Cisco ASA 1000V Cloud Firewall Getting Started Guide
Sample Configurations for the ASA 1000V

This chapter includes the following sections:

Sample Firewall Configuration

Sample LAN-to-LAN VPN Tunnel Configuration

Sample Firewall Configuration

The following sample shows the configuration for the ASA 1000V when it is configured for standalone mode and failover is not configured.

To view the configuration, enter the show running-config command, which shows a running configuration for the ASA 1000V.

ASA100V-VNMC-Primary# show running-config
: Saved
:
ASA Version 8.7(0)11 
!
hostname ASA100V-VNMC-Primary
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.1.2.1 255.255.255.0 
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.23.39.47 255.255.255.0 standby 172.23.39.48 
 management-only
!
interface security-profile1
 nameif sp1
 security-level 100
 security-profile default@root
!
ftp mode passive
access-list acl:root:default@inside-in extended deny ip any any 
access-list acl:root:default@inside-out extended deny ip any any 
access-list tcpint:default:default-rule@inside extended permit tcp any any 
access-list UDP:timeout:default:default-rule@inside extended permit udp any any 
access-list TCP:timeout:default:default-rule@inside extended permit tcp any any 
access-list ICMP:timeout:default:default-rule@inside extended permit icmp any any 
access-list acl:root:default@outside-in extended deny ip any any 
access-list acl:root:default@outside-out extended deny ip any any 
access-list tcpint:default:default-rule@outside extended permit tcp any any 
access-list UDP:timeout:default:default-rule@outside extended permit udp any any 
access-list TCP:timeout:default:default-rule@outside extended permit tcp any any 
access-list ICMP:timeout:default:default-rule@outside extended permit icmp any any 
access-list acl:root:default@sp1-in extended deny ip any any 
access-list acl:root:default@sp1-out extended deny ip any any 
access-list tcpint:default:default-rule@sp1 extended permit tcp any any 
access-list UDP:timeout:default:default-rule@sp1 extended permit udp any any 
access-list TCP:timeout:default:default-rule@sp1 extended permit tcp any any 
access-list ICMP:timeout:default:default-rule@sp1 extended permit icmp any any 
pager lines 23
mtu GigabitEthernet0/0 1500
mtu GigabitEthernet0/1 1500
mtu Management0/0 1500
failover
failover lan unit primary
failover lan interface fover GigabitEthernet0/2
failover link fover GigabitEthernet0/2
failover interface ip fover 10.1.3.10 255.255.255.0 standby 10.1.3.11
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group acl:root:default@sp1-in in interface sp1
access-group acl:root:default@sp1-out out interface sp1
route management 171.69.0.0 255.255.0.0 172.23.39.1 1
route management 171.69.42.102 255.255.255.255 172.23.39.1 1
route management 172.23.39.37 255.255.255.255 172.23.39.1 1
!
!
service-interface security-profile all inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 171.69.42.102 255.255.255.255 management
http 172.23.39.37 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _internal_PA_VNMC_CA_CERT
 enrollment terminal
 crl configure
crypto ca certificate chain _internal_PA_VNMC_CA_CERT
 certificate ca 00aef9fd58cae70d8e
    30820345 3082022d a0030201 02020900 aef9fd58 cae70d8e 300d0609 2a864886 
    f70d0101 05050030 20311e30 1c060355 04031315 6c6f6361 6c686f73 742e6c6f 
    63616c64 6f6d6169 6e301e17 0d313230 35303231 34343530 365a170d 32323034 
    33303134 34353036 5a302031 1e301c06 03550403 13156c6f 63616c68 6f73742e 
    6c6f6361 6c646f6d 61696e30 82012230 0d06092a 864886f7 0d010101 05000382 
    010f0030 82010a02 82010100 d48e9cf0 8ce05f09 e6187e70 ad70d013 969faa37 
    0d08d5f7 ba57114e 21f82454 8f3282ea 911bbbcd a8a55e51 27e56b31 e506d9eb 
    0116819f 43e6b342 7bb8c50e 3ba3850b c7162d0e e8c5ecbd 2bf6884b b8cf44f0 
    806a40ad e6e49307 1db2efd0 446bf4ef e48e7f83 767e99e0 7136e9e1 100dfef4 
    bbb71379 bc7ef2a5 e5708218 09842d2a 2ccf23a4 e2311e12 a48e03af 2c90b40a 
    89bae78e 0739de49 9ccd2444 2dd965bc 2648db28 fc1a71c3 a9e67cbe bc7cd889 
    f6d03450 eb8f4090 b80ed863 793a3ff6 0369a635 81dceceb e8082e51 3b860679 
    b1cb859e c05e5ef9 7e95284d 0e7dbd13 aa5ee474 bb7ec909 64ec9175 5a09d402 
    0e116273 a1f553ac b516dc1f 02030100 01a38181 307f301d 0603551d 0e041604 
    1458f881 0b616f95 efda763f 1b1e435a 90dbec4e 96305006 03551d23 04493047 
    801458f8 810b616f 95efda76 3f1b1e43 5a90dbec 4e96a124 a4223020 311e301c 
    06035504 0313156c 6f63616c 686f7374 2e6c6f63 616c646f 6d61696e 820900ae 
    f9fd58ca e70d8e30 0c060355 1d130405 30030101 ff300d06 092a8648 86f70d01 
    01050500 03820101 002dfa77 37eb3388 d20ce18a 0fea44ab 7b71397a 785509c3 
    19cf68c6 acacdcc7 6b110c51 d89b5392 3d14d25d 2e356f64 ef3eb5d8 58bbd410 
    c3ce3fd5 ad057a56 12d9219e 0350821d 32cb41c8 2bafee6b d91ed862 2cb5d4e4 
    2bdb81e8 50b72f98 e42bfcfa 6c01f3db fe9ba77a 3b315cf1 94ed9350 977966ab 
    de61bbd2 ec57e897 c6862eb4 624fd14d 3cfd1327 e9bb3976 b5d2c6bd 0a0a4930 
    b2e1a561 4e3bdb42 5078a267 104ec527 fba33d71 2c1cdac9 c178b377 6367a61e 
    17d6df12 7bd89458 f0b3015d 872c6fdc cefbf35f c152ce0b e2e32956 8378e64d 
    add7f032 1cd9d865 383d9bef 316aab22 cdafd878 cbd3e945 3f739758 19cba558 
    69467e07 04bfad46 68
  quit
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
!
vnmc policy-agent
 registration host 172.23.39.37
 shared-secret *****
username admin password e1z89R3cZe9Kt6Ib encrypted
!
class-map ICMP:timeout:default:default-rule@outside
 match access-list ICMP:timeout:default:default-rule@outside
class-map tcpint:default:default-rule@outside
 match access-list tcpint:default:default-rule@outside
class-map tcpint:default:default-rule@sp1
 match access-list tcpint:default:default-rule@sp1
class-map ICMP:timeout:default:default-rule@sp1
 match access-list ICMP:timeout:default:default-rule@sp1
class-map TCP:timeout:default:default-rule@outside
 match access-list TCP:timeout:default:default-rule@outside
class-map UDP:timeout:default:default-rule@sp1
 match access-list UDP:timeout:default:default-rule@sp1
class-map insp:default:default-rule@outside
 match default-inspection-traffic
class-map insp:default:default-rule@sp1
 match default-inspection-traffic
class-map UDP:timeout:default:default-rule@outside
 match access-list UDP:timeout:default:default-rule@outside
class-map TCP:timeout:default:default-rule@sp1
 match access-list TCP:timeout:default:default-rule@sp1
class-map ICMP:timeout:default:default-rule@inside
 match access-list ICMP:timeout:default:default-rule@inside
class-map tcpint:default:default-rule@inside
 match access-list tcpint:default:default-rule@inside
class-map TCP:timeout:default:default-rule@inside
 match access-list TCP:timeout:default:default-rule@inside
class-map insp:default:default-rule@inside
 match default-inspection-traffic
class-map UDP:timeout:default:default-rule@inside
 match access-list UDP:timeout:default:default-rule@inside
!
!
policy-map mpf-inside
 class tcpint:default:default-rule@inside
 class insp:default:default-rule@inside
  inspect dns 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect sip 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
 class UDP:timeout:default:default-rule@inside
  set connection timeout idle 0:02:00 
 class TCP:timeout:default:default-rule@inside
  set connection timeout idle 1:00:00 
 class ICMP:timeout:default:default-rule@inside
  set connection timeout idle 0:02:00 
policy-map mpf-outside
 class tcpint:default:default-rule@outside
 class insp:default:default-rule@outside
  inspect dns 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect sip 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
 class UDP:timeout:default:default-rule@outside
  set connection timeout idle 0:02:00 
 class TCP:timeout:default:default-rule@outside
  set connection timeout idle 1:00:00 
 class ICMP:timeout:default:default-rule@outside
  set connection timeout idle 0:02:00 
policy-map mpf-sp1
 class tcpint:default:default-rule@sp1
 class insp:default:default-rule@sp1
  inspect dns 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect sip 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
 class UDP:timeout:default:default-rule@sp1
  set connection timeout idle 0:02:00 
 class TCP:timeout:default:default-rule@sp1
  set connection timeout idle 1:00:00 
 class ICMP:timeout:default:default-rule@sp1
  set connection timeout idle 0:02:00 
!
service-policy mpf-inside interface inside
service-policy mpf-outside interface outside
service-policy mpf-sp1 interface sp1
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 3
  subscribe-to-alert-group configuration periodic monthly 3
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83c5fd09f1c24152f7cba73425b76190
: end

Sample LAN-to-LAN VPN Tunnel Configuration

The following is sample output from the show running-config command, which shows a running configuration for the ASA 1000V:

ciscoasa# show running-config
: Saved
:
ASA Version 8.7(0)12
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.1.2.1 255.255.255.0 standby 10.1.2.1
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.23.39.42 255.255.255.0 standby 172.23.39.43
 management-only
!
interface security-profile1
 nameif sp1
 security-level 100
 security-profile VPN@root/Tenant
!
interface security-profile2
 nameif sp2
 security-level 100
 security-profile C200-1@root/Tenant
!
interface security-profile3
 nameif sp3
 security-level 100
 security-profile default@root
!
interface security-profile4
 nameif sp4
 security-level 100
 security-profile test@root/Tenant
!
ftp mode passive
object-group network VDONOg:mymap:toRemote@sp2
 network-object host 10.1.3.30
object-group network VSONOg:mymap:toRemote@sp2
 network-object host 10.1.4.50
object-group network VDONOg:testmap:101@sp2
 network-object host 10.1.3.30
object-group network VSONOg:testmap:101@sp2
 network-object host 10.1.4.50
access-list tcpint:default:default-rule@inside extended permit tcp any any
access-list UDP:timeout:default:default-rule@inside extended permit udp any any
access-list TCP:timeout:default:default-rule@inside extended permit tcp any any
access-list ICMP:timeout:default:default-rule@inside extended permit icmp any any
access-list tcpint:default:default-rule@outside extended permit tcp any any
access-list UDP:timeout:default:default-rule@outside extended permit udp any any
access-list TCP:timeout:default:default-rule@outside extended permit tcp any any
access-list ICMP:timeout:default:default-rule@outside extended permit icmp any any
access-list tcpint:default:default-rule@sp3 extended permit tcp any any
access-list UDP:timeout:default:default-rule@sp3 extended permit udp any any
access-list TCP:timeout:default:default-rule@sp3 extended permit tcp any any
access-list ICMP:timeout:default:default-rule@sp3 extended permit icmp any any
access-list tcpint:default:default-rule@sp1 extended permit tcp any any
access-list UDP:timeout:default:default-rule@sp1 extended permit udp any any
access-list TCP:timeout:default:default-rule@sp1 extended permit tcp any any
access-list ICMP:timeout:default:default-rule@sp1 extended permit icmp any any
access-list tcpint:default:default-rule@sp2 extended permit tcp any any
access-list UDP:timeout:default:default-rule@sp2 extended permit udp any any
access-list TCP:timeout:default:default-rule@sp2 extended permit tcp any any
access-list ICMP:timeout:default:default-rule@sp2 extended permit icmp any any
access-list mymap@root:Tenant extended permit ip object-group VSONOg:mymap:toRemote@sp2 object-group VDONOg:mymap:toRemote@sp2
access-list tcpint:default:default-rule@sp4 extended permit tcp any any
access-list UDP:timeout:default:default-rule@sp4 extended permit udp any any
access-list TCP:timeout:default:default-rule@sp4 extended permit tcp any any
access-list ICMP:timeout:default:default-rule@sp4 extended permit icmp any any
access-list testmap@root:Tenant extended permit ip object-group VSONOg:testmap:101@sp2 object-group VDONOg:testmap:101@sp2
pager lines 23
logging enable
logging buffered debugging
mtu GigabitEthernet0/0 1500
mtu GigabitEthernet0/1 1500
mtu Management0/0 1500
failover
failover lan unit secondary
failover lan interface fover GigabitEthernet0/2
failover link fover GigabitEthernet0/2
failover interface ip fover 172.27.48.1 255.255.255.0 standby 172.27.48.22
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route management 0.0.0.0 0.0.0.0 172.23.39.1 1
route outside 10.1.3.0 255.255.255.0 10.1.5.3 1
route management 172.23.195.138 255.255.255.255 172.23.39.1 1
!
service-interface security-profile all inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.39.0 255.255.255.0 management
http 172.23.195.138 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set V1:basic:2@root:Tenant:c-policy-se esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal V2:basic:2@root:Tenant:c-policy-se
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 86400
crypto map outsidemap 100 match address mymap@root:Tenant
crypto map outsidemap 100 set peer 10.1.5.3
crypto map outsidemap 100 set ikev1 transform-set V1:basic:2@root:Tenant:c-policy-se
crypto map outsidemap 100 set ikev2 ipsec-proposal V2:basic:2@root:Tenant:c-policy-se
crypto map outsidemap 100 set security-association lifetime seconds 86400
crypto map outsidemap 100 set security-association lifetime kilobytes 4608000
crypto map outsidemap 100 set nat-t-disable
crypto map outsidemap interface outside
crypto ca trustpoint _internal_PA_VNMC_CA_CERT
 enrollment terminal
 crl configure
crypto ca certificate chain _internal_PA_VNMC_CA_CERT
 certificate ca 00fde69d6350ce9abe
    30820345 3082022d a0030201 02020900 fde69d63 50ce9abe 300d0609 2a864886
    f70d0101 05050030 20311e30 1c060355 04031315 6c6f6361 6c686f73 742e6c6f
    63616c64 6f6d6169 6e301e17 0d313230 35303431 34323435 385a170d 32323035
    30323134 32343538 5a302031 1e301c06 03550403 13156c6f 63616c68 6f73742e
    6c6f6361 6c646f6d 61696e30 82012230 0d06092a 864886f7 0d010101 05000382
    010f0030 82010a02 82010100 b7a7fc43 7a8b7db3 62368b62 078bbe29 ec70624f
    cff8da2d 74041861 6e7444c6 29649a5b 36bc151a 3b7b0a1d 4a002c77 f4a6288d
    53f0b3d7 991a51a6 798caec5 4eb2b188 f3cb5f63 9c9680db 48166513 c0a33ef0
    c567b144 699812ed 5b819641 9534aeca 75c18e41 3ad04a2c 5b3f4100 91ed36d2
    a4121bf3 480880e8 872ff089 358c5f62 f0cb1c2c 103a6d1d 6536fd6f fcb35ceb
    16c6778e 97c3de4d 92e75df1 98fe189f 09286b11 064839bf a7859e23 b4029b83
    b52f8e20 3bfb6e95 17a1baef 151c448b 3f143b54 b8ab93ec 12f465ec c7446144
    1ddbe6a5 aa5f5db9 6d0085e8 7f893dc1 0d0371ef 4aa017fa ffab3114 61d96eb7
    a07119a1 802ca270 4e316161 02030100 01a38181 307f301d 0603551d 0e041604
    14e33789 a4e2107f 2ba6051c 6299b91b bc6a10c9 dd305006 03551d23 04493047
    8014e337 89a4e210 7f2ba605 1c6299b9 1bbc6a10 c9dda124 a4223020 311e301c
    06035504 0313156c 6f63616c 686f7374 2e6c6f63 616c646f 6d61696e 820900fd
    e69d6350 ce9abe30 0c060355 1d130405 30030101 ff300d06 092a8648 86f70d01
    01050500 03820101 002f1be1 71f8e57d 177c9f11 d4db6267 323dbb88 03b8a311
    ee36ff4f 9a7984e5 0278ca12 795650a1 178be560 3c5c154b 9bed52c6 e62bfa71
    c8dbab0a 71835206 692dfeb0 033e9621 8dcb9c4c 35ba3065 fe72aacd 230c10ae
    6aeaf8f4 8ed7e8d5 cd1beaac 52f14d02 8f0751bf cb166123 e58e40ca e0d1430e
    17a117e6 d3171f48 442e0d97 7cfa0145 5f8041b7 869ba9e8 3d05dcfe 6142e5c9
    19178d2f 0bc31bdc 25d819f4 e6e0b54a 2a5c78a6 cf2ac414 3d8748ec c19576d7
    82a553d2 258365b3 8344e7de c12ad2ae 19588bda 7b7da8ca 4620222a f64ea010
    b9574ae5 406e0e15 ea3d731d 2e0dff74 b4de35b5 f449524a 1732642b 10c7505d
    90ca3125 df6418ac cd
  quit
crypto ikev2 policy 100
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 1440
ssh timeout 5
console timeout 0
!
vnmc policy-agent
 registration host 172.23.195.138
 shared-secret *****
tunnel-group 10.1.5.3 type ipsec-l2l
tunnel-group 10.1.5.3 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map tcpint:default:default-rule@sp4
 match access-list tcpint:default:default-rule@sp4
class-map ICMP:timeout:default:default-rule@outside
 match access-list ICMP:timeout:default:default-rule@outside
class-map ICMP:timeout:default:default-rule@sp4
 match access-list ICMP:timeout:default:default-rule@sp4
class-map tcpint:default:default-rule@outside
 match access-list tcpint:default:default-rule@outside
class-map ICMP:timeout:default:default-rule@sp2
 match access-list ICMP:timeout:default:default-rule@sp2
class-map ICMP:timeout:default:default-rule@sp3
 match access-list ICMP:timeout:default:default-rule@sp3
class-map tcpint:default:default-rule@sp1
 match access-list tcpint:default:default-rule@sp1
class-map tcpint:default:default-rule@sp2
 match access-list tcpint:default:default-rule@sp2
class-map tcpint:default:default-rule@sp3
 match access-list tcpint:default:default-rule@sp3
class-map ICMP:timeout:default:default-rule@sp1
 match access-list ICMP:timeout:default:default-rule@sp1
class-map insp:default:default-rule@sp4
 match default-inspection-traffic
class-map TCP:timeout:default:default-rule@outside
 match access-list TCP:timeout:default:default-rule@outside
class-map UDP:timeout:default:default-rule@sp1
 match access-list UDP:timeout:default:default-rule@sp1
class-map UDP:timeout:default:default-rule@sp2
 match access-list UDP:timeout:default:default-rule@sp2
class-map TCP:timeout:default:default-rule@sp4
 match access-list TCP:timeout:default:default-rule@sp4
class-map insp:default:default-rule@outside
 match default-inspection-traffic
class-map UDP:timeout:default:default-rule@sp3
 match access-list UDP:timeout:default:default-rule@sp3
class-map TCP:timeout:default:default-rule@sp2
 match access-list TCP:timeout:default:default-rule@sp2
class-map UDP:timeout:default:default-rule@sp4
 match access-list UDP:timeout:default:default-rule@sp4
class-map TCP:timeout:default:default-rule@sp3
 match access-list TCP:timeout:default:default-rule@sp3
class-map insp:default:default-rule@sp1
 match default-inspection-traffic
class-map insp:default:default-rule@sp2
 match default-inspection-traffic
class-map UDP:timeout:default:default-rule@outside
 match access-list UDP:timeout:default:default-rule@outside
class-map insp:default:default-rule@sp3
 match default-inspection-traffic
class-map TCP:timeout:default:default-rule@sp1
 match access-list TCP:timeout:default:default-rule@sp1
class-map ICMP:timeout:default:default-rule@inside
 match access-list ICMP:timeout:default:default-rule@inside
class-map tcpint:default:default-rule@inside
 match access-list tcpint:default:default-rule@inside
class-map TCP:timeout:default:default-rule@inside
 match access-list TCP:timeout:default:default-rule@inside
class-map insp:default:default-rule@inside
 match default-inspection-traffic
class-map UDP:timeout:default:default-rule@inside
 match access-list UDP:timeout:default:default-rule@inside
!
!
policy-map mpf-inside
 class tcpint:default:default-rule@inside
 class insp:default:default-rule@inside
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class UDP:timeout:default:default-rule@inside
  set connection timeout idle 0:02:00
 class TCP:timeout:default:default-rule@inside
  set connection timeout idle 1:00:00
 class ICMP:timeout:default:default-rule@inside
  set connection timeout idle 0:02:00
policy-map mpf-sp4
 class tcpint:default:default-rule@sp4
 class insp:default:default-rule@sp4
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class UDP:timeout:default:default-rule@sp4
  set connection timeout idle 0:02:00
 class TCP:timeout:default:default-rule@sp4
  set connection timeout idle 1:00:00
 class ICMP:timeout:default:default-rule@sp4
  set connection timeout idle 0:02:00
policy-map mpf-outside
 class tcpint:default:default-rule@outside
 class insp:default:default-rule@outside
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class UDP:timeout:default:default-rule@outside
  set connection timeout idle 0:02:00
 class TCP:timeout:default:default-rule@outside
  set connection timeout idle 1:00:00
 class ICMP:timeout:default:default-rule@outside
  set connection timeout idle 0:02:00
policy-map mpf-sp1
 class tcpint:default:default-rule@sp1
 class insp:default:default-rule@sp1
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class UDP:timeout:default:default-rule@sp1
  set connection timeout idle 0:02:00
 class TCP:timeout:default:default-rule@sp1
  set connection timeout idle 1:00:00
 class ICMP:timeout:default:default-rule@sp1
  set connection timeout idle 0:02:00
policy-map mpf-sp3
 class tcpint:default:default-rule@sp3
 class insp:default:default-rule@sp3
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class UDP:timeout:default:default-rule@sp3
  set connection timeout idle 0:02:00
 class TCP:timeout:default:default-rule@sp3
  set connection timeout idle 1:00:00
 class ICMP:timeout:default:default-rule@sp3
  set connection timeout idle 0:02:00
policy-map mpf-sp2
 class tcpint:default:default-rule@sp2
 class insp:default:default-rule@sp2
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class UDP:timeout:default:default-rule@sp2
  set connection timeout idle 0:02:00
 class TCP:timeout:default:default-rule@sp2
  set connection timeout idle 1:00:00
 class ICMP:timeout:default:default-rule@sp2
  set connection timeout idle 0:02:00
!
service-policy mpf-inside interface inside
service-policy mpf-outside interface outside
service-policy mpf-sp1 interface sp1
service-policy mpf-sp2 interface sp2
service-policy mpf-sp3 interface sp3
service-policy mpf-sp4 interface sp4
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 25
  subscribe-to-alert-group configuration periodic monthly 25
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6796450aa16ba3fd7148edf6b776ef8b
: end
ciscoasa#