ccs_ext
name 192.168.0.0 inside_any
name 192.168.200.53 chemmgmt_proxy
name 192.168.200.52 www_rhel5 description RHEL 5 external webserver.
name 192.168.105.43 secure_rhel5 description RHEL 5 internal webserver.
name 192.168.105.19 sql_rhel6 description RHEL 6 MySQL/Postgres server.
name 192.168.105.58 chemmgmt-server
name 192.168.105.75 pchem-server
name 192.168.200.56 archiver description Ubuntu server for grad student.
name 192.168.105.85 cortana
name 192.168.105.38 mail-int_rhel5 description RHEL 5 internal mail server.
name 192.168.200.12 mail-ext2
name 192.168.200.57 www_rhel6 description RHEL 6 external webserver.
!

Interfaces

Untrusted

The main, untrusted interface is Ethernet0/0. It is assigned an address that covers all the public IP addresses that we use in the department. The address is 128.187.3.3/25, which means it effectively has addresses 3 through 126. Some of these are NATed to DMZ addresses, and some are used in a pool for outbound communications.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 128.187.3.3 255.255.255.128 standby 128.187.3.2 
!

Trusted

The following interface is used to carry all traffic from the inside, or trusted network, to the outside world, the DMZ, or VPN hosts. It is not a VLAN trunk; it's just an access port on the core's 106 VLAN (??). The core has the address 192.168.106.1, and the firewall has the address 192.168.106.254 (with 192.168.106.253 as the backup, which becomes 106.254 when it comes into service).

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.106.254 255.255.255.0 standby 192.168.106.253 
!

DMZ

Although the DMZ is not an actual VLAN, the firewall defines a subnet for it and acts as a router for DMZ traffic.

interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description LAN/STATE Failover Interface
!

Campus IPTV defines a multicast rendezvous point that the firewall needs to know about:

pim rp-address 10.3.3.199 
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name chem.byu.edu
same-security-traffic permit intra-interface

Campus IPTV comes from several multicast addresses, which we group together to make the rules easier to write:

object-group network MULTICAST_GROUPS
 network-object host 239.226.16.1
 network-object host 239.226.16.2
 network-object host 239.226.16.4
 network-object host 239.226.16.7
 network-object host 239.226.16.8
 network-object host 239.226.16.5
 network-object host 239.226.16.16
 network-object host 239.226.16.6
 network-object host 239.226.16.17
 network-object host 239.226.16.21
 network-object host 239.226.16.22
 network-object host 239.226.16.3
 network-object host 239.226.16.12
 network-object host 239.226.16.13
 network-object host 239.226.16.9
 network-object host 239.226.16.14
 network-object host 239.226.16.19
 network-object host 239.226.16.18
 network-object host 239.226.16.10
 network-object host 239.226.16.11
 network-object host 239.226.16.15
 network-object host 239.226.16.20
 network-object host 239.226.16.23
 network-object host 239.226.16.24
 network-object host 239.226.16.25
 network-object host 239.226.16.26
 network-object host 239.226.16.27
 network-object host 239.226.16.28
 network-object host 239.226.16.29
 network-object host 239.226.16.30
 network-object host 239.226.16.31
 network-object host 239.226.16.32
 network-object host 239.226.16.33
 network-object host 239.226.16.34
 network-object host 239.226.16.37
 network-object host 239.226.16.35
 network-object host 239.226.16.36
 network-object host 239.226.16.38
 network-object host 239.226.16.39
 network-object host 239.226.16.40
 network-object host 239.226.16.41
 network-object host 239.226.16.42
 network-object host 239.226.16.43
 network-object host 239.226.16.44
 network-object host 239.226.16.45
 network-object host 239.226.16.46
 network-object host 239.226.255.0
 network-object host 239.226.255.1
 network-object host 239.226.255.2

For convenience, a protocol group is defined to let a rule be made for both a tcp and udp port in the same line.

object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

Access Control Rules

From the DMZ to the Trusted Network

The following lines appear to be obsolete. The IP addresses resolve to ns1 and ns2, but neither server hosts LDAP currently. And port 88 is a kerberos port. Kerberos is at kerberos.chem.byu.edu, which is really on admin.chem.byu.edu. So it appears these lines can be removed:

access-list dmz_in extended permit tcp any host 192.168.105.36 eq 88 
access-list dmz_in extended permit tcp any host 192.168.105.36 eq ldap 
access-list dmz_in extended permit tcp any host 192.168.105.36 eq ldaps 
access-list dmz_in extended permit tcp any host 192.168.105.37 eq ldap 
access-list dmz_in extended permit tcp any host 192.168.105.37 eq ldaps 

DNS and time servers need to be accessible from the DMZ:

access-list dmz_in extended permit udp any host 192.168.105.10 eq domain 
access-list dmz_in extended permit udp any host 192.168.105.10 eq ntp 
access-list dmz_in extended permit tcp any host 192.168.105.10 eq domain 

Purgatory may ssh or telnet into any trusted host:

access-list dmz_in extended permit tcp host 192.168.200.6 192.168.0.0 255.255.128.0 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.6 192.168.0.0 255.255.128.0 eq telnet 

The following rule was to allow a sysadmin to ssh into purgatory and forward web connections so that the vpn concentrator could be controlled via its web interface. The VPN concentrator is now part of this firewall, so this code is useless:

access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.108.6 eq www 
access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.108.6 eq https 

The following rule is obsolete too. It allowed a sysadmin to tunnel vnc through purgatory to the old Mac OS X Server celeborn which was on port 5900:

access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.105.36 eq 5900 

The following code allowed the old web server to proxy information from trusted web servers (ports 80, 443, 8080, 8180), and to access the SQL servers (port 3306 for mysql, 5432 for postgresql). This server was called www-old when the servers were changed to a split dmz/trusted arrangement, but it is no longer in service. Hence these rules should be removed, as 192.168.200.50 does not appear to be alive anymore:

access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.12 eq https 
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq www 
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq https 
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8080 
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8180 
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.18 eq 3306 
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.19 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.18 eq 5432 
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.19 eq 5432 

The following rules allow any DMZ host to access LDAP on a backup LDAP server, which is no longer in service, as near as I can tell. So they can be removed as well:

access-list dmz_in extended permit tcp any host 192.168.105.18 eq ldap 
access-list dmz_in extended permit tcp any host 192.168.105.18 eq ldaps 

Since DMZ hosts are not allowed to access the internet (though I'm unclear as to how this block was accomplished!), any updates with yum and redhat's update network have to be done through the squid http proxy on admin, so dmz hosts need access to squid. Note that this is a potential security problem, but at the time I deemed it an acceptable risk:

access-list dmz_in extended permit tcp any host 192.168.105.12 eq 3128 

mail-ext1 needs access to sql server(s). Currently only 192.168.105.19 is in use I think:

access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 5432 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 5432 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 3306 

Allow www.chem.byu.edu to access admin.chem.byu.edu via https (proxying), the SQL servers, and the web server on the internal mail server (for the purpose of controlling the mailing list, spam settings, etc). Any references to 192.168.105.18 (sql-old) can be removed. I notice that Garrett has already made some of them inactive, which is a good idea:

access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq https 
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.12 eq https inactive 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.18 eq 3306 inactive 
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.19 eq 3306 
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.19 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.18 eq 5432 inactive 
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.19 eq 5432 
access-list dmz_in remark New SQL
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.19 eq 5432 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq www 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq https 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8080 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8081 

Another obsolete line for www-old, which is dead:

access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8081 

Allow the DMZ hosts to ping anything in or out:

access-list dmz_in extended permit icmp any any

Allow mail-ext1 to reach any internal SMTP server, DNS, and the auth/ident port (113) on any trusted computer:

access-list dmz_in extended permit tcp host 192.168.200.10 any eq smtp 
access-list dmz_in extended permit tcp host 192.168.200.10 any eq domain 
access-list dmz_in extended permit tcp host 192.168.200.10 any eq ident 
access-list dmz_in extended permit udp host 192.168.200.10 any eq 113 
access-list dmz_in extended permit udp host 192.168.200.10 any eq domain 

Allow purgatory to ssh or ftp into any BYU machine, on its private or public network. Not sure what port 8500 is:

access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ftp 
access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq 8500 
access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ftp 

Allow www.chem.byu.edu to proxy web data from secure.chem.byu.edu:

access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq www 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq https 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8080 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8180 

Allow any DMZ host to access LDAP:

access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldap 
access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldaps 

Allow www.chem.byu.edu to ssh into admin. Not sure about this rule. It's possible that the code that generates door cards for faculty requires an ssh connection into admin to run inkscape to generate the pdf:

access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq ssh 

Allow any dmz host access to ldap at a host that no longer exists. This line can be removed:

access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldap 
access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldaps

Allow any dmz host access to kerberos. However this ip address (an alias for ns1) does not run a kerberos server; it's on admin. So this rule can be removed:

access-list dmz_in extended permit udp any host 192.168.105.36 eq 88 

Allow www to access web servers on secure.chem.byu.edu and pchem-server:

access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8081 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8009 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.75 eq www 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8010 

Allow DMZ hosts to access the backup ldap server, which is on printqueue:

access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldap 
access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldaps 

Allow DMZ hosts to access LDAP on 101.150, which may have been the old n175-serv file server. In any case, this address is not pinging and I believe that these entries can be removed:

access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldap 
access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldaps 

Allow mail and www to access sql on 192.168.105.90 which is molecule.chem.byu.edu. I don't know anything about this host:

access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 5432 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 5432 

Allow mail-ext1 to access https on secure.chem.byu.edu:

access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.43 eq https 

DMZ allowed to access kerberos and ldap on an obsolete host I think (address is now diskarray3). Should be removed:

access-list dmz_in extended permit udp any host 192.168.105.50 eq 88 
access-list dmz_in extended permit tcp any host 192.168.105.50 eq 88 
access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldap 
access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldaps 

Allows mail-ext1 to access tcp port 2703 on any trusted host… not sure why:

access-list dmz_in extended permit tcp host 192.168.200.10 any eq 2703 

Obsolete entry for www-old and tomcat again:

access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8181 

Allow www.chem.byu.edu to access various web-related ports on secure (for proxying) and mail-int (not sure?):

access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8181 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8181 

Allowed www to proxy various things from chemmgmt-server, which is no longer here. Remove:

access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq www 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq https 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8080 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8081 

Allow certain hosts to ssh into 192.168.0.0/17 (192.168.0.0 through 192.168.127.255)… No clue why this is in here. I'd say remove:

access-list dmz_in extended permit tcp host 192.168.200.60 192.168.0.0 255.255.128.0 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.62 192.168.0.0 255.255.128.0 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.61 192.168.0.0 255.255.128.0 eq ssh 

Remove reference to obsolete host:

access-list dmz_in extended permit tcp any host 192.168.105.54 eq 2222 

Allow mail-ext2 to access SQL (note that 105.18 is sql-old which is now obsolete and can be removed), and also the secure.chem.byu.edu https.

access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 5432 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 5432 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.43 eq https

Allow mail-ext1 to access mail-related ports on mail-int:

access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq imap4 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq pop3 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 995 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 993 

Allow www.chem.byu.edu to access mail-related ports on mail-int. This could be for web-based e-mail apps to work, or just for apps to be able to send e-mail.

access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq imap4 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq pop3 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 995 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 993 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq smtp
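
The review of the dmz_in rules above is done by hand, rule by rule. The following Python script is an added example (not code from this wiki page or from the Chemfire configuration) that parses lines in the ASA 8.2 `access-list ... extended` syntax used here and reports the two things the notes hunt for manually: rules that still name a host the notes call dead, and narrower permits that a broader permit in the same ACL already covers (for example, `permit tcp host 192.168.200.52 any eq www` makes the per-host www rules for that source redundant). The SAMPLE_CONFIG lines are copied from this page and OBSOLETE_HOSTS is the author's own www-old/sql-old list; the names `Rule`, `parse_rule`, `obsolete_rules` and `redundant_rules` are this example's, not the firewall's.

```python
"""Audit Cisco ASA 8.2 extended access-list rules.  Added example, not part of the wiki page
or the Chemfire config: it finds rules that still name dead hosts and permits shadowed by a
broader permit in the same ACL, using the 'access-list ... extended' syntax shown above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    acl: str
    action: str                 # permit | deny
    proto: str                  # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    svc: Optional[str]          # 'eq' port for tcp/udp, type for icmp; None = any
    inactive: bool
    text: str

def _endpoint(tokens):
    """Consume one endpoint: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_rule(line):
    """Parse one extended ACL line; None for remarks and object-group forms."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended" or "object-group" in tok:
        return None
    acl, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
    src, dst = _endpoint(rest), _endpoint(rest)
    svc, inactive = None, False
    while rest:
        t = rest.pop(0)
        if t == "eq" and rest:
            svc = rest.pop(0)           # compared as written ('www', '3306', ...)
        elif t == "inactive":
            inactive = True
        else:
            svc = t                     # icmp type such as echo-reply
    return Rule(acl, action, proto, src, dst, svc, inactive, line.strip())

def parse_config(cfg):
    """All parsable rules of a saved ASA configuration, in ACL order."""
    return [r for r in map(parse_rule, cfg.splitlines()) if r]

def obsolete_rules(rules, obsolete_hosts):
    """Rules, active or inactive, whose source or destination is a dead host."""
    dead = {ipaddress.ip_network(h + "/32") for h in obsolete_hosts}
    return [r for r in rules if r.src in dead or r.dst in dead]

def _covers(broad, narrow):
    """True if every packet matched by 'narrow' is also matched by 'broad'."""
    return (broad.proto in ("ip", narrow.proto) and broad.svc in (None, narrow.svc)
            and broad.src.supernet_of(narrow.src) and broad.dst.supernet_of(narrow.dst))

def redundant_rules(rules):
    """(narrow, broad) pairs of active permits in one ACL where broad covers narrow.
    ASA stops at the first match: an earlier broad permit makes the narrow one unreachable;
    a later one only makes it removable if no deny in between could catch the same traffic."""
    found = []
    for i, r in enumerate(rules):
        if r.inactive or r.action != "permit":
            continue
        for j, b in enumerate(rules):
            if j == i or b.inactive or b.action != "permit" or b.acl != r.acl:
                continue
            if not _covers(b, r) or (_covers(r, b) and j > i):  # exact duplicates: flag the later copy
                continue
            blocked = any(d.acl == r.acl and d.action == "deny" and d.proto in ("ip", r.proto)
                          and d.src.overlaps(r.src) and d.dst.overlaps(r.dst) for d in rules[i + 1:j])
            if not blocked:
                found.append((r, b))
                break
    return found

# Constructed sample: a few lines copied from the dmz_in and outside_in ACLs above.
SAMPLE_CONFIG = """\
access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq www
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.18 eq 3306 inactive
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.19 eq 3306
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq www
access-list dmz_in extended permit icmp any any
access-list dmz_in extended permit tcp host 192.168.200.52 any eq www
access-list outside_in extended permit icmp any host 128.187.3.7
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit ip any object-group MULTICAST_GROUPS
"""
# Hosts the notes above call dead: www-old (192.168.200.50) and sql-old (192.168.105.18).
OBSOLETE_HOSTS = {"192.168.200.50", "192.168.105.18"}
if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    print(*[f"OBSOLETE  {r.text}" for r in obsolete_rules(rules, OBSOLETE_HOSTS)], sep="\n")
    print(*[f"REDUNDANT {r.text} | covered by: {b.text}" for r, b in redundant_rules(rules)], sep="\n")
```

Run against a full `show running-config` export, the OBSOLETE_HOSTS set is the only input that needs editing; ports are compared exactly as the config writes them, so mixing `eq www` and `eq 80` for the same service would hide a redundancy.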

Allow www.chem.byu.edu to ssh into vm3? Might be an obsolete entry from before virtualization:

access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.62 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.52 any eq domain 
access-list dmz_in extended permit tcp host 192.168.200.57 any eq domain 
access-list dmz_in extended permit udp host 192.168.200.52 any eq domain 
access-list dmz_in extended permit udp host 192.168.200.57 any eq domain 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq 993 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq 995 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq imap4 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq pop3 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.90 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.90 eq 5432 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.12 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.12 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.12 any eq 2703 
access-list dmz_in extended permit tcp host 192.168.200.12 any eq domain 
access-list dmz_in extended permit tcp host 192.168.200.12 any eq ident 
access-list dmz_in extended permit tcp host 192.168.200.12 any eq smtp 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq www 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq www 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq https 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.38 eq https 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.56 eq www 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.82 eq pop3 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.82 eq imap4 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.82 eq 993 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.82 eq 995 
access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.111.26 eq 9100 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.12 eq https 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.43 eq www 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.43 eq https 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.43 eq 8080 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.43 eq 8180 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.18 eq 3306 inactive 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.19 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.18 eq 5432 inactive 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.19 eq 5432 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.56 eq www 
access-list dmz_in extended permit tcp host 192.168.200.55 any eq www 
access-list dmz_in extended permit tcp host 192.168.200.55 host 192.168.105.12 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.52 any eq www 
access-list dmz_in extended permit tcp host 192.168.200.54 host 192.168.105.18 eq 3306 inactive 
access-list dmz_in extended permit tcp host 192.168.200.54 host 192.168.105.19 eq 3306 
access-list dmz_in extended permit udp any host 192.168.105.11 eq domain 
access-list dmz_in extended permit udp any host 192.168.105.65 eq domain 
access-list dmz_in extended permit udp any host 192.168.105.64 eq domain 
access-list dmz_in extended permit udp any host 192.168.105.63 eq domain 
access-list dmz_in extended permit udp any host 192.168.105.62 eq domain 
access-list dmz_in extended permit udp any host 192.168.105.61 eq domain 
access-list dmz_in extended permit udp any host 192.168.105.60 eq domain 
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.12 eq ssh 
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.38 eq 993 
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.38 eq 995 
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.38 eq imap4 
access-list dmz_in extended permit tcp host 192.168.200.13 host 192.168.105.38 eq pop3 
access-list dmz_in extended permit tcp host 192.168.200.60 host 192.168.105.18 eq 3306 inactive 
access-list dmz_in extended permit tcp host 192.168.200.60 host 192.168.105.19 eq 3306 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.83 eq imap4 
access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.83 eq pop3 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.83 eq imap4 
access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.83 eq pop3 
access-list dmz_in extended permit tcp any host 192.168.105.12 eq 88 
access-list dmz_in extended permit udp any host 192.168.105.12 eq 88 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq 8877 
access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq 8878 
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.12 eq 8877 
access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.12 eq 8878 
access-list dmz_in extended permit tcp host 192.168.200.61 host 192.168.105.18 eq 3306 inactive 
access-list dmz_in extended permit tcp host 192.168.200.61 host 192.168.105.19 eq 3306 
access-list dmz_in extended permit tcp any host 192.168.105.85 eq ssh 
access-list dmz_in remark Rules for "archiver," a server for a graduate student in Dr. Prince's lab.
access-list dmz_in extended permit tcp host 192.168.200.56 any eq www 
access-list dmz_in remark Rules for "archiver," a server for a graduate student in Dr. Prince's lab.
access-list dmz_in extended permit tcp host 192.168.200.56 any eq https 
access-list dmz_in extended permit tcp host 192.168.200.57 any eq www 
access-list dmz_in extended permit tcp host 192.168.200.57 any eq https 
access-list inside_in extended permit icmp any any 
access-list inside_in extended permit ip any any 
access-list outside_in remark Block access From C&C Server
access-list outside_in extended deny ip host 208.73.210.29 any 
access-list outside_in remark Block access to a Trojan.VBCrypt's C&C server.
access-list outside_in extended deny ip host 50.17.199.47 any 
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny ip host 121.14.231.53 any 
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny ip host 121.14.231.54 any 
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny ip host 121.14.231.55 any 
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny ip host 121.14.231.72 any 
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny object-group TCPUDP host 121.14.231.53 any 
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny object-group TCPUDP host 121.14.231.54 any 
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny object-group TCPUDP host 121.14.231.55 any 
access-list outside_in remark Block access to a Trojan.Refroso's C&C server.
access-list outside_in extended deny object-group TCPUDP host 121.14.231.72 any 
access-list outside_in remark Pass through for Life Sciences' webcam.
access-list outside_in extended permit tcp host 128.187.102.173 host 128.187.3.50 eq 8080 
access-list outside_in remark Pass through for Life Sciences' webcam.
access-list outside_in extended permit tcp host 128.187.102.173 host 128.187.3.50 eq 8888 
access-list outside_in remark Pass through from Garrett's home machine to Life Sciences' webcam.
access-list outside_in extended permit tcp host 69.169.159.33 host 128.187.3.50 eq 8080 
access-list outside_in remark Pass through from Garrett's home machine to Life Sciences' webcam.
access-list outside_in extended permit tcp host 69.169.159.33 host 128.187.3.50 eq 8888 
access-list outside_in extended permit tcp any host 128.187.3.6 eq ftp 
access-list outside_in extended permit tcp any host 128.187.3.6 eq ssh 
access-list outside_in extended permit tcp any host 128.187.3.6 eq telnet 
access-list outside_in extended permit tcp any host 128.187.3.5 eq smtp 
access-list outside_in extended permit tcp any host 128.187.3.5 eq domain 
access-list outside_in extended permit tcp any host 128.187.3.5 eq www 
access-list outside_in extended permit tcp any host 128.187.3.5 eq pop3 
access-list outside_in extended permit tcp any host 128.187.3.5 eq imap4 
access-list outside_in extended permit tcp any host 128.187.3.5 eq 993 
access-list outside_in extended permit tcp any host 128.187.3.5 eq 995 
access-list outside_in extended permit udp any host 128.187.3.5 eq domain 
access-list outside_in extended permit tcp any host 128.187.3.7 eq www 
access-list outside_in extended permit tcp any host 128.187.3.7 eq https 
access-list outside_in extended permit tcp any host 128.187.3.7 eq 8080 
access-list outside_in extended permit tcp any host 128.187.3.9 eq www 
access-list outside_in extended permit tcp any host 128.187.3.9 eq https 
access-list outside_in extended permit tcp any host 128.187.3.9 eq 8080 
access-list outside_in extended permit tcp any host 128.187.3.10 eq www 
access-list outside_in extended permit tcp any host 128.187.3.10 eq 8080 
access-list outside_in extended permit tcp any host 128.187.3.10 eq https 
access-list outside_in extended permit tcp any host 128.187.3.11 eq www 
access-list outside_in extended permit tcp any host 128.187.3.11 eq 8080 
access-list outside_in extended permit tcp any host 128.187.3.11 eq https 
access-list outside_in extended permit tcp any host 128.187.3.12 eq www 
access-list outside_in extended permit tcp any host 128.187.3.12 eq 8080 
access-list outside_in extended permit tcp any host 128.187.3.12 eq https 
access-list outside_in extended permit tcp any host 128.187.3.8 eq www 
access-list outside_in extended permit tcp any host 128.187.3.8 eq https 
access-list outside_in extended permit icmp any host 128.187.3.6 
access-list outside_in extended permit icmp any host 128.187.3.5 
access-list outside_in extended permit icmp any host 128.187.3.7 
access-list outside_in extended permit icmp any host 128.187.3.8 
access-list outside_in extended permit icmp any host 128.187.3.9 
access-list outside_in extended permit icmp any host 128.187.3.10 
access-list outside_in extended permit icmp any host 128.187.3.11 
access-list outside_in extended permit icmp any host 128.187.3.12 
access-list outside_in extended permit icmp any host 128.187.3.13 
access-list outside_in extended permit icmp any any echo-reply 
access-list outside_in extended permit tcp any host 128.187.3.5 eq https 
access-list outside_in extended permit tcp any host 128.187.3.5 eq 465 
access-list outside_in extended permit icmp any host 128.187.3.14 
access-list outside_in extended permit tcp any host 128.187.3.14 eq www 
access-list outside_in extended permit tcp any host 128.187.3.14 eq ssh 
access-list outside_in extended permit icmp any host 128.187.3.4 
access-list outside_in extended permit tcp any host 128.187.3.4 eq 9999 
access-list outside_in extended permit tcp any host 128.187.3.14 eq 3389 
access-list outside_in extended permit icmp any any 
access-list outside_in extended permit tcp any host 128.187.3.9 eq smtp 
access-list outside_in extended permit tcp any host 128.187.3.9 eq 8181 
access-list outside_in extended permit tcp any host 128.187.3.4 eq 9002 
access-list outside_in extended permit tcp any host 128.187.3.4 eq 9003 
access-list outside_in extended permit tcp any host 128.187.3.4 eq 9005 
access-list outside_in extended permit tcp any host 128.187.3.9 eq pop3 
access-list outside_in extended permit tcp any host 128.187.3.9 eq imap4 
access-list outside_in extended permit tcp any host 128.187.3.9 eq 993 
access-list outside_in extended permit tcp any host 128.187.3.9 eq 995 
access-list outside_in extended permit tcp any host 128.187.3.15 eq 465 
access-list outside_in extended permit tcp any host 128.187.3.15 eq 993 
access-list outside_in extended permit tcp any host 128.187.3.15 eq 995 
access-list outside_in extended permit tcp any host 128.187.3.15 eq domain 
access-list outside_in extended permit tcp any host 128.187.3.15 eq imap4 
access-list outside_in extended permit tcp any host 128.187.3.15 eq pop3 
access-list outside_in extended permit tcp any host 128.187.3.15 eq smtp 
access-list outside_in extended permit tcp any host 128.187.3.15 eq www 
access-list outside_in extended permit tcp any host 128.187.3.15 eq https 
access-list outside_in extended permit udp any host 128.187.3.15 eq domain 
access-list outside_in extended permit ip any object-group MULTICAST_GROUPS 
access-list outside_in extended permit tcp any host 128.187.3.6 eq 5500 
access-list outside_in remark Xirrus Wireless Access Point to Radius Server
access-list outside_in extended permit udp host 10.3.92.253 host 128.187.3.5 eq 1812 
access-list outside_in remark Xirrus Wireless Access Point to Radius Server
access-list outside_in extended permit udp host 10.3.92.253 host 128.187.3.5 eq 1813 
access-list outside_in remark Xirrus Wireless Access Point to Radius Server
access-list outside_in extended permit udp host 10.3.92.253 host 128.187.3.15 eq 1812 
access-list outside_in remark Xirrus Wireless Access Point to Radius Server
access-list outside_in extended permit udp host 10.3.92.253 host 128.187.3.15 eq 1813 
access-list outside_in extended permit udp host 10.23.7.18 host 128.187.3.5 eq 1812 
access-list outside_in extended permit udp host 10.23.7.18 host 128.187.3.15 eq 1812 
access-list outside_in extended permit udp host 10.23.7.19 host 128.187.3.5 eq 1812 
access-list outside_in extended permit udp host 10.23.7.19 host 128.187.3.15 eq 1812 
access-list outside_in extended permit udp host 10.23.7.20 host 128.187.3.5 eq 1812 
access-list outside_in extended permit udp host 10.23.7.20 host 128.187.3.15 eq 1812 
access-list outside_in extended permit udp host 10.23.7.21 host 128.187.3.5 eq 1812 
access-list outside_in extended permit udp host 10.23.7.21 host 128.187.3.15 eq 1812 
access-list outside_in extended permit udp host 10.23.8.2 host 128.187.3.5 eq 1812 
access-list outside_in extended permit udp host 10.23.8.2 host 128.187.3.5 eq 1813 
access-list outside_in extended permit udp host 10.23.8.2 host 128.187.3.15 eq 1812 
access-list outside_in extended permit udp host 10.23.8.2 host 128.187.3.15 eq 1813 
access-list outside_in extended permit udp host 10.23.8.251 host 128.187.3.5 eq 1812 
access-list outside_in extended permit udp host 10.23.8.251 host 128.187.3.5 eq 1813 
access-list outside_in extended permit udp host 10.23.8.251 host 128.187.3.15 eq 1812 
access-list outside_in extended permit udp host 10.23.8.251 host 128.187.3.15 eq 1813 
access-list outside_in extended permit tcp 128.187.0.0 255.255.0.0 host 128.187.3.12 eq ssh 
access-list outside_in extended permit tcp 10.0.0.0 255.0.0.0 host 128.187.3.12 eq ssh 
access-list outside_in extended permit tcp any host 128.187.3.5 eq 3210 
access-list outside_in extended permit tcp any host 128.187.3.15 eq 3210 
access-list outside_in extended permit tcp any host 128.187.3.9 eq 1443 
access-list outside_in extended permit tcp any host 128.187.3.5 eq 587 
access-list outside_in extended permit tcp any host 128.187.3.115 eq 587 
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.100.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.101.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.102.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.103.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.104.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.105.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list VPN-BYU-NETS-SPLIT extended permit ip 192.168.200.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list VPN-BYU-NETS-SPLIT extended permit ip 10.8.0.0 255.255.0.0 192.168.108.0 255.255.255.0 
access-list VPN-BYU-NETS-SPLIT extended permit ip 10.0.0.0 255.0.0.0 192.168.108.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.101.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.102.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.103.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.104.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.105.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.200.0 255.255.255.0 192.168.108.0 255.255.255.0 
access-list NO-NAT extended permit ip 10.8.0.0 255.255.0.0 192.168.108.0 255.255.255.0 
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 192.168.108.0 255.255.255.0 
access-list inside_access_in remark Posible compromised machine registered to Daniel Austin.
access-list inside_access_in extended deny ip host 192.168.102.81 any 
access-list inside_access_in remark Block access to C&C Server
access-list inside_access_in extended deny ip any host 208.73.210.29 
access-list inside_access_in remark Block access to a Trojan.VBCrypt's C&C server.
access-list inside_access_in extended deny ip any host 50.17.199.47 
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny ip any host 121.14.231.53 
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny ip any host 121.14.231.54 
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny ip any host 121.14.231.55 
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny ip any host 121.14.231.72 
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny object-group TCPUDP any host 121.14.231.53 
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny object-group TCPUDP any host 121.14.231.54 
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny object-group TCPUDP any host 121.14.231.55 
access-list inside_access_in remark Block access to a Trojan.Refroso's C&C server.
access-list inside_access_in extended deny object-group TCPUDP any host 121.14.231.72 
access-list inside_access_in remark Allow CSR access to software.byu.edu.
access-list inside_access_in extended permit ip 192.168.105.0 255.255.255.0 host 128.187.16.167 inactive 
access-list inside_access_in remark Deny access to software.byu.edu.
access-list inside_access_in extended deny ip any host 128.187.16.167 inactive 
access-list inside_access_in extended permit ip any host 128.187.16.167 
access-list inside_access_in extended permit ip any 192.168.200.0 255.255.255.0 
access-list inside_access_in extended permit tcp any 192.168.200.0 255.255.255.0 eq ssh inactive 
access-list inside_access_in extended permit tcp any 192.168.200.0 255.255.255.0 eq www inactive 
access-list inside_access_in extended permit tcp any 192.168.200.0 255.255.255.0 eq https inactive 
access-list inside_access_in extended permit tcp any 128.187.0.0 255.255.0.0 eq hostname inactive 
access-list inside_access_in extended permit tcp host 192.168.105.10 10.8.0.0 255.255.0.0 inactive 
access-list inside_access_in extended permit ip any any 
access-list public_access_in extended permit object-group TCPUDP any any eq www 
access-list public_access_in extended permit tcp any any eq https 
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging monitor informational
logging buffered informational
logging history informational
logging asdm informational
logging host inside 192.168.105.12
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool VPN-POOL 192.168.108.1-192.168.108.254
failover
failover lan unit primary
failover lan interface FAIL Management0/0
failover link FAIL Management0/0
failover interface ip FAIL 192.168.254.1 255.255.255.0 standby 192.168.254.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
global (outside) 1 128.187.3.17-128.187.3.29
global (outside) 1 128.187.3.30
nat (outside) 0 access-list NO-NAT
nat (outside) 1 192.168.108.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
nat (inside) 1 192.168.0.0 255.255.128.0
nat (dmz) 0 access-list NO-NAT
static (dmz,outside) 128.187.3.5 192.168.200.10 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.4 192.168.200.100 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.6 192.168.200.6 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.8 192.168.200.51 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.9 192.168.200.52 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.10 192.168.200.53 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.11 192.168.200.54 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.12 192.168.200.55 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.13 192.168.200.56 netmask 255.255.255.255 
static (inside,dmz) 192.168.105.0 192.168.105.0 netmask 255.255.255.0 
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 
static (inside,dmz) 192.168.101.0 192.168.101.0 netmask 255.255.255.0 
static (inside,dmz) 192.168.102.0 192.168.102.0 netmask 255.255.255.0 
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 
static (inside,dmz) 192.168.104.0 192.168.104.0 netmask 255.255.255.0 
static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.252.0 
static (inside,dmz) 192.168.122.0 192.168.122.0 netmask 255.255.255.0 
static (inside,dmz) 192.168.111.0 192.168.111.0 netmask 255.255.255.0 
static (inside,outside) 128.187.3.50 192.168.102.26 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.14 192.168.200.57 netmask 255.255.255.255 
static (dmz,outside) 128.187.3.15 192.168.200.12 netmask 255.255.255.255 
access-group outside_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 128.187.3.1 1
route inside 192.168.4.0 255.255.252.0 192.168.106.1 1
route inside 192.168.100.0 255.255.255.0 192.168.106.1 1
route inside 192.168.101.0 255.255.255.0 192.168.106.1 1
route inside 192.168.102.0 255.255.255.0 192.168.106.1 1
route inside 192.168.103.0 255.255.255.0 192.168.106.1 1
route inside 192.168.104.0 255.255.255.0 192.168.106.1 1
route inside 192.168.105.0 255.255.255.0 192.168.106.1 1
route inside 192.168.111.0 255.255.255.0 192.168.106.1 1
route inside 192.168.122.0 255.255.255.0 192.168.106.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS-VPN protocol radius
aaa-server RADIUS-VPN (inside) host 192.168.105.12
 key chemistry
 authentication-port 1812
 accounting-port 1813
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication secure-http-client
http server enable
http 192.168.106.0 255.255.255.0 inside
http 192.168.105.0 255.255.255.0 inside
http 174.52.36.203 255.255.255.255 outside
http redirect outside 80
snmp-server host inside 192.168.105.12 community chemistry
snmp-server location ServerRoom
snmp-server contact Chemistry CSRs
snmp-server community chemistry
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-VPN-MAP 100 set transform-set ESP-AES-256-SHA ESP-AES-SHA ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint firewall_internal_digicert
 keypair firewall_internal_digicert
 no client-types
 crl configure
crypto ca trustpoint chemca
 enrollment terminal
 crl configure
crypto ca trustpoint testing
 subject-name CN=vpn.chem.byu.edu
 keypair testing
 crl configure
crypto ca trustpoint chemca_vpncert
 enrollment terminal
 subject-name CN=vpn.chem.byu.edu
 crl configure
crypto ca trustpoint DigiCertCA
 enrollment terminal
 crl configure
crypto ca trustpoint DigiCertCA-RGTest
 enrollment terminal
 no client-types
 crl configure
crypto ca trustpoint DigiCertCA2-RGTest
 enrollment terminal
 crl configure
crypto ca certificate chain firewall_internal_digicert
 certificate 0ea54a4ad3a54290a6ed9e79fc5e6697
    30820728 30820610 a0030201 0202100e a54a4ad3 a54290a6 ed9e79fc 5e669730 
    0d06092a 864886f7 0d010105 05003066 310b3009 06035504 06130255 53311530 
    13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077 
    77772e64 69676963 6572742e 636f6d31 25302306 03550403 131c4469 67694365 
    72742048 69676820 41737375 72616e63 65204341 2d33301e 170d3130 31313039 
    30303030 30305a17 0d313331 31313232 33353935 395a3081 94310b30 09060355 
    04061302 5553310d 300b0603 55040813 04557461 68310e30 0c060355 04071305 
    50726f76 6f312130 1f060355 040a1318 42726967 68616d20 596f756e 6720556e 
    69766572 73697479 31233021 06035504 0b131a43 68656d69 73747279 20616e64 
    2042696f 6368656d 69737472 79311e30 1c060355 04031315 66697265 77616c6c 
    2e636865 6d2e6279 752e6564 75308201 22300d06 092a8648 86f70d01 01010500 
    0382010f 00308201 0a028201 0100aef1 20597d4f c3770e17 4d237999 09e88dec 
    696d03b4 e04e8599 c989ee09 dc51ced4 23631a49 fb3bed0b 5f594dcf 335be7f8 
    701a653f 033efba4 d84e308b 64cd1b6c 87cb0f98 d923786f 95dc9493 f8c31259 
    b3536e25 fbc0fc6f 1fdf2b51 849882ba 7ac67df8 3ad4ff63 cc46d218 19df7f7c 
    631d5e03 eb6e29bc 1d005aba 7d743521 0f6d97fa 576daffa 807ba925 997cc8e0 
    bf9e0c07 940819eb a5c7ed25 c7186243 1aaaa3e2 8b573fdb 3db615e5 0a472f7b 
    d15642b4 60b149bb 90969e49 d3e4a7e6 0ac745b6 e562812f e7220a31 849e6043 
    f61e328c 01364f9a 455c2605 44bd162f 6d8864e7 e91e18e3 c0b0b94b c99eb425 
    d7ca6cbb 0f992097 05825e40 7c830203 010001a3 8203a130 82039d30 1f060355 
    1d230418 30168014 50ea7389 db29fb10 8f9ee501 20d4de79 994883f7 301d0603 
    551d0e04 160414bc 47e4024f 223285e3 31c3c312 54ae4dae 93b17e30 70060355 
    1d110469 30678215 66697265 77616c6c 2e636865 6d2e6279 752e6564 75820866 
    69726577 616c6c82 16666972 6577616c 6c312e63 68656d2e 6279752e 65647582 
    16666972 6577616c 6c322e63 68656d2e 6279752e 65647582 09666972 6577616c 
    6c318209 66697265 77616c6c 32307b06 082b0601 05050701 01046f30 6d302406 
    082b0601 05050730 01861868 7474703a 2f2f6f63 73702e64 69676963 6572742e 
    636f6d30 4506082b 06010505 07300286 39687474 703a2f2f 63616365 7274732e 
    64696769 63657274 2e636f6d 2f446967 69436572 74486967 68417373 7572616e 
    63654341 2d332e63 7274300e 0603551d 0f0101ff 04040302 05a0300c 0603551d 
    130101ff 04023000 30650603 551d1f04 5e305c30 2ca02aa0 28862668 7474703a 
    2f2f6372 6c332e64 69676963 6572742e 636f6d2f 6361332d 32303130 682e6372 
    6c302ca0 2aa02886 26687474 703a2f2f 63726c34 2e646967 69636572 742e636f 
    6d2f6361 332d3230 3130682e 63726c30 8201c606 03551d20 048201bd 308201b9 
    308201b5 060b6086 480186fd 6c010300 01308201 a4303a06 082b0601 05050702 
    01162e68 7474703a 2f2f7777 772e6469 67696365 72742e63 6f6d2f73 736c2d63 
    70732d72 65706f73 69746f72 792e6874 6d308201 6406082b 06010505 07020230 
    8201561e 82015200 41006e00 79002000 75007300 65002000 6f006600 20007400 
    68006900 73002000 43006500 72007400 69006600 69006300 61007400 65002000 
    63006f00 6e007300 74006900 74007500 74006500 73002000 61006300 63006500 
    70007400 61006e00 63006500 20006f00 66002000 74006800 65002000 44006900 
    67006900 43006500 72007400 20004300 50002f00 43005000 53002000 61006e00 
    64002000 74006800 65002000 52006500 6c007900 69006e00 67002000 50006100 
    72007400 79002000 41006700 72006500 65006d00 65006e00 74002000 77006800 
    69006300 68002000 6c006900 6d006900 74002000 6c006900 61006200 69006c00 
    69007400 79002000 61006e00 64002000 61007200 65002000 69006e00 63006f00 
    72007000 6f007200 61007400 65006400 20006800 65007200 65006900 6e002000 
    62007900 20007200 65006600 65007200 65006e00 63006500 2e301d06 03551d25 
    04163014 06082b06 01050507 03010608 2b060105 05070302 300d0609 2a864886 
    f70d0101 05050003 82010100 921cfbb6 825c8bbd 076e1652 7055d013 99dd54db 
    0e304aa7 e08711b7 9c807a22 5771baaf 71d1b1e1 52293baf f09d5142 1fbd2f48 
    b50dfd1f 9bd1e87a 6c8288d9 70c05500 91ce4740 6a64ea03 275a1d28 da8f6a35 
    8aa4f611 0b58b672 6017a9fa a17d529d b5f78a52 c5d2b85f c690feac 5adba33e 
    563f9adb 67c65797 4c578971 57218346 aa6a5cca ad7bf24e cb2a03a0 2404c1af 
    0c78e788 62236d24 f9dbeb96 8661874d 7b644ffa 9b6a5fbf 6b2b2f5c 7e7c2874 
    fb0ad034 23ae894f c60d8d4f 1950d24a d96ca6f2 db665944 56b58731 3972caf9 
    0fd420bb e0551390 85249d96 735e621f 49db6732 0fe91245 43530532 c0ee38d0 
    f69a527b 0df15265 59b47813
  quit
 certificate ca 0851f959814145cabde024e212c9c20e
    30820655 3082053d a0030201 02021008 51f95981 4145cabd e024e212 c9c20e30 
    0d06092a 864886f7 0d010105 0500306c 310b3009 06035504 06130255 53311530 
    13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077 
    77772e64 69676963 6572742e 636f6d31 2b302906 03550403 13224469 67694365 
    72742048 69676820 41737375 72616e63 65204556 20526f6f 74204341 301e170d 
    30373034 30333030 30303030 5a170d32 32303430 33303030 3030305a 3066310b 
    30090603 55040613 02555331 15301306 0355040a 130c4469 67694365 72742049 
    6e633119 30170603 55040b13 10777777 2e646967 69636572 742e636f 6d312530 
    23060355 0403131c 44696769 43657274 20486967 68204173 73757261 6e636520 
    43412d33 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 
    02820101 00bf610a 29101f5e fe343751 08f81efb 22ed61be 0b0d704c 50632675 
    15b94188 97b6f0a0 15bb0860 e042e805 29108736 8a2865a8 ef310774 6d36972f 
    28466604 c72a7926 7a99d58e c36d4fa0 5eadbc3d 91c2597b 5e366cc0 53cf0008 
    323e1064 58101369 c70cee9c 425100f9 0544ee24 ce7a1fed 8c11bd12 a8f315f4 
    1c7a3169 011ba7e6 5dc09a6c 7e099ee7 52444a10 3a23e49b b603afa8 9cb45b9f 
    d44bad92 8cceb511 2aaa3718 8db4c2b8 d85c068c f8ff23bd 355ed47c 3e7e830e 
    91960598 c3b21fe3 c865eba9 7b5da02c ccfc3cd9 6dedccfa 4b438cc9 d4b8a561 
    1cb240b6 2812dfb9 f85ffed3 b2c9ef3d b41e4b7c 1c4c9936 9e3debec a7685e1d 
    df676e5e fb020301 0001a382 02f73082 02f3300e 0603551d 0f0101ff 04040302 
    01863082 01c60603 551d2004 8201bd30 8201b930 8201b506 0b608648 0186fd6c 
    01030002 308201a4 303a0608 2b060105 05070201 162e6874 74703a2f 2f777777 
    2e646967 69636572 742e636f 6d2f7373 6c2d6370 732d7265 706f7369 746f7279 
    2e68746d 30820164 06082b06 01050507 02023082 01561e82 01520041 006e0079 
    00200075 00730065 0020006f 00660020 00740068 00690073 00200043 00650072 
    00740069 00660069 00630061 00740065 00200063 006f006e 00730074 00690074 
    00750074 00650073 00200061 00630063 00650070 00740061 006e0063 00650020 
    006f0066 00200074 00680065 00200044 00690067 00690043 00650072 00740020 
    00430050 002f0043 00500053 00200061 006e0064 00200074 00680065 00200052 
    0065006c 00790069 006e0067 00200050 00610072 00740079 00200041 00670072 
    00650065 006d0065 006e0074 00200077 00680069 00630068 0020006c 0069006d 
    00690074 0020006c 00690061 00620069 006c0069 00740079 00200061 006e0064 
    00200061 00720065 00200069 006e0063 006f0072 0070006f 00720061 00740065 
    00640020 00680065 00720065 0069006e 00200062 00790020 00720065 00660065 
    00720065 006e0063 0065002e 300f0603 551d1301 01ff0405 30030101 ff303406 
    082b0601 05050701 01042830 26302406 082b0601 05050730 01861868 7474703a 
    2f2f6f63 73702e64 69676963 6572742e 636f6d30 818f0603 551d1f04 81873081 
    843040a0 3ea03c86 3a687474 703a2f2f 63726c33 2e646967 69636572 742e636f 
    6d2f4469 67694365 72744869 67684173 73757261 6e636545 56526f6f 7443412e 
    63726c30 40a03ea0 3c863a68 7474703a 2f2f6372 6c342e64 69676963 6572742e 
    636f6d2f 44696769 43657274 48696768 41737375 72616e63 65455652 6f6f7443 
    412e6372 6c301f06 03551d23 04183016 8014b13e c36903f8 bf4701d4 98261a08 
    02ef6364 2bc3301d 0603551d 0e041604 1450ea73 89db29fb 108f9ee5 0120d4de 
    79994883 f7300d06 092a8648 86f70d01 01050500 03820101 005d4f84 f1a888d3 
    a3b2bc9c 6de52949 77e1e7d6 dca9d835 aec971dc e5dbdc9d 242190a6 cfb7011c 
    9bd45797 91d77516 a512d7b9 3d2e893d 39698ad6 3537f9f1 21c45b40 ad59a92f 
    5f3a0029 43277103 e4bd3032 55a6fe84 0e0b9b38 192c437c ac43bf75 31e5231c 
    4555b769 0891b5cf d7d5b15e ee9f94e4 d67ab918 c3b8d652 631c10ba 8b2f6d5d 
    cc0538f4 56056def 9eece861 360c144b 85145a0c 834f225c 59cb8c8a 71dafac5 
    108458cf 07eee390 c2f5f929 c75a2371 f959b464 2b88b0a7 36c79a20 61ebfa4e 
    b5ae6b1b e4e3ece2 d93c4149 a820a454 f5928dbb c0552004 a6d8b017 16cce3d0 
    c8b43de5 d984c6d3 f66e6d78 c97943e8 7a37ff5c 3549bfa1 c5
  quit
crypto ca certificate chain chemca
 certificate ca 01
    30820514 3082047d a0030201 02020101 300d0609 2a864886 f70d0101 04050030 
    819d3128 30260603 55040313 1f436865 6d697374 72792043 65727469 66696361 
    74652041 7574686f 72697479 310b3009 06035504 06130255 53310e30 0c060355 
    04071305 50726f76 6f310d30 0b060355 04081304 55746168 31233021 06035504 
    0a131a43 68656d69 73747279 20616e64 2042696f 6368656d 69737472 79312030 
    1e06092a 864886f7 0d010901 16116373 72734063 68656d2e 6279752e 65647530 
    1e170d30 34303531 30313535 3831325a 170d3234 31323331 31353538 31325a30 
    819d3128 30260603 55040313 1f436865 6d697374 72792043 65727469 66696361 
    74652041 7574686f 72697479 310b3009 06035504 06130255 53310e30 0c060355 
    04071305 50726f76 6f310d30 0b060355 04081304 55746168 31233021 06035504 
    0a131a43 68656d69 73747279 20616e64 2042696f 6368656d 69737472 79312030 
    1e06092a 864886f7 0d010901 16116373 72734063 68656d2e 6279752e 65647530 
    819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 e08be81b 
    38d08b25 81bb3798 f6fb7a43 2dd5f173 8930d721 50220eb3 c758806e 83cd1f2d 
    324cb7b4 37de1959 999fd3ef 7affc138 0d660909 0b54d9a9 caa24445 e4023fa5 
    17e50a49 a13f6c99 9893c952 200fc984 f87b4c2a e335ceeb 1beb6066 f3b2fec4 
    c4639d19 e7e9a177 d32903fa 3cc4afd4 d04c5057 6773de60 8375e2e3 02030100 
    01a38202 60308202 5c300f06 03551d13 0101ff04 05300301 01ff301d 0603551d 
    0e041604 14f092d2 07b68654 c7ae189f c61303b0 37f25786 943081ca 0603551d 
    230481c2 3081bf80 14f092d2 07b68654 c7ae189f c61303b0 37f25786 94a181a3 
    a481a030 819d3128 30260603 55040313 1f436865 6d697374 72792043 65727469 
    66696361 74652041 7574686f 72697479 310b3009 06035504 06130255 53310e30 
    0c060355 04071305 50726f76 6f310d30 0b060355 04081304 55746168 31233021 
    06035504 0a131a43 68656d69 73747279 20616e64 2042696f 6368656d 69737472 
    79312030 1e06092a 864886f7 0d010901 16116373 72734063 68656d2e 6279752e 
    65647582 0101300b 0603551d 0f040403 02010630 11060960 86480186 f8420101 
    04040302 00073025 06096086 480186f8 42010204 18161668 7474703a 2f2f6361 
    2e636865 6d2e6279 752e6564 75303006 09608648 0186f842 01030423 16216874 
    74703a2f 2f63612e 6368656d 2e627975 2e656475 2f726576 6f636174 696f6e30 
    32060960 86480186 f8420104 04251623 68747470 3a2f2f63 612e6368 656d2e62 
    79752e65 64752f63 61726576 6f636174 696f6e30 31060960 86480186 f8420107 
    04241622 68747470 3a2f2f63 612e6368 656d2e62 79752e65 64752f63 65727472 
    656e6577 616c302e 06096086 480186f8 42010804 21161f68 7474703a 2f2f6361 
    2e636865 6d2e6279 752e6564 752f6361 706f6c69 6379302d 06096086 480186f8 
    42010c04 20161e68 74747073 3a2f2f73 65637572 652e6368 656d2e62 79752e65 
    64752f63 61301e06 09608648 0186f842 010d0411 160f7863 61206365 72746966 
    69636174 65300d06 092a8648 86f70d01 01040500 03818100 850c5176 067535c6 
    0b3b8562 a82bc5d4 807570d5 b50779d4 cdf28fd0 8addbe19 5594fc69 ac404dc6 
    21f72bd2 8048f2bc ed1bde18 cbfaa540 f33485cb c126de7c 5ac5b9b4 a5678c28 
    59581257 e9aff988 02859ad3 02920804 5d49adae c628b017 58a1c9ec b4b27b41 
    19c19230 1a666cb0 ae44f332 727a4df4 6fe8f683 d6696e64
  quit
crypto ca certificate chain testing
 certificate 0bbc6aa187164900bce4d1c645c3331a
    308206a8 30820590 a0030201 0202100b bc6aa187 164900bc e4d1c645 c3331a30 
    0d06092a 864886f7 0d010105 05003066 310b3009 06035504 06130255 53311530 
    13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077 
    77772e64 69676963 6572742e 636f6d31 25302306 03550403 131c4469 67694365 
    72742048 69676820 41737375 72616e63 65204341 2d33301e 170d3130 31313035 
    30303030 30305a17 0d313331 31313232 33353935 395a306a 310b3009 06035504 
    06130275 73310d30 0b060355 04081304 55746168 310e300c 06035504 07130550 
    726f766f 3121301f 06035504 0a131842 72696768 616d2059 6f756e67 20556e69 
    76657273 69747931 19301706 03550403 13107670 6e2e6368 656d2e62 79752e65 
    64753082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 
    010100e2 2057ca85 0abe9558 a549988d c30c919a cc0706e1 dcefe928 0a23a22a 
    2e1178d6 6d7cbbdb 402203c7 8fe6f784 ea61e76a 42d82bbc 2395e432 a547bd5f 
    892317ae 3f9fa2d1 72164697 9bfcdabd a13e18a3 ff195347 cb58cd0b d205f11c 
    fd11edb2 c12d2c1b ef557a86 e9d826a0 1b473c58 1a1d9fa6 ffc3df73 f0e4d027 
    38eb7c6b 5173b3a8 e09ddeaf 34d2a1af 299115c0 0cbe77f7 80ffc63b 0e448928 
    492193d1 b9dfdcac ce8c901c 2ce77b6d 593bc6d7 a00f24d9 a0779744 44a37f92 
    0be2c656 8da42a79 7c9fa916 e5072a2c 0715849a 1bee594a 7a1bd9b9 96954fbe 
    c64019ac 8bf926e0 fa483d25 02a37c4c d58475fe 155c668b b691f9f3 4a171b8e 
    ee34f302 03010001 a382034c 30820348 301f0603 551d2304 18301680 1450ea73 
    89db29fb 108f9ee5 0120d4de 79994883 f7301d06 03551d0e 04160414 a99572c9 
    99126d57 fe853d70 f24e6b39 14ac5ffa 301b0603 551d1104 14301282 1076706e 
    2e636865 6d2e6279 752e6564 75307b06 082b0601 05050701 01046f30 6d302406 
    082b0601 05050730 01861868 7474703a 2f2f6f63 73702e64 69676963 6572742e 
    636f6d30 4506082b 06010505 07300286 39687474 703a2f2f 63616365 7274732e 
    64696769 63657274 2e636f6d 2f446967 69436572 74486967 68417373 7572616e 
    63654341 2d332e63 7274300e 0603551d 0f0101ff 04040302 05a0300c 0603551d 
    130101ff 04023000 30650603 551d1f04 5e305c30 2ca02aa0 28862668 7474703a 
    2f2f6372 6c332e64 69676963 6572742e 636f6d2f 6361332d 32303130 682e6372 
    6c302ca0 2aa02886 26687474 703a2f2f 63726c34 2e646967 69636572 742e636f 
    6d2f6361 332d3230 3130682e 63726c30 8201c606 03551d20 048201bd 308201b9 
    308201b5 060b6086 480186fd 6c010300 01308201 a4303a06 082b0601 05050702 
    01162e68 7474703a 2f2f7777 772e6469 67696365 72742e63 6f6d2f73 736c2d63 
    70732d72 65706f73 69746f72 792e6874 6d308201 6406082b 06010505 07020230 
    8201561e 82015200 41006e00 79002000 75007300 65002000 6f006600 20007400 
    68006900 73002000 43006500 72007400 69006600 69006300 61007400 65002000 
    63006f00 6e007300 74006900 74007500 74006500 73002000 61006300 63006500 
    70007400 61006e00 63006500 20006f00 66002000 74006800 65002000 44006900 
    67006900 43006500 72007400 20004300 50002f00 43005000 53002000 61006e00 
    64002000 74006800 65002000 52006500 6c007900 69006e00 67002000 50006100 
    72007400 79002000 41006700 72006500 65006d00 65006e00 74002000 77006800 
    69006300 68002000 6c006900 6d006900 74002000 6c006900 61006200 69006c00 
    69007400 79002000 61006e00 64002000 61007200 65002000 69006e00 63006f00 
    72007000 6f007200 61007400 65006400 20006800 65007200 65006900 6e002000 
    62007900 20007200 65006600 65007200 65006e00 63006500 2e301d06 03551d25 
    04163014 06082b06 01050507 03010608 2b060105 05070302 300d0609 2a864886 
    f70d0101 05050003 82010100 98d034cd 65852025 954a3fd8 f1803b4c 0239f372 
    ebda784d a510f8c3 dc9d798e b433c43e ff2515d4 fed359e4 7536e0c4 3d82c2d5 
    9b74be13 7d09f752 c0fc9868 42ca1f99 a302c568 277903b0 dda05b02 2d8552d9 
    7bb989a1 0846c0fd c271098b 4fec7091 70161d00 d056f6c3 ef18d287 6598f7b5 
    e6e5c137 570206e5 24b08086 1adcf224 2359b396 520793f1 79d4d95b 97e9c5ec 
    08b09bbd 7732462b 716d17d7 3144f35e 67726523 540d37af 7772e140 f166988e 
    83743979 a283f1f7 f262edd7 0b8dd467 b4fea5ab d1b372b0 40453df0 87aac19f 
    347b9b4e d99cf3bc 4a3642dd f3b76228 171698ac 0d696e16 da0875ab dfa7cda1 
    d3cd82fd ed9995f6 4bd124fc
  quit
crypto ca certificate chain DigiCertCA
 certificate ca 0851f959814145cabde024e212c9c20e
  quit
crypto ca certificate chain DigiCertCA-RGTest
 certificate ca 0851f959814145cabde024e212c9c20e
  quit
crypto ca certificate chain DigiCertCA2-RGTest
 certificate ca 428740a5
  quit
crypto isakmp enable outside
crypto isakmp policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 5
remote-access threshold session-threshold-exceeded 25
telnet 192.168.105.0 255.255.255.0 inside
telnet 192.168.106.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 174.52.36.203 255.255.255.255 outside
ssh 192.168.105.0 255.255.255.0 inside
ssh 192.168.106.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.105.10
ntp server 192.43.244.18
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point DigiCertCA
ssl trust-point testing outside
ssl trust-point firewall_internal_digicert inside
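An added audit script, not part of this wiki page or of any Cisco tooling, that reads ISAKMP policy and management-access lines like the ones above and flags what a reviewer would question on an ASA 8.2 box: 3DES and DH group 2 in IKE policies, cleartext Telnet management, SSH permitted from any source address, a console that never times out, and 3DES in the SSL cipher list. The sample config is a constructed subset of the page's own lines; the weak-setting tables are the script's assumptions.

```python
# Constructed sample: a subset of the firewall's exported config lines.
SAMPLE_CONFIG = """\
crypto isakmp policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
telnet 192.168.105.0 255.255.255.0 inside
ssh 174.52.36.203 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
console timeout 0
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
"""

WEAK_CIPHERS = {"des", "3des"}          # assumption: 64-bit block ciphers
WEAK_DH_GROUPS = {"1", "2"}             # assumption: 768/1024-bit MODP groups


def audit_asa(config: str) -> list[str]:
    """Return one finding per risky line, in config order; [] means nothing flagged."""
    findings, policy = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("crypto isakmp policy "):
            policy = line.split()[-1]       # enter the policy sub-mode
            continue
        if not raw.startswith(" "):
            policy = None                   # any top-level line leaves the sub-mode
        parts = line.split()
        if not parts:
            continue
        if policy and parts[0] == "encryption" and parts[1] in WEAK_CIPHERS:
            findings.append(f"isakmp policy {policy}: weak cipher {parts[1]}")
        elif policy and parts[0] == "group" and parts[1] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {policy}: weak DH group {parts[1]}")
        elif parts[0] == "telnet" and len(parts) == 4:     # 'telnet timeout N' has 3 fields
            findings.append(f"telnet (cleartext) management from {parts[1]}/{parts[2]} on {parts[3]}")
        elif parts[0] == "ssh" and parts[1:3] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(f"ssh allowed from any address on {parts[3]}")
        elif line == "console timeout 0":
            findings.append("console session never times out")
        elif parts[:2] == ["ssl", "encryption"]:
            weak = [c for c in parts[2:] if c.startswith("3des")]
            if weak:
                findings.append(f"ssl encryption offers {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit_asa(SAMPLE_CONFIG):
        print(finding)
```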
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-wince-ARMv4I-2.5.0217-k9.pkg 1 regex "Windows CE"
 svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 2 regex "Windows NT"
 svc image disk0:/anyconnect-macosx-i386-2.5.0217-k9.pkg 3 regex "Intel Mac OS X"
 svc image disk0:/anyconnect-linux-2.5.0217-k9.pkg 4 regex "Linux"
 svc enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.105.10
 dns-server value 192.168.105.10 192.168.105.11
 vpn-tunnel-protocol IPSec svc 
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-BYU-NETS-SPLIT
 default-domain value chem.byu.edu
 address-pools value VPN-POOL
username admin password FgibczyVGBcddWL6 encrypted privilege 15
username rgardner password VUYUqAgt9MbginSm encrypted privilege 15
username sivco password ppoI03NdjneYjuGd encrypted
username sivco attributes
 service-type remote-access
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group RADIUS-VPN LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS-VPN LOCAL
tunnel-group Faculty type remote-access
tunnel-group Faculty general-attributes
 authentication-server-group RADIUS-VPN
tunnel-group Faculty ipsec-attributes
 pre-shared-key facadmin
tunnel-group admin type remote-access
tunnel-group admin general-attributes
 authentication-server-group RADIUS-VPN
tunnel-group admin ipsec-attributes
 pre-shared-key cH3mAdM1n
tunnel-group cpmsdo type remote-access
tunnel-group cpmsdo general-attributes
 authentication-server-group RADIUS-VPN
tunnel-group cpmsdo ipsec-attributes
 pre-shared-key "An apple a day"
!
class-map inspection_default
 match default-inspection-traffic
class-map class_snmp
 match port udp eq snmp
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect pptp 
  inspect ip-options 
  inspect icmp 
 class class_snmp
  inspect snmp 
!
service-policy global_policy global
prompt hostname priority state 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7c2abb046ce98aebff24c2e08a006762
: end
