Internet Edge Configuration Guide
Revision: H2CY10

Who Should Read This Guide

This document is for the reader who:
• Has IT workers with a CCNA® certification or equivalent experience
• Has already read the Cisco Smart Business Architecture (SBA) for Government Large Agencies—Borderless Networks Internet Edge Deployment Guide
• Has 2000–10,000 connected employees
• Wants to deploy their network infrastructure efficiently
• Wants the assurance of a tested solution
• Requires a migration path for growth
• Wants more secure access to the Internet
• Wants to provide backup connectivity to the Internet for employees
• Requires a solution for teleworker and mobile worker access to the agency’s data
• Requires a solution to control employee access to the web and block malicious web sites
• Requires a solution to filter SPAM and malicious email sent to the agency
• Requires a solution to improve the availability of internet-facing services

Related Documents

Before reading this guide:
• Design Overview
• Internet Edge Deployment Guide

SBA for Large Agencies document system (diagram): Design Guides (Design Overview); Deployment Guides (Foundation Deployment Guides, Internet Edge Deployment Guide, Internet Edge Configuration Guide, marked "You are Here"); Network Management Guides.
Table of Contents

Introduction . . . 1
Large Agencies Deployment Product List . . . 3
Internet Edge Configuration Files . . . 5
  ASA 5540 a Internet Edge 5K . . . 5
  ASA 5540 b Internet Edge 5K . . . 10
  ASA-SSM-40 a (IPS Module) . . . 11
  ASA-SSM-40 b (IPS Module) . . . 12
  ASA 5540 a (Firewall only) Internet Edge 10K . . . 13
  ASA 5540 b (Firewall only) Internet Edge 10K . . . 18
  ASA 5520 a (Remote Access VPN only) Internet Edge 10K . . . 19
  ASA 5520 b (Remote Access VPN only) Internet Edge 10K . . . 22
  Outside 3750 . . . 22
  DMZ 3750 . . . 25
  ACE Server Load Balancing . . . 27
    ACE 4710-1 . . . 27
    ACE 4710-2 . . . 28
Summary . . . 30
Appendix A: SBA for Large Agencies Document System . . . 31
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL
OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY
DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes
only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
Introduction
For Cisco partners and customers with 2000–10,000 connected users, we
have created an “out-of-the-box” deployment that is simple, fast, affordable,
scalable, and flexible. We have designed it to be easy—easy to configure,
deploy, and manage.
The simplicity of this deployment, though, belies the depth and breadth of
the architecture. Based on feedback from many customers and partners,
Cisco has developed a solid network foundation with a flexible platform
that does not require re-engineering to support additional Network or User
services.
The SBA for Large Agencies—Borderless Networks (BN) architecture is composed of a single Design Guide, plus deployment guides and configuration guides for each of the three sections: LAN, WAN, and Internet Edge.
The SBA for Large Agencies—Borderless Networks Internet Edge Deployment Guide is a prescriptive reference design that provides step-by-step instructions for deploying the products in the design. It is based on enterprise best-practice principles.
Figure 1. SBA Model (diagram). Three layers: User Services (Voice, Video, Web Meetings); Network Services (Security, WAN Optimization, Guest Access); Network Foundation (Routing, Switching, Wireless, and Internet).
This deployment guide has been architected to make your life a little bit—
maybe even a lot—smoother. This architecture:
• Provides a solid foundation
• Makes deployment fast and easy
• Accelerates ability to easily deploy additional services
• Avoids the need for re-engineering of the core network
The Purpose of This Document
This document provides the available configuration files for the products
used in the Cisco SBA for Large Agencies—Borderless Networks Internet
Edge Deployment Guide. It is a companion document to the deployment
guide as a reference for engineers who are evaluating or deploying the SBA.
Tech Tip

Some of the base concepts referenced in this guide are covered in the SBA BN Design and Deployment Guides; those documents should be reviewed first.

Graphical Interface Management

There are products in this design for which we have omitted the configuration file. Those products have browser-based graphical configuration tools. Please refer to the companion Cisco SBA for Large Agencies—Borderless Networks WAN Deployment Guide at https://www.cisco.com/go/sba for step-by-step instructions on configuring those products.
SBA for Large Agencies—Borderless Networks architecture overview (diagram). Labels shown: Internet Edge (Internet Edge Routers, Internet Edge Firewall, Remote Access VPN, Email Security Appliance, Web Security Appliance, Internet Servers, Guest WLAN, Teleworker / Mobile Worker); WAN Aggregation (VPN, Application Acceleration, WAN); Data Center; Campus (Core Switches, Distribution Switches, Client Access Switches, Wireless LAN Controller, Wireless Access Point, Building 1 to Building 4); Remote Local Area Network and Regional Office (Branch Router with Application Acceleration, Regional Router, Collapsed Distribution/Core Switches, Client Access Switches, Wireless LAN Controller, Application Acceleration).

Hardware and Software
Large Agencies Deployment Product List

Internet Edge 5K

Functional Area       | Product                                                        | Part Numbers                        | Software Version
Firewall              | ASA 5510 or ASA 5520 or ASA 5540                               | ASA5510-AIP10-SP-K9 / ASA5520-AIP20-K9 / ASA5540-AIP40-K9 | 8.2.2
IPS                   | SSM-AIP-10 or SSM-AIP-20 or SSM-AIP-40                         | *part of the firewall bundle        | 7.0.2E4
VPN                   | 250 or 500 SSL session software license for the main ASA firewall | ASA5500-SSL-250 / ASA5500-SSL-500 | *as Firewall
Email Security        | C370                                                           | C370-BUN-R-NA                       | Async OS 7.0
Web Security          | S370                                                           | S370-BUN-R-NA                       | Async OS 6.3
Server Load Balancing | ACE 4710                                                       | ACE-4710-0.5F-K9                    | A3(2.5)
Outside Switch        | 2x Catalyst 3750                                               | WS-C3750G-24TS-S1U                  | 12.2(53)SE1
DMZ Switch            | 2x Catalyst 3750                                               | WS-C3750G-24TS-S1U                  | 12.2(53)SE1

*Email Security and Web Security: please consult your Trusted Partner or the IronPort sales team for pricing and licensing.

Internet Edge 10K

Functional Area       | Product                                                        | Part Numbers                        | Software Version
Firewall              | 2x ASA 5520 or 2x ASA 5540                                     | ASA5520-AIP20-K9 / ASA5540-AIP40-K9 | 8.2.2
IPS                   | 2x SSM-AIP-20 or 2x SSM-AIP-40                                 | *part of the firewall bundle above  | 7.0.2E4
VPN                   | 2x ASA 5520 and 500 SSL seats or 2x ASA 5540 and 1000 SSL seats | ASA5520-SSL500-K9 / ASA5540-SSL1000-K9 | 8.2.2
Email Security        | 2x C370                                                        | C370-BUN-R-NA                       | Async OS 7.0
Web Security          | 2x S370                                                        | S370-BUN-R-NA                       | Async OS 6.3
Server Load Balancing | ACE 4710                                                       | ACE-4710-1F-K9                      | A3(2.5)
Outside Switch        | 2x Catalyst 3750                                               | WS-C3750G-24TS-S1U                  | 12.2(53)SE1
DMZ Switch            | 2x Catalyst 3750                                               | WS-C3750G-24TS-S1U                  | 12.2(53)SE1

*Email Security and Web Security: please consult your Trusted Partner or the IronPort sales team for pricing and licensing.
Internet Edge
Configuration Files
ASA 5540 a Internet Edge 5K
ASA Version 8.2(2)
!
hostname asa5540A
domain-name cisco.local
enable password 2y4FIGBVVyBLau0Q encrypted
passwd 2y4FIGBVVyBLau0Q encrypted
names
name 172.16.130.1 outside-dmvpn-1
name 172.16.130.16 outside-mail-1 description public email address
name 10.4.200.10 dns-server
name 10.4.244.0 dmz-mail-net
name 10.4.0.0 internal-net
name 10.4.246.0 dmz-guest-wlc-net
name 10.4.246.54 dmz-guest-wlc
name 192.168.16.0 dmz-wifi-guest-net
name 10.4.245.0 dmz-web-net
name 10.4.248.0 ra-pool
name 10.4.128.32 dmz-dmvpn
name 10.4.128.33 dmz-dmvpn-1
name 10.4.128.34 dmz-dmvpn-2
name 10.4.200.25 inside-mail
name 10.4.244.16 dmz-C370
name 10.4.200.0 data-center-net
name 10.4.244.20 dmz-C370-B
name 172.16.130.17 outside-mail_B-1 description Address for C370B in ISP A
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.4.240.30 255.255.255.224 standby 10.4.240.29
!
interface GigabitEthernet0/1
description dmz trunk to dmz-3750 stack port x/0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.1120
vlan 1120
nameif dmz-mail
security-level 50
ip address 10.4.244.1 255.255.255.0 standby 10.4.244.2
!
interface GigabitEthernet0/1.1121
vlan 1121
nameif dmz-web
security-level 50
ip address 10.4.245.1 255.255.255.0 standby 10.4.245.2
!
interface GigabitEthernet0/1.1122
vlan 1122
nameif dmz-guest-wlc
security-level 50
ip address 10.4.246.1 255.255.255.0 standby 10.4.246.2
!
interface GigabitEthernet0/1.1126
vlan 1126
nameif dmz-wifi-guest
security-level 10
ip address 192.168.16.1 255.255.252.0
!
interface GigabitEthernet0/1.1128
vlan 1128
nameif dmz-vpn
security-level 75
ip address 10.4.128.35 255.255.255.248
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
description uplink to out-3750 stack port port x/0/2
vlan 16
nameif outside
security-level 0
ip address 172.16.130.124 255.255.255.0 standby 172.16.130.123
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone PACIFIC -7
dns server-group DefaultDNS
domain-name cisco.local
object-group network NAT0-DMZ-EXEMPT
network-object dmz-web-net 255.255.255.0
network-object dmz-mail-net 255.255.255.0
network-object dmz-guest-wlc-net 255.255.255.0
network-object dmz-wifi-guest-net 255.255.252.0
network-object ra-pool 255.255.252.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network WLAN_Controllers
network-object host 10.4.56.64
network-object host 10.4.56.65
network-object host 10.4.56.66
network-object host 10.4.56.67
network-object host 10.4.56.68
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq smtp
access-list INSIDE_NAT0_OUTBOUND extended permit ip internal-net 255.254.0.0 object-group NAT0-DMZ-EXEMPT
access-list DMZ-MAIL_ACCESS_IN extended permit object-group TCPUDP dmz-mail-net 255.255.255.0 host dns-server eq domain
access-list DMZ-MAIL_ACCESS_IN extended deny ip dmz-mail-net 255.255.255.0 internal-net 255.254.0.0
access-list DMZ-MAIL_ACCESS_IN extended deny ip dmz-mail-net 255.255.255.0 dmz-web-net 255.255.255.0
access-list DMZ-MAIL_ACCESS_IN extended deny ip dmz-mail-net 255.255.255.0 dmz-wifi-guest-net 255.255.252.0
access-list DMZ-MAIL_ACCESS_IN extended deny ip dmz-mail-net 255.255.255.0 dmz-guest-wlc-net 255.255.255.0
access-list DMZ-MAIL_ACCESS_IN extended permit tcp dmz-mail-net 255.255.255.0 any eq smtp
access-list DMZ-MAIL_ACCESS_IN extended permit icmp dmz-mail-net 255.255.255.0 any echo
access-list OUT-ACCESS-IN extended permit udp any host outside-dmvpn-1 eq 4500
access-list OUT-ACCESS-IN extended permit udp any host outside-dmvpn-1 eq isakmp
access-list OUT-ACCESS-IN extended permit esp any host outside-dmvpn-1
access-list OUT-ACCESS-IN extended permit icmp any host outside-dmvpn-1 echo
access-list OUT-ACCESS-IN extended permit icmp any host outside-dmvpn-1 echo-reply
access-list OUT-ACCESS-IN extended permit tcp any host outside-mail-1 eq smtp
access-list OUT-ACCESS-IN extended permit tcp any host outside-mail_B-1 eq smtp
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq https
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq www
access-list OUT-ACCESS-IN remark Arshad inserted this rule
access-list OUT-ACCESS-IN extended permit icmp any any
access-list WIFI-GUEST_NAT0_OUTBOUND extended permit ip dmz-wifi-guest-net 255.255.252.0 object-group NAT0-DMZ-EXEMPT
access-list WIFI-GUEST_NAT0_OUTBOUND extended permit ip dmz-wifi-guest-net 255.255.252.0 internal-net 255.254.0.0
access-list INSIDE_ACCESS_IN extended deny tcp internal-net 255.254.0.0 any eq telnet
access-list INSIDE_ACCESS_IN extended permit tcp internal-net 255.254.0.0 dmz-mail-net 255.255.255.0 eq smtp
access-list INSIDE_ACCESS_IN extended deny tcp internal-net 255.254.0.0 any eq smtp
access-list INSIDE_ACCESS_IN extended permit ip internal-net 255.254.0.0 any
access-list DMZ-WEB_ACCESS_IN extended permit object-group TCPUDP dmz-web-net 255.255.255.0 host dns-server eq domain
access-list DMZ-GUEST-WLC_ACCESS_IN remark For Guest Access Controller at 10.4.246.54
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit udp host dmz-guest-wlc object-group WLAN_Controllers eq 16666
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit 97 host dmz-guest-wlc object-group WLAN_Controllers
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit tcp host dmz-guest-wlc any eq 161
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit tcp host dmz-guest-wlc any eq 162
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit udp host dmz-guest-wlc any eq tftp
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit udp host dmz-guest-wlc eq bootpc host dns-server eq bootps
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit udp dmz-wifi-guest-net 255.255.252.0 host dns-server eq bootps
access-list DMZ-WIFI-GUEST_ACCESS_IN extended deny ip dmz-wifi-guest-net 255.255.252.0 internal-net 255.254.0.0
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit tcp dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0 eq www
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit tcp dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0 eq https
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit tcp dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0 eq ftp
access-list DMZ-WIFI-GUEST_ACCESS_IN extended deny ip dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0
access-list DMZ-WIFI-GUEST_ACCESS_IN extended deny ip dmz-wifi-guest-net 255.255.252.0 dmz-mail-net 255.255.255.0
access-list DMZ-WIFI-GUEST_ACCESS_IN extended deny ip dmz-wifi-guest-net 255.255.252.0 dmz-guest-wlc-net 255.255.255.0
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit ip dmz-wifi-guest-net 255.255.252.0 any
access-list dmz-wifi-guest_access_in extended deny ip dmz-wifi-guest-net 255.255.252.0 internal-net 255.254.0.0
access-list dmz-wifi-guest_access_in extended deny tcp dmz-wifi-guest-net 255.255.252.0 any eq telnet
access-list dmz-wifi-guest_access_in extended deny tcp dmz-wifi-guest-net 255.255.252.0 any eq smtp
access-list dmz-wifi-guest_access_in extended permit tcp dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0 object-group DM_INLINE_TCP_1
access-list dmz-wifi-guest_access_in extended deny ip dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0
access-list dmz-wifi-guest_access_in extended permit ip dmz-wifi-guest-net 255.255.252.0 any
access-list dmz-mail_access_in extended permit tcp dmz-mail-net 255.255.255.0 host inside-mail eq smtp
access-list dmz-mail_access_in extended permit object-group TCPUDP dmz-mail-net 255.255.255.0 host dns-server eq domain
access-list dmz-mail_access_in extended permit tcp dmz-mail-net 255.255.255.0 data-center-net 255.255.255.0 eq ftp
access-list dmz-mail_access_in extended permit tcp dmz-mail-net 255.255.255.0 data-center-net 255.255.255.0 eq ssh
access-list dmz-mail_access_in extended permit icmp dmz-mail-net 255.255.255.0 data-center-net 255.255.255.0
access-list dmz-mail_access_in remark Block all other traffic from mail net
access-list dmz-mail_access_in extended deny ip dmz-mail-net 255.255.255.0 internal-net 255.254.0.0
access-list dmz-mail_access_in extended permit tcp dmz-mail-net 255.255.255.0 any object-group DM_INLINE_TCP_2
access-list RA-FULL-TUNNEL_ACL standard permit any
access-list global_mpc extended permit ip any any
access-list RA_FullTunnelACL standard permit any
access-list WCCP_REDIRECT remark Do not redirect connections to these addresses
access-list WCCP_REDIRECT extended deny ip any object-group DM_INLINE_NETWORK_1
access-list WCCP_REDIRECT remark Redirect to all other IP addr’s
access-list WCCP_REDIRECT extended permit ip any any
access-list dmz-mail_nat0_outbound extended permit ip dmz-mail-net 255.255.255.0 internal-net 255.254.0.0
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 10.4.200.17
logging host inside 10.4.200.115
mtu inside 1500
mtu dmz-mail 1500
mtu dmz-web 1500
mtu dmz-guest-wlc 1500
mtu dmz-wifi-guest 1500
mtu dmz-vpn 1500
mtu outside 1500
mtu outside-17 1500
ip local pool ravpn-pool ra-pool-10.4.251.255 mask 255.255.252.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key *****
failover replication http
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.242.65 255.255.255.248 standby 10.4.242.66
monitor-interface dmz-mail
monitor-interface dmz-web
monitor-interface dmz-vpn
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND
nat (inside) 1 internal-net 255.254.0.0
nat (dmz-mail) 0 access-list dmz-mail_nat0_outbound
nat (dmz-mail) 1 dmz-mail-net 255.255.255.0
nat (dmz-web) 1 dmz-web-net 255.255.255.0
nat (dmz-wifi-guest) 0 access-list WIFI-GUEST_NAT0_OUTBOUND
nat (dmz-wifi-guest) 1 dmz-wifi-guest-net 255.255.252.0
static (dmz-vpn,outside) outside-dmvpn-1 dmz-dmvpn-1 netmask 255.255.255.255
static (dmz-mail,outside) outside-mail-1 dmz-C370 netmask 255.255.255.255
static (dmz-mail,outside) outside-mail_B-1 dmz-C370-B netmask 255.255.255.255
access-group INSIDE_ACCESS_IN in interface inside
access-group dmz-mail_access_in in interface dmz-mail
access-group DMZ-GUEST-WLC_ACCESS_IN in interface dmz-guest-wlc
access-group dmz-wifi-guest_access_in in interface dmz-wifi-guest
access-group OUT-ACCESS-IN in interface outside
!
router eigrp 100
no auto-summary
network 10.4.240.0 255.255.240.0
passive-interface default
no passive-interface inside
redistribute static
!
route outside 0.0.0.0 0.0.0.0 172.16.130.126 1
route inside 0.0.0.0 0.0.0.0 10.4.240.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map VPN-Group-AD-Map
map-name memberOf IETF-Radius-Class
map-value memberOf CN=vpn-partner,CN=Users,DC=cisco,DC=com bn-partner
map-value memberOf CN=vpn-user,CN=Users,DC=cisco,DC=com bn-user
dynamic-access-policy-record DfltAccessPolicy
aaa-server AAA-SERVER protocol radius
aaa-server AAA-SERVER (inside) host 10.4.200.15
key [SecretKey]
aaa-server AD protocol ldap
aaa-server AD (inside) host dns-server
server-port 389
ldap-base-dn CN=Users,DC=cisco,DC=local
ldap-naming-attribute sAMAccountName
ldap-login-password [cisco]
ldap-login-dn CN=ASA 5540,CN=Users,DC=cisco,DC=local
server-type microsoft
aaa authentication enable console AAA-SERVER LOCAL
aaa authentication ssh console AAA-SERVER LOCAL
http server enable
http internal-net 255.254.0.0 inside
http redirect outside 80
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server location
no snmp-server contact
snmp-server community [cisco]
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map BN_DYN_CRYPTO_MAP_1 101 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map BN_DYN_CRYPTO_MAP_1 101 set reverse-route
crypto dynamic-map BN_DYN_CRYPTO_MAP_2 102 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map BN_DYN_CRYPTO_MAP_2 102 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic BN_DYN_CRYPTO_MAP_1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
telnet timeout 5
ssh internal-net 255.254.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcprelay server dns-server inside
dhcprelay enable dmz-wifi-guest
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
wccp 90 redirect-list WCCP_REDIRECT
wccp interface inside 90 redirect in
ntp server 10.4.200.17 source inside
webvpn
enable dmz-wifi-guest
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 3
svc image disk0:/anyconnect-macosx-i386-2.5.0217-k9.pkg 4
svc enable
tunnel-group-list enable
group-policy 5505Group internal
group-policy 5505Group attributes
vpn-tunnel-protocol IPSec
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
user-authentication-idle-timeout 480
nem enable
group-policy DfltGrpPolicy attributes
dns-server value 10.4.200.10
vpn-tunnel-protocol IPSec svc webvpn
split-dns value cisco.local
address-pools value ravpn-pool
webvpn
svc ask none default svc
group-policy bn-adm-group internal
group-policy bn-adm-group attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
group-policy bn-user-group internal
group-policy bn-user-group attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
group-policy bn-partner-group internal
group-policy bn-partner-group attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
username 5505site5 password [c1sco123]
username 5505site5 attributes
vpn-group-policy 5505Group
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
user-authentication-idle-timeout 480
nem enable
username admin password [c1sco123] encrypted privilege 15
tunnel-group bn-user type remote-access
tunnel-group bn-user general-attributes
address-pool ravpn-pool
authentication-server-group AD
default-group-policy bn-user-group
tunnel-group bn-user webvpn-attributes
group-alias bn-user enable
group-url https://172.16.130.124/bn-user enable
tunnel-group bn-user ipsec-attributes
pre-shared-key [cisco]
tunnel-group bn-admin type remote-access
tunnel-group bn-admin general-attributes
address-pool ravpn-pool
default-group-policy bn-adm-group
tunnel-group bn-admin webvpn-attributes
group-alias bn-admin enable
group-url https://172.16.130.124/bn-admin enable
tunnel-group bn-admin ipsec-attributes
pre-shared-key [cisco]
tunnel-group bn-partner type remote-access
tunnel-group bn-partner general-attributes
address-pool ravpn-pool
authentication-server-group AD
default-group-policy bn-partner-group
tunnel-group bn-partner webvpn-attributes
group-alias bn-partner enable
group-url https://172.16.130.124/bn-partner enable
tunnel-group bn-partner ipsec-attributes
pre-shared-key [cisco]
tunnel-group RA5505 type remote-access
tunnel-group RA5505 general-attributes
default-group-policy 5505Group
tunnel-group RA5505 ipsec-attributes
pre-shared-key [cisco]
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class global-class
ips promiscuous fail-close
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ed9d61cebc3a992ec6d59da2b4eb13b1
: end
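As an added example that is not part of the Cisco guide, the following Python script audits the pre-8.3 access-list / access-group style used in the configuration above. It reports lists that are defined but never applied or referenced (ASA treats list names as case-sensitive, which is why the lower-case dmz-mail_access_in and dmz-wifi-guest_access_in bound by access-group are distinct from the upper-case DMZ-MAIL_ACCESS_IN and DMZ-WIFI-GUEST_ACCESS_IN left in the file, and why DMZ-WEB_ACCESS_IN never takes effect on dmz-web), named interfaces with no inbound list (which then fall back to security-level behaviour), entries shadowed by an identical earlier entry, and permit entries from any to any. The configuration embedded in the script is a constructed excerpt that imitates the page's conventions, and the check names and regular expressions are my own.

```python
"""Audit Cisco ASA (pre-8.3 syntax) access-list / access-group stanzas.

Added example, not part of the Cisco guide.  Checks:
  * lists defined with `access-list` that are never applied by `access-group`
    or referenced elsewhere (nat 0, WCCP redirect-list, split-tunnel lists,
    class-map match); ASA matches list names case-sensitively, so
    DMZ-MAIL_ACCESS_IN and dmz-mail_access_in are different lists
  * interfaces with a nameif but no inbound list, which are then governed by
    security levels alone
  * entries shadowed by an identical earlier entry in the same list
  * permit entries whose source and destination are both `any`
"""
import re
from collections import OrderedDict

# Constructed excerpt that imitates the conventions of the configuration
# above (hypothetical data, not the page's full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
interface GigabitEthernet0/1.1120
 nameif dmz-mail
interface GigabitEthernet0/1.1121
 nameif dmz-web
interface GigabitEthernet0/3
 nameif outside
access-list INSIDE_NAT0_OUTBOUND extended permit ip internal-net 255.254.0.0 dmz-web-net 255.255.255.0
access-list DMZ-MAIL_ACCESS_IN extended permit tcp dmz-mail-net 255.255.255.0 any eq smtp
access-list DMZ-WEB_ACCESS_IN extended permit udp dmz-web-net 255.255.255.0 host dns-server eq domain
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq https
access-list OUT-ACCESS-IN remark engineer inserted this rule
access-list OUT-ACCESS-IN extended permit icmp any any
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq https
access-list INSIDE_ACCESS_IN extended permit ip internal-net 255.254.0.0 any
access-list dmz-mail_access_in extended permit tcp dmz-mail-net 255.255.255.0 host inside-mail eq smtp
access-list dmz-mail_access_in extended deny ip dmz-mail-net 255.255.255.0 internal-net 255.254.0.0
nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND
access-group INSIDE_ACCESS_IN in interface inside
access-group dmz-mail_access_in in interface dmz-mail
access-group OUT-ACCESS-IN in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended|standard) (permit|deny) (.+)$")
BIND_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
# Other places a list name can be consumed without being bound to an interface.
REF_RE = re.compile(r"(?:\baccess-list|redirect-list|network-list value|vpn-filter value) (\S+)")
ANY_ANY_RE = re.compile(r"^\S+ any any(?: |$)")


def parse(config):
    """Return (acls, bindings, interfaces, referenced) from running-config text."""
    acls, bindings, interfaces, referenced = OrderedDict(), {}, [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := BIND_RE.match(line):
            bindings.setdefault(m.group(3), {})[m.group(2)] = m.group(1)
            referenced.add(m.group(1))
        elif m := NAMEIF_RE.match(line):
            interfaces.append(m.group(1))
        elif not line.startswith("access-list "):
            referenced.update(m.group(1) for m in REF_RE.finditer(line))
    return acls, bindings, interfaces, referenced


def audit(config):
    """Return a list of human-readable findings, empty when nothing is wrong."""
    acls, bindings, interfaces, referenced = parse(config)
    findings = []
    for name in acls:
        if name not in referenced:
            findings.append(f"unbound-acl: {name} is defined but never applied or referenced")
    for ifname in interfaces:
        if "in" not in bindings.get(ifname, {}):
            findings.append(f"no-inbound-acl: interface {ifname} relies on security levels only")
    for name, entries in acls.items():
        seen = set()
        for action, match in entries:
            if match in seen:
                findings.append(f"shadowed: {name} '{action} {match}' duplicates an earlier entry")
            seen.add(match)
            if action == "permit" and ANY_ANY_RE.match(match):
                findings.append(f"any-any: {name} permits '{match}'")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text):
        print(finding)
```

Run it with a saved running-config as the only argument; with no argument it audits the embedded sample and reports the two orphaned upper-case lists, the unprotected dmz-web interface, the any-to-any ICMP permit on the outside list and the duplicated HTTPS entry. The shadow check is deliberately literal (identical match text only); a full overlap analysis would need to expand the object-groups and named hosts, which the script does not attempt.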
ASA 5540 b Internet Edge 5K
Tech Tip

This is not the full configuration of the ASA. It is the minimal configuration that, once applied, lets the unit join the failover pair; the rest of the configuration is then replicated from the active (primary) unit. It requires that the primary unit already be installed and configured.
interface GigabitEthernet0/2
no shutdown
!
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key [cisco]
failover replication http
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.242.65 255.255.255.248 standby 10.4.242.66
ASA-SSM-40 a (IPS Module)
Tech Tip

Unlike the raw output of show config on the sensor, the content below can be cut and pasted into the sensor CLI, because of the extra blank line between each service section.
! ------------------------------
! Current configuration last modified Thu Jun 03 13:58:29 2010
! ------------------------------
! Version 7.0(2)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S482.0   2010-04-06
! ------------------------------
service interface
exit

! ------------------------------
service authentication
exit

! ------------------------------
service event-action-rules rules0
exit

! ------------------------------
service host
network-settings
host-ip 10.4.240.28/27,10.4.240.1
host-name SSM-40-A
telnet-option disabled
access-list 10.0.0.0/8
dns-primary-server enabled
address 10.4.200.10
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -480
standard-time-zone-name GMT-08:00
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 10.4.200.17
exit
summertime-option recurring
summertime-zone-name GMT-08:00
exit
exit

! ------------------------------
service logger
exit

! ------------------------------
service network-access
exit

! ------------------------------
service notification
exit

! ------------------------------
service signature-definition sig0
signatures 2000 0
status
enabled true
exit
exit
signatures 2004 0
status
enabled true
exit
exit
exit

! ------------------------------
service ssh-known-hosts
exit

! ------------------------------
service trusted-certificates
exit

! ------------------------------
service web-server
exit

! ------------------------------
service anomaly-detection ad0
exit

! ------------------------------
service external-product-interface
exit

! ------------------------------
service health-monitor
exit

! ------------------------------
service global-correlation
network-participation partial
exit

! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
ASA-SSM-40 b (IPS Module)
! ------------------------------
! Current configuration last modified Thu May 27 17:09:01 2010
! ------------------------------
! Version 7.0(2)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S425.0   2009-08-17
!     Virus Update        V1.4     2007-03-02
! ------------------------------
service interface
exit

! ------------------------------
service authentication
exit

! ------------------------------
service event-action-rules rules0
exit

! ------------------------------
service host
network-settings
host-ip 10.4.240.27/27,10.4.240.1
host-name SSM-40-B
telnet-option disabled
access-list 10.0.0.0/8
dns-primary-server enabled
address 10.4.200.10
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -480
standard-time-zone-name GMT-08:00
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 10.4.200.17
exit
summertime-option recurring
summertime-zone-name UTC
exit
exit

! ------------------------------
service logger
exit

! ------------------------------
service network-access
exit

! ------------------------------
service notification
exit

! ------------------------------
service signature-definition sig0
signatures 2000 0
status
enabled true
exit
exit
signatures 2004 0
status
enabled true
exit
exit
exit

! ------------------------------
service ssh-known-hosts
exit

! ------------------------------
service trusted-certificates
exit

! ------------------------------
service web-server
exit

! ------------------------------
service anomaly-detection ad0
exit

! ------------------------------
service external-product-interface
exit

! ------------------------------
service health-monitor
exit

! ------------------------------
service global-correlation
exit

! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
ASA 5540 a (Firewall only) Internet Edge 10K
ASA Version 8.2(2)
!
hostname asa5540A
domain-name cisco.local
enable password c1sco123
passwd c1sco123
names
name 172.16.130.1 outside-dmvpn-1
name 172.16.130.16 outside-mail-1 description email address on ISP A
name 10.4.200.10 dns-server
name 10.4.244.0 dmz-mail-net
name 10.4.0.0 internal-net
name 10.4.246.0 dmz-guest-wlc-net
name 10.4.246.54 dmz-guest-wlc
name 192.168.16.0 dmz-wifi-guest-net
name 10.4.245.0 dmz-web-net
name 10.4.248.0 ra-pool
name 10.4.128.32 dmz-dmvpn
name 10.4.128.33 dmz-dmvpn-1
name 10.4.128.34 dmz-dmvpn-2
name 10.4.200.25 inside-mail
name 10.4.244.16 dmz-C370
name 172.17.130.16 outside-mail-2 description Email address on ISP B
name 10.4.200.0 data-center-net
name 10.4.244.20 dmz-C370-B
name 172.16.130.17 outside-mail_B-1 description Address for C370B in ISP A
name 172.17.130.17 outside-mail_B-2 description Address for C370B in ISP B
!
interface GigabitEthernet0/0
no shutdown
nameif inside
security-level 100
ip address 10.4.240.30 255.255.255.224 standby 10.4.240.29
!
interface GigabitEthernet0/1
no shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.1120
vlan 1120
nameif dmz-mail
security-level 50
ip address 10.4.244.1 255.255.255.0 standby 10.4.244.2
!
interface GigabitEthernet0/1.1121
vlan 1121
nameif dmz-web
security-level 50
ip address 10.4.245.1 255.255.255.0 standby 10.4.245.2
!
interface GigabitEthernet0/1.1122
vlan 1122
nameif dmz-guest-wlc
security-level 50
ip address 10.4.246.1 255.255.255.0 standby 10.4.246.2
!
interface GigabitEthernet0/1.1126
vlan 1126
nameif dmz-wifi-guest
security-level 10
ip address 192.168.16.1 255.255.252.0
!
interface GigabitEthernet0/1.1128
vlan 1128
nameif dmz-vpn
security-level 75
ip address 10.4.128.35 255.255.255.248
!
interface GigabitEthernet0/2
no shutdown
!
interface GigabitEthernet0/3
no shutdown
description uplink to out-3750 stack port port x/0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.16
vlan 16
nameif outside-16
security-level 0
ip address 172.16.130.124 255.255.255.0 standby 172.16.130.123
!
interface GigabitEthernet0/3.17
vlan 17
nameif outside-17
security-level 0
ip address 172.17.130.124 255.255.255.0 standby 172.17.130.123
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone PACIFIC -7
dns server-group DefaultDNS
domain-name cisco.local
object-group network NAT0-DMZ-EXEMPT
network-object dmz-web-net 255.255.255.0
network-object dmz-mail-net 255.255.255.0
network-object dmz-guest-wlc-net 255.255.255.0
network-object dmz-wifi-guest-net 255.255.252.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network WLAN_Controllers
network-object host 10.4.56.64
network-object host 10.4.56.65
network-object host 10.4.56.66
network-object host 10.4.56.67
network-object host 10.4.56.68
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq smtp
access-list INSIDE_NAT0_OUTBOUND extended permit ip internal-net 255.254.0.0 object-group NAT0-DMZ-EXEMPT
access-list DMZ-MAIL_ACCESS_IN extended permit object-group TCPUDP dmz-mail-net 255.255.255.0 host dns-server eq domain
access-list DMZ-MAIL_ACCESS_IN extended deny ip dmz-mail-net 255.255.255.0 internal-net 255.254.0.0
access-list DMZ-MAIL_ACCESS_IN extended deny ip dmz-mail-net 255.255.255.0 dmz-web-net 255.255.255.0
access-list DMZ-MAIL_ACCESS_IN extended deny ip dmz-mail-net 255.255.255.0 dmz-wifi-guest-net 255.255.252.0
access-list DMZ-MAIL_ACCESS_IN extended deny ip dmz-mail-net 255.255.255.0 dmz-guest-wlc-net 255.255.255.0
access-list DMZ-MAIL_ACCESS_IN extended permit tcp dmz-mail-net 255.255.255.0 any eq smtp
access-list DMZ-MAIL_ACCESS_IN extended permit icmp dmz-mail-net 255.255.255.0 any echo
access-list OUT-ACCESS-IN extended permit udp any host outside-dmvpn-1 eq 4500
access-list OUT-ACCESS-IN extended permit udp any host outside-dmvpn-1 eq isakmp
access-list OUT-ACCESS-IN extended permit esp any host outside-dmvpn-1
access-list OUT-ACCESS-IN extended permit icmp any host outside-dmvpn-1 echo
access-list OUT-ACCESS-IN extended permit icmp any host outside-dmvpn-1 echo-reply
access-list OUT-ACCESS-IN extended permit tcp any host outside-mail-1 eq smtp
access-list OUT-ACCESS-IN extended permit tcp any host outside-mail_B-1 eq smtp
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq https
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq www
access-list OUT-ACCESS-IN remark Arshad inserted this rule
access-list OUT-ACCESS-IN extended permit icmp any any
access-list WIFI-GUEST_NAT0_OUTBOUND extended permit ip dmz-wifi-guest-net 255.255.252.0 object-group NAT0-DMZ-EXEMPT
access-list WIFI-GUEST_NAT0_OUTBOUND extended permit ip dmz-wifi-guest-net 255.255.252.0 internal-net 255.254.0.0
access-list INSIDE_ACCESS_IN extended deny tcp internal-net 255.254.0.0 any eq telnet
access-list INSIDE_ACCESS_IN extended permit tcp internal-net 255.254.0.0 dmz-mail-net 255.255.255.0 eq smtp
access-list INSIDE_ACCESS_IN extended deny tcp internal-net 255.254.0.0 any eq smtp
access-list INSIDE_ACCESS_IN extended permit ip internal-net 255.254.0.0 any
access-list DMZ-WEB_ACCESS_IN extended permit object-group TCPUDP dmz-web-net 255.255.255.0 host dns-server eq domain
access-list DMZ-GUEST-WLC_ACCESS_IN remark For Guest Access Controller at 10.4.246.54
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit udp host dmz-guest-wlc object-group WLAN_Controllers eq 16666
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit 97 host dmz-guest-wlc object-group WLAN_Controllers
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit tcp host dmz-guest-wlc any eq 161
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit tcp host dmz-guest-wlc any eq 162
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit udp host dmz-guest-wlc any eq tftp
access-list DMZ-GUEST-WLC_ACCESS_IN extended permit udp host dmz-guest-wlc eq bootpc host dns-server eq bootps
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit udp dmz-wifi-guest-net 255.255.252.0 host dns-server eq bootps
access-list DMZ-WIFI-GUEST_ACCESS_IN extended deny ip dmz-wifi-guest-net 255.255.252.0 internal-net 255.254.0.0
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit tcp dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0 eq www
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit tcp dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0 eq https
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit tcp dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0 eq ftp
access-list DMZ-WIFI-GUEST_ACCESS_IN extended deny ip dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0
access-list DMZ-WIFI-GUEST_ACCESS_IN extended deny ip dmz-wifi-guest-net 255.255.252.0 dmz-mail-net 255.255.255.0
access-list DMZ-WIFI-GUEST_ACCESS_IN extended deny ip dmz-wifi-guest-net 255.255.252.0 dmz-guest-wlc-net 255.255.255.0
access-list DMZ-WIFI-GUEST_ACCESS_IN extended permit ip dmz-wifi-guest-net 255.255.252.0 any
access-list dmz-wifi-guest_access_in extended deny ip dmz-wifi-guest-net 255.255.252.0 internal-net 255.254.0.0
access-list dmz-wifi-guest_access_in extended deny tcp dmz-wifi-guest-net 255.255.252.0 any eq telnet
access-list dmz-wifi-guest_access_in extended deny tcp dmz-wifi-guest-net 255.255.252.0 any eq smtp
access-list dmz-wifi-guest_access_in extended permit tcp dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0 object-group DM_INLINE_TCP_1
access-list dmz-wifi-guest_access_in extended deny ip dmz-wifi-guest-net 255.255.252.0 dmz-web-net 255.255.255.0
access-list dmz-wifi-guest_access_in extended permit ip dmz-wifi-guest-net 255.255.252.0 any
access-list dmz-mail_access_in extended permit tcp dmz-mail-net 255.255.255.0 host inside-mail eq smtp
access-list dmz-mail_access_in extended permit object-group TCPUDP dmz-mail-net 255.255.255.0 host dns-server eq domain
access-list dmz-mail_access_in extended permit tcp dmz-mail-net 255.255.255.0 data-center-net 255.255.255.0 eq ftp
access-list dmz-mail_access_in extended permit tcp dmz-mail-net 255.255.255.0 data-center-net 255.255.255.0 eq ssh
access-list dmz-mail_access_in extended permit icmp dmz-mail-net 255.255.255.0 data-center-net 255.255.255.0
access-list dmz-mail_access_in remark Block all other traffic from mail net
access-list dmz-mail_access_in extended deny ip dmz-mail-net 255.255.255.0 internal-net 255.254.0.0
access-list dmz-mail_access_in extended permit tcp dmz-mail-net 255.255.255.0 any object-group DM_INLINE_TCP_2
access-list global_mpc extended permit ip any any
access-list RA_FullTunnelACL standard permit any
access-list WCCP_REDIRECT remark Do not redirect connections to these addresses
access-list WCCP_REDIRECT extended deny ip any object-group DM_INLINE_NETWORK_1
access-list WCCP_REDIRECT remark Redirect to all other IP addr’s
access-list WCCP_REDIRECT extended permit ip any any
access-list outside-17_access extended permit tcp any host outside-mail-2 eq smtp
access-list outside-17_access extended permit tcp any host outside-mail_B-2 eq smtp
access-list dmz-mail_nat0_outbound extended permit ip dmz-mail-net 255.255.255.0 internal-net 255.254.0.0
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 10.4.200.17
logging host inside 10.4.200.115
mtu inside 1500
mtu dmz-mail 1500
mtu dmz-web 1500
mtu dmz-guest-wlc 1500
mtu dmz-wifi-guest 1500
mtu dmz-vpn 1500
mtu outside-16 1500
mtu outside-17 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key *****
failover replication http
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.242.65 255.255.255.248 standby 10.4.242.66
monitor-interface dmz-mail
monitor-interface dmz-web
monitor-interface dmz-vpn
monitor-interface outside-16
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside-16
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside-16) 1 interface
global (outside-17) 1 interface
nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND
nat (inside) 1 internal-net 255.254.0.0
nat (dmz-mail) 0 access-list dmz-mail_nat0_outbound
nat (dmz-mail) 1 dmz-mail-net 255.255.255.0
nat (dmz-web) 1 dmz-web-net 255.255.255.0
nat (dmz-wifi-guest) 0 access-list WIFI-GUEST_NAT0_OUTBOUND
nat (dmz-wifi-guest) 1 dmz-wifi-guest-net 255.255.252.0
static (dmz-vpn,outside-16) outside-dmvpn-1 dmz-dmvpn-1 netmask 255.255.255.255
static (dmz-mail,outside-16) outside-mail-1 dmz-C370 netmask 255.255.255.255
static (dmz-mail,outside-17) outside-mail-2 dmz-C370 netmask 255.255.255.255
static (dmz-mail,outside-16) outside-mail_B-1 dmz-C370-B netmask 255.255.255.255
static (dmz-mail,outside-17) outside-mail_B-2 dmz-C370-B netmask 255.255.255.255
access-group INSIDE_ACCESS_IN in interface inside
access-group dmz-mail_access_in in interface dmz-mail
access-group DMZ-GUEST-WLC_ACCESS_IN in interface dmz-guest-wlc
access-group dmz-wifi-guest_access_in in interface dmz-wifi-guest
access-group OUT-ACCESS-IN in interface outside-16
access-group outside-17_access in interface outside-17
!
router eigrp 100
no auto-summary
network 10.4.240.0 255.255.240.0
passive-interface default
no passive-interface inside
redistribute static
!
route outside-16 0.0.0.0 0.0.0.0 172.16.130.126 1 track 1
route outside-17 0.0.0.0 0.0.0.0 172.17.130.126 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AAA-SERVER protocol radius
aaa-server AAA-SERVER (inside) host 10.4.200.15
key [SecretKey]
aaa authentication enable console AAA-SERVER LOCAL
aaa authentication ssh console AAA-SERVER LOCAL
http server enable
http internal-net 255.254.0.0 inside
http redirect outside-16 80
no snmp-server location
no snmp-server contact
snmp-server community [cisco]
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 16
type echo protocol ipIcmpEcho 10.194.112.65 interface outside-16
num-packets 3
frequency 10
sla monitor schedule 16 life forever start-time now
service resetoutside
!
track 1 rtr 16 reachability
telnet timeout 5
ssh internal-net 255.254.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside-16
ssh timeout 5
ssh version 2
console timeout 0
dhcprelay server dns-server inside
dhcprelay enable dmz-wifi-guest
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
wccp 90 redirect-list WCCP_REDIRECT
wccp interface inside 90 redirect in
ntp server 10.4.200.17 source inside
username admin password w2Y.6Op4j7clVDk2 encrypted privilege 15
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class global-class
ips promiscuous fail-close
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ed9d61cebc3a992ec6d59da2b4eb13b1
: end
ASA 5540 b (Firewall only) Internet Edge 10K
Tech Tip
This is not the configuration of the ASA. It is the configuration that, when
applied, allows the unit to become part of a failover pair. It requires that
the primary unit already be installed and configured.
interface GigabitEthernet0/1
no shutdown
!
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key [cisco]
failover replication http
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.242.65 255.255.255.248 standby 10.4.242.66
ASA 5520 a (Remote Access VPN only) Internet Edge 10K
ASA Version 8.2(2)
!
hostname ASA5520
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.4.200.10 dns-server
name 10.4.0.0 internal-net
name 10.4.248.0 ra-pool
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.4.240.24 255.255.255.224 standby 10.4.240.23
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.16
vlan 16
nameif outside-16
security-level 0
ip address 172.16.130.122 255.255.255.0 standby 172.16.130.121
!
interface GigabitEthernet0/3.17
vlan 17
nameif outside-17
security-level 0
ip address 172.17.130.122 255.255.255.0 standby 172.17.130.121
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list RA_SplitTunnelACL standard permit internal-net 255.254.0.0
access-list inside_nat0_outbound extended permit ip any ra-pool 255.255.252.0
access-list RA_FullTunnelACL standard permit any
access-list redistribute-list standard permit ra-pool 255.255.252.0
pager lines 24
mtu inside 1500
mtu outside-16 1500
mtu outside-17 1500
ip local pool ravpn-pool ra-pool-10.4.251.255 mask 255.255.252.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key *****
failover replication http
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.242.73 255.255.255.248 standby 10.4.242.74
monitor-interface outside-16
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
!
route-map redistribute-map permit 1
match ip address redistribute-list
!
!
router eigrp 100
no auto-summary
network internal-net 255.254.0.0
passive-interface default
no passive-interface inside
redistribute static route-map redistribute-map
!
route outside-16 0.0.0.0 0.0.0.0 172.16.130.126 1 track 1
route outside-17 0.0.0.0 0.0.0.0 172.17.130.126 254
route inside 0.0.0.0 0.0.0.0 10.4.240.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map VPN-Group-AD-Map
map-name memberOf IETF-Radius-Class
map-value memberOf CN=vpn-partner,CN=Users,DC=cisco,DC=com bn-partner
map-value memberOf CN=vpn-user,CN=Users,DC=cisco,DC=com bn-user
dynamic-access-policy-record DfltAccessPolicy
aaa-server AAA-SERVER protocol radius
aaa-server AAA-SERVER (inside) host 10.4.200.15
key [SecretKey]
aaa-server AD protocol ldap
aaa-server AD (inside) host dns-server
server-port 389
ldap-base-dn CN=Users,DC=cisco,DC=local
ldap-naming-attribute sAMAccountName
ldap-login-password [cisco]
ldap-login-dn CN=ASA 5520,CN=Users,DC=cisco,DC=local
server-type microsoft
aaa authentication enable console AAA-SERVER LOCAL
aaa authentication ssh console AAA-SERVER LOCAL
http server enable
http internal-net 255.254.0.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 16
type echo protocol ipIcmpEcho 10.194.112.65 interface outside-16
num-packets 3
frequency 10
sla monitor schedule 16 life forever start-time now
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map BN_DYN_CRYPTO_MAP_1 101 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map BN_DYN_CRYPTO_MAP_1 101 set reverse-route
crypto dynamic-map BN_DYN_CRYPTO_MAP_2 102 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map BN_DYN_CRYPTO_MAP_2 102 set reverse-route
crypto map outside-16_map 65535 ipsec-isakmp dynamic BN_DYN_CRYPTO_MAP_1
crypto map outside-16_map interface outside-16
crypto map outside-17_map 65535 ipsec-isakmp dynamic BN_DYN_CRYPTO_MAP_2
crypto map outside-17_map interface outside-17
crypto isakmp enable outside-16
crypto isakmp enable outside-17
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
track 1 rtr 16 reachability
telnet timeout 5
ssh internal-net 255.254.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
tls-proxy maximum-session 1200
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.4.200.17 source inside
webvpn
enable outside-16
enable outside-17
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 3
svc image disk0:/anyconnect-macosx-i386-2.5.0217-k9.pkg 4
svc enable
tunnel-group-list enable
group-policy 5505Group internal
group-policy 5505Group attributes
vpn-group-policy 5505Group
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
user-authentication-idle-timeout 480
nem enable
group-policy DfltGrpPolicy attributes
dns-server value 10.4.200.10
vpn-tunnel-protocol IPSec svc webvpn
split-dns value cisco.local
address-pools value ravpn-pool
webvpn
svc ask none default svc
group-policy bn-adm-group internal
group-policy bn-adm-group attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
group-policy bn-user-group internal
group-policy bn-user-group attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
group-policy bn-partner-group internal
group-policy bn-partner-group attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
username 5505site5 password [c1sco123]
username 5505site5 attributes
vpn-group-policy 5505Group
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_FullTunnelACL
user-authentication-idle-timeout 480
nem enable
username admin password [c1sco123] encrypted privilege 15
tunnel-group bn-user type remote-access
tunnel-group bn-user general-attributes
address-pool ravpn-pool
authentication-server-group AD
default-group-policy bn-user-group
tunnel-group bn-user webvpn-attributes
group-alias bn-user enable
group-url https://172.16.130.122/bn-user enable
group-url https://172.17.130.122/bn-user enable
tunnel-group bn-user ipsec-attributes
pre-shared-key [cisco]
tunnel-group bn-admin type remote-access
tunnel-group bn-admin general-attributes
address-pool ravpn-pool
default-group-policy bn-adm-group
tunnel-group bn-admin webvpn-attributes
group-alias bn-admin enable
group-url https://172.16.130.122/bn-admin enable
group-url https://172.17.130.122/bn-admin enable
tunnel-group bn-admin ipsec-attributes
pre-shared-key [cisco]
tunnel-group bn-partner type remote-access
tunnel-group bn-partner general-attributes
address-pool ravpn-pool
authentication-server-group AD
default-group-policy bn-partner-group
tunnel-group bn-partner webvpn-attributes
group-alias bn-partner enable
group-url https://172.16.130.122/bn-partner enable
group-url https://172.17.130.122/bn-partner enable
tunnel-group bn-partner ipsec-attributes
pre-shared-key [cisco]
tunnel-group RA5505 type remote-access
tunnel-group RA5505 general-attributes
default-group-policy 5505Group
tunnel-group RA5505 ipsec-attributes
pre-shared-key [cisco]
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:168120830ff94b707f03b7457a67a38b
: end
ASA 5520 b (Remote Access VPN only) Internet Edge 10K
Tech Tip
This is not the configuration of the ASA. It is the configuration that, when
applied, allows the unit to become part of a failover pair. It requires that
the primary unit already be installed and configured.
interface GigabitEthernet0/2
no shutdown
!
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key [cisco]
failover replication http
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.242.73 255.255.255.248 standby 10.4.242.74
Outside 3750
Current configuration : 4951 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname out-3750
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
switch 2 provision ws-c3750g-24ps
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
!
!
!
!
crypto pki trustpoint TP-self-signed-3398555264
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3398555264
revocation-check none
rsakeypair TP-self-signed-3398555264
!
!
crypto pki certificate chain TP-self-signed-3398555264
certificate self-signed 01
30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333938 35353532 3634301E 170D3933 30333031 30303031
33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33393835
35353236 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AE3B B3C1DB46 C135C457 31032217 01612602 87356D55 5DA2AA71 817AC9D1
3BFA8FE4 D9BA9036 1F87E35F 2F4FAC0A FA8CCD54 75759EBF 69B4CE1A BB9E6D3E
1DE084CB 259C234F C3EFD7FD 842F5364 CAF0BB7C 1B2B6FB3 2A05394B 7920DC9F
6C10B9C2 F4B0E7A2 F5FE375F 2C1A831D F993A2A3 106FD4A6 580FD16B 4E36AA32
4C910203 010001A3 69306730 0F060355 1D130101 FF040530 030101FF 30140603
551D1104 0D300B82 096F7574 2D333735 302E301F 0603551D 23041830 16801438
2D1A42A2 E3A91351 620CAB5A 41A0F31B 8B6EF330 1D060355 1D0E0416 0414382D
1A42A2E3 A9135162 0CAB5A41 A0F31B8B 6EF3300D 06092A86 4886F70D 01010405
00038181 003DBB92 6B4E16EA 62FCB5DA 7F5CF3D7 BE5BC356 8053627E 1A043AD4
EDE91C06 378E6E34 796D1432 C0A6294A 83EE960D 6AAB121F 6042B6C3 7850EACB
3E782B1C 9A87A8BC 4D450FFC 82CB45BE 60ACA864 0F8933F9 2B732F28 E3F541C6
23E8D094 94331F96 376FB6F6 D1680993 24D5F69F 0AF854CA C9A87DB3 408FE524
6A630A84 D6
quit
!
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 16
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,17
switchport mode trunk
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,17
switchport mode trunk
!
interface GigabitEthernet1/0/5
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,17
switchport mode trunk
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet2/0/1
switchport access vlan 17
!
interface GigabitEthernet2/0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,17
switchport mode trunk
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,17
switchport mode trunk
!
interface GigabitEthernet2/0/5
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,17
switchport mode trunk
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
!
interface GigabitEthernet2/0/24
!
interface GigabitEthernet2/0/25
!
interface GigabitEthernet2/0/26
!
interface GigabitEthernet2/0/27
!
interface GigabitEthernet2/0/28
!
interface Vlan1
no ip address
!
interface Vlan16
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.16.1
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
!
!
line con 0
exec-timeout 0 0
line vty 0 4
login
line vty 5 15
login
!
end
DMZ 3750
Current configuration : 4443 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DMZ-3750
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
vtp mode transparent
ip subnet-zero
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
vlan 1120-1128
!
interface Port-channel1
!
interface Port-channel3
description ACE 1 port 1/1
switchport access vlan 1128
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1121
switchport mode trunk
!
interface Port-channel4
description ACE 1 port 1/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1121
switchport mode trunk
!
interface Port-channel5
description ACE 2 port 1/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1121
switchport mode trunk
!
interface Port-channel6
description ACE 2 port 1/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1121
switchport mode trunk
!
interface Port-channel20
description LAG port for Wireless Guest Access Controller
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1122,1126
switchport mode trunk
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
description Connection to Ironport C370
switchport access vlan 1120
!
interface GigabitEthernet1/0/3
description ACE 1 inter 1/1 ******
switchport access vlan 1128
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1121
switchport mode trunk
channel-group 3 mode on
spanning-tree portfast
!
interface GigabitEthernet1/0/4
description ACE 1 inter 1/2 ******
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1121
switchport mode trunk
channel-group 3 mode on
!
interface GigabitEthernet1/0/5
description ACE 2 inter 1/1 ********
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1121
switchport mode trunk
channel-group 5 mode on
!
interface GigabitEthernet1/0/6
description ACE 2 inter 1/2 ********
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1121
switchport mode trunk
channel-group 5 mode on
!
interface GigabitEthernet1/0/7
description vpn-asr1006-1
switchport access vlan 1128
spanning-tree portfast
!
interface GigabitEthernet1/0/8
description vpn-asr1006-2
switchport access vlan 1128
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1122,1126
switchport mode trunk
channel-group 20 mode on
!
interface GigabitEthernet1/0/10
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1122,1126
switchport mode trunk
channel-group 20 mode on
!
interface GigabitEthernet1/0/11
description vpn-7206-1 gig0/3
switchport access vlan 1128
shutdown
!
interface GigabitEthernet1/0/12
description vpn-7206-2 gig0/3
switchport access vlan 1128
!
interface GigabitEthernet1/0/13
description Wireless Guest DHCP Server
switchport access vlan 1126
spanning-tree portfast
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
description vpn-3945e gig0/2
switchport access vlan 1128
shutdown
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
description uplink to 6504L (VMWare server connection)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1120-1128
switchport mode trunk
!
interface GigabitEthernet1/0/23
description uplink to 5540-1 DMZ port Gi 0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1120-1128
switchport mode trunk
!
interface GigabitEthernet1/0/24
description uplink to 5540-2 DMZ port Gi 0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1120-1128
switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
!
interface Vlan1120
ip address 10.4.241.5 255.255.255.0
!
interface Vlan1121
ip address 10.4.245.254 255.255.255.0
!
interface Vlan1122
no ip address
!
ip classless
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4
no login
line vty 5 15
no login
!
end
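The DMZ-3750 configuration above is a lab build: its vty lines use `no login`, passwords are stored unencrypted and plain HTTP management stays enabled. As an added example (not part of the guide), the following script parses an IOS running-config and flags those settings; the excerpt is constructed to mirror the DMZ-3750 config and assumes `show running-config` layout with line sub-commands indented one space.

```python
"""Flag weak management settings in an IOS switch config (added example, not from the guide)."""

# Constructed excerpt mirroring the DMZ-3750 configuration in this guide,
# in `show running-config` layout (line sub-commands indented one space).
SAMPLE_CONFIG = """\
hostname DMZ-3750
no aaa new-model
no service password-encryption
ip http server
ip http secure-server
line con 0
line vty 0 4
 no login
line vty 5 15
 no login
end
"""

def parse_line_blocks(config):
    """Return {'vty 0 4': ['no login', ...], ...} for every `line` stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("line "):
            current = line[5:]
            blocks[current] = []
        elif line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # back at global configuration level
    return blocks

def audit(config):
    """Return findings (strings); an empty list means nothing was flagged."""
    top_level = {ln.strip() for ln in config.splitlines()}
    checks = {
        "no aaa new-model": "AAA disabled: no centralized authentication for management",
        "no service password-encryption": "local passwords stored in clear text",
        "ip http server": "plain-text HTTP management enabled",
    }
    findings = [msg for cmd, msg in checks.items() if cmd in top_level]
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        if "no login" in cmds:
            findings.append(f"line {name}: remote login without authentication")
        if not any(c.startswith("transport input") for c in cmds):
            findings.append(f"line {name}: transport input not restricted to SSH")
    return findings
```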
ACE Server Load Balancing
ACE 4710-1
boot system image:c4710ace-mz.A3_2_5.bin
boot system image:c4710ace-mz.A3_2_0.bin
peer hostname ace-4710-2
hostname ace-4710-1
interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
switchport trunk allowed vlan 12
no shutdown
interface gigabitEthernet 1/4
shutdown
interface port-channel 1
switchport trunk allowed vlan 1121
no shutdown
access-list ALL line 8 extended permit ip any any
probe http http-probe
interval 15
passdetect interval 60
request method head
expect status 200 200
open 1
rserver host webserver1
ip address 10.4.245.112
inservice
rserver host webserver2
ip address 10.4.245.113
inservice
serverfarm host webfarm
probe http-probe
rserver webserver1 80
inservice
rserver webserver2 80
inservice
class-map match-all http-vip
2 match virtual-address 10.4.245.100 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match http-vip-17slb
class class-default
serverfarm webfarm
policy-map multi-match int1121
class http-vip
loadbalance vip inservice
loadbalance policy http-vip-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1121
interface vlan 1121
ip address 10.4.245.22 255.255.255.0
peer ip address 10.4.245.21 255.255.255.0
access-group input ALL
nat-pool 1 10.4.245.99 10.4.245.99 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int1121
no shutdown
ft interface vlan 12
ip address 10.10.12.11 255.255.255.0
peer ip address 10.10.12.12 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 12
ft group 1
peer 1
peer priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.4.245.1
username admin password 5 $1$B3h9fdMd$Z421F/bPKKmRhoc/.L8dq1 role Admin
domain default-domain
username www password 5 $1$CjdxXlER$U78nAgDUH9Sdi7RRu60VU1 role Admin
domain default-domain
ACE 4710-2
boot system image:c4710ace-mz.A3_2_5.bin
boot system image:c4710ace-mz.A3_2_0.bin
hostname ace-4710-2
interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
switchport trunk allowed vlan 12
no shutdown
interface gigabitEthernet 1/4
shutdown
interface port-channel 1
switchport trunk allowed vlan 1121
no shutdown
access-list ALL line 8 extended permit ip any any
probe http http-probe
interval 15
passdetect interval 60
request method head
expect status 200 200
open 1
rserver host webserver1
ip address 10.4.245.112
inservice
rserver host webserver2
ip address 10.4.245.113
inservice
serverfarm host webfarm
probe http-probe
rserver webserver1 80
inservice
rserver webserver2 80
inservice
class-map match-all http-vip
2 match virtual-address 10.4.245.100 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match http-vip-17slb
class class-default
serverfarm webfarm
policy-map multi-match int1121
class http-vip
loadbalance vip inservice
loadbalance policy http-vip-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1121
interface vlan 1121
ip address 10.4.245.21 255.255.255.0
peer ip address 10.4.245.22 255.255.255.0
access-group input ALL
nat-pool 1 10.4.245.99 10.4.245.99 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int1121
no shutdown
ft interface vlan 12
ip address 10.10.12.12 255.255.255.0
peer ip address 10.10.12.11 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 12
ft group 1
peer 1
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.4.245.1
username admin password 5 $1$B3h9fdMd$Z421F/bPKKmRhoc/.L8dq1 role Admin
domain default-domain
username www password 5 $1$CjdxXlER$U78nAgDUH9Sdi7RRu60VU1 role Admin
domain default-domain
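The two ACE 4710 configurations above form a fault-tolerant pair, so the `ip address` and `peer ip address` entries on VLAN 1121 and on the FT VLAN 12 must mirror each other, and both peers must define the same virtual address. As an added example (not part of the guide), the following script parses both configs and reports drift between them; the excerpts are constructed from the configurations above and assume `show running-config` layout with sub-commands indented.

```python
"""Compare an ACE active/standby pair for config drift (added example, not from the guide)."""
import re

# Constructed excerpts of the ACE 4710-1 / 4710-2 configs above, sub-commands indented.
ACE1 = """\
interface vlan 1121
  ip address 10.4.245.22 255.255.255.0
  peer ip address 10.4.245.21 255.255.255.0
ft interface vlan 12
  ip address 10.10.12.11 255.255.255.0
  peer ip address 10.10.12.12 255.255.255.0
class-map match-all http-vip
  2 match virtual-address 10.4.245.100 tcp eq www
"""
ACE2 = """\
interface vlan 1121
  ip address 10.4.245.21 255.255.255.0
  peer ip address 10.4.245.22 255.255.255.0
ft interface vlan 12
  ip address 10.10.12.12 255.255.255.0
  peer ip address 10.10.12.11 255.255.255.0
class-map match-all http-vip
  2 match virtual-address 10.4.245.100 tcp eq www
"""

def interface_addrs(config):
    """Map 'vlan N' -> (local ip, peer ip) for each interface / ft interface stanza."""
    out, cur = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command opens a new stanza
            m = re.match(r"(?:ft )?interface (vlan \d+)$", line)
            cur = m.group(1) if m else None
            if cur:
                out[cur] = [None, None]
            continue
        m = re.match(r"(peer )?ip address (\S+)", line.strip())
        if m and cur:
            out[cur][1 if m.group(1) else 0] = m.group(2)
    return {k: tuple(v) for k, v in out.items()}

def vips(config):
    """Set of virtual-address definitions, e.g. '10.4.245.100 tcp eq www'."""
    return set(re.findall(r"match virtual-address (.+)", config))

def check_pair(a, b):
    """Return drift findings; an empty list means the peers mirror each other."""
    ia, ib = interface_addrs(a), interface_addrs(b)
    problems = [f"{v}: configured on only one peer" for v in sorted(set(ia) ^ set(ib))]
    for v in sorted(set(ia) & set(ib)):
        if ia[v] != (ib[v][1], ib[v][0]):  # my peer address must be the other side's local address
            problems.append(f"{v}: local/peer addresses are not mirrored")
    if vips(a) != vips(b):
        problems.append("virtual-address definitions differ between peers")
    return problems
```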
Summary
The Internet Edge Configuration Guide is a supplemental guide to be used with the Internet Edge Deployment Guide. The Internet Edge Deployment Guide is a reference design for Cisco customers and partners. It covers the Internet Edge component of Cisco SBA for Large Agencies—Borderless Networks and is meant to be used in conjunction with the Cisco SBA for Large Agencies—Borderless Networks LAN Deployment Guide and WAN Deployment Guide, which you can find on www.cisco.com/go/sba.
If this design does not scale to meet your needs, please refer to the Cisco Validated Designs (CVD) for larger deployment models. CVDs can be found on Cisco.com. The Cisco products used in this design were tested in a network lab at Cisco. The specific products are listed near the beginning of this document for your convenience.
Appendix A: SBA for Large Agencies Document System
Design Guides: Design Overview; IPv6 Addressing Guide
Foundation Deployment Guides: LAN Deployment Guide; LAN Configuration Guide; WAN Deployment Guide; WAN Configuration Guide; Internet Edge Deployment Guide; Internet Edge Configuration Guide (You are Here)
Network Management Guides: SolarWinds Deployment Guide
Supplemental Guides: Wireless CleanAir Deployment Guide; Nexus 7000 Deployment Guide; SIEM Deployment Guide; ArcSight SIEM Partner Guide; LogLogic SIEM Partner Guide; nFx SIEM Partner Guide; RSA SIEM Partner Guide; Splunk SIEM Partner Guide; Data Security Deployment Guide; CREDANT Data Security Partner Guide; Lumension Data Security Partner Guide
Americas Headquarters
Cisco Systems, Inc.
San Jose, CA
Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore
Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word
partner does not imply a partnership relationship between Cisco and any other company. (1005R)
C07-640805-00
/11