Cisco PCI Solution for Retail 2.0 Design and Implementation Guide
Detailed Full Running Configurations

Table Of Contents

ASA-DC-1

ASA-IE-1

ASA-WAN-1

ASA-WAN-1_IDS

ASA-WAN-2_IDS

DMZ-ACE-1

DMZ-ACE-1_PCI

DMZ-ACE-2_Admin

DMZ-ACE-2_PCI

DMZ-IDS-1

DMZ-IDSM2

FW-A2-MSP-1

FWSM-DMZ-1

MDS-DC-1-running

MDS-DC-2-running

N1kv-1-running

r-a2-conv-1

r-a2-lrg-1

r-a2-lrg-2

r-a2-med-1

r-a2-med-2

r-a2-mini-1

R-a2-Small

RAGG-1-running

RAGG-1-vdc1-running

RAGG-1-vdc2-running

RAGG-2-running

RAGG-2-vdc1-running

RAGG-2-vdc2-running

rcore-1

rcore-2

rie-1

rie-2

RIE-3

RIE-4

rserv-1

rserv-2

rwan-1

rwan-2

S-A2-Conv-1

S-A2-Lrg-1

S-A2-Lrg-2

S-A2-Lrg-3

S-A2-Lrg-4

S-A2-Lrg-5

S-a2-med-1

S-A2-Med-3

S-A2-Mini-1

S-A2-Mini-2

S-A2-MSP-1

S-A2-Small

saccess-1

saccess-2

SACCESS-3

SACCESS-4

saccess-5

swan-1

swan-3

VSG-Tenant-1-running


Detailed Full Running Configurations


This appendix includes the following device configurations:

Branch Configurations

Large Store Router #1

Large Store Router #2

Medium Store Router #1

Medium Store Router #2

Small Store Router #1

Data Center WAN Router #1

Data Center WAN Router #2

Large Store Switch #1

Large Store Switch #2

Large Store Switch #3

Large Store Switch #4

Medium Store Branch Switch #1

Medium Store Switch #2

Large Store Wireless Controller

Medium Store Wireless Controller

Small Store Wireless Controller in the Data Center

Large Store Access Point

Medium Store Access Point

Small Store Access Point

Internet Edge Configurations

Cisco Firewall Service Module

Cisco Catalyst 3750

Cisco Catalyst 6500

Cisco 7200 Edge Router

Cisco Application Control Engine

Data Center Configurations

Cisco Catalyst 3750

Cisco Catalyst 6500

Cisco 7206 VXR Router

Cisco Adaptive Security Appliance

ASA-DC-1

: Saved
:
ASA Version 8.4(1) <context>
!
firewall transparent
hostname dca-vc1
domain-name cisco-irn.com
enable password <removed> encrypted
passwd <removed> encrypted
names
!
interface outside
 nameif north
 bridge-group 1
 security-level 0
!
interface inside
 nameif south
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 192.168.162.21 255.255.255.0 standby 192.168.162.22 
!
dns domain-lookup south
dns server-group DefaultDNS
 name-server 192.168.42.130
 domain-name cisco-irn.com
object-group network AdminStation
 network-object 192.168.41.101 255.255.255.255
object-group network AdminStation2
 network-object 192.168.41.102 255.255.255.255
object-group network AdminStation4-bart
 network-object 10.19.151.99 255.255.255.255
object-group network CSM_INLINE_src_rule_77309411633
 description Generated by CS-Manager from src of FirewallRule# 2 (ASA-DC-1-vdc1_v1/mandatory)
 group-object AdminStation
 group-object AdminStation2
 group-object AdminStation4-bart
object-group network DC-ALL
 description All of the Data Center
 network-object 192.168.0.0 255.255.0.0
object-group network Stores-ALL
 description all store networks
 network-object 10.10.0.0 255.255.0.0
object-group network CSM_INLINE_dst_rule_77309411633
 description Generated by CS-Manager from dst of FirewallRule# 2 (ASA-DC-1-vdc1_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
object-group network EMC-NCM
 description EMC Network Configuration Manager
 network-object 192.168.42.122 255.255.255.255
object-group network CSManager
 description Cisco Security Manager
 network-object 192.168.42.133 255.255.255.255
object-group network RSA-enVision
 description RSA EnVision Syslog collector and SIM
 network-object 192.168.42.124 255.255.255.255
object-group network AdminStation3
 network-object 192.168.42.138 255.255.255.255
object-group network Admin-Systems
 group-object EMC-NCM
 group-object AdminStation
 group-object AdminStation2
 group-object CSManager
 group-object RSA-enVision
 group-object AdminStation3
 group-object AdminStation4-bart
object-group network DC-DMZ
 description (Optimized by CS-Manager)
 network-object 192.168.20.0 255.255.252.0
 network-object 192.168.24.0 255.255.255.0
object-group network CSM_INLINE_dst_rule_77309411635
 description Generated by CS-Manager from dst of FirewallRule# 3 (ASA-DC-1-vdc1_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
 group-object DC-DMZ
object-group network CSM_INLINE_src_rule_77309414079
 description Generated by CS-Manager from src of FirewallRule# 4 (ASA-DC-1-vdc1_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
object-group network CSM_INLINE_src_rule_77309414081
 description Generated by CS-Manager from src of FirewallRule# 5 (ASA-DC-1-vdc1_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
object-group network ActiveDirectory.cisco-irn.com
 network-object 192.168.42.130 255.255.255.255
object-group network vSphere-1
 description vSphere server for Lab
 network-object 192.168.41.102 255.255.255.255
object-group network WCSManager
 description Wireless Manager
 network-object 192.168.43.135 255.255.255.255
object-group network DC-Wifi-Controllers
 description Central Wireless Controllers for stores
 network-object 192.168.43.21 255.255.255.255
 network-object 192.168.43.22 255.255.255.255
object-group network DC-Wifi-MSE
 description Mobility Service Engines
 network-object 192.168.43.31 255.255.255.255
 network-object 192.168.43.32 255.255.255.255
object-group network CSM_INLINE_src_rule_77309411641
 description Generated by CS-Manager from src of FirewallRule# 9 (ASA-DC-1-vdc1_v1/mandatory)
 group-object WCSManager
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
object-group network PAME-DC-1
 network-object 192.168.44.111 255.255.255.255
object-group network MSP-DC-1
 description Data Center VSOM
 network-object 192.168.44.121 255.255.255.255
object-group network CSM_INLINE_src_rule_77309411643
 description Generated by CS-Manager from src of FirewallRule# 10 (ASA-DC-1-vdc1_v1/mandatory)
 group-object PAME-DC-1
 group-object MSP-DC-1
object-group network DC-WAAS
 description WAE Appliances in Data Center
 network-object 192.168.48.10 255.255.255.255
 network-object 192.168.49.10 255.255.255.255
 network-object 192.168.47.11 255.255.255.255
 network-object 192.168.47.12 255.255.255.255
object-group network CSM_INLINE_src_rule_77309414071
 description Generated by CS-Manager from src of FirewallRule# 15 (ASA-DC-1-vdc1_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
object-group network NTP-Servers
 description NTP Servers
 network-object 192.168.62.161 255.255.255.255
 network-object 162.168.62.162 255.255.255.255
object-group network TACACS
 description Csico Secure ACS server for TACACS and Radius
 network-object 192.168.42.131 255.255.255.255
object-group network RSA-AM
 description RSA Authentication Manager for SecureID
 network-object 192.168.42.137 255.255.255.255
object-group network NAC-2
 network-object 192.168.42.112 255.255.255.255
object-group network NAC-1
 description ISE server for NAC
 network-object 192.168.42.111 255.255.255.255
object-group network CSM_INLINE_dst_rule_77309411663
 description Generated by CS-Manager from dst of FirewallRule# 25 (ASA-DC-1-vdc1_v1/mandatory)
 group-object TACACS
 group-object RSA-AM
 group-object NAC-2
 group-object NAC-1
object-group network CSM_INLINE_dst_rule_77309411665
 description Generated by CS-Manager from dst of FirewallRule# 26 (ASA-DC-1-vdc1_v1/mandatory)
 group-object NAC-2
 group-object NAC-1
object-group network CSM_INLINE_dst_rule_77309411669
 description Generated by CS-Manager from dst of FirewallRule# 28 (ASA-DC-1-vdc1_v1/mandatory)
 group-object PAME-DC-1
 group-object MSP-DC-1
object-group network CSM_INLINE_dst_rule_77309411671
 description Generated by CS-Manager from dst of FirewallRule# 29 (ASA-DC-1-vdc1_v1/mandatory)
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
object-group network MS-Update
 description Windows Update Server
 network-object 192.168.42.150 255.255.255.255
object-group network MSExchange
 description Mail Server
 network-object 192.168.42.140 255.255.255.255
object-group network POS-Store-Conv
 network-object 10.10.160.81 255.255.255.255
object-group network POS-Store-MSP
 network-object 10.10.176.81 255.255.255.255
object-group network POS-Store-SMALL-1
 description Small Store POS devices
 network-object 10.10.128.81 255.255.255.255
 network-object 10.10.128.82 255.255.255.255
object-group network POS-Store-Medium
 network-object 10.10.112.81 255.255.255.255
 network-object 10.10.125.40 255.255.255.255
object-group network POS-Store-Mini
 network-object 10.10.144.81 255.255.255.255
object-group network POS-Store-3g
 network-object 10.10.192.82 255.255.255.255
object-group network POS-Store-Large
 network-object 10.10.96.81 255.255.255.255
 network-object 10.10.96.82 255.255.255.255
object-group network CSM_INLINE_src_rule_77309411683
 description Generated by CS-Manager from src of FirewallRule# 35 (ASA-DC-1-vdc1_v1/mandatory)
 group-object POS-Store-Conv
 group-object POS-Store-MSP
 group-object POS-Store-SMALL-1
 group-object POS-Store-Medium
 group-object POS-Store-Mini
 group-object POS-Store-3g
 group-object POS-Store-Large
object-group network DC-POS-Tomax
 description Tomax POS Communication from Store to Data Center
 network-object 192.168.52.96 255.255.255.224
object-group network DC-POS
 description POS in the Data Center
 network-object 192.168.52.0 255.255.255.0
object-group network DC-POS-SAP
 description SAP POS Communication from Store to Data Center
 network-object 192.168.52.144 255.255.255.240
object-group network DC-POS-Oracle
 description Oracle POS Communication from Store to Data Center
 network-object 192.168.52.128 255.255.255.240
object-group network CSM_INLINE_dst_rule_77309411683
 description Generated by CS-Manager from dst of FirewallRule# 35 (ASA-DC-1-vdc1_v1/mandatory)
 group-object DC-POS-Tomax
 group-object DC-POS
 group-object DC-POS-SAP
 group-object DC-POS-Oracle
object-group network CSM_INLINE_src_rule_77309414158
 description Generated by CS-Manager from src of FirewallRule# 36 (ASA-DC-1-vdc1_v1/mandatory)
 network-object 192.168.22.11 255.255.255.255
 network-object 192.168.22.12 255.255.255.255
 network-object 192.168.21.0 255.255.255.0
object-group network CSM_INLINE_src_rule_77309414160
 description Generated by CS-Manager from src of FirewallRule# 37 (ASA-DC-1-vdc1_v1/mandatory)
 network-object 192.168.22.11 255.255.255.255
 network-object 192.168.22.12 255.255.255.255
 network-object 192.168.21.0 255.255.255.0
object-group network CSM_INLINE_src_rule_77309414162
 description Generated by CS-Manager from src of FirewallRule# 38 (ASA-DC-1-vdc1_v1/mandatory)
 network-object 192.168.22.11 255.255.255.255
 network-object 192.168.22.12 255.255.255.255
 network-object 192.168.21.0 255.255.255.0
object-group service HTTPS-8443
 service-object tcp destination eq 8443 
object-group service CSM_INLINE_svc_rule_77309411635
 description Generated by CS-Manager from service of FirewallRule# 3 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq ssh
 service-object tcp destination eq https
 group-object HTTPS-8443
object-group service CSM_INLINE_svc_rule_77309414079
 description Generated by CS-Manager from service of FirewallRule# 4 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq smtp
 service-object tcp destination eq https
 service-object tcp destination eq ssh
object-group service CSM_INLINE_svc_rule_77309414081
 description Generated by CS-Manager from service of FirewallRule# 5 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
object-group service RPC
 service-object tcp destination eq 135 
object-group service LDAP-GC
 service-object tcp destination eq 3268 
object-group service LDAP-GC-SSL
 service-object tcp destination eq 3269 
object-group service DNS-Resolving
 description Domain Name Server
 service-object tcp destination eq domain 
 service-object udp destination eq domain 
object-group service Kerberos-TCP
 service-object tcp destination eq 88 
object-group service Microsoft-DS-SMB
 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
 service-object tcp destination eq 445 
object-group service LDAP-UDP
 service-object udp destination eq 389 
object-group service RPC-HighPorts
 service-object tcp destination range 1024 65535 
object-group service CSM_INLINE_svc_rule_77309411637
 description Generated by CS-Manager from service of FirewallRule# 7 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq ldap 
 service-object tcp destination eq ldaps 
 service-object udp destination eq 88 
 service-object udp destination eq ntp 
 service-object udp destination eq netbios-dgm 
 group-object RPC
 group-object LDAP-GC
 group-object LDAP-GC-SSL
 group-object DNS-Resolving
 group-object Kerberos-TCP
 group-object Microsoft-DS-SMB
 group-object LDAP-UDP
 group-object RPC-HighPorts
object-group service vCenter-to-ESX4
 description Communication from vCetner to ESX hosts
 service-object tcp destination eq 5989 
 service-object tcp destination eq 8000 
 service-object tcp destination eq 902 
 service-object tcp destination eq 903 
object-group service CSM_INLINE_svc_rule_77309411639
 description Generated by CS-Manager from service of FirewallRule# 8 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 group-object vCenter-to-ESX4
object-group service IP-Protocol-97
 description IP protocol 97
 service-object 97 
object-group service TFTP
 description Trivial File Transfer
 service-object tcp destination eq 69 
 service-object udp destination eq tftp 
object-group service LWAPP
 description LWAPP UDP ports 12222 and 12223
 service-object udp destination eq 12222 
 service-object udp destination eq 12223 
object-group service CAPWAP
 description CAPWAP UDP ports 5246 and 5247
 service-object udp destination eq 5246 
 service-object udp destination eq 5247 
object-group service CSM_INLINE_svc_rule_77309411641
 description Generated by CS-Manager from service of FirewallRule# 9 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq www 
 service-object udp destination eq isakmp 
 service-object tcp destination eq telnet 
 service-object tcp destination eq ssh 
 group-object IP-Protocol-97
 group-object TFTP
 group-object LWAPP
 group-object CAPWAP
object-group service TCP1080
 service-object tcp destination eq 1080 
object-group service TCP8080
 service-object tcp destination eq 8080 
object-group service RDP
 description Windows Remote Desktop
 service-object tcp destination eq 3389 
object-group service CSM_INLINE_svc_rule_77309411645
 description Generated by CS-Manager from service of FirewallRule# 11 (ASA-DC-1-vdc1_v1/mandatory)
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object tcp destination eq ftp 
 group-object HTTPS-8443
 group-object TCP1080
 group-object TCP8080
 group-object RDP
object-group service CISCO-WAAS
 description Ports for Cisco WAAS
 service-object tcp destination eq 4050 
object-group service Netbios
 description Netbios Servers
 service-object udp destination eq netbios-dgm 
 service-object udp destination eq netbios-ns 
 service-object tcp destination eq netbios-ssn 
object-group service CSM_INLINE_svc_rule_77309411647
 description Generated by CS-Manager from service of FirewallRule# 12 (ASA-DC-1-vdc1_v1/mandatory)
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Microsoft-DS-SMB
 group-object Netbios
object-group service CSM_INLINE_svc_rule_77309411649
 description Generated by CS-Manager from service of FirewallRule# 13 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp-udp destination eq sip
 service-object tcp destination eq 2000
object-group service CSM_INLINE_svc_rule_77309414071
 description Generated by CS-Manager from service of FirewallRule# 15 (ASA-DC-1-vdc1_v1/mandatory)
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp unreachable
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq ftp 
 service-object tcp destination eq ssh 
 group-object TCP1080
 group-object TCP8080
 group-object RDP
object-group service NTP
 description NTP Protocols
 service-object tcp destination eq 123 
 service-object udp destination eq ntp 
object-group service CSM_INLINE_svc_rule_77309414073
 description Generated by CS-Manager from service of FirewallRule# 16 (ASA-DC-1-vdc1_v1/mandatory)
 group-object DNS-Resolving
 group-object NTP
object-group service CSM_INLINE_svc_rule_77309414077
 description Generated by CS-Manager from service of FirewallRule# 18 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq ldap
 service-object tcp destination eq ldaps
 group-object LDAP-GC
 group-object LDAP-GC-SSL
 group-object LDAP-UDP
object-group service CSM_INLINE_svc_rule_77309411655
 description Generated by CS-Manager from service of FirewallRule# 21 (ASA-DC-1-vdc1_v1/mandatory)
 service-object udp destination eq snmptrap
 service-object udp destination eq snmp
 service-object udp destination eq syslog
object-group service CSM_INLINE_svc_rule_77309411657
 description Generated by CS-Manager from service of FirewallRule# 22 (ASA-DC-1-vdc1_v1/mandatory)
 service-object udp destination eq domain
 service-object tcp destination eq ldap
 service-object tcp destination eq ldaps
object-group service CSM_INLINE_svc_rule_77309411663
 description Generated by CS-Manager from service of FirewallRule# 25 (ASA-DC-1-vdc1_v1/mandatory)
 service-object udp destination eq 1812
 service-object udp destination eq 1813
object-group service CSM_INLINE_svc_rule_77309411665
 description Generated by CS-Manager from service of FirewallRule# 26 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq www 
 group-object HTTPS-8443
object-group service ESX-SLP
 description CIM Service Location Protocol (SLP) for VMware systems
 service-object udp destination eq 427 
 service-object tcp destination eq 427 
object-group service CSM_INLINE_svc_rule_77309411667
 description Generated by CS-Manager from service of FirewallRule# 27 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq www 
 service-object tcp destination eq ssh 
 group-object vCenter-to-ESX4
 group-object ESX-SLP
object-group service Cisco-Mobility
 description Mobility ports for Wireless
 service-object udp destination eq 16666 
 service-object udp destination eq 16667 
object-group service CSM_INLINE_svc_rule_77309411671
 description Generated by CS-Manager from service of FirewallRule# 29 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq https
 service-object udp destination eq isakmp
 group-object Cisco-Mobility
 group-object IP-Protocol-97
 group-object LWAPP
 group-object CAPWAP
object-group service CSM_INLINE_svc_rule_77309411673
 description Generated by CS-Manager from service of FirewallRule# 30 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp-udp destination eq sip
 service-object tcp destination eq 2000
object-group service CSM_INLINE_svc_rule_77309411675
 description Generated by CS-Manager from service of FirewallRule# 31 (ASA-DC-1-vdc1_v1/mandatory)
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Microsoft-DS-SMB
 group-object Netbios
object-group service CSM_INLINE_svc_rule_77309411677
 description Generated by CS-Manager from service of FirewallRule# 32 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq ldap 
 service-object tcp destination eq ldaps 
 service-object udp destination eq 88 
 service-object udp destination eq ntp 
 service-object udp destination eq netbios-dgm 
 group-object RPC
 group-object LDAP-GC
 group-object LDAP-GC-SSL
 group-object DNS-Resolving
 group-object Kerberos-TCP
 group-object Microsoft-DS-SMB
 group-object LDAP-UDP
 group-object RPC-HighPorts
object-group service CSM_INLINE_svc_rule_77309411679
 description Generated by CS-Manager from service of FirewallRule# 33 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service CSM_INLINE_svc_rule_77309411681
 description Generated by CS-Manager from service of FirewallRule# 34 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq smtp
 service-object tcp destination eq pop3
 service-object tcp destination eq imap4
object-group service CSM_INLINE_svc_rule_77309414166
 description Generated by CS-Manager from service of FirewallRule# 40 (ASA-DC-1-vdc1_v1/mandatory)
 service-object tcp destination eq smtp
 group-object DNS-Resolving
object-group service CSM_INLINE_svc_rule_77309414172
 description Generated by CS-Manager from service of FirewallRule# 43 (ASA-DC-1-vdc1_v1/mandatory)
 service-object udp destination eq 1812
 service-object udp destination eq 1813
object-group service CSM_INLINE_svc_rule_77309414176
 description Generated by CS-Manager from service of FirewallRule# 45 (ASA-DC-1-vdc1_v1/mandatory)
 service-object icmp 
 service-object tcp destination eq ssh 
 service-object tcp destination eq telnet 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq 8880 
 service-object tcp destination eq 8444 
 service-object tcp destination eq 5900 
 service-object tcp destination eq 5800 
 group-object RDP
 group-object TCP1080
 group-object TCP8080
 group-object TFTP
 group-object HTTPS-8443
 group-object vCenter-to-ESX4
access-list CSM_FW_ACL_north extended permit ospf 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0
access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group EMC-NCM eq ssh
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411655 object-group Stores-ALL object-group RSA-enVision
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411657 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group TACACS eq tacacs
access-list CSM_FW_ACL_north extended permit udp object-group Stores-ALL object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411663 object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411663
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411665 object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411665
access-list CSM_FW_ACL_north remark VMWare ESX to Data Center
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411667 object-group Stores-ALL object-group vSphere-1
access-list CSM_FW_ACL_north remark Physical security systems
access-list CSM_FW_ACL_north extended permit tcp object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411669 eq https
access-list CSM_FW_ACL_north remark Wireless control systems
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411671 object-group Stores-ALL object-group CSM_INLINE_dst_rule_77309411671
access-list CSM_FW_ACL_north remark Voice calls
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411673 object-group Stores-ALL object-group DC-ALL
access-list CSM_FW_ACL_north remark WAAS systems
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411675 object-group Stores-ALL object-group DC-WAAS
access-list CSM_FW_ACL_north remark Allow Active Directory Domain
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411677 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_north remark Allow Windows Updates
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411679 object-group Stores-ALL object-group MS-Update
access-list CSM_FW_ACL_north remark Allow Mail
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309411681 object-group Stores-ALL object-group MSExchange
access-list CSM_FW_ACL_north remark Allow Applications
access-list CSM_FW_ACL_north extended permit tcp object-group CSM_INLINE_src_rule_77309411683 object-group CSM_INLINE_dst_rule_77309411683 eq https
access-list CSM_FW_ACL_north extended permit udp object-group CSM_INLINE_src_rule_77309414158 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_north remark - RIE-2
access-list CSM_FW_ACL_north extended permit udp object-group CSM_INLINE_src_rule_77309414160 object-group RSA-enVision eq syslog
access-list CSM_FW_ACL_north extended permit tcp object-group CSM_INLINE_src_rule_77309414162 object-group TACACS eq tacacs
access-list CSM_FW_ACL_north extended permit udp 192.168.21.0 255.255.255.0 object-group ActiveDirectory.cisco-irn.com eq domain
access-list CSM_FW_ACL_north remark Ironport traffic in from DNZ
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309414166 host 192.168.23.68 any
access-list CSM_FW_ACL_north extended permit udp host 192.168.23.68 object-group RSA-enVision eq syslog
access-list CSM_FW_ACL_north extended permit udp host 192.168.23.68 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_north extended permit object-group CSM_INLINE_svc_rule_77309414172 host 192.168.23.68 object-group TACACS
access-list CSM_FW_ACL_north remark Drop all other traffic
access-list CSM_FW_ACL_north extended deny ip any any log
access-list CSM_FW_ACL_south extended permit ospf 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0
access-list CSM_FW_ACL_south extended permit ip object-group CSM_INLINE_src_rule_77309411633 object-group CSM_INLINE_dst_rule_77309411633
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411635 object-group Admin-Systems object-group CSM_INLINE_dst_rule_77309411635
access-list CSM_FW_ACL_south remark Allow services for Ironport apps
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414079 object-group CSM_INLINE_src_rule_77309414079 192.168.23.64 255.255.255.224
access-list CSM_FW_ACL_south remark Allow traffic to DMZ
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414081 object-group CSM_INLINE_src_rule_77309414081 host 192.168.20.30
access-list CSM_FW_ACL_south remark Drop unauthorized traffic to DMZ
access-list CSM_FW_ACL_south extended deny ip any 192.168.20.0 255.255.252.0 log
access-list CSM_FW_ACL_south remark Allow Active Directory Domain
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411637 object-group ActiveDirectory.cisco-irn.com object-group Stores-ALL
access-list CSM_FW_ACL_south remark VMWare - ESX systems
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411639 object-group vSphere-1 object-group Stores-ALL
access-list CSM_FW_ACL_south remark Wireless Management to Stores
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411641 object-group CSM_INLINE_src_rule_77309411641 object-group Stores-ALL
access-list CSM_FW_ACL_south remark Physical security systems
access-list CSM_FW_ACL_south extended permit tcp object-group CSM_INLINE_src_rule_77309411643 object-group Stores-ALL eq https
access-list CSM_FW_ACL_south remark Allow Management of store systems
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411645 object-group DC-ALL object-group Stores-ALL
access-list CSM_FW_ACL_south remark WAAS systems
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411647 object-group DC-WAAS object-group Stores-ALL
access-list CSM_FW_ACL_south remark Voice calls
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309411649 object-group DC-ALL object-group Stores-ALL
access-list CSM_FW_ACL_south extended deny ip any object-group Stores-ALL
access-list CSM_FW_ACL_south remark Allow outbound services for Internet
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414071 object-group CSM_INLINE_src_rule_77309414071 any
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414073 object-group ActiveDirectory.cisco-irn.com any
access-list CSM_FW_ACL_south extended permit udp object-group NTP-Servers any eq ntp
access-list CSM_FW_ACL_south remark Allow LDAP out LAB test
access-list CSM_FW_ACL_south extended permit object-group CSM_INLINE_svc_rule_77309414077 object-group PAME-DC-1 any log
access-list CSM_FW_ACL_south remark Drop and Log all other traffic
access-list CSM_FW_ACL_south extended deny ip any any log
pager lines 24
logging host south 192.168.42.124
mtu north 1500
mtu south 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any north
icmp permit any south
asdm history enable
arp timeout 14400
access-group CSM_FW_ACL_north in interface north
access-group CSM_FW_ACL_south in interface south
route north 0.0.0.0 0.0.0.0 192.168.162.1 1
route south 192.168.38.0 255.255.255.0 192.168.162.7 1
route south 192.168.39.0 255.255.255.0 192.168.162.7 1
route south 192.168.40.0 255.255.255.0 192.168.162.7 1
route south 192.168.41.0 255.255.255.0 192.168.162.7 1
route south 192.168.42.0 255.255.255.0 192.168.162.7 1
route south 192.168.43.0 255.255.255.0 192.168.162.7 1
route south 192.168.44.0 255.255.255.0 192.168.162.7 1
route south 192.168.45.0 255.255.255.0 192.168.162.7 1
route south 192.168.46.0 255.255.255.0 192.168.162.7 1
route south 192.168.52.0 255.255.255.0 192.168.162.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL (south) host 192.168.42.131
 key *****
aaa authentication ssh console RETAIL LOCAL
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
aaa authorization exec authentication-server
http server enable
http server idle-timeout 15
http server session-timeout 60
http 10.19.151.99 255.255.255.255 north
http 192.168.41.101 255.255.255.255 south
http 192.168.41.102 255.255.255.255 south
http 192.168.42.122 255.255.255.255 south
http 192.168.42.124 255.255.255.255 south
http 192.168.42.133 255.255.255.255 south
http 192.168.42.138 255.255.255.255 south
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 10.19.151.99 255.255.255.255 north
ssh 192.168.41.101 255.255.255.255 south
ssh 192.168.41.102 255.255.255.255 south
ssh 192.168.42.122 255.255.255.255 south
ssh 192.168.42.124 255.255.255.255 south
ssh 192.168.42.133 255.255.255.255 south
ssh 192.168.42.138 255.255.255.255 south
ssh timeout 15
ssh version 2
no threat-detection statistics tcp-intercept
username csmadmin password  <removed> encrypted privilege 15
username retail password <removed> encrypted privilege 15
username bmcgloth password <removed> encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
Cryptochecksum:70afa3a2a3007db41f3f336aca5cf51d
: end
asdm history enable
 
   

ASA-IE-1

: Saved
: Written by retail at 20:28:46.793 PDT Fri Apr 29 2011
!
ASA Version 8.4(1) 
!
hostname ASA-IE-1
domain-name cisco-irn.com
enable password <removed> encrypted
passwd <removed> encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.11.60 255.255.255.0 standby 192.168.11.62 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.42.130
 domain-name cisco-irn.com
same-security-traffic permit inter-interface
object network AdminStation 
 host 192.168.41.101
object network AdminStation2 
 host 192.168.41.102
object network EMC-NCM 
 host 192.168.42.122
 description EMC Network Configuration Manager 
object network CSManager 
 host 192.168.42.133
 description Cisco Security Manager 
object network RSA-enVision 
 host 192.168.42.124
 description RSA EnVision Syslog collector and SIM 
object network AdminStation3 
 host 192.168.42.138
object network AdminStation4-bart 
 host 10.19.151.99
object network DC-ALL 
 subnet 192.168.0.0 255.255.0.0
 description All of the Data Center 
object network Stores-ALL 
 subnet 10.10.0.0 255.255.0.0
 description all store networks 
object network ActiveDirectory.cisco-irn.com 
 host 192.168.42.130
object network PAME-DC-1 
 host 192.168.44.111
object network TACACS 
 host 192.168.42.131
 description Csico Secure ACS server for TACACS and Radius 
object service TCP1080 
 service tcp destination eq 1080 
object service TCP8080 
 service tcp destination eq 8080 
object service RDP 
 service tcp destination eq 3389 
 description Windows Remote Desktop 
object service LDAP-GC 
 service tcp destination eq 3268 
object service LDAP-GC-SSL 
 service tcp destination eq 3269 
object service LDAP-UDP 
 service udp destination eq 389 
object-group network CSM_INLINE_src_rule_77309412132
 description Generated by CS-Manager from src of FirewallRule# 3 (ASA-IE-1_v1/mandatory)
 network-object object EMC-NCM
 network-object object AdminStation
 network-object object CSManager
 network-object object AdminStation2
 network-object object RSA-enVision
 network-object object AdminStation3
 network-object object AdminStation4-bart
object-group network CSM_INLINE_src_rule_77309412156
 description Generated by CS-Manager from src of FirewallRule# 4 (ASA-IE-1_v1/mandatory)
 network-object object DC-ALL
 network-object object Stores-ALL
object-group network CSM_INLINE_src_rule_77309412168
 description Generated by CS-Manager from src of FirewallRule# 5 (ASA-IE-1_v1/mandatory)
 network-object object DC-ALL
 network-object object Stores-ALL
object-group network CSM_INLINE_src_rule_77309412178
 description Generated by CS-Manager from src of FirewallRule# 7 (ASA-IE-1_v1/mandatory)
 network-object object DC-ALL
 network-object object Stores-ALL
object-group network NTP-Servers
 description NTP Servers
 network-object 192.168.62.161 255.255.255.255
 network-object 162.168.62.162 255.255.255.255
object-group network CSM_INLINE_src_rule_77309412254
 description Generated by CS-Manager from src of FirewallRule# 15 (ASA-IE-1_v1/mandatory)
 network-object 192.168.22.11 255.255.255.255
 network-object 192.168.22.12 255.255.255.255
 network-object 192.168.21.0 255.255.255.0
object-group network CSM_INLINE_src_rule_77309412258
 description Generated by CS-Manager from src of FirewallRule# 16 (ASA-IE-1_v1/mandatory)
 network-object 192.168.22.11 255.255.255.255
 network-object 192.168.22.12 255.255.255.255
 network-object 192.168.21.0 255.255.255.0
object-group network CSM_INLINE_src_rule_77309412260
 description Generated by CS-Manager from src of FirewallRule# 17 (ASA-IE-1_v1/mandatory)
 network-object 192.168.22.11 255.255.255.255
 network-object 192.168.22.12 255.255.255.255
 network-object 192.168.21.0 255.255.255.0
object-group service CSM_INLINE_svc_rule_77309412132
 description Generated by CS-Manager from service of FirewallRule# 3 (ASA-IE-1_v1/mandatory)
 service-object tcp destination eq ssh 
 service-object tcp destination eq https 
object-group service CSM_INLINE_svc_rule_77309412156
 description Generated by CS-Manager from service of FirewallRule# 4 (ASA-IE-1_v1/mandatory)
 service-object tcp destination eq smtp 
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
object-group service CSM_INLINE_svc_rule_77309412168
 description Generated by CS-Manager from service of FirewallRule# 5 (ASA-IE-1_v1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
object-group service CSM_INLINE_svc_rule_77309412178
 description Generated by CS-Manager from service of FirewallRule# 7 (ASA-IE-1_v1/mandatory)
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp unreachable
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq ftp 
 service-object tcp destination eq ssh 
 service-object object TCP1080 
 service-object object TCP8080 
 service-object object RDP 
object-group service DNS-Resolving
 description Domain Name Server
 service-object tcp destination eq domain 
 service-object udp destination eq domain 
object-group service NTP
 description NTP Protocols
 service-object tcp destination eq 123 
 service-object udp destination eq ntp 
object-group service CSM_INLINE_svc_rule_77309412202
 description Generated by CS-Manager from service of FirewallRule# 8 (ASA-IE-1_v1/mandatory)
 group-object DNS-Resolving
 group-object NTP
object-group service CSM_INLINE_svc_rule_77309412216
 description Generated by CS-Manager from service of FirewallRule# 10 (ASA-IE-1_v1/mandatory)
 service-object tcp destination eq ldap 
 service-object tcp destination eq ldaps 
 service-object object LDAP-GC 
 service-object object LDAP-GC-SSL 
 service-object object LDAP-UDP 
object-group service TFTP
 description Trivial File Transfer
 service-object tcp destination eq 69 
 service-object udp destination eq tftp 
object-group service HTTPS-8443
 service-object tcp destination eq 8443 
object-group service vCenter-to-ESX4
 description Communication from vCetner to ESX hosts
 service-object tcp destination eq 5989 
 service-object tcp destination eq 8000 
 service-object tcp destination eq 902 
 service-object tcp destination eq 903 
object-group service CSM_INLINE_svc_rule_77309412222
 description Generated by CS-Manager from service of FirewallRule# 13 (ASA-IE-1_v1/mandatory)
 service-object icmp 
 service-object tcp destination eq ssh 
 service-object tcp destination eq telnet 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq 8880 
 service-object tcp destination eq 8444 
 service-object tcp destination eq 5900 
 service-object tcp destination eq 5800 
 service-object object RDP 
 service-object object TCP1080 
 service-object object TCP8080 
 group-object TFTP
 group-object HTTPS-8443
 group-object vCenter-to-ESX4
object-group service CSM_INLINE_svc_rule_77309412276
 description Generated by CS-Manager from service of FirewallRule# 19 (ASA-IE-1_v1/mandatory)
 service-object tcp destination eq smtp 
 group-object DNS-Resolving
object-group service CSM_INLINE_svc_rule_77309412288
 description Generated by CS-Manager from service of FirewallRule# 22 (ASA-IE-1_v1/mandatory)
 service-object udp destination eq 1812 
 service-object udp destination eq 1813 
access-list all extended permit ip any any 
access-list INSIDE extended permit ip object AdminStation any 
access-list INSIDE extended permit ip object AdminStation2 any 
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412132 object-group CSM_INLINE_src_rule_77309412132 192.168.20.0 255.255.252.0
access-list INSIDE remark Allow services for Ironport apps
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412156 object-group CSM_INLINE_src_rule_77309412156 192.168.23.64 255.255.255.224
access-list INSIDE remark Allow traffic to DMZ
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412168 object-group CSM_INLINE_src_rule_77309412168 host 192.168.20.30
access-list INSIDE remark Drop unauthorized traffic to DMZ
access-list INSIDE extended deny ip any 192.168.20.0 255.255.255.0 log 
access-list INSIDE remark Allow outbound services for Internet
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412178 object-group CSM_INLINE_src_rule_77309412178 any
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412202 object ActiveDirectory.cisco-irn.com any
access-list INSIDE extended permit udp object-group NTP-Servers any eq ntp 
access-list INSIDE remark Allow LDAP out LAB test
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_77309412216 object PAME-DC-1 any log
access-list INSIDE remark Drop and Log all other traffic
access-list INSIDE extended deny ip any any log 
access-list OUTSIDE remark Allow SSL VPN
access-list OUTSIDE extended permit tcp any host 192.168.21.1 eq https log 
access-list OUTSIDE extended permit udp object-group CSM_INLINE_src_rule_77309412254 object-group NTP-Servers eq ntp
access-list OUTSIDE remark - RIE-2
access-list OUTSIDE extended permit udp object-group CSM_INLINE_src_rule_77309412258 object RSA-enVision eq syslog
access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_77309412260 object TACACS eq tacacs
access-list OUTSIDE extended permit udp 192.168.21.0 255.255.255.0 object ActiveDirectory.cisco-irn.com eq domain
access-list OUTSIDE remark Ironport traffic in from DNZ
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_77309412276 host 192.168.23.68 any
access-list OUTSIDE extended permit udp host 192.168.23.68 object RSA-enVision eq syslog
access-list OUTSIDE extended permit udp host 192.168.23.68 object-group NTP-Servers eq ntp
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_77309412288 host 192.168.23.68 object TACACS
access-list OUTSIDE remark Drop all other traffic
access-list OUTSIDE extended deny ip any any log 
access-list all-web webtype permit url any log default
pager lines 24
logging asdm informational
logging host inside 192.168.42.124
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.12.31 255.255.255.0 standby 192.168.12.32
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.21.10 1
route inside 10.10.0.0 255.255.0.0 192.168.11.1 1
route outside 10.10.0.0 255.255.255.0 192.168.21.10 1
route inside 192.168.0.0 255.255.0.0 192.168.11.10 1
route outside 192.168.20.0 255.255.255.0 192.168.21.10 1
route outside 192.168.22.0 255.255.255.0 192.168.21.10 1
route outside 192.168.23.0 255.255.255.0 192.168.21.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl all
 webvpn
  appl-acl all-web
  url-list value page1
  file-browsing enable
  file-entry enable
  http-proxy enable
  url-entry enable
  svc ask enable default webvpn
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.42.137
 timeout 5
 key *****
 radius-common-pw *****
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL (inside) host 192.168.42.131
 key *****
aaa authentication ssh console RETAIL LOCAL
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
aaa authorization exec authentication-server
http server enable
http server idle-timeout 15
http server session-timeout 60
http 10.19.151.99 255.255.255.255 inside
http 192.168.41.101 255.255.255.255 inside
http 192.168.41.102 255.255.255.255 inside
http 192.168.42.122 255.255.255.255 inside
http 192.168.42.124 255.255.255.255 inside
http 192.168.42.133 255.255.255.255 inside
http 192.168.42.138 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
telnet timeout 5
ssh 10.19.151.99 255.255.255.255 inside
ssh 192.168.41.101 255.255.255.255 inside
ssh 192.168.41.102 255.255.255.255 inside
ssh 192.168.42.122 255.255.255.255 inside
ssh 192.168.42.124 255.255.255.255 inside
ssh 192.168.42.133 255.255.255.255 inside
ssh 192.168.42.138 255.255.255.255 inside
ssh timeout 15
ssh version 2
console timeout 15
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.62.162 source inside
ntp server 192.168.62.161 source inside prefer
webvpn
 enable outside
 internal-password enable
 smart-tunnel list AllExternalApplications All-Applications * platform windows
group-policy DfltGrpPolicy attributes
 webvpn
  url-list value page1
  smart-tunnel enable AllExternalApplications
group-policy Retail-PCI internal
group-policy Retail-PCI attributes
 vpn-tunnel-protocol ssl-clientless
username csmadmin password  <removed> encrypted privilege 15
username retail password <removed> encrypted privilege 15
username bmcgloth password <removed> encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group partnerauth
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group partnerauth
tunnel-group Retail-Lab type remote-access
tunnel-group Retail-Lab general-attributes
 authentication-server-group partnerauth LOCAL
 default-group-policy Retail-PCI
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:7523e3d4b6eac19b34c670de405c3e45
: end

ASA-WAN-1

: Saved
: Written by retail at 18:21:22.920 PDT Fri Apr 29 2011
!
ASA Version 8.4(1) 
!
firewall transparent
hostname ASA-WAN-1
domain-name cisco-irn.com
enable password <removed> encrypted
passwd <removed> encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 management-only
!
interface BVI1
 ip address 192.168.11.20 255.255.255.0 standby 192.168.11.21 
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name cisco-irn.com
object network AdminStation 
 host 192.168.41.101
object network AdminStation2 
 host 192.168.41.102
object network AdminStation4-bart 
 host 10.19.151.99
object network EMC-NCM 
 host 192.168.42.122
 description EMC Network Configuration Manager 
object network CSManager 
 host 192.168.42.133
 description Cisco Security Manager 
object network AdminStation3 
 host 192.168.42.138
object network ActiveDirectory.cisco-irn.com 
 host 192.168.42.130
object network Stores-ALL 
 subnet 10.10.0.0 255.255.0.0
 description all store networks 
object network vSphere-1 
 host 192.168.41.102
 description vSphere server for Lab 
object network WCSManager 
 host 192.168.43.135
 description Wireless Manager 
object network PAME-DC-1 
 host 192.168.44.111
object network MSP-DC-1 
 host 192.168.44.121
 description Data Center VSOM 
object network DC-ALL 
 subnet 192.168.0.0 255.255.0.0
 description All of the Data Center 
object network RSA-enVision 
 host 192.168.42.124
 description RSA EnVision Syslog collector and SIM 
object network TACACS 
 host 192.168.42.131
 description Csico Secure ACS server for TACACS and Radius 
object network RSA-AM 
 host 192.168.42.137
 description RSA Authentication Manager for SecureID 
object network NAC-2 
 host 192.168.42.112
object network NAC-1 
 host 192.168.42.111
 description ISE server for NAC 
object network MS-Update 
 host 192.168.42.150
 description Windows Update Server 
object network MSExchange 
 host 192.168.42.140
 description Mail Server 
object network DC-POS 
 subnet 192.168.52.0 255.255.255.0
 description POS in the Data Center 
object service RPC 
 service tcp destination eq 135 
object service LDAP-GC 
 service tcp destination eq 3268 
object service LDAP-GC-SSL 
 service tcp destination eq 3269 
object service Kerberos-TCP 
 service tcp destination eq 88 
object service Microsoft-DS-SMB 
 service tcp destination eq 445 
 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing 
object service LDAP-UDP 
 service udp destination eq 389 
object service RPC-HighPorts 
 service tcp destination range 1024 65535 
object service IP-Protocol-97 
 service 97 
 description IP protocol 97 
object service TCP1080 
 service tcp destination eq 1080 
object service TCP8080 
 service tcp destination eq 8080 
object service RDP 
 service tcp destination eq 3389 
 description Windows Remote Desktop 
object-group network CSM_INLINE_src_rule_73014456577
 description Generated by CS-Manager from src of FirewallRule# 1 (ASA-WAN_1/mandatory)
 network-object object AdminStation
 network-object object AdminStation2
 network-object object AdminStation4-bart
object-group network STORE-POS
 network-object 10.10.0.0 255.255.0.0
object-group network Admin-Systems
 network-object object EMC-NCM
 network-object object AdminStation
 network-object object AdminStation2
 network-object object CSManager
 network-object object AdminStation3
 network-object object AdminStation4-bart
object-group network DC-Wifi-Controllers
 description Central Wireless Controllers for stores
 network-object 192.168.43.21 255.255.255.255
 network-object 192.168.43.22 255.255.255.255
object-group network DC-Wifi-MSE
 description Mobility Service Engines
 network-object 192.168.43.31 255.255.255.255
 network-object 192.168.43.32 255.255.255.255
object-group network CSM_INLINE_src_rule_73014456585
 description Generated by CS-Manager from src of FirewallRule# 5 (ASA-WAN_1/mandatory)
 network-object object WCSManager
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
object-group network CSM_INLINE_src_rule_73014456587
 description Generated by CS-Manager from src of FirewallRule# 6 (ASA-WAN_1/mandatory)
 network-object object PAME-DC-1
 network-object object MSP-DC-1
object-group network DC-WAAS
 description WAE Appliances in Data Center
 network-object 192.168.48.10 255.255.255.255
 network-object 192.168.49.10 255.255.255.255
 network-object 192.168.47.11 255.255.255.255
 network-object 192.168.47.12 255.255.255.255
object-group network NTP-Servers
 description NTP Servers
 network-object 192.168.62.161 255.255.255.255
 network-object 162.168.62.162 255.255.255.255
object-group network CSM_INLINE_dst_rule_73014456607
 description Generated by CS-Manager from dst of FirewallRule# 16 (ASA-WAN_1/mandatory)
 network-object object TACACS
 network-object object RSA-AM
 network-object object NAC-2
 network-object object NAC-1
object-group network CSM_INLINE_dst_rule_73014456609
 description Generated by CS-Manager from dst of FirewallRule# 17 (ASA-WAN_1/mandatory)
 network-object object NAC-2
 network-object object NAC-1
object-group network CSM_INLINE_dst_rule_73014456613
 description Generated by CS-Manager from dst of FirewallRule# 19 (ASA-WAN_1/mandatory)
 network-object object PAME-DC-1
 network-object object MSP-DC-1
object-group network CSM_INLINE_dst_rule_73014456615
 description Generated by CS-Manager from dst of FirewallRule# 20 (ASA-WAN_1/mandatory)
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
object-group network DC-POS-Tomax
 description Tomax POS Communication from Store to Data Center
 network-object 192.168.52.96 255.255.255.224
object-group network DC-POS-SAP
 description SAP POS Communication from Store to Data Center
 network-object 192.168.52.144 255.255.255.240
object-group network DC-POS-Oracle
 description Oracle POS Communication from Store to Data Center
 network-object 192.168.52.128 255.255.255.240
object-group network CSM_INLINE_dst_rule_73014456627
 description Generated by CS-Manager from dst of FirewallRule# 26 (ASA-WAN_1/mandatory)
 group-object DC-POS-Tomax
 network-object object DC-POS
 group-object DC-POS-SAP
 group-object DC-POS-Oracle
object-group service HTTPS-8443
 service-object tcp destination eq 8443 
object-group service CSM_INLINE_svc_rule_73014456579
 description Generated by CS-Manager from service of FirewallRule# 2 (ASA-WAN_1/mandatory)
 service-object tcp destination eq ssh 
 service-object tcp destination eq https 
 group-object HTTPS-8443
object-group service DNS-Resolving
 description Domain Name Server
 service-object tcp destination eq domain 
 service-object udp destination eq domain 
object-group service CSM_INLINE_svc_rule_73014456581
 description Generated by CS-Manager from service of FirewallRule# 3 (ASA-WAN_1/mandatory)
 service-object tcp destination eq ldap 
 service-object tcp destination eq ldaps 
 service-object udp destination eq 88 
 service-object udp destination eq ntp 
 service-object udp destination eq netbios-dgm 
 service-object object RPC 
 service-object object LDAP-GC 
 service-object object LDAP-GC-SSL 
 service-object object Kerberos-TCP 
 service-object object Microsoft-DS-SMB 
 service-object object LDAP-UDP 
 service-object object RPC-HighPorts 
 group-object DNS-Resolving
object-group service vCenter-to-ESX4
 description Communication from vCetner to ESX hosts
 service-object tcp destination eq 5989 
 service-object tcp destination eq 8000 
 service-object tcp destination eq 902 
 service-object tcp destination eq 903 
object-group service CSM_INLINE_svc_rule_73014456583
 description Generated by CS-Manager from service of FirewallRule# 4 (ASA-WAN_1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 group-object vCenter-to-ESX4
object-group service TFTP
 description Trivial File Transfer
 service-object tcp destination eq 69 
 service-object udp destination eq tftp 
object-group service LWAPP
 description LWAPP UDP ports 12222 and 12223
 service-object udp destination eq 12222 
 service-object udp destination eq 12223 
object-group service CAPWAP
 description CAPWAP UDP ports 5246 and 5247
 service-object udp destination eq 5246 
 service-object udp destination eq 5247 
object-group service CSM_INLINE_svc_rule_73014456585
 description Generated by CS-Manager from service of FirewallRule# 5 (ASA-WAN_1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq www 
 service-object udp destination eq isakmp 
 service-object tcp destination eq telnet 
 service-object tcp destination eq ssh 
 service-object object IP-Protocol-97 
 group-object TFTP
 group-object LWAPP
 group-object CAPWAP
object-group service CSM_INLINE_svc_rule_73014456589
 description Generated by CS-Manager from service of FirewallRule# 7 (ASA-WAN_1/mandatory)
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object tcp destination eq ftp 
 service-object object TCP1080 
 service-object object TCP8080 
 service-object object RDP 
 group-object HTTPS-8443
object-group service CISCO-WAAS
 description Ports for Cisco WAAS
 service-object tcp destination eq 4050 
object-group service Netbios
 description Netbios Servers
 service-object udp destination eq netbios-dgm 
 service-object udp destination eq netbios-ns 
 service-object tcp destination eq netbios-ssn 
object-group service CSM_INLINE_svc_rule_73014456591
 description Generated by CS-Manager from service of FirewallRule# 8 (ASA-WAN_1/mandatory)
 service-object object Microsoft-DS-SMB 
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Netbios
object-group service CSM_INLINE_svc_rule_73014456593
 description Generated by CS-Manager from service of FirewallRule# 9 (ASA-WAN_1/mandatory)
 service-object tcp-udp destination eq sip 
 service-object tcp destination eq 2000 
object-group service CSM_INLINE_svc_rule_73014456599
 description Generated by CS-Manager from service of FirewallRule# 12 (ASA-WAN_1/mandatory)
 service-object udp destination eq snmptrap 
 service-object udp destination eq snmp 
 service-object udp destination eq syslog 
object-group service CSM_INLINE_svc_rule_73014456601
 description Generated by CS-Manager from service of FirewallRule# 13 (ASA-WAN_1/mandatory)
 service-object udp destination eq domain 
 service-object tcp destination eq ldap 
 service-object tcp destination eq ldaps 
object-group service CSM_INLINE_svc_rule_73014456607
 description Generated by CS-Manager from service of FirewallRule# 16 (ASA-WAN_1/mandatory)
 service-object udp destination eq 1812 
 service-object udp destination eq 1813 
object-group service CSM_INLINE_svc_rule_73014456609
 description Generated by CS-Manager from service of FirewallRule# 17 (ASA-WAN_1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq www 
 group-object HTTPS-8443
object-group service ESX-SLP
 description CIM Service Location Protocol (SLP) for VMware systems
 service-object udp destination eq 427 
 service-object tcp destination eq 427 
object-group service CSM_INLINE_svc_rule_73014456611
 description Generated by CS-Manager from service of FirewallRule# 18 (ASA-WAN_1/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq www 
 service-object tcp destination eq ssh 
 group-object vCenter-to-ESX4
 group-object ESX-SLP
object-group service Cisco-Mobility
 description Mobility ports for Wireless
 service-object udp destination eq 16666 
 service-object udp destination eq 16667 
object-group service CSM_INLINE_svc_rule_73014456615
 description Generated by CS-Manager from service of FirewallRule# 20 (ASA-WAN_1/mandatory)
 service-object tcp destination eq https 
 service-object udp destination eq isakmp 
 service-object object IP-Protocol-97 
 group-object Cisco-Mobility
 group-object LWAPP
 group-object CAPWAP
object-group service CSM_INLINE_svc_rule_73014456617
 description Generated by CS-Manager from service of FirewallRule# 21 (ASA-WAN_1/mandatory)
 service-object tcp-udp destination eq sip 
 service-object tcp destination eq 2000 
object-group service CSM_INLINE_svc_rule_73014456619
 description Generated by CS-Manager from service of FirewallRule# 22 (ASA-WAN_1/mandatory)
 service-object object Microsoft-DS-SMB 
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Netbios
object-group service CSM_INLINE_svc_rule_73014456621
 description Generated by CS-Manager from service of FirewallRule# 23 (ASA-WAN_1/mandatory)
 service-object tcp destination eq ldap 
 service-object tcp destination eq ldaps 
 service-object udp destination eq 88 
 service-object udp destination eq ntp 
 service-object udp destination eq netbios-dgm 
 service-object object RPC 
 service-object object LDAP-GC 
 service-object object LDAP-GC-SSL 
 service-object object Kerberos-TCP 
 service-object object Microsoft-DS-SMB 
 service-object object LDAP-UDP 
 service-object object RPC-HighPorts 
 group-object DNS-Resolving
object-group service CSM_INLINE_svc_rule_73014456623
 description Generated by CS-Manager from service of FirewallRule# 24 (ASA-WAN_1/mandatory)
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group service CSM_INLINE_svc_rule_73014456625
 description Generated by CS-Manager from service of FirewallRule# 25 (ASA-WAN_1/mandatory)
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq smtp 
 service-object tcp destination eq pop3 
 service-object tcp destination eq imap4 
object-group network DM_INLINE_NETWORK_1
 network-object 10.10.0.0 255.255.0.0
 network-object object Stores-ALL
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq ftp 
 service-object tcp destination eq ssh 
 service-object udp destination eq tftp 
access-list INSIDE extended permit ip object-group CSM_INLINE_src_rule_73014456577 object-group STORE-POS
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456579 object-group Admin-Systems object-group STORE-POS
access-list INSIDE remark Allow Active Directory Domain
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456581 object ActiveDirectory.cisco-irn.com object Stores-ALL
access-list INSIDE remark VMWare - ESX systems
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456583 object vSphere-1 object Stores-ALL
access-list INSIDE remark Wireless Management to Stores
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456585 object-group CSM_INLINE_src_rule_73014456585 object Stores-ALL
access-list INSIDE remark Physical security systems
access-list INSIDE extended permit tcp object-group CSM_INLINE_src_rule_73014456587 object Stores-ALL eq https
access-list INSIDE remark Allow Management of store systems
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456589 object 
DC-ALL object Stores-ALL 
access-list INSIDE remark WAAS systems
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456591 
object-group DC-WAAS object Stores-ALL 
access-list INSIDE remark Voice calls
access-list INSIDE extended permit object-group CSM_INLINE_svc_rule_73014456593 object 
DC-ALL object Stores-ALL 
access-list INSIDE remark Drop and Log all other traffic
access-list INSIDE extended deny ip any any log 
access-list OUTSIDE extended permit tcp object Stores-ALL object EMC-NCM eq ssh
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456599 object Stores-ALL object RSA-enVision
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456601 object Stores-ALL object ActiveDirectory.cisco-irn.com
access-list OUTSIDE extended permit tcp object Stores-ALL object TACACS eq tacacs
access-list OUTSIDE extended permit udp object Stores-ALL object-group NTP-Servers eq ntp
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456607 object Stores-ALL object-group CSM_INLINE_dst_rule_73014456607
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456609 object Stores-ALL object-group CSM_INLINE_dst_rule_73014456609
access-list OUTSIDE remark VMWare ESX to Data Center
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456611 object Stores-ALL object vSphere-1
access-list OUTSIDE remark Physical security systems
access-list OUTSIDE extended permit tcp object Stores-ALL object-group CSM_INLINE_dst_rule_73014456613 eq https
access-list OUTSIDE remark Wireless control systems
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456615 object Stores-ALL object-group CSM_INLINE_dst_rule_73014456615
access-list OUTSIDE remark Voice calls
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456617 object Stores-ALL object DC-ALL
access-list OUTSIDE remark WAAS systems
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456619 object Stores-ALL object-group DC-WAAS
access-list OUTSIDE remark Allow Active Directory Domain
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456621 object Stores-ALL object ActiveDirectory.cisco-irn.com
access-list OUTSIDE remark Allow Windows Updates
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456623 object Stores-ALL object MS-Update
access-list OUTSIDE remark Allow Mail
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014456625 object Stores-ALL object MSExchange
access-list OUTSIDE remark Allow Applications
access-list OUTSIDE extended permit tcp object Stores-ALL object-group CSM_INLINE_dst_rule_73014456627 eq https
access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 object AdminStation2 log disable
access-list OUTSIDE remark Drop all other traffic
access-list OUTSIDE extended deny ip any any log
pager lines 24
logging host inside 192.168.42.124
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.12.20 255.255.255.0 standby 192.168.12.21
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.11.60 1
route outside 10.10.0.0 255.255.0.0 192.168.11.1 1
route inside 10.10.0.0 255.255.255.0 192.168.11.60 1
route outside 10.10.1.0 255.255.255.0 192.168.11.2 1
route outside 10.10.2.0 255.255.255.0 192.168.11.3 1
route inside 10.10.3.0 255.255.255.0 192.168.11.60 1
route inside 10.10.4.0 255.255.255.0 192.168.11.60 1
route outside 10.10.254.0 255.255.255.0 192.168.11.3 1
route outside 10.10.255.0 255.255.255.0 192.168.11.2 1
route inside 192.168.0.0 255.255.0.0 192.168.11.10 1
route outside 192.168.1.111 255.255.255.255 192.168.11.2 1
route outside 192.168.1.112 255.255.255.255 192.168.11.3 1
route inside 192.168.20.0 255.255.252.0 192.168.11.60 1
route inside 192.168.24.0 255.255.255.0 192.168.11.60 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL (inside) host 192.168.42.131
 key *****
aaa authentication ssh console RETAIL LOCAL
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
aaa authorization exec authentication-server
http server enable
http server idle-timeout 15
http server session-timeout 60
http 192.168.41.102 255.255.255.255 inside
http 10.19.151.99 255.255.255.255 inside
http 192.168.41.101 255.255.255.255 inside
http 192.168.42.122 255.255.255.255 inside
http 192.168.42.124 255.255.255.255 inside
http 192.168.42.133 255.255.255.255 inside
http 192.168.42.138 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
telnet timeout 1
ssh scopy enable
ssh 10.19.151.99 255.255.255.255 inside
ssh 192.168.41.101 255.255.255.255 inside
ssh 192.168.41.102 255.255.255.255 inside
ssh 192.168.42.122 255.255.255.255 inside
ssh 192.168.42.124 255.255.255.255 inside
ssh 192.168.42.133 255.255.255.255 inside
ssh 192.168.42.138 255.255.255.255 inside
ssh timeout 15
ssh version 2
console timeout 15
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.62.162 source inside
ntp server 192.168.62.161 source inside prefer
username csmadmin password <removed> encrypted privilege 15
username retail password <removed>  encrypted privilege 15
username bmcgloth password <removed>  encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
class-map global-class-PCI
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 description IPS inspection policy for Cisco PCI LAB
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
 class global-class-PCI
  ips promiscuous fail-open
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:6711019c0f0a6b2f849474306a18ba82
: end
 
   

ASA-WAN-1_IDS

! ------------------------------
! Current configuration last modified Thu Apr 28 23:24:09 2011
! ------------------------------
! Version 7.0(4)
! Host:                                         
!     Realm Keys          key1.0                
! Signature Definition:                         
!     Signature Update    S500.0   2010-07-09   
! ------------------------------
service interface
exit
! ------------------------------
service authentication
attemptLimit 6
password-strength
size 7-64
digits-min 1
lowercase-min 1
other-min 1
number-old-passwords 4
exit
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.11.23/24,192.168.11.10
host-name ASA-WAN-1_IPS
telnet-option disabled
access-list 10.19.151.99/32 
access-list 192.168.41.101/32 
access-list 192.168.41.102/32 
access-list 192.168.42.122/32 
access-list 192.168.42.124/32 
access-list 192.168.42.133/32 
access-list 192.168.42.138/32 
dns-primary-server enabled
address 192.168.42.130
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -8
standard-time-zone-name PST
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.62.161
exit
summertime-option recurring
summertime-zone-name PDT
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
trap-destinations 192.168.42.124 
trap-community-name <removed>
exit
enable-notifications true
trap-community-name <removed>
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
aaa radius
primary-server
server-address 192.168.42.131
shared-secret <removed>
exit
nas-id DMZ-IDS1
local-fallback enabled
console-authentication radius-and-local
default-user-role administrator
exit
exit
! ------------------------------
service analysis-engine
exit

ASA-WAN-2_IDS

! ------------------------------
! Current configuration last modified Thu Apr 28 23:26:43 2011
! ------------------------------
! Version 7.0(4)
! Host:                                         
!     Realm Keys          key1.0                
! Signature Definition:                         
!     Signature Update    S500.0   2010-07-09   
! ------------------------------
service interface
exit
! ------------------------------
service authentication
attemptLimit 6
password-strength
size 7-64
digits-min 1
lowercase-min 1
other-min 1
number-old-passwords 4
exit
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.11.24/24,192.168.11.10
host-name ASA-WAN-2_IPS
telnet-option disabled
access-list 10.19.151.99/32 
access-list 192.168.41.101/32 
access-list 192.168.41.102/32 
access-list 192.168.42.122/32 
access-list 192.168.42.124/32 
access-list 192.168.42.133/32 
access-list 192.168.42.138/32 
dns-primary-server enabled
address 192.168.42.130
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -8
standard-time-zone-name PST
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.62.161
exit
summertime-option recurring
summertime-zone-name PDT
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
trap-destinations 192.168.42.124 
trap-community-name <removed>
exit
enable-notifications true
trap-community-name <removed>
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
aaa radius
primary-server
server-address 192.168.42.131
shared-secret <removed>
exit
nas-id DMZ-IDS1
local-fallback enabled
console-authentication radius-and-local
default-user-role administrator
exit
exit
! ------------------------------
service analysis-engine
exit

DMZ-ACE-1

 
   
logging enable
logging timestamp
logging trap 6
logging buffered 6
logging device-id context-name
logging host 192.168.42.124 udp/514  
logging rate-limit 1 120 message 302027
 
   
 
   
login timeout 15
hostname ACE1
boot system image:c6ace-t1k9-mz.3.0.0_A1_4a.bin
 
   
resource-class Gold
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource conc-connections minimum 10.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
 
   
tacacs-server host 192.168.42.131 key 7 "<removed>" 
aaa group server tacacs+ RETAIL
  server 192.168.42.131
 
   
 
   
clock timezone standard PST
clock summer-time standard PDT
aaa authentication login default group RETAIL local 
aaa authentication login console group RETAIL local 
aaa accounting default group RETAIL local 
 
   
 
   
 
   
class-map type management match-any remote-mgmt
  9 match protocol ssh source-address 192.168.41.102 255.255.255.255
  10 match protocol ssh source-address 192.168.42.131 255.255.255.255
  30 match protocol icmp any
  31 match protocol ssh source-address 10.19.151.99 255.255.255.255
  32 match protocol ssh source-address 192.168.41.101 255.255.255.255
  33 match protocol ssh source-address 192.168.42.111 255.255.255.255
  34 match protocol ssh source-address 192.168.42.122 255.255.255.255
  35 match protocol ssh source-address 192.168.42.124 255.255.255.255
  36 match protocol ssh source-address 192.168.42.133 255.255.255.255
  37 match protocol ssh source-address 192.168.42.138 255.255.255.255
 
   
policy-map type management first-match remote-access
  class remote-mgmt
    permit
 
   
interface vlan 21
  ip address 192.168.21.95 255.255.255.0
  service-policy input remote-access
  no shutdown
 
   
ft interface vlan 85
  ip address 192.168.20.9 255.255.255.252
  peer ip address 192.168.20.10 255.255.255.252
  no shutdown
 
   
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 85
ft group 11
  peer 1
  priority 110
  peer priority 105
  associate-context Admin
  inservice
 
   
domain cisco-irn.com
 
   
ip route 0.0.0.0 0.0.0.0 192.168.21.1
 
   
context PCI
  allocate-interface vlan 82-83
  allocate-interface vlan 95
 
   
 
   
  
ft group 10
  peer 1
  priority 110
  peer priority 105
  associate-context PCI
  inservice
username admin password 5 <removed>   role Admin domain default-domain 
username www password 5 <removed>   role Admin domain default-domain 
username retail password 5 <removed>   role Admin domain default-domain 
username csmadmin password 5 <removed>   role Admin domain default-domain 
ssh key rsa 1024 force
 
   

DMZ-ACE-1_PCI

ACE1/PCI# sh run
Generating configuration....
 
   
logging enable
logging timestamp
logging buffered 7
logging monitor 7
logging device-id context-name
logging host 192.168.42.124 udp/514
logging rate-limit 1 120 message 302027
 
   
 
   
login timeout 15
 
   
tacacs-server host 192.168.42.131 key 7 "<removed>"
aaa group server tacacs+ RETAIL
  server 192.168.42.131
aaa authentication login default group RETAIL local
aaa authentication login console group RETAIL local
aaa accounting default group RETAIL local
 
   
access-list allow2server line 20 extended permit ip any host 192.168.20.3
access-list allow2server line 21 extended permit tcp host 192.168.20.44 host 192.168.42.130 eq ldap
access-list allow2server line 22 extended deny ip any any
access-list in2out line 10 extended permit ip host 192.168.20.3 any
access-list in2out line 15 extended deny ip any any
access-list out2in line 10 extended permit tcp any host 192.168.20.1 eq www
access-list out2in line 15 extended deny ip any any
 
   
 
   
probe icmp ICMP
  interval 2
  faildetect 2
  passdetect interval 60
  passdetect count 2
 
   
rserver host ECOM
  ip address 192.168.20.44
  inservice
 
   
serverfarm host PCI-ECOM
  predictor leastconns
  probe ICMP
  rserver ECOM
    inservice
 
   
class-map match-any ECOMVIP
  11 match virtual-address 192.168.20.1 any
class-map type management match-any remote-mgmt
  30 match protocol icmp any
  31 match protocol ssh source-address 10.19.151.99 255.255.255.255
  32 match protocol ssh source-address 192.168.41.101 255.255.255.255
  33 match protocol ssh source-address 192.168.41.102 255.255.255.255
  34 match protocol ssh source-address 192.168.42.111 255.255.255.255
  35 match protocol ssh source-address 192.168.42.122 255.255.255.255
  36 match protocol ssh source-address 192.168.42.124 255.255.255.255
  37 match protocol ssh source-address 192.168.42.131 255.255.255.255
  38 match protocol ssh source-address 192.168.42.133 255.255.255.255
  39 match protocol ssh source-address 192.168.42.138 255.255.255.255
 
   
policy-map type management first-match remote-access
  class remote-mgmt
    permit
policy-map type loadbalance first-match ECOMPOLICY
  class class-default
    serverfarm PCI-ECOM
policy-map multi-match ECOM_MATCH
  class ECOMVIP
    loadbalance vip inservice
    loadbalance policy ECOMPOLICY
 
   
service-policy input remote-access
 
   
interface vlan 82
  description ACE_outside
  ip address 192.168.20.28 255.255.255.248
  ip verify reverse-path
  alias 192.168.20.30 255.255.255.248
  peer ip address 192.168.20.29 255.255.255.248
  access-group input out2in
  service-policy input ECOM_MATCH
  no shutdown
interface vlan 83
  description ACE_inside
  ip address 192.168.20.4 255.255.255.248
  ip verify reverse-path
  alias 192.168.20.6 255.255.255.248
  peer ip address 192.168.20.5 255.255.255.248
  access-group input in2out
  no shutdown
 
   
domain cisco-irn.com
 
   
ip route 0.0.0.0 0.0.0.0 192.168.20.25
username csmadmin password 5 <removed>   role Admin domain default-domain
username retail password 5 <removed>   role Admin domain default-domain
username bmcgloth password 5 <removed>   role Admin domain default-domain
 
   

DMZ-ACE-2_Admin

ACE2/Admin# sh run
Generating configuration....
 
   
logging enable
logging timestamp
logging trap 6
logging buffered 6
logging device-id context-name
logging host 192.168.42.124 udp/514
logging rate-limit 1 120 message 302027
 
   
 
   
login timeout 15
hostname ACE2
boot system image:c6ace-t1k9-mz.3.0.0_A1_4a.bin
 
   
resource-class Gold
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource conc-connections minimum 10.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
 
   
 
   
tacacs-server host 192.168.42.131 key 7 "<removed>"
aaa group server tacacs+ RETAIL
  server 192.168.42.131
 
   
clock timezone standard PST
clock summer-time standard PDT
aaa authentication login default group RETAIL local
aaa authentication login console group RETAIL local
aaa accounting default group RETAIL local
 
   
 
   
 
   
class-map type management match-any remote-mgmt
  9 match protocol ssh source-address 192.168.41.102 255.255.255.255
  10 match protocol ssh source-address 192.168.42.131 255.255.255.255
  30 match protocol icmp any
  31 match protocol ssh source-address 10.19.151.99 255.255.255.255
  32 match protocol ssh source-address 192.168.41.101 255.255.255.255
  33 match protocol ssh source-address 192.168.42.111 255.255.255.255
  34 match protocol ssh source-address 192.168.42.122 255.255.255.255
  35 match protocol ssh source-address 192.168.42.124 255.255.255.255
  36 match protocol ssh source-address 192.168.42.133 255.255.255.255
  37 match protocol ssh source-address 192.168.42.138 255.255.255.255
 
   
policy-map type management first-match remote-access
  class remote-mgmt
    permit
 
   
interface vlan 21
  peer ip address 192.168.21.95 255.255.255.0
  service-policy input remote-access
  no shutdown
 
   
ft interface vlan 85
  ip address 192.168.20.10 255.255.255.252
  peer ip address 192.168.20.9 255.255.255.252
  no shutdown
 
   
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 85
ft group 11
  peer 1
  priority 105
  peer priority 110
  associate-context Admin
  inservice
 
   
domain cisco-irn.com
 
   
ip route 0.0.0.0 0.0.0.0 192.168.21.1
 
   
context PCI
  allocate-interface vlan 82-83
  allocate-interface vlan 95
 
   
 
   
 
   
ft group 10
  peer 1
  priority 105
  peer priority 110
  associate-context PCI
  inservice
username admin password 5 <removed>   role Admin domain default-domain
username www password 5 <removed>   role Admin domain default-domain
username retail password 5 <removed>   role Admin domain default-domain
username csmadmin password 5 <removed>   role Admin domain default-domain
ssh key rsa 1024 force
 
   
ACE2/Admin#
 
   

DMZ-ACE-2_PCI

ACE2/PCI# sh run
Generating configuration....
 
   
logging enable
logging timestamp
logging buffered 7
logging monitor 7
logging device-id context-name
logging host 192.168.42.124 udp/514
logging rate-limit 1 120 message 302027
 
   
 
   
login timeout 15
 
   
tacacs-server host 192.168.42.131 key 7 "<removed>"
aaa group server tacacs+ RETAIL
  server 192.168.42.131
aaa authentication login default group RETAIL local
aaa authentication login console group RETAIL local
aaa accounting default group RETAIL local
 
   
access-list allow2server line 20 extended permit ip any host 192.168.20.3
access-list allow2server line 21 extended permit tcp host 192.168.20.44 host 192.168.42.130 eq ldap
access-list allow2server line 22 extended deny ip any any
access-list in2out line 10 extended permit ip host 192.168.20.3 any
access-list in2out line 15 extended deny ip any any
access-list out2in line 10 extended permit tcp any host 192.168.20.1 eq www
access-list out2in line 15 extended deny ip any any
 
   
 
   
probe icmp ICMP
  interval 2
  faildetect 2
  passdetect interval 60
  passdetect count 2
 
   
rserver host ECOM
  ip address 192.168.20.44
  inservice
 
   
serverfarm host PCI-ECOM
  predictor leastconns
  probe ICMP
  rserver ECOM
    inservice
 
   
class-map match-any ECOMVIP
  11 match virtual-address 192.168.20.1 any
class-map type management match-any remote-mgmt
  30 match protocol icmp any
  31 match protocol ssh source-address 10.19.151.99 255.255.255.255
  32 match protocol ssh source-address 192.168.41.101 255.255.255.255
  33 match protocol ssh source-address 192.168.41.102 255.255.255.255
  34 match protocol ssh source-address 192.168.42.111 255.255.255.255
  35 match protocol ssh source-address 192.168.42.122 255.255.255.255
  36 match protocol ssh source-address 192.168.42.124 255.255.255.255
  37 match protocol ssh source-address 192.168.42.131 255.255.255.255
  38 match protocol ssh source-address 192.168.42.133 255.255.255.255
  39 match protocol ssh source-address 192.168.42.138 255.255.255.255
 
   
policy-map type management first-match remote-access
  class remote-mgmt
    permit
policy-map type loadbalance first-match ECOMPOLICY
  class class-default
    serverfarm PCI-ECOM
policy-map multi-match ECOM_MATCH
  class ECOMVIP
    loadbalance vip inservice
    loadbalance policy ECOMPOLICY
 
   
service-policy input remote-access
 
   
interface vlan 82
  description ACE_outside
  ip address 192.168.20.29 255.255.255.248
  ip verify reverse-path
  alias 192.168.20.30 255.255.255.248
  peer ip address 192.168.20.28 255.255.255.248
  access-group input out2in
  service-policy input ECOM_MATCH
  no shutdown
interface vlan 83
  description ACE_inside
  ip address 192.168.20.5 255.255.255.248
  ip verify reverse-path
  alias 192.168.20.6 255.255.255.248
  peer ip address 192.168.20.4 255.255.255.248
  access-group input in2out
  no shutdown
 
   
domain cisco-irn.com
 
   
ip route 0.0.0.0 0.0.0.0 192.168.20.25
username csmadmin password 5 <removed>   role Admin domain default-domain
username retail password 5 <removed>   role Admin domain default-domain
username bmcgloth password 5 <removed>   role Admin domain default-domain
 
   
 
   
 
   
ACE2/PCI#
 
   

DMZ-IDS-1

! ------------------------------
! Current configuration last modified Thu Apr 28 21:34:42 2011
! ------------------------------
! Version 7.0(4)
! Host:                                         
!     Realm Keys          key1.0                
! Signature Definition:                         
!     Signature Update    S500.0   2010-07-09   
! ------------------------------
service interface
physical-interfaces GigabitEthernet0/7 
subinterface-type inline-vlan-pair
subinterface 1 
description INT1 vlans 83 and 84
vlan1 83
vlan2 84
exit
exit
exit
exit
! ------------------------------
service authentication
attemptLimit 6
password-strength
size 7-64
digits-min 1
lowercase-min 1
other-min 1
number-old-passwords 4
exit
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.21.93/24,192.168.21.1
host-name DMZ-IDS1
telnet-option disabled
access-list 10.19.151.99/32 
access-list 192.168.41.101/32 
access-list 192.168.41.102/32 
access-list 192.168.42.122/32 
access-list 192.168.42.124/32 
access-list 192.168.42.133/32 
access-list 192.168.42.138/32 
dns-primary-server enabled
address 192.168.42.130
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -8
standard-time-zone-name PST
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.62.161
exit
summertime-option recurring
summertime-zone-name PDT
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
trap-destinations 192.168.42.124 
trap-community-name <removed>
exit
enable-notifications true
trap-community-name <removed>
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
aaa radius
primary-server
server-address 192.168.42.131
shared-secret <removed>
exit
nas-id DMZ-IDS1
local-fallback enabled
console-authentication radius-and-local
default-user-role administrator
exit
exit
! ------------------------------
service analysis-engine
exit

DMZ-IDSM2

! ------------------------------
! Current configuration last modified Thu Apr 28 22:06:38 2011
! ------------------------------
! Version 7.0(4)
! Host:                                         
!     Realm Keys          key1.0                
! Signature Definition:                         
!     Signature Update    S500.0   2010-07-09   
! ------------------------------
service interface
physical-interfaces GigabitEthernet0/7 
subinterface-type inline-vlan-pair
subinterface 1 
description INT1 vlans 83 and 84
vlan1 83
vlan2 84
exit
exit
exit
exit
! ------------------------------
service authentication
attemptLimit 6
password-strength
size 7-64
digits-min 1
lowercase-min 1
other-min 1
number-old-passwords 4
exit
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.21.94/24,192.168.21.1
host-name DMZ-IDS2
telnet-option disabled
access-list 10.19.151.99/32 
access-list 192.168.41.101/32 
access-list 192.168.41.102/32 
access-list 192.168.42.122/32 
access-list 192.168.42.124/32 
access-list 192.168.42.133/32 
access-list 192.168.42.138/32 
dns-primary-server enabled
address 192.168.42.130
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address 128.107.241.169
port 80
exit
exit
time-zone-settings
offset -8
standard-time-zone-name PST
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.62.161
exit
summertime-option recurring
summertime-zone-name PDT
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
trap-destinations 192.168.42.124 
trap-community-name <removed>
exit
enable-notifications true
trap-community-name <removed>
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
aaa radius
primary-server
server-address 192.168.42.131
shared-secret <removed>
exit
nas-id DMZ-IDS1
local-fallback enabled
console-authentication radius-and-local
default-user-role administrator
exit
exit
! ------------------------------
service analysis-engine
exit

FW-A2-MSP-1

: Saved
: Written by retail at 18:15:18.945 PDT Fri Apr 29 2011
!
ASA Version 8.4(1) 
!
hostname FW-A2-MSP-1
domain-name cisco-irn.com
enable password <removed>  encrypted
passwd <removed>  encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif MSP-WAN
 security-level 0
 ip address 10.10.255.176 255.255.255.0 
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.11
 vlan 11
 nameif POS
 security-level 95
 ip address 10.10.176.1 255.255.255.0 
!
interface Ethernet0/1.12
 vlan 12
 nameif DATA
 security-level 85
 ip address 10.10.177.1 255.255.255.0 
!
interface Ethernet0/1.13
 vlan 13
 nameif VOICE
 security-level 80
 ip address 10.10.178.1 255.255.255.0 
!
interface Ethernet0/1.14
 vlan 14
 nameif WIRELESS
 security-level 70
 ip address 10.10.179.1 255.255.255.0 
!
interface Ethernet0/1.15
 vlan 15
 nameif WIRELESS-POS
 security-level 90
 ip address 10.10.180.1 255.255.255.0 
!
interface Ethernet0/1.16
 vlan 16
 nameif PARTNER
 security-level 65
 ip address 10.10.181.1 255.255.255.0 
!
interface Ethernet0/1.17
 vlan 17
 nameif WIRELESS-GUEST
 security-level 10
 ip address 10.10.182.1 255.255.255.0 
!
interface Ethernet0/1.18
 vlan 18
 nameif WIRELESS-CONTROL
 security-level 75
 ip address 10.10.183.1 255.255.255.0 
!
interface Ethernet0/1.19
 vlan 19
 nameif WAAS
 security-level 100
 ip address 10.10.184.1 255.255.255.0 
!
interface Ethernet0/1.1000
 vlan 1000
 nameif MANAGEMENT
 security-level 100
 ip address 10.10.191.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name cisco-irn.com
same-security-traffic permit inter-interface
object network AdminStation 
 host 192.168.41.101
object network AdminStation2 
 host 192.168.41.102
object network AdminStation4-bart 
 host 10.19.151.99
object network EMC-NCM 
 host 192.168.42.122
 description EMC Network Configuration Manager 
object network CSManager 
 host 192.168.42.133
 description Cisco Security Manager 
object network AdminStation3 
 host 192.168.42.138
object network ActiveDirectory.cisco-irn.com 
 host 192.168.42.130
object network DC-POS 
 subnet 192.168.52.0 255.255.255.0
 description POS in the Data Center 
object network WCSManager 
 host 192.168.43.135
 description Wireless Manager 
object network PAME-DC-1 
 host 192.168.44.111
object network MSP-DC-1 
 host 192.168.44.121
 description Data Center VSOM 
object network DC-ALL 
 subnet 192.168.0.0 255.255.0.0
 description All of the Data Center 
object network RSA-enVision 
 host 192.168.42.124
 description RSA EnVision Syslog collector and SIM 
object network TACACS 
 host 192.168.42.131
 description Csico Secure ACS server for TACACS and Radius 
object network RSA-AM 
 host 192.168.42.137
 description RSA Authentication Manager for SecureID 
object network NAC-2 
 host 192.168.42.112
object network NAC-1 
 host 192.168.42.111
 description ISE server for NAC 
object network MS-Update 
 host 192.168.42.150
 description Windows Update Server 
object network MSExchange 
 host 192.168.42.140
 description Mail Server 
object service RPC 
 service tcp destination eq 135 
object service LDAP-GC 
 service tcp destination eq 3268 
object service LDAP-GC-SSL 
 service tcp destination eq 3269 
object service Kerberos-TCP 
 service tcp destination eq 88 
object service Microsoft-DS-SMB 
 service tcp destination eq 445 
 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing 
object service LDAP-UDP 
 service udp destination eq 389 
object service RPC-HighPorts 
 service tcp destination range 1024 65535 
object service ORACLE-OAS 
 service tcp destination eq 12601 
 description OAS uses one port for HTTP and RMI - 12601. 
object service TOMAX-8990 
 service tcp destination eq 8990 
 description Tomax Application Port 
object service IP-Protocol-97 
 service 97 
 description IP protocol 97 
object service TCP1080 
 service tcp destination eq 1080 
object service TCP8080 
 service tcp destination eq 8080 
object service RDP 
 service tcp destination eq 3389 
 description Windows Remote Desktop 
object-group network CSM_INLINE_src_rule_73014461090
 description Generated by CS-Manager from src of FirewallRule# 1 (ASA-Store_V2/mandatory)
 network-object object AdminStation
 network-object object AdminStation2
 network-object object AdminStation4-bart
object-group network Admin-Systems
 network-object object EMC-NCM
 network-object object AdminStation
 network-object object AdminStation2
 network-object object CSManager
 network-object object AdminStation3
 network-object object AdminStation4-bart
object-group network DC-POS-Tomax
 description Tomax POS Communication from Store to Data Center
 network-object 192.168.52.96 255.255.255.224
object-group network DC-POS-SAP
 description SAP POS Communication from Store to Data Center
 network-object 192.168.52.144 255.255.255.240
object-group network DC-POS-Oracle
 description Oracle POS Communication from Store to Data Center
 network-object 192.168.52.128 255.255.255.240
object-group network CSM_INLINE_src_rule_73014461184
 description Generated by CS-Manager from src of FirewallRule# 4 (ASA-Store_V2/mandatory)
 group-object DC-POS-Tomax
 network-object object DC-POS
 group-object DC-POS-SAP
 group-object DC-POS-Oracle
object-group network POS-Store-MSP
 network-object 10.10.176.81 255.255.255.255
object-group network CSM_INLINE_dst_rule_73014461438
 description Generated by CS-Manager from dst of FirewallRule# 5 (ASA-Store_V2/mandatory)
 group-object DC-POS-Tomax
 network-object object DC-POS
 group-object DC-POS-SAP
 group-object DC-POS-Oracle
object-group network Store-MSP-POS-net
 network-object 10.10.176.0 255.255.255.0
 network-object 10.10.180.0 255.255.255.0
object-group network CSM_INLINE_dst_rule_73014461436
 description Generated by CS-Manager from dst of FirewallRule# 7 (ASA-Store_V2/mandatory)
 group-object DC-POS-Tomax
 network-object object DC-POS
 group-object DC-POS-SAP
 group-object DC-POS-Oracle
object-group network DC-Wifi-Controllers
 description Central Wireless Controllers for stores
 network-object 192.168.43.21 255.255.255.255
 network-object 192.168.43.22 255.255.255.255
object-group network DC-Wifi-MSE
 description Mobility Service Engines
 network-object 192.168.43.31 255.255.255.255
 network-object 192.168.43.32 255.255.255.255
object-group network CSM_INLINE_src_rule_73014461098
 description Generated by CS-Manager from src of FirewallRule# 8 (ASA-Store_V2/mandatory)
 network-object object WCSManager
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
object-group network CSM_INLINE_src_rule_73014461100
 description Generated by CS-Manager from src of FirewallRule# 9 (ASA-Store_V2/mandatory)
 network-object object PAME-DC-1
 network-object object MSP-DC-1
object-group network DC-WAAS
 description WAE Appliances in Data Center
 network-object 192.168.48.10 255.255.255.255
 network-object 192.168.49.10 255.255.255.255
 network-object 192.168.47.11 255.255.255.255
 network-object 192.168.47.12 255.255.255.255
object-group network NTP-Servers
 description NTP Servers
 network-object 192.168.62.161 255.255.255.255
 network-object 162.168.62.162 255.255.255.255
object-group network CSM_INLINE_dst_rule_73014461120
 description Generated by CS-Manager from dst of FirewallRule# 17 (ASA-Store_V2/mandatory)
 network-object object TACACS
 network-object object RSA-AM
 network-object object NAC-2
 network-object object NAC-1
object-group network CSM_INLINE_dst_rule_73014461126
 description Generated by CS-Manager from dst of FirewallRule# 18 (ASA-Store_V2/mandatory)
 network-object object PAME-DC-1
 network-object object MSP-DC-1
object-group network CSM_INLINE_dst_rule_73014461128
 description Generated by CS-Manager from dst of FirewallRule# 19 (ASA-Store_V2/mandatory)
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
object-group service HTTPS-8443
 service-object tcp destination eq 8443 
object-group service CSM_INLINE_svc_rule_73014461092
 description Generated by CS-Manager from service of FirewallRule# 2 (ASA-Store_V2/mandatory)
 service-object tcp destination eq ssh 
 service-object tcp destination eq https 
 group-object HTTPS-8443
object-group service DNS-Resolving
 description Domain Name Server
 service-object tcp destination eq domain 
 service-object udp destination eq domain 
object-group service CSM_INLINE_svc_rule_73014461094
 description Generated by CS-Manager from service of FirewallRule# 3 (ASA-Store_V2/mandatory)
 service-object tcp destination eq ldap 
 service-object tcp destination eq ldaps 
 service-object udp destination eq 88 
 service-object udp destination eq ntp 
 service-object udp destination eq netbios-dgm 
 service-object object RPC 
 service-object object LDAP-GC 
 service-object object LDAP-GC-SSL 
 service-object object Kerberos-TCP 
 service-object object Microsoft-DS-SMB 
 service-object object LDAP-UDP 
 service-object object RPC-HighPorts 
 group-object DNS-Resolving
object-group service ORACLE-RMI
 description RMI TCP ports 1300 and 1301-1319.
 service-object tcp destination range 1300 1319 
object-group service ORACLE-Weblogic
 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
 service-object tcp destination eq 7001 
 service-object tcp destination eq 7002 
 service-object tcp destination eq sqlnet 
object-group service ORACLE-WAS
 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414
 service-object tcp destination eq 2809 
 service-object tcp destination eq 9443 
 service-object tcp destination eq 1414 
object-group service CSM_INLINE_svc_rule_73014461184
 description Generated by CS-Manager from service of FirewallRule# 4 (ASA-Store_V2/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object object ORACLE-OAS 
 service-object object TOMAX-8990 
 group-object ORACLE-RMI
 group-object ORACLE-Weblogic
 group-object ORACLE-WAS
 group-object HTTPS-8443
object-group service TFTP
 description Trivial File Transfer
 service-object tcp destination eq 69 
 service-object udp destination eq tftp 
object-group service LWAPP
 description LWAPP UDP ports 12222 and 12223
 service-object udp destination eq 12222 
 service-object udp destination eq 12223 
object-group service CAPWAP
 description CAPWAP UDP ports 5246 and 5247
 service-object udp destination eq 5246 
 service-object udp destination eq 5247 
object-group service CSM_INLINE_svc_rule_73014461098
 description Generated by CS-Manager from service of FirewallRule# 8 (ASA-Store_V2/mandatory)
 service-object tcp destination eq https 
 service-object tcp destination eq www 
 service-object udp destination eq isakmp 
 service-object tcp destination eq telnet 
 service-object tcp destination eq ssh 
 service-object object IP-Protocol-97 
 group-object TFTP
 group-object LWAPP
 group-object CAPWAP
object-group service CSM_INLINE_svc_rule_73014461102
 description Generated by CS-Manager from service of FirewallRule# 10 (ASA-Store_V2/mandatory)
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq ssh 
 service-object tcp destination eq ftp 
 service-object object TCP1080 
 service-object object TCP8080 
 service-object object RDP 
 group-object HTTPS-8443
object-group service CISCO-WAAS
 description Ports for Cisco WAAS
 service-object tcp destination eq 4050 
object-group service Netbios
 description Netbios Servers
 service-object udp destination eq netbios-dgm 
 service-object udp destination eq netbios-ns 
 service-object tcp destination eq netbios-ssn 
object-group service CSM_INLINE_svc_rule_73014461104
 description Generated by CS-Manager from service of FirewallRule# 11 (ASA-Store_V2/mandatory)
 service-object object Microsoft-DS-SMB 
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Netbios
object-group service CSM_INLINE_svc_rule_73014461106
 description Generated by CS-Manager from service of FirewallRule# 12 (ASA-Store_V2/mandatory)
 service-object tcp-udp destination eq sip 
 service-object tcp destination eq 2000 
object-group service CSM_INLINE_svc_rule_73014461112
 description Generated by CS-Manager from service of FirewallRule# 14 (ASA-Store_V2/mandatory)
 service-object udp destination eq snmptrap 
 service-object udp destination eq snmp 
 service-object udp destination eq syslog 
object-group service CSM_INLINE_svc_rule_73014461120
 description Generated by CS-Manager from service of FirewallRule# 17 (ASA-Store_V2/mandatory)
 service-object udp destination eq 1812 
 service-object udp destination eq 1813 
 service-object tcp destination eq https 
 service-object tcp destination eq www 
 group-object HTTPS-8443
object-group service Cisco-Mobility
 description Mobility ports for Wireless
 service-object udp destination eq 16666 
 service-object udp destination eq 16667 
object-group service CSM_INLINE_svc_rule_73014461128
 description Generated by CS-Manager from service of FirewallRule# 19 (ASA-Store_V2/mandatory)
 service-object tcp destination eq https 
 service-object udp destination eq isakmp 
 service-object object IP-Protocol-97 
 group-object Cisco-Mobility
 group-object LWAPP
 group-object CAPWAP
object-group service CSM_INLINE_svc_rule_73014461130
 description Generated by CS-Manager from service of FirewallRule# 20 (ASA-Store_V2/mandatory)
 service-object tcp-udp destination eq sip 
 service-object tcp destination eq 2000 
object-group service CSM_INLINE_svc_rule_73014461132
 description Generated by CS-Manager from service of FirewallRule# 21 (ASA-Store_V2/mandatory)
 service-object object Microsoft-DS-SMB 
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Netbios
object-group service CSM_INLINE_svc_rule_73014461134
 description Generated by CS-Manager from service of FirewallRule# 22 (ASA-Store_V2/mandatory)
 service-object tcp destination eq ldap 
 service-object tcp destination eq ldaps 
 service-object udp destination eq 88 
 service-object udp destination eq ntp 
 service-object udp destination eq netbios-dgm 
 service-object object RPC 
 service-object object LDAP-GC 
 service-object object LDAP-GC-SSL 
 service-object object Kerberos-TCP 
 service-object object Microsoft-DS-SMB 
 service-object object LDAP-UDP 
 service-object object RPC-HighPorts 
 group-object DNS-Resolving
object-group service CSM_INLINE_svc_rule_73014461136
 description Generated by CS-Manager from service of FirewallRule# 23 (ASA-Store_V2/mandatory)
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group service CSM_INLINE_svc_rule_73014461138
 description Generated by CS-Manager from service of FirewallRule# 24 (ASA-Store_V2/mandatory)
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq smtp 
 service-object tcp destination eq pop3 
 service-object tcp destination eq imap4 
access-list OUTSIDE remark LAB Testing
access-list OUTSIDE extended permit ip object-group CSM_INLINE_src_rule_73014461090 10.10.176.0 255.255.248.0
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461092 object-group Admin-Systems 10.10.176.0 255.255.248.0
access-list OUTSIDE remark Allow Active Directory Domain
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461094 object ActiveDirectory.cisco-irn.com 10.10.176.0 255.255.248.0
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461184 object-group CSM_INLINE_src_rule_73014461184 object-group POS-Store-MSP
access-list OUTSIDE extended deny ip any object-group Store-MSP-POS-net
access-list OUTSIDE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list OUTSIDE remark Wireless Management to Stores
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461098 object-group CSM_INLINE_src_rule_73014461098 10.10.183.0 255.255.255.0
access-list OUTSIDE remark Physical security systems
access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_73014461100 10.10.191.0 255.255.255.0 eq https
access-list OUTSIDE remark Allow Management of store systems
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461102 object DC-ALL 10.10.176.0 255.255.248.0
access-list OUTSIDE remark WAAS systems
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461104 object-group DC-WAAS 10.10.184.0 255.255.255.0
access-list OUTSIDE remark Voice calls
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461106 object DC-ALL 10.10.178.0 255.255.255.0
access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list OUTSIDE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list OUTSIDE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list OUTSIDE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list OUTSIDE remark Drop all other traffic
access-list OUTSIDE extended deny ip any any log 
access-list CSM_FW_ACL_POS remark Allow Applications
access-list CSM_FW_ACL_POS extended permit tcp object-group POS-Store-MSP object-group CSM_INLINE_dst_rule_73014461438 eq https
access-list CSM_FW_ACL_POS extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_POS extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_POS remark Allow Active Directory Domain
access-list CSM_FW_ACL_POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_POS remark Allow Windows Updates
access-list CSM_FW_ACL_POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update
access-list CSM_FW_ACL_POS remark Allow Mail
access-list CSM_FW_ACL_POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_POS remark Drop all other traffic
access-list CSM_FW_ACL_POS extended deny ip any any log 
access-list CSM_FW_ACL_WIRELESS-POS remark Allow Applications
access-list CSM_FW_ACL_WIRELESS-POS extended permit tcp object-group POS-Store-MSP object-group CSM_INLINE_dst_rule_73014461438 eq https
access-list CSM_FW_ACL_WIRELESS-POS extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_WIRELESS-POS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WIRELESS-POS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WIRELESS-POS remark Allow Active Directory Domain
access-list CSM_FW_ACL_WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_WIRELESS-POS remark Allow Windows Updates
access-list CSM_FW_ACL_WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update
access-list CSM_FW_ACL_WIRELESS-POS remark Allow Mail
access-list CSM_FW_ACL_WIRELESS-POS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_WIRELESS-POS remark Drop all other traffic
access-list CSM_FW_ACL_WIRELESS-POS extended deny ip any any log 
access-list CSM_FW_ACL_DATA extended deny ip any object-group Store-MSP-POS-net 
access-list CSM_FW_ACL_DATA extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_DATA extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_DATA extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_DATA remark Allow Active Directory Domain
access-list CSM_FW_ACL_DATA extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_DATA remark Allow Windows Updates
access-list CSM_FW_ACL_DATA extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update
access-list CSM_FW_ACL_DATA remark Allow Mail
access-list CSM_FW_ACL_DATA extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_DATA remark Drop all other traffic
access-list CSM_FW_ACL_DATA extended deny ip any any log 
access-list CSM_FW_ACL_MANAGEMENT extended deny ip any object-group Store-MSP-POS-net 
access-list CSM_FW_ACL_MANAGEMENT extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list CSM_FW_ACL_MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list CSM_FW_ACL_MANAGEMENT extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list CSM_FW_ACL_MANAGEMENT extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_MANAGEMENT remark Physical security systems
access-list CSM_FW_ACL_MANAGEMENT extended permit tcp 10.10.191.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461126 eq https
access-list CSM_FW_ACL_MANAGEMENT remark Allow Mail
access-list CSM_FW_ACL_MANAGEMENT extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_MANAGEMENT remark Drop all other traffic
access-list CSM_FW_ACL_MANAGEMENT extended deny ip any any log 
access-list CSM_FW_ACL_PARTNER extended deny ip any object-group Store-MSP-POS-net 
access-list CSM_FW_ACL_PARTNER extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_PARTNER extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_PARTNER remark Allow Mail
access-list CSM_FW_ACL_PARTNER extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_PARTNER remark Drop all other traffic
access-list CSM_FW_ACL_PARTNER extended deny ip any any log 
access-list CSM_FW_ACL_VOICE extended deny ip any object-group Store-MSP-POS-net 
access-list CSM_FW_ACL_VOICE extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_VOICE extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list CSM_FW_ACL_VOICE extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list CSM_FW_ACL_VOICE extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list CSM_FW_ACL_VOICE extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_VOICE extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_VOICE remark Voice calls
access-list CSM_FW_ACL_VOICE extended permit object-group CSM_INLINE_svc_rule_73014461130 10.10.178.0 255.255.255.0 object DC-ALL
access-list CSM_FW_ACL_VOICE remark Allow Mail
access-list CSM_FW_ACL_VOICE extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_VOICE remark Drop all other traffic
access-list CSM_FW_ACL_VOICE extended deny ip any any log 
access-list CSM_FW_ACL_WAAS extended deny ip any object-group Store-MSP-POS-net 
access-list CSM_FW_ACL_WAAS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WAAS extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list CSM_FW_ACL_WAAS extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list CSM_FW_ACL_WAAS extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list CSM_FW_ACL_WAAS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WAAS remark WAAS systems
access-list CSM_FW_ACL_WAAS extended permit object-group CSM_INLINE_svc_rule_73014461132 10.10.184.0 255.255.255.0 object-group DC-WAAS
access-list CSM_FW_ACL_WAAS remark Allow Active Directory Domain
access-list CSM_FW_ACL_WAAS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_WAAS remark Drop all other traffic
access-list CSM_FW_ACL_WAAS extended deny ip any any log 
access-list CSM_FW_ACL_WIRELESS extended deny ip any object-group Store-MSP-POS-net 
access-list CSM_FW_ACL_WIRELESS extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WIRELESS extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WIRELESS remark Allow Active Directory Domain
access-list CSM_FW_ACL_WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461134 10.10.176.0 255.255.248.0 object ActiveDirectory.cisco-irn.com
access-list CSM_FW_ACL_WIRELESS remark Allow Windows Updates
access-list CSM_FW_ACL_WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461136 10.10.176.0 255.255.248.0 object MS-Update
access-list CSM_FW_ACL_WIRELESS remark Allow Mail
access-list CSM_FW_ACL_WIRELESS extended permit object-group CSM_INLINE_svc_rule_73014461138 10.10.176.0 255.255.248.0 object MSExchange
access-list CSM_FW_ACL_WIRELESS remark Drop all other traffic
access-list CSM_FW_ACL_WIRELESS extended deny ip any any log 
access-list CSM_FW_ACL_WIRELESS-CONTROL extended deny ip any object-group Store-MSP-POS-net
access-list CSM_FW_ACL_WIRELESS-CONTROL extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object EMC-NCM eq ssh
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461112 10.10.176.0 255.255.248.0 object RSA-enVision
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit tcp 10.10.176.0 255.255.248.0 object TACACS eq tacacs
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461120 10.10.176.0 255.255.248.0 object-group CSM_INLINE_dst_rule_73014461120
access-list CSM_FW_ACL_WIRELESS-CONTROL remark Wireless control systems
access-list CSM_FW_ACL_WIRELESS-CONTROL extended permit object-group CSM_INLINE_svc_rule_73014461128 10.10.183.0 255.255.255.0 object-group CSM_INLINE_dst_rule_73014461128
access-list CSM_FW_ACL_WIRELESS-CONTROL remark Drop all other traffic
access-list CSM_FW_ACL_WIRELESS-CONTROL extended deny ip any any log 
access-list CSM_FW_ACL_WIRELESS-GUEST extended deny ip any object-group Store-MSP-POS-net 
access-list CSM_FW_ACL_WIRELESS-GUEST extended deny ip any object-group CSM_INLINE_dst_rule_73014461436
access-list CSM_FW_ACL_WIRELESS-GUEST extended permit udp 10.10.176.0 255.255.248.0 object-group NTP-Servers eq ntp
access-list CSM_FW_ACL_WIRELESS-GUEST remark Drop all other traffic
access-list CSM_FW_ACL_WIRELESS-GUEST extended deny ip any any log 
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging host MSP-WAN 192.168.42.124
mtu MSP-WAN 1500
mtu POS 1500
mtu DATA 1500
mtu VOICE 1500
mtu WIRELESS 1500
mtu WIRELESS-POS 1500
mtu PARTNER 1500
mtu WIRELESS-GUEST 1500
mtu WIRELESS-CONTROL 1500
mtu WAAS 1500
mtu MANAGEMENT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any MSP-WAN
icmp permit any POS
icmp permit any DATA
icmp permit any VOICE
icmp permit any WIRELESS
icmp permit any WIRELESS-POS
icmp permit any PARTNER
icmp permit any WIRELESS-GUEST
icmp permit any WIRELESS-CONTROL
icmp permit any WAAS
icmp permit any MANAGEMENT
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
access-group OUTSIDE in interface MSP-WAN
access-group CSM_FW_ACL_POS in interface POS
access-group CSM_FW_ACL_DATA in interface DATA
access-group CSM_FW_ACL_VOICE in interface VOICE
access-group CSM_FW_ACL_WIRELESS in interface WIRELESS
access-group CSM_FW_ACL_WIRELESS-POS in interface WIRELESS-POS
access-group CSM_FW_ACL_PARTNER in interface PARTNER
access-group CSM_FW_ACL_WIRELESS-GUEST in interface WIRELESS-GUEST
access-group CSM_FW_ACL_WIRELESS-CONTROL in interface WIRELESS-CONTROL
access-group CSM_FW_ACL_WAAS in interface WAAS
access-group CSM_FW_ACL_MANAGEMENT in interface MANAGEMENT
route MSP-WAN 0.0.0.0 0.0.0.0 10.10.255.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL (MANAGEMENT) host 192.168.42.131
 key ******
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa authentication ssh console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
aaa authorization exec authentication-server
http server enable
http server idle-timeout 15
http server session-timeout 60
http 10.19.151.99 255.255.255.255 MSP-WAN
http 192.168.41.101 255.255.255.255 MSP-WAN
http 192.168.41.102 255.255.255.255 MSP-WAN
http 192.168.42.122 255.255.255.255 MSP-WAN
http 192.168.42.124 255.255.255.255 MSP-WAN
http 192.168.42.133 255.255.255.255 MSP-WAN
http 192.168.42.138 255.255.255.255 MSP-WAN
no snmp-server location
no snmp-server contact
snmp-server community RetailCMOprivate
no snmp-server enable
telnet timeout 5
ssh 10.19.151.99 255.255.255.255 MSP-WAN
ssh 192.168.41.101 255.255.255.255 MSP-WAN
ssh 192.168.41.102 255.255.255.255 MSP-WAN
ssh 192.168.42.122 255.255.255.255 MSP-WAN
ssh 192.168.42.124 255.255.255.255 MSP-WAN
ssh 192.168.42.133 255.255.255.255 MSP-WAN
ssh 192.168.42.138 255.255.255.255 MSP-WAN
ssh timeout 15
ssh version 2
console timeout 15
dhcprelay server 192.168.42.130 MSP-WAN
dhcprelay enable POS
dhcprelay enable DATA
dhcprelay enable VOICE
dhcprelay enable WIRELESS
dhcprelay enable WIRELESS-POS
dhcprelay enable PARTNER
dhcprelay enable WIRELESS-GUEST
dhcprelay enable WIRELESS-CONTROL
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.62.162 source MSP-WAN
ntp server 192.168.62.161 source MSP-WAN prefer
webvpn
username csmadmin password <removed> encrypted privilege 15
username retail password <removed>  encrypted privilege 15
username bmcgloth password <removed> encrypted privilege 15
!
!
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:0b5ca833caa61d445ed02aeee4bbf096
: end

FWSM-DMZ-1

FWSM-RIE-3# sh run
: Saved
:
FWSM Version 4.1(5)
!
hostname FWSM-RIE-3
domain-name cisco-irn.com
enable password <removed>  encrypted
names
dns-guard
!
interface Vlan21
 nameif inside
 security-level 100
 ip address 192.168.21.10 255.255.255.0
!
interface Vlan22
 nameif outside
 security-level 0
 ip address 192.168.22.1 255.255.255.0 standby 192.168.22.2
!
interface Vlan82
 nameif DMZ
 security-level 20
 ip address 192.168.20.25 255.255.255.248 standby 192.168.20.26
!
interface Vlan91
 description LAN Failover Interface
!
interface Vlan92
 description STATE Failover Interface
!
interface Vlan2305
 nameif EmailSecurityAppliance
 security-level 50
 ip address 192.168.23.65 255.255.255.240 standby 192.168.23.66
!
interface Vlan2306
 nameif EmailSecurityMgrAppliance
 security-level 60
 ip address 192.168.23.81 255.255.255.240 standby 192.168.23.82
!
passwd <removed>  encrypted
ftp mode passive
dns domain-lookup inside
dns name-server 192.168.42.130
same-security-traffic permit inter-interface
object-group icmp-type CSM_INLINE_svc_rule_81604379602.icmp
 description Generated by CS-Manager from service of FirewallRule# 10 (FWSM-DMZ-1_v1/mandatory)
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
object-group network CSM_INLINE_src_rule_81604379520
 description Generated by CS-Manager from src of FirewallRule# 1 (FWSM-DMZ-1_v1/mandatory)
 network-object 192.168.23.68 255.255.255.255
 network-object 192.168.23.84 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379526
 description Generated by CS-Manager from src of FirewallRule# 2 (FWSM-DMZ-1_v1/mandatory)
 network-object 192.168.23.68 255.255.255.255
 network-object 192.168.23.84 255.255.255.255
object-group network RSA-enVision_1
 description RSA EnVision Syslog collector and SIM
 network-object 192.168.42.124 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379528
 description Generated by CS-Manager from src of FirewallRule# 3 (FWSM-DMZ-1_v1/mandatory)
 network-object 192.168.23.68 255.255.255.255
 network-object 192.168.23.84 255.255.255.255
object-group network NTP-Servers
 description NTP Servers
 network-object 192.168.62.161 255.255.255.255
 network-object 162.168.62.162 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379532
 description Generated by CS-Manager from src of FirewallRule# 4 (FWSM-DMZ-1_v1/mandatory)
 network-object 192.168.23.68 255.255.255.255
 network-object 192.168.23.84 255.255.255.255
object-group network TACACS_1
 description Csico Secure ACS server for TACACS and Radius
 network-object 192.168.42.131 255.255.255.255
object-group network AdminStation
 network-object 192.168.41.101 255.255.255.255
object-group network AdminStation2
 network-object 192.168.41.102 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379552
 description Generated by CS-Manager from src of FirewallRule# 5 (FWSM-DMZ-1_v1/mandatory)
 group-object AdminStation
 group-object AdminStation2
object-group network EMC-NCM
 description EMC Network Configuration Manager
 network-object 192.168.42.122 255.255.255.255
object-group network CSManager
 description Cisco Security Manager
 network-object 192.168.42.133 255.255.255.255
object-group network RSA-enVision
 description RSA EnVision Syslog collector and SIM
 network-object 192.168.42.124 255.255.255.255
object-group network AdminStation3
 network-object 192.168.42.138 255.255.255.255
object-group network AdminStation4-bart
 network-object 10.19.151.99 255.255.255.255
object-group network Admin-Systems
 group-object EMC-NCM
 group-object AdminStation
 group-object AdminStation2
 group-object CSManager
 group-object RSA-enVision
 group-object AdminStation3
 group-object AdminStation4-bart
object-group network DC-ALL
 description All of the Data Center
 network-object 192.168.0.0 255.255.0.0
object-group network Stores-ALL
 description all store networks
 network-object 10.10.0.0 255.255.0.0
object-group network CSM_INLINE_src_rule_81604379580
 description Generated by CS-Manager from src of FirewallRule# 7 (FWSM-DMZ-1_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
object-group network CSM_INLINE_src_rule_81604379592
 description Generated by CS-Manager from src of FirewallRule# 8 (FWSM-DMZ-1_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
object-group network CSM_INLINE_src_rule_81604379602
 description Generated by CS-Manager from src of FirewallRule# 10 (FWSM-DMZ-1_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
object-group network ActiveDirectory.cisco-irn.com
 network-object 192.168.42.130 255.255.255.255
object-group network PAME-DC-1
 network-object 192.168.44.111 255.255.255.255
object-group network TACACS
 description Csico Secure ACS server for TACACS and Radius
 network-object 192.168.42.131 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379688
 description Generated by CS-Manager from src of FirewallRule# 21 (FWSM-DMZ-1_v1/mandatory)
 network-object 192.168.22.11 255.255.255.255
 network-object 192.168.22.12 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379690
 description Generated by CS-Manager from src of FirewallRule# 22 (FWSM-DMZ-1_v1/mandatory)
 network-object 192.168.22.11 255.255.255.255
 network-object 192.168.22.12 255.255.255.255
object-group network CSM_INLINE_src_rule_81604379692
 description Generated by CS-Manager from src of FirewallRule# 23 (FWSM-DMZ-1_v1/mandatory)
 network-object 192.168.22.11 255.255.255.255
 network-object 192.168.22.12 255.255.255.255
object-group service CSM_INLINE_svc_rule_81604379520.tcp tcp
 description Generated by CS-Manager from service of FirewallRule# 1 (FWSM-DMZ-1_v1/mandatory)
 port-object eq smtp
 port-object eq domain
object-group service CSM_INLINE_svc_rule_81604379532 udp
 description Generated by CS-Manager from service of FirewallRule# 4 (FWSM-DMZ-1_v1/mandatory)
 port-object eq 1812
 port-object eq 1813
object-group service CSM_INLINE_svc_rule_81604379556 tcp
 description Generated by CS-Manager from service of FirewallRule# 6 (FWSM-DMZ-1_v1/mandatory)
 port-object eq ssh
 port-object eq https
object-group service CSM_INLINE_svc_rule_81604379580 tcp
 description Generated by CS-Manager from service of FirewallRule# 7 (FWSM-DMZ-1_v1/mandatory)
 port-object eq smtp
 port-object eq https
 port-object eq ssh
object-group service CSM_INLINE_svc_rule_81604379592 tcp
 description Generated by CS-Manager from service of FirewallRule# 8 (FWSM-DMZ-1_v1/mandatory)
 port-object eq https
 port-object eq ssh
object-group service CSM_INLINE_svc_rule_81604379602.tcp tcp
 description Generated by CS-Manager from service of FirewallRule# 10 (FWSM-DMZ-1_v1/mandatory)
 port-object eq www
 port-object eq ftp
 port-object eq https
 port-object eq 8443
 port-object eq 1080
 port-object eq 8080
 port-object eq telnet
 port-object eq ssh
object-group service CSM_INLINE_svc_rule_81604379626.tcp tcp
 description Generated by CS-Manager from service of FirewallRule# 11 (FWSM-DMZ-1_v1/mandatory)
 port-object eq domain
 port-object eq 123
object-group service CSM_INLINE_svc_rule_81604379626.udp udp
 description Generated by CS-Manager from service of FirewallRule# 11 (FWSM-DMZ-1_v1/mandatory)
 port-object eq domain
 port-object eq ntp
object-group service CSM_INLINE_svc_rule_81604379640.tcp tcp
 description Generated by CS-Manager from service of FirewallRule# 13 (FWSM-DMZ-1_v1/mandatory)
 port-object eq ldap
 port-object eq 3268
 port-object eq 3269
 port-object eq ldaps
object-group service CSM_INLINE_svc_rule_81604379680 tcp
 description Generated by CS-Manager from service of FirewallRule# 18 (FWSM-DMZ-1_v1/mandatory)
 port-object eq https
 port-object eq ssh
object-group service vCenter-to-ESX4 tcp
 description Communication from vCetner to ESX hosts
 port-object eq 5989
 port-object eq 8000
 port-object eq 902
 port-object eq 903
object-group service CSM_INLINE_svc_rule_81604380215.tcp tcp
 description Generated by CS-Manager from service of FirewallRule# 25 (FWSM-DMZ-1_v1/mandatory)
 port-object eq 8880
 port-object eq 8444
 port-object eq 5900
 port-object eq 5800
 port-object eq ssh
 port-object eq 3389
 port-object eq 1080
 port-object eq 8080
 port-object eq telnet
 port-object eq 69
 port-object eq www
 port-object eq https
 port-object eq 8443
 group-object vCenter-to-ESX4
access-list Ironport1-in remark Allow main and DNZ
access-list Ironport1-in extended permit udp object-group CSM_INLINE_src_rule_81604379520 any eq domain
access-list Ironport1-in extended permit tcp object-group CSM_INLINE_src_rule_81604379520 any object-group CSM_INLINE_svc_rule_81604379520.tcp
access-list Ironport1-in extended permit udp object-group CSM_INLINE_src_rule_81604379526 object-group RSA-enVision_1 eq syslog
access-list Ironport1-in extended permit udp object-group CSM_INLINE_src_rule_81604379528 object-group NTP-Servers eq ntp
access-list Ironport1-in extended permit udp object-group CSM_INLINE_src_rule_81604379532 object-group TACACS_1 object-group CSM_INLINE_svc_rule_81604379532
access-list From-DMZ extended permit udp 192.168.20.0 255.255.255.0 object-group RSA-enVision eq syslog
access-list From-DMZ extended permit tcp 192.168.20.0 255.255.255.0 object-group TACACS eq tacacs
access-list From-DMZ extended permit udp 192.168.20.0 255.255.255.0 object-group NTP-Servers eq ntp
access-list Ironport2-in remark Allow main and DNZ
access-list Ironport2-in extended permit udp object-group CSM_INLINE_src_rule_81604379520 any eq domain
access-list Ironport2-in extended permit tcp object-group CSM_INLINE_src_rule_81604379520 any object-group CSM_INLINE_svc_rule_81604379520.tcp
access-list Ironport2-in extended permit udp object-group CSM_INLINE_src_rule_81604379526 object-group RSA-enVision_1 eq syslog
access-list Ironport2-in extended permit udp object-group CSM_INLINE_src_rule_81604379528 object-group NTP-Servers eq ntp
access-list Ironport2-in extended permit udp object-group CSM_INLINE_src_rule_81604379532 object-group TACACS_1 object-group CSM_INLINE_svc_rule_81604379532
access-list INSIDE extended permit tcp object-group Admin-Systems 192.168.20.0 255.255.252.0 object-group CSM_INLINE_svc_rule_81604379556
access-list INSIDE remark Allow services for Ironport apps
access-list INSIDE extended permit tcp object-group CSM_INLINE_src_rule_81604379580 192.168.23.64 255.255.255.224 object-group CSM_INLINE_svc_rule_81604379580
access-list INSIDE remark Allow traffic to DMZ
access-list INSIDE extended permit tcp object-group CSM_INLINE_src_rule_81604379592 host 192.168.20.30 object-group CSM_INLINE_svc_rule_81604379592
access-list INSIDE remark - Drop unauthorized traffic to DMZ
access-list INSIDE extended deny ip any 192.168.20.0 255.255.252.0 log
access-list INSIDE remark Allow outbound services for Internet
access-list INSIDE extended permit icmp object-group CSM_INLINE_src_rule_81604379602 any object-group CSM_INLINE_svc_rule_81604379602.icmp
access-list INSIDE extended permit tcp object-group CSM_INLINE_src_rule_81604379602 any object-group CSM_INLINE_svc_rule_81604379602.tcp
access-list INSIDE extended permit tcp object-group ActiveDirectory.cisco-irn.com any object-group CSM_INLINE_svc_rule_81604379626.tcp
access-list INSIDE extended permit udp object-group ActiveDirectory.cisco-irn.com any object-group CSM_INLINE_svc_rule_81604379626.udp
access-list INSIDE extended permit udp object-group NTP-Servers any eq ntp
access-list INSIDE remark Allow LDAP out LAB test
access-list INSIDE extended permit udp object-group PAME-DC-1 any eq 389 log
access-list INSIDE extended permit tcp object-group PAME-DC-1 any object-group CSM_INLINE_svc_rule_81604379640.tcp log
access-list INSIDE remark Drop and Log all other traffic - END-OF-LINE
access-list INSIDE extended deny ip any any log
access-list OUTSIDE remark Allow traffic to DMZ e-commerce Server
access-list OUTSIDE extended permit tcp any host 192.168.20.30 object-group CSM_INLINE_svc_rule_81604379680
access-list OUTSIDE remark Mail to Ironport
access-list OUTSIDE extended permit tcp any host 192.168.23.68 eq smtp
access-list OUTSIDE remark Remote Access SSL VPN
access-list OUTSIDE extended permit tcp any host 192.168.21.1 eq https
access-list OUTSIDE remark Allow traffic from edge routers - RIE-1
access-list OUTSIDE extended permit udp object-group CSM_INLINE_src_rule_81604379688 object-group RSA-enVision eq syslog
access-list OUTSIDE remark Allow traffic from edge routers - RIE-1
access-list OUTSIDE extended permit tcp object-group CSM_INLINE_src_rule_81604379690 object-group TACACS eq tacacs
access-list OUTSIDE remark Allow traffic from edge routers - RIE-1
access-list OUTSIDE extended permit udp object-group CSM_INLINE_src_rule_81604379692 object-group NTP-Servers eq ntp
access-list OUTSIDE remark Drop all other traffic
access-list OUTSIDE extended deny ip any any log
pager lines 24
logging host inside 192.168.42.124
mtu inside 1500
mtu outside 1500
mtu EmailSecurityAppliance 1500
mtu EmailSecurityMgrAppliance 1500
mtu DMZ 1500
failover
failover lan unit primary
failover lan interface failover Vlan91
failover link statelink Vlan92
failover interface ip failover 192.168.20.13 255.255.255.252 standby 192.168.20.14
failover interface ip statelink 192.168.20.33 255.255.255.252 standby 192.168.20.34
icmp permit any inside
icmp permit any outside
icmp permit any EmailSecurityAppliance
icmp permit any EmailSecurityMgrAppliance
asdm history enable
arp timeout 14400
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
access-group Ironport1-in in interface EmailSecurityAppliance
access-group Ironport2-in in interface EmailSecurityMgrAppliance
access-group From-DMZ in interface DMZ
route inside 192.168.0.0 255.255.0.0 192.168.21.1 1
route inside 10.10.0.0 255.255.0.0 192.168.21.1 1
route outside 10.10.0.0 255.255.255.0 192.168.22.10 1
route outside 0.0.0.0 0.0.0.0 192.168.22.10 1
route outside 10.10.3.0 255.255.255.0 192.168.22.11 1
route outside 10.10.4.0 255.255.255.0 192.168.22.12 1
route DMZ 192.168.20.0 255.255.255.248 192.168.20.28 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RETAIL protocol tacacs+
aaa-server RETAIL host 192.168.42.131
 key ******
username csmadmin password <removed> encrypted privilege 15
username retail password <removed> encrypted privilege 15
username bmcgloth password <removed> encrypted privilege 15
aaa authentication ssh console RETAIL LOCAL
aaa authentication enable console RETAIL LOCAL
aaa authentication http console RETAIL LOCAL
aaa accounting ssh console RETAIL
aaa accounting enable console RETAIL
aaa accounting command privilege 15 RETAIL
aaa authentication secure-http-client
aaa local authentication attempts max-fail 6
http server enable
http 10.19.151.99 255.255.255.255 inside
http 192.168.41.101 255.255.255.255 inside
http 192.168.41.102 255.255.255.255 inside
http 192.168.42.122 255.255.255.255 inside
http 192.168.42.124 255.255.255.255 inside
http 192.168.42.133 255.255.255.255 inside
http 192.168.42.138 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
service reset no-connection
no service reset connection marked-for-deletion
telnet timeout 5
ssh 10.19.151.99 255.255.255.255 inside
ssh 192.168.41.101 255.255.255.255 inside
ssh 192.168.41.102 255.255.255.255 inside
ssh 192.168.42.122 255.255.255.255 inside
ssh 192.168.42.124 255.255.255.255 inside
ssh 192.168.42.133 255.255.255.255 inside
ssh 192.168.42.138 255.255.255.255 inside
ssh timeout 15
ssh version 2
console timeout 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0ce5577c4093206d7ce2fc0f65139d9d
: end
FWSM-RIE-3#

MDS-DC-1-running

 
   
!Command: show running-config
!Time: Sun Apr 24 16:47:39 2011
 
   
version 5.0(1a)
system default switchport mode F 
feature npiv
feature privilege
feature tacacs+
role name default-role
  description This is a system defined role and applies to all users.
  rule 5 permit show feature environment
  rule 4 permit show feature hardware
  rule 3 permit show feature module
  rule 2 permit show feature snmp
  rule 1 permit show feature system
username admin password 5 <removed> role network-admin
username retail password 5 <removed>   role network-admin
username emc-ncm password 5 <removed>   role network-admin
username bart password 5 <removed>   role network-admin
enable secret 5 <removed>
 
   
banner motd #WARNING:    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail 
****                    **** AUTHORIZED USERS ONLY! ****ANY USE OF THIS COMPUTER NETWORK 
SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENTTO MONITORING OF SUCH USE AND TO SUCH 
ADDITIONAL MONITORING AS MAY BE NECESSARYTO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM 
ADMINISTRATOR OR OTHERREPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY 
TIME WITHOUTFURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY 
OTHERCRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAWENFORCEMENT 
OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.UNAUTHORIZED ACCESS IS A VIOLATION 
OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.#
 
   
ssh login-attempts 6
 
   
ip domain-lookup
ip domain-name cisco-irn.com
ip host MDS-DC-1 192.168.41.51
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131 
aaa group server tacacs+ CiscoACS 
    server 192.168.42.131 
aaa group server radius radius 
snmp-server user bart network-admin auth md5 <removed>  priv <removed>  localizedkey
snmp-server user admin network-admin auth md5 <removed>  priv <removed>  localizedkey
snmp-server user retail network-admin auth md5 <removed>  priv <removed>  localizedkey
snmp-server user emc-ncm network-admin auth md5 <removed>  priv <removed>  localizedkey
snmp-server host 192.168.41.101 traps version 2c public  udp-port 2162
snmp-server host 192.168.42.121 traps version 3 auth public 
no snmp-server enable traps entity entity_mib_change
no snmp-server enable traps entity entity_module_status_change
no snmp-server enable traps entity entity_power_status_change
no snmp-server enable traps entity entity_module_inserted
no snmp-server enable traps entity entity_module_removed
no snmp-server enable traps entity entity_unrecognised_module
no snmp-server enable traps entity entity_fan_status_change
no snmp-server enable traps entity entity_power_out_change
no snmp-server enable traps rf redundancy_framework
ntp server 192.168.62.161
ntp server 192.168.62.162
aaa authentication login default group CiscoACS 
aaa authentication login console group CiscoACS 
aaa authorization ssh-certificate default group CiscoACS 
aaa accounting default group CiscoACS 
aaa authentication login error-enable 
ip access-list 23 permit ip 127.0.0.1 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.41.101 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.41.102 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.111 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.121 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.122 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.131 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.133 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 192.168.42.138 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 permit ip 10.19.151.99 0.0.0.0 192.168.41.51 0.0.0.0
ip access-list 23 deny ip any any log-deny
vsan database
  vsan 2 name "Promise-2" 
  vsan 10 name "UIM_VSAN_A_10" 
fcdomain fcid database
  vsan 1 wwn 50:00:40:20:03:fc:44:6a fcid 0x020000 dynamic
  vsan 1 wwn 50:00:40:21:03:fc:44:6a fcid 0x020001 dynamic
  vsan 1 wwn 21:00:00:e0:8b:19:70:09 fcid 0x020100 area dynamic
  vsan 1 wwn 20:89:00:05:30:00:99:de fcid 0x020200 area dynamic
  vsan 1 wwn 20:8a:00:05:30:00:99:de fcid 0x020300 area dynamic
  vsan 1 wwn 23:00:00:05:30:00:99:e0 fcid 0x020002 dynamic
  vsan 1 wwn 23:01:00:05:30:00:99:e0 fcid 0x020003 dynamic
  vsan 1 wwn 23:02:00:05:30:00:99:e0 fcid 0x020004 dynamic
  vsan 1 wwn 23:03:00:05:30:00:99:e0 fcid 0x020005 dynamic
  vsan 1 wwn 23:04:00:05:30:00:99:e0 fcid 0x020006 dynamic
  vsan 1 wwn 23:05:00:05:30:00:99:e0 fcid 0x020007 dynamic
  vsan 1 wwn 23:06:00:05:30:00:99:e0 fcid 0x020008 dynamic
  vsan 1 wwn 23:07:00:05:30:00:99:e0 fcid 0x020009 dynamic
  vsan 1 wwn 23:08:00:05:30:00:99:e0 fcid 0x02000a dynamic
  vsan 1 wwn 22:02:00:05:30:00:99:e0 fcid 0x02000b dynamic
  vsan 1 wwn 22:04:00:05:30:00:99:e0 fcid 0x02000c dynamic
  vsan 1 wwn 22:06:00:05:30:00:99:e0 fcid 0x02000d dynamic
  vsan 1 wwn 22:08:00:05:30:00:99:e0 fcid 0x02000e dynamic
  vsan 1 wwn 22:0a:00:05:30:00:99:e0 fcid 0x02000f dynamic
  vsan 1 wwn 22:0c:00:05:30:00:99:e0 fcid 0x020010 dynamic
  vsan 1 wwn 10:00:00:00:c9:60:df:80 fcid 0x020011 dynamic
  vsan 1 wwn 23:12:00:05:30:00:99:e0 fcid 0x020012 dynamic
  vsan 1 wwn 23:13:00:05:30:00:99:e0 fcid 0x020013 dynamic
  vsan 1 wwn 23:14:00:05:30:00:99:e0 fcid 0x020014 dynamic
  vsan 1 wwn 23:15:00:05:30:00:99:e0 fcid 0x020015 dynamic
  vsan 1 wwn 23:17:00:05:30:00:99:e0 fcid 0x020016 dynamic
  vsan 1 wwn 23:16:00:05:30:00:99:e0 fcid 0x020017 dynamic
  vsan 1 wwn 23:18:00:05:30:00:99:e0 fcid 0x020018 dynamic
  vsan 1 wwn 23:19:00:05:30:00:99:e0 fcid 0x020019 dynamic
  vsan 1 wwn 11:00:00:00:00:00:00:01 fcid 0x02001a dynamic
  vsan 1 wwn 20:00:00:00:00:00:00:01 fcid 0x02001b dynamic
  vsan 1 wwn 10:00:00:00:c9:77:94:21 fcid 0x02001c dynamic
  vsan 1 wwn 10:00:00:00:c9:77:92:e9 fcid 0x02001d dynamic
  vsan 1 wwn 10:00:00:00:c9:77:dd:bc fcid 0x02001e dynamic
  vsan 1 wwn 20:41:00:05:9b:73:10:c0 fcid 0x02001f dynamic
  vsan 1 wwn 20:41:00:05:9b:73:17:40 fcid 0x020020 dynamic
  vsan 1 wwn 10:00:00:00:c9:77:dc:c3 fcid 0x020021 dynamic
  vsan 1 wwn 10:00:00:00:c9:75:68:c3 fcid 0x020022 dynamic
  vsan 1 wwn 20:4c:00:0d:ec:2d:94:c0 fcid 0x020400 area dynamic
  vsan 1 wwn 20:64:00:0d:ec:2d:94:c0 fcid 0x020500 area dynamic
  vsan 1 wwn 10:00:00:00:c9:77:db:c3 fcid 0x020023 dynamic
  vsan 2 wwn 20:4c:00:0d:ec:2d:94:c0 fcid 0xef0000 area dynamic
  vsan 2 wwn 10:00:00:00:c9:75:68:c3 fcid 0xef0100 dynamic
  vsan 2 wwn 10:00:00:00:c9:77:dc:c3 fcid 0xef0101 dynamic
  vsan 2 wwn 10:00:00:00:c9:77:dd:bc fcid 0xef0102 dynamic
  vsan 2 wwn 10:00:00:00:c9:77:db:c3 fcid 0xef0103 dynamic
  vsan 2 wwn 10:00:00:00:c9:77:92:e9 fcid 0xef0104 dynamic
  vsan 2 wwn 50:06:01:60:46:e0:33:aa fcid 0xef01ef dynamic
  vsan 2 wwn 20:41:00:05:9b:73:10:c0 fcid 0xef0105 dynamic
  vsan 1 wwn 50:06:01:68:46:e0:33:aa fcid 0x0200ef dynamic
  vsan 1 wwn 50:06:01:60:46:e0:33:aa fcid 0x0206ef dynamic
  vsan 2 wwn 20:41:00:05:9b:73:17:40 fcid 0xef0106 dynamic
  vsan 2 wwn 10:00:00:00:c9:77:94:21 fcid 0xef0107 dynamic
  vsan 2 wwn 20:64:00:0d:ec:2d:94:c0 fcid 0xef0200 area dynamic
  vsan 2 wwn 50:06:01:68:46:e0:33:aa fcid 0xef03ef dynamic
  vsan 10 wwn 50:06:01:60:46:e0:33:aa fcid 0xd800ef dynamic
  vsan 10 wwn 20:41:00:05:9b:73:10:c0 fcid 0xd80000 dynamic
  vsan 10 wwn 20:41:00:05:9b:73:17:40 fcid 0xd80001 dynamic
  vsan 10 wwn 10:00:00:00:c9:77:94:21 fcid 0xd80002 dynamic
  vsan 10 wwn 50:06:01:61:46:e0:33:aa fcid 0xd801ef dynamic
  vsan 10 wwn 50:06:01:69:46:e0:33:aa fcid 0xd802ef dynamic
  vsan 10 wwn 20:42:00:05:9b:73:10:c0 fcid 0xd80003 dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:0f fcid 0xd80004 dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:18 fcid 0xd80005 dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:12 fcid 0xd80006 dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:15 fcid 0xd80007 dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:19 fcid 0xd80008 dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:10 fcid 0xd80009 dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:1c fcid 0xd8000a dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:25 fcid 0xd8000b dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:22 fcid 0xd8000c dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:1f fcid 0xd8000d dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:2b fcid 0xd8000e dynamic
  vsan 10 wwn 20:00:00:25:b5:01:11:28 fcid 0xd8000f dynamic
vsan database
  vsan 2 interface fc2/1
  vsan 2 interface fc2/2
  vsan 2 interface fc2/3
  vsan 2 interface fc2/4
  vsan 2 interface fc2/5
  vsan 2 interface fc2/6
  vsan 2 interface fc2/7
  vsan 2 interface fc2/8
  vsan 2 interface fc2/9
  vsan 2 interface fc2/10
  vsan 2 interface fc2/11
  vsan 2 interface fc2/12
  vsan 2 interface fc2/13
  vsan 2 interface fc2/14
  vsan 2 interface fc2/15
  vsan 2 interface fc2/16
  vsan 2 interface fc2/17
  vsan 2 interface fc2/18
  vsan 2 interface fc2/19
  vsan 2 interface fc2/20
  vsan 2 interface fc2/21
  vsan 2 interface fc2/22
  vsan 2 interface fc2/23
  vsan 10 interface fc2/24
  vsan 10 interface fc2/25
  vsan 10 interface fc2/26
  vsan 2 interface fc2/27
  vsan 2 interface fc2/28
  vsan 2 interface fc2/29
  vsan 2 interface fc2/30
  vsan 2 interface fc2/31
  vsan 2 interface fc2/32
  vsan 2 interface fc2/33
  vsan 2 interface fc2/34
  vsan 2 interface fc2/35
  vsan 2 interface fc2/36
  vsan 2 interface fc2/37
  vsan 2 interface fc2/38
  vsan 2 interface fc2/39
  vsan 2 interface fc2/40
  vsan 2 interface fc2/41
  vsan 2 interface fc2/42
  vsan 2 interface fc2/43
  vsan 2 interface fc2/44
  vsan 2 interface fc2/45
  vsan 2 interface fc2/46
  vsan 2 interface fc2/47
  vsan 10 interface fc2/48
  vsan 2 interface fc4/1
  vsan 2 interface fc4/2
  vsan 2 interface fc4/3
  vsan 2 interface fc4/4
  vsan 2 interface fc4/5
  vsan 2 interface fc4/6
  vsan 2 interface fc4/7
  vsan 2 interface fc4/8
  vsan 2 interface fc4/9
  vsan 2 interface fc4/10
  vsan 2 interface fc4/11
  vsan 2 interface fc4/12
  vsan 2 interface fc4/13
  vsan 2 interface fc4/14
  vsan 2 interface fc4/15
  vsan 2 interface fc4/16
  vsan 2 interface fc4/17
  vsan 2 interface fc4/18
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
ip default-gateway 192.168.41.1
switchname MDS-DC-1
line vty
  exec-timeout 15
line console
  exec-timeout 15
boot kickstart bootflash:/m9500-sf2ek9-kickstart-mzg.5.0.1a.bin.S4 sup-1
boot system bootflash:/m9500-sf2ek9-mzg.5.0.1a.bin.S4 sup-1
boot kickstart bootflash:/m9500-sf2ek9-kickstart-mzg.5.0.1a.bin.S4 sup-2
boot system bootflash:/m9500-sf2ek9-mzg.5.0.1a.bin.S4 sup-2
interface fc2/12
  switchport speed 4000
  switchport rate-mode shared
interface fc2/11
  switchport rate-mode dedicated
interface fc2/36
  switchport rate-mode dedicated
interface fc2/1
interface fc2/2
interface fc2/3
interface fc2/4
interface fc2/5
interface fc2/6
interface fc2/7
interface fc2/8
interface fc2/9
interface fc2/10
interface fc2/12
  switchport mode FL
interface fc2/13
interface fc2/14
interface fc2/15
interface fc2/16
interface fc2/17
interface fc2/18
interface fc2/19
interface fc2/20
interface fc2/21
interface fc2/22
interface fc2/23
interface fc2/24
interface fc2/25
interface fc2/26
interface fc2/27
interface fc2/28
interface fc2/29
interface fc2/30
interface fc2/31
interface fc2/32
interface fc2/33
interface fc2/34
interface fc2/35
interface fc2/37
interface fc2/38
interface fc2/39
interface fc2/40
interface fc2/41
interface fc2/42
interface fc2/43
interface fc2/44
interface fc2/45
interface fc2/46
interface fc2/47
interface fc2/48
interface fc2/11
  switchport mode auto
interface fc2/36
  switchport mode auto
interface fc4/1
interface fc4/2
interface fc4/3
interface fc4/4
interface fc4/5
interface fc4/6
interface fc4/7
interface fc4/8
interface fc4/9
interface fc4/10
interface fc4/11
interface fc4/12
interface fc4/13
interface fc4/14
interface fc4/15
interface fc4/16
interface fc4/17
interface fc4/18
logging server 192.168.42.121
logging server 192.168.42.124 6
system default zone default-zone permit
system default zone distribute full
zone default-zone permit vsan 2
zone default-zone permit vsan 10
zoneset distribute full vsan 1-2
zoneset distribute full vsan 10
!Full Zone Database Section for vsan 2
zone name global_zone vsan 2
    member pwwn 26:00:00:01:55:35:7e:44
    member pwwn 26:02:00:01:55:35:7e:44
    member pwwn 10:00:00:00:c9:75:68:c3
    member pwwn 10:00:00:00:c9:77:92:e9
    member pwwn 10:00:00:00:c9:77:db:c3
    member pwwn 10:00:00:00:c9:77:dc:c3
    member pwwn 10:00:00:00:c9:77:dd:bc
    member pwwn 21:00:00:1b:32:00:33:0c
    member pwwn 21:00:00:1b:32:00:3a:0c
    member pwwn 21:00:00:1b:32:00:5d:0d
    member pwwn 21:00:00:1b:32:00:5e:0d
    member pwwn 21:00:00:1b:32:00:70:0d
    member pwwn 21:00:00:1b:32:00:ab:0d
    member pwwn 21:00:00:1b:32:80:0b:10
    member pwwn 21:00:00:1b:32:80:52:10
    member pwwn 21:00:00:1b:32:80:da:0f
    member pwwn 21:00:00:1b:32:80:f1:0f
 
   
zoneset name promise-2_zs vsan 2
    member global_zone
 
   
zoneset activate name promise-2_zs vsan 2
!Full Zone Database Section for vsan 10
zone name UIM_20000025B5011112_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:12
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011110_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:10
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011112_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:12
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011110_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:10
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011112_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:12
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011110_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:10
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011112_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:12
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011110_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:10
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011115_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:15
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011116_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:16
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011115_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:15
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011116_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:16
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011115_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:15
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011116_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:16
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011115_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:15
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011116_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:16
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501111A_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1a
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011119_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:19
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501111A_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1a
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011119_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:19
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501111A_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1a
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011119_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:19
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501111A_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1a
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011119_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:19
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501111D_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1d
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501111C_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1c
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501111D_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1d
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501111C_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1c
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501111D_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1d
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501111C_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1c
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501111D_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1d
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501111C_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1c
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501111F_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1f
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011120_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:20
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501111F_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1f
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011120_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:20
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501111F_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1f
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011120_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:20
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501111F_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:1f
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011120_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:20
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011123_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:23
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011122_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:22
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011123_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:23
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011122_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:22
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011123_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:23
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011122_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:22
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011123_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:23
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011122_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:22
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011125_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:25
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011126_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:26
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011125_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:25
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011126_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:26
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011125_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:25
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011126_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:26
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011125_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:25
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011126_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:26
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011129_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:29
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011128_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:28
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011129_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:29
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011128_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:28
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011129_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:29
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011128_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:28
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011129_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:29
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011128_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:28
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501112B_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:2b
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501112C_5006016946E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:2c
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501112B_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:2b
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501112C_5006016846E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:2c
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501112B_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:2b
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501112C_5006016046E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:2c
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501112B_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:2b
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501112C_5006016146E033AA vsan 10
    member pwwn 20:00:00:25:b5:01:11:2c
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zoneset name UIM_ZONESET_A vsan 10
    member UIM_20000025B5011112_5006016046E033AA
    member UIM_20000025B5011110_5006016046E033AA
    member UIM_20000025B5011112_5006016946E033AA
    member UIM_20000025B5011110_5006016946E033AA
    member UIM_20000025B5011112_5006016846E033AA
    member UIM_20000025B5011110_5006016846E033AA
    member UIM_20000025B5011112_5006016146E033AA
    member UIM_20000025B5011110_5006016146E033AA
    member UIM_20000025B5011115_5006016846E033AA
    member UIM_20000025B5011116_5006016846E033AA
    member UIM_20000025B5011115_5006016146E033AA
    member UIM_20000025B5011116_5006016146E033AA
    member UIM_20000025B5011115_5006016946E033AA
    member UIM_20000025B5011116_5006016946E033AA
    member UIM_20000025B5011115_5006016046E033AA
    member UIM_20000025B5011116_5006016046E033AA
    member UIM_20000025B501111A_5006016946E033AA
    member UIM_20000025B5011119_5006016946E033AA
    member UIM_20000025B501111A_5006016146E033AA
    member UIM_20000025B5011119_5006016146E033AA
    member UIM_20000025B501111A_5006016846E033AA
    member UIM_20000025B5011119_5006016846E033AA
    member UIM_20000025B501111A_5006016046E033AA
    member UIM_20000025B5011119_5006016046E033AA
    member UIM_20000025B501111D_5006016146E033AA
    member UIM_20000025B501111C_5006016146E033AA
    member UIM_20000025B501111D_5006016846E033AA
    member UIM_20000025B501111C_5006016846E033AA
    member UIM_20000025B501111D_5006016946E033AA
    member UIM_20000025B501111C_5006016946E033AA
    member UIM_20000025B501111D_5006016046E033AA
    member UIM_20000025B501111C_5006016046E033AA
    member UIM_20000025B501111F_5006016146E033AA
    member UIM_20000025B5011120_5006016146E033AA
    member UIM_20000025B501111F_5006016946E033AA
    member UIM_20000025B5011120_5006016946E033AA
    member UIM_20000025B501111F_5006016846E033AA
    member UIM_20000025B5011120_5006016846E033AA
    member UIM_20000025B501111F_5006016046E033AA
    member UIM_20000025B5011120_5006016046E033AA
    member UIM_20000025B5011123_5006016946E033AA
    member UIM_20000025B5011122_5006016946E033AA
    member UIM_20000025B5011123_5006016146E033AA
    member UIM_20000025B5011122_5006016146E033AA
    member UIM_20000025B5011123_5006016846E033AA
    member UIM_20000025B5011122_5006016846E033AA
    member UIM_20000025B5011123_5006016046E033AA
    member UIM_20000025B5011122_5006016046E033AA
    member UIM_20000025B5011125_5006016146E033AA
    member UIM_20000025B5011126_5006016146E033AA
    member UIM_20000025B5011125_5006016946E033AA
    member UIM_20000025B5011126_5006016946E033AA
    member UIM_20000025B5011125_5006016846E033AA
    member UIM_20000025B5011126_5006016846E033AA
    member UIM_20000025B5011125_5006016046E033AA
    member UIM_20000025B5011126_5006016046E033AA
    member UIM_20000025B5011129_5006016846E033AA
    member UIM_20000025B5011128_5006016846E033AA
    member UIM_20000025B5011129_5006016046E033AA
    member UIM_20000025B5011128_5006016046E033AA
    member UIM_20000025B5011129_5006016146E033AA
    member UIM_20000025B5011128_5006016146E033AA
    member UIM_20000025B5011129_5006016946E033AA
    member UIM_20000025B5011128_5006016946E033AA
    member UIM_20000025B501112B_5006016946E033AA
    member UIM_20000025B501112C_5006016946E033AA
    member UIM_20000025B501112B_5006016846E033AA
    member UIM_20000025B501112C_5006016846E033AA
    member UIM_20000025B501112B_5006016046E033AA
    member UIM_20000025B501112C_5006016046E033AA
    member UIM_20000025B501112B_5006016146E033AA
    member UIM_20000025B501112C_5006016146E033AA
 
   
zoneset activate name UIM_ZONESET_A vsan 10
 
   
interface fc2/1
 
   
interface fc2/2
 
   
interface fc2/3
 
   
interface fc2/4
 
   
interface fc2/5
 
   
interface fc2/6
 
   
interface fc2/7
 
   
interface fc2/8
 
   
interface fc2/9
 
   
interface fc2/10
 
   
interface fc2/11
  no shutdown
 
   
interface fc2/12
  no shutdown
 
   
interface fc2/13
 
   
interface fc2/14
 
   
interface fc2/15
 
   
interface fc2/16
 
   
interface fc2/17
 
   
interface fc2/18
 
   
interface fc2/19
 
   
interface fc2/20
 
   
interface fc2/21
 
   
interface fc2/22
 
   
interface fc2/23
 
   
interface fc2/24
  no shutdown
 
   
interface fc2/25
  no shutdown
 
   
interface fc2/26
  no shutdown
 
   
interface fc2/27
 
   
interface fc2/28
 
   
interface fc2/29
 
   
interface fc2/30
 
   
interface fc2/31
 
   
interface fc2/32
 
   
interface fc2/33
 
   
interface fc2/34
 
   
interface fc2/35
 
   
interface fc2/36
  no shutdown
 
   
interface fc2/37
  shutdown
 
   
interface fc2/38
 
   
interface fc2/39
 
   
interface fc2/40
 
   
interface fc2/41
 
   
interface fc2/42
 
   
interface fc2/43
 
   
interface fc2/44
 
   
interface fc2/45
 
   
interface fc2/46
 
   
interface fc2/47
 
   
interface fc2/48
  no shutdown
 
   
interface fc4/1
 
   
interface fc4/2
 
   
interface fc4/3
 
   
interface fc4/4
 
   
interface fc4/5
 
   
interface fc4/6
 
   
interface fc4/7
 
   
interface fc4/8
 
   
interface fc4/9
 
   
interface fc4/10
 
   
interface fc4/11
 
   
interface fc4/12
 
   
interface fc4/13
 
   
interface fc4/14
 
   
interface fc4/15
 
   
interface fc4/16
 
   
interface fc4/17
 
   
interface fc4/18
 
   
interface GigabitEthernet4/1
 
   
interface GigabitEthernet4/2
 
   
interface GigabitEthernet4/3
 
   
interface GigabitEthernet4/4
 
   
interface mgmt0
  ip address 192.168.41.51 255.255.255.0
  ip access-group 23 in
no system default switchport shutdown
 
   

MDS-DC-2-running

 
   
!Command: show running-config
!Time: Sun Apr 24 16:48:05 2011
 
   
version 5.0(4)
system default switchport mode F 
feature npiv
feature privilege
feature tacacs+
role name default-role
  description This is a system defined role and applies to all users.
  rule 5 permit show feature environment
  rule 4 permit show feature hardware
  rule 3 permit show feature module
  rule 2 permit show feature snmp
  rule 1 permit show feature system
username admin password 5 <removed>   role network-admin
username retail password 5 <removed>   role network-admin
username emc-ncm password 5 <removed>   role network-admin
username bart password 5 <removed>   role network-admin
enable secret 5 <removed>
 
   
banner motd #
WARNING:
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
                    **** AUTHORIZED USERS ONLY! ****
 
   
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
 
   
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
#
 
   
ssh login-attempts 6
 
   
ip domain-lookup
ip domain-name cisco-irn.com
ip host MDS-DC-2 192.168.41.52
ip host MDS-DC-2 192.168.41.52
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131 
aaa group server tacacs+ CiscoACS 
    server 192.168.42.131 
aaa group server radius radius 
snmp-server user bart network-admin auth md5 <removed>  priv <removed> localizedkey
snmp-server user admin network-admin auth md5 <removed> localizedkey
snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user emc-ncm network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server host 192.168.41.101 traps version 2c public  udp-port 2162
snmp-server host 192.168.42.121 traps version 3 auth public 
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
ntp server 192.168.62.161
ntp server 192.168.62.162
aaa authentication login default group CiscoACS 
aaa authentication login console group CiscoACS 
aaa authorization ssh-certificate default group CiscoACS 
aaa accounting default group CiscoACS 
aaa authentication login error-enable 
ip access-list 23 permit ip 127.0.0.1 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.41.101 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.41.102 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.111 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.121 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.122 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.131 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.133 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 192.168.42.138 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 permit ip 10.19.151.99 0.0.0.0 192.168.41.52 0.0.0.0
ip access-list 23 deny ip any any log-deny
vsan database
  vsan 2 name "Promise-2" 
  vsan 11 name "UIM_VSAN_B_11" 
fcdomain fcid database
  vsan 1 wwn 21:01:00:e0:8b:39:35:58 fcid 0x010000 area dynamic
  vsan 1 wwn 22:03:00:0d:ec:20:2b:40 fcid 0x010100 area dynamic
  vsan 11 wwn 20:41:00:05:9b:73:17:40 fcid 0xd40000 dynamic
  vsan 11 wwn 20:42:00:05:9b:73:17:40 fcid 0xd40001 dynamic
  vsan 1 wwn 21:00:00:e0:8b:19:35:58 fcid 0x010200 area dynamic
  vsan 11 wwn 50:06:01:69:46:e0:33:aa fcid 0xd400ef dynamic
  vsan 11 wwn 50:06:01:68:46:e0:33:aa fcid 0xd401ef dynamic
  vsan 1 wwn 26:01:00:01:55:35:7e:44 fcid 0x010300 dynamic
  vsan 2 wwn 26:01:00:01:55:35:7e:44 fcid 0x890000 dynamic
  vsan 2 wwn 20:64:00:0d:ec:38:76:00 fcid 0x890100 area dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:10 fcid 0xd40002 dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:19 fcid 0xd40003 dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:13 fcid 0xd40004 dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:16 fcid 0xd40005 dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:1a fcid 0xd40006 dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:12 fcid 0xd40007 dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:1d fcid 0xd40008 dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:26 fcid 0xd40009 dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:23 fcid 0xd4000a dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:20 fcid 0xd4000b dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:2c fcid 0xd4000c dynamic
  vsan 11 wwn 20:00:00:25:b5:01:11:29 fcid 0xd4000d dynamic
vsan database
  vsan 11 interface fc2/24
  vsan 11 interface fc2/25
  vsan 11 interface fc2/26
  vsan 11 interface fc2/48
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
ip default-gateway 192.168.41.1
switchname MDS-DC-2
line vty
  session-limit 32
  exec-timeout 15
line console
  exec-timeout 15
boot kickstart bootflash:/m9500-sf2ek9-kickstart-mz.5.0.4.bin sup-1
boot system bootflash:/m9500-sf2ek9-mz.5.0.4.bin sup-1
boot kickstart bootflash:/m9500-sf2ek9-kickstart-mz.5.0.4.bin sup-2
boot system bootflash:/m9500-sf2ek9-mz.5.0.4.bin sup-2
interface fc2/1
interface fc2/2
interface fc2/3
interface fc2/4
interface fc2/5
interface fc2/6
interface fc2/7
interface fc2/8
interface fc2/9
interface fc2/10
interface fc2/11
interface fc2/12
interface fc2/13
interface fc2/14
interface fc2/15
interface fc2/16
interface fc2/17
interface fc2/18
interface fc2/19
interface fc2/20
interface fc2/21
interface fc2/22
interface fc2/23
interface fc2/24
interface fc2/25
interface fc2/26
interface fc2/27
interface fc2/28
interface fc2/29
interface fc2/30
interface fc2/31
interface fc2/32
interface fc2/33
interface fc2/34
interface fc2/35
interface fc2/36
interface fc2/37
interface fc2/38
interface fc2/39
interface fc2/40
interface fc2/41
interface fc2/42
interface fc2/43
interface fc2/44
interface fc2/45
interface fc2/46
interface fc2/47
interface fc2/48
logging server 192.168.42.121
logging server 192.168.42.124 6
system default zone default-zone permit
system default zone distribute full
zone default-zone permit vsan 2
zone default-zone permit vsan 11
zoneset distribute full vsan 1-2
zoneset distribute full vsan 11
!Full Zone Database Section for vsan 2
zone name global_zone vsan 2
zoneset name promise-2_zs vsan 2
    member global_zone
 
   
!Full Zone Database Section for vsan 11
zone name UIM_20000025B5011110_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:10
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011112_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:12
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011110_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:10
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011112_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:12
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011110_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:10
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011112_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:12
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011110_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:10
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011112_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:12
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011116_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:16
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011115_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:15
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011116_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:16
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011115_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:15
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011116_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:16
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011115_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:15
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011116_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:16
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011115_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:15
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011119_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:19
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501111A_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1a
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011119_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:19
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501111A_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1a
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011119_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:19
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501111A_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1a
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011119_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:19
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501111A_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1a
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501111D_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1d
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501111C_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1c
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501111D_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1d
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501111C_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1c
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501111D_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1d
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501111C_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1c
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501111D_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1d
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501111C_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1c
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011120_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:20
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501111F_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1f
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011120_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:20
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501111F_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1f
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011120_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:20
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501111F_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1f
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011120_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:20
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501111F_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:1f
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011122_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:22
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011123_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:23
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011122_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:22
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011123_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:23
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011122_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:22
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011123_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:23
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011122_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:22
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011123_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:23
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011126_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:26
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011125_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:25
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011126_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:26
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011125_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:25
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011126_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:26
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011125_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:25
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011126_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:26
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011125_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:25
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011128_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:28
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011129_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:29
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B5011128_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:28
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011129_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:29
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B5011128_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:28
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011129_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:29
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B5011128_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:28
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B5011129_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:29
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501112C_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:2c
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501112B_5006016046E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:2b
    member pwwn 50:06:01:60:46:e0:33:aa
 
   
zone name UIM_20000025B501112C_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:2c
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501112B_5006016946E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:2b
    member pwwn 50:06:01:69:46:e0:33:aa
 
   
zone name UIM_20000025B501112C_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:2c
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501112B_5006016846E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:2b
    member pwwn 50:06:01:68:46:e0:33:aa
 
   
zone name UIM_20000025B501112C_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:2c
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zone name UIM_20000025B501112B_5006016146E033AA vsan 11
    member pwwn 20:00:00:25:b5:01:11:2b
    member pwwn 50:06:01:61:46:e0:33:aa
 
   
zoneset name UIM_ZONESET_B vsan 11
    member UIM_20000025B5011110_5006016946E033AA
    member UIM_20000025B5011112_5006016946E033AA
    member UIM_20000025B5011110_5006016046E033AA
    member UIM_20000025B5011112_5006016046E033AA
    member UIM_20000025B5011110_5006016146E033AA
    member UIM_20000025B5011112_5006016146E033AA
    member UIM_20000025B5011110_5006016846E033AA
    member UIM_20000025B5011112_5006016846E033AA
    member UIM_20000025B5011116_5006016046E033AA
    member UIM_20000025B5011115_5006016046E033AA
    member UIM_20000025B5011116_5006016946E033AA
    member UIM_20000025B5011115_5006016946E033AA
    member UIM_20000025B5011116_5006016846E033AA
    member UIM_20000025B5011115_5006016846E033AA
    member UIM_20000025B5011116_5006016146E033AA
    member UIM_20000025B5011115_5006016146E033AA
    member UIM_20000025B5011119_5006016146E033AA
    member UIM_20000025B501111A_5006016146E033AA
    member UIM_20000025B5011119_5006016046E033AA
    member UIM_20000025B501111A_5006016046E033AA
    member UIM_20000025B5011119_5006016946E033AA
    member UIM_20000025B501111A_5006016946E033AA
    member UIM_20000025B5011119_5006016846E033AA
    member UIM_20000025B501111A_5006016846E033AA
    member UIM_20000025B501111D_5006016146E033AA
    member UIM_20000025B501111C_5006016146E033AA
    member UIM_20000025B501111D_5006016846E033AA
    member UIM_20000025B501111C_5006016846E033AA
    member UIM_20000025B501111D_5006016946E033AA
    member UIM_20000025B501111C_5006016946E033AA
    member UIM_20000025B501111D_5006016046E033AA
    member UIM_20000025B501111C_5006016046E033AA
    member UIM_20000025B5011120_5006016846E033AA
    member UIM_20000025B501111F_5006016846E033AA
    member UIM_20000025B5011120_5006016146E033AA
    member UIM_20000025B501111F_5006016146E033AA
    member UIM_20000025B5011120_5006016046E033AA
    member UIM_20000025B501111F_5006016046E033AA
    member UIM_20000025B5011120_5006016946E033AA
    member UIM_20000025B501111F_5006016946E033AA
    member UIM_20000025B5011122_5006016946E033AA
    member UIM_20000025B5011123_5006016946E033AA
    member UIM_20000025B5011122_5006016146E033AA
    member UIM_20000025B5011123_5006016146E033AA
    member UIM_20000025B5011122_5006016046E033AA
    member UIM_20000025B5011123_5006016046E033AA
    member UIM_20000025B5011122_5006016846E033AA
    member UIM_20000025B5011123_5006016846E033AA
    member UIM_20000025B5011126_5006016846E033AA
    member UIM_20000025B5011125_5006016846E033AA
    member UIM_20000025B5011126_5006016946E033AA
    member UIM_20000025B5011125_5006016946E033AA
    member UIM_20000025B5011126_5006016146E033AA
    member UIM_20000025B5011125_5006016146E033AA
    member UIM_20000025B5011126_5006016046E033AA
    member UIM_20000025B5011125_5006016046E033AA
    member UIM_20000025B5011128_5006016946E033AA
    member UIM_20000025B5011129_5006016946E033AA
    member UIM_20000025B5011128_5006016046E033AA
    member UIM_20000025B5011129_5006016046E033AA
    member UIM_20000025B5011128_5006016146E033AA
    member UIM_20000025B5011129_5006016146E033AA
    member UIM_20000025B5011128_5006016846E033AA
    member UIM_20000025B5011129_5006016846E033AA
    member UIM_20000025B501112C_5006016046E033AA
    member UIM_20000025B501112B_5006016046E033AA
    member UIM_20000025B501112C_5006016946E033AA
    member UIM_20000025B501112B_5006016946E033AA
    member UIM_20000025B501112C_5006016846E033AA
    member UIM_20000025B501112B_5006016846E033AA
    member UIM_20000025B501112C_5006016146E033AA
    member UIM_20000025B501112B_5006016146E033AA
 
   
zoneset activate name UIM_ZONESET_B vsan 11
 
   
interface fc2/1
 
   
interface fc2/2
 
   
interface fc2/3
 
   
interface fc2/4
 
   
interface fc2/5
 
   
interface fc2/6
 
   
interface fc2/7
 
   
interface fc2/8
 
   
interface fc2/9
 
   
interface fc2/10
 
   
interface fc2/11
 
   
interface fc2/12
 
   
interface fc2/13
 
   
interface fc2/14
 
   
interface fc2/15
 
   
interface fc2/16
 
   
interface fc2/17
 
   
interface fc2/18
 
   
interface fc2/19
 
   
interface fc2/20
 
   
interface fc2/21
 
   
interface fc2/22
 
   
interface fc2/23
 
   
interface fc2/24
 
   
interface fc2/25
 
   
interface fc2/26
 
   
interface fc2/27
 
   
interface fc2/28
 
   
interface fc2/29
 
   
interface fc2/30
 
   
interface fc2/31
 
   
interface fc2/32
 
   
interface fc2/33
 
   
interface fc2/34
 
   
interface fc2/35
 
   
interface fc2/36
 
   
interface fc2/37
 
   
interface fc2/38
 
   
interface fc2/39
 
   
interface fc2/40
 
   
interface fc2/41
 
   
interface fc2/42
 
   
interface fc2/43
 
   
interface fc2/44
 
   
interface fc2/45
 
   
interface fc2/46
 
   
interface fc2/47
 
   
interface fc2/48
 
   
interface mgmt0
  ip address 192.168.41.52 255.255.255.0
  ip access-group 23 in
no system default switchport shutdown
 
   

N1kv-1-running

 
!Command: show running-config
!Time: Sat Apr 30 03:02:54 2011
 
   
version 4.2(1)SV1(4)
no feature telnet
feature tacacs+
 
   
username admin password 5 <removed>   role network-admin
username retail password 5 <removed>   role network-admin
 
   
banner motd # 
WARNING: 
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail **** 
                    **** AUTHORIZED USERS ONLY! **** 
 
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT 
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY 
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER 
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT 
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER 
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW 
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW. 
 
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS. 
#
 
   
ssh key rsa 2048 
ip domain-lookup
ip domain-lookup
tacacs-server key 7 "<removed>"
tacacs-server host 192.168.42.131 
aaa group server tacacs+ CiscoACS 
    server 192.168.42.131 
    use-vrf management
    source-interface mgmt0
aaa group server tacacs+ tacacs 
hostname N1kv-1
ip access-list 23
  10 permit ip 192.168.42.0/24 any 
  20 permit ip any any 
  30 deny ip any any 
ip access-list 88
  10 permit ip 192.168.42.0/24 any 
  20 permit ip any any 
  30 deny ip any any 
vem 3
  host vmware id 414e3537-3441-3255-5838-34353034544b
vem 4
  host vmware id 414e3537-3441-3255-5838-34353034544d
vem 5
  host vmware id 414e3537-3441-3255-5838-333930345046
vem 6
  host vmware id 414e3537-3441-3255-5838-34353034544c
vem 7
  host vmware id 414e3537-3441-3255-5838-333930344e59
vem 8
  host vmware id 414e3537-3441-3255-5838-333830333330
vem 9
  host vmware id 414e3537-3441-3255-5838-333930345057
vem 10
  host vmware id 414e3537-3441-3255-5838-343530345630
vem 11
  host vmware id 414e3537-3441-3255-5838-343530345448
vem 12
  host vmware id 414e3537-3441-3255-5838-333930345048
snmp-server user admin network-admin auth md5 <removed> priv <removed> localizedkey
snmp-server user retail network-admin auth md5 <removed> priv <removed> localizedkey
ntp server 192.168.62.161 use-vrf management
ntp server 192.168.62.162 use-vrf management
ntp source 192.168.41.61
aaa authentication login default group CiscoACS 
aaa authentication login console group CiscoACS 
 
   
vrf context management
  ip route 0.0.0.0/0 192.168.41.1
vlan 1
vlan 36
  name VLAN36
vlan 37
  name VLAN37
vlan 38
  name VLAN38
vlan 39
  name VLAN39
vlan 40
  name VLAN40
vlan 41
  name VLAN41
vlan 42
  name VLAN42
vlan 43
  name VLAN43
vlan 44
  name VLAN44
vlan 45
  name VLAN45
vlan 46
  name VLAN46
vlan 52
  name VLAN52
vlan 64
  name VLAN64
vlan 72
  name VLAN72
vlan 80
  name VLAN80
vlan 81
  name VLAN81
vlan 82
  name VLAN82
vlan 83
  name VLAN83
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile type vethernet VLAN38
  vmware port-group
  switchport mode access
  switchport access vlan 38
  no shutdown
  state enabled
port-profile type vethernet VLAN36
  vmware port-group
  switchport mode access
  switchport access vlan 36
  no shutdown
  state enabled
port-profile type vethernet VLAN37
  vmware port-group
  switchport mode access
  switchport access vlan 37
  no shutdown
  state enabled
port-profile type vethernet VLAN39
  vmware port-group
  switchport mode access
  switchport access vlan 39
  no shutdown
  state enabled
port-profile type vethernet VLAN40
  vmware port-group
  switchport mode access
  switchport access vlan 40
  no shutdown
  state enabled
port-profile type vethernet VLAN41
  vmware port-group
  switchport mode access
  switchport access vlan 41
  no shutdown
  system vlan 41
  state enabled
port-profile type vethernet VLAN42
  vmware port-group
  switchport mode access
  switchport access vlan 42
  no shutdown
  state enabled
port-profile type vethernet VLAN43
  vmware port-group
  switchport mode access
  switchport access vlan 43
  no shutdown
  state enabled
port-profile type vethernet VLAN44
  vmware port-group
  switchport mode access
  switchport access vlan 44
  no shutdown
  state enabled
port-profile type vethernet VLAN45
  vmware port-group
  switchport mode access
  switchport access vlan 45
  no shutdown
  state enabled
port-profile type vethernet VLAN46
  vmware port-group
  switchport mode access
  switchport access vlan 46
  no shutdown
  state enabled
port-profile type vethernet VLAN52
  vmware port-group
  switchport mode access
  switchport access vlan 52
  no shutdown
  state enabled
port-profile type vethernet VLAN64
  vmware port-group
  switchport mode access
  switchport access vlan 64
  no shutdown
  state enabled
port-profile type vethernet VLAN72
  vmware port-group
  switchport mode access
  switchport access vlan 72
  no shutdown
  state enabled
port-profile type vethernet VLAN80
  vmware port-group
  switchport mode access
  switchport access vlan 80
  no shutdown
  state enabled
port-profile type vethernet VLAN81
  vmware port-group
  switchport mode access
  switchport access vlan 81
  no shutdown
  state enabled
port-profile type vethernet VLAN82
  vmware port-group
  switchport mode access
  switchport access vlan 82
  no shutdown
  state enabled
port-profile type vethernet VLAN83
  vmware port-group
  switchport mode access
  switchport access vlan 83
  no shutdown
  state enabled
port-profile type ethernet Unused_Or_Quarantine_Uplink
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type ethernet sysuplink
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 36-83
  no shutdown
  system vlan 41
  state enabled
port-profile type vethernet VSG-DADA-HA
  vmware port-group
  switchport access vlan 41
  no shutdown
  state enabled
port-profile type vethernet Tenant-1
  vmware port-group
  org root/Tenant-1
  vn-service ip-address 192.168.52.11 vlan 52 security-profile SecurityProfile-1
  switchport mode access
  switchport access vlan 41
  no shutdown
  state enabled
 
   
vdc N1kv-1 id 1
  limit-resource vlan minimum 16 maximum 2049
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 32 maximum 32
  limit-resource u6route-mem minimum 16 maximum 16
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8
 
   
interface mgmt0
  ip address 192.168.41.61/24
 
   
interface Vethernet3
  inherit port-profile VLAN42
  description RSA-Archer,Network Adapter 1
  vmware dvport 207 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"
  vmware vm mac 0050.56BB.001E
 
   
interface Vethernet5
  inherit port-profile VSG-DADA-HA
  description Nexus1000VSG,Network Adapter 3
  vmware dvport 1057 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"
  vmware vm mac 0050.56BB.0004
 
   
interface Vethernet6
  inherit port-profile VSG-DADA-HA
  description Nexus1000VSG,Network Adapter 1
  vmware dvport 1056 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"
  vmware vm mac 0050.56BB.0002
 
   
interface Vethernet7
  inherit port-profile VLAN52
  description POS Terminal,Network Adapter 1
  vmware dvport 352 dvswitch uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0"
  vmware vm mac 0050.56BB.0005
 
   
interface control0
clock timezone PST -8 0
clock summer-time PST 1 Sun April 02:00 5 Sun Oct 02:00 60
line vty
  exec-timeout 15
line console
  exec-timeout 15
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4.bin sup-1
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4.bin sup-2
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4.bin sup-2
svs-domain
  domain id 2
  control vlan 41
  packet vlan 41
  svs mode L2  
svs connection vc
  protocol vmware-vim
  remote ip address 192.168.41.102 port 80
  vmware dvs uuid "f9 31 3b 50 f5 23 1c a3-34 b1 f1 a6 d6 24 6c c0" datacenter-name Retail Lab-CMO
  connect
vnm-policy-agent
  registration-ip 192.168.41.65
  shared-secret **********
  policy-agent-image bootflash:/vnmc-vsmpa.1.0.1j.bin
  log-level 
logging server 192.168.42.124 7 facility syslog
logging timestamp milliseconds
 
   
 
   

r-a2-conv-1

 
   
!
! Last configuration change at 00:53:21 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 00:53:22 PST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
no service password-recovery
!
hostname R-A2-Conv-1
!
boot-start-marker
boot system flash c890-universalk9-mz.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated 
aaa accounting update newinfo
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting system default
 action-type start-stop
 group tacacs+
!
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PST recurring
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-479252603
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-479252603
 revocation-check none
 rsakeypair TP-self-signed-479252603
!
!
crypto pki certificate chain TP-self-signed-479252603
 certificate self-signed 01
  <removed>
  	quit
no ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip multicast-routing 
ip port-map user-8443 port tcp 8443
ip ips config location flash: retries 1 timeout 1
ip ips name Store-IPS
!
ip ips signature-category
  category all
   retired true
  category ios_ips default
   retired false
!
ip inspect log drop-pkt
ip inspect audit-trail
ip wccp 61
ip wccp 62
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type inspect Inspect-1
 audit-trail on
parameter-map type inspect global
 WAAS enable
 
   
parameter-map type trend-global trend-glob-map
password encryption aes
license udi pid CISCO891W-AGN-N-K9 sn <removed>
!
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
object-group network ActiveDirectory.cisco-irn.com 
 host 192.168.42.130
!
object-group service CAPWAP 
 description CAPWAP UDP ports 5246 and 5247
 udp eq 5246
 udp eq 5247
!
object-group service CISCO-WAAS 
 description Ports for Cisco WAAS
 tcp eq 4050
!
object-group network DC-ALL 
 description All of the Data Center
 192.168.0.0 255.255.0.0
!
object-group network Stores-ALL 
 description all store networks
 10.10.0.0 255.255.0.0
!
object-group network CSM_INLINE_dst_rule_68719541425 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network WCSManager 
 description Wireless Manager
 host 192.168.43.135
!
object-group network DC-Wifi-Controllers 
 description Central Wireless Controllers for stores
 host 192.168.43.21
 host 192.168.43.22
!
object-group network DC-Wifi-MSE 
 description Mobility Service Engines
 host 192.168.43.31
 host 192.168.43.32
!
object-group network CSM_INLINE_dst_rule_68719541431 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object WCSManager
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
!
object-group network PAME-DC-1 
 host 192.168.44.111
!
object-group network MSP-DC-1 
 description Data Center VSOM
 host 192.168.44.121
!
object-group network CSM_INLINE_dst_rule_68719541435 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object PAME-DC-1
 group-object MSP-DC-1
!
object-group network CSM_INLINE_dst_rule_68719541457 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_68719541461 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_68719541465 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network EMC-NCM 
 description EMC Network Configuration Manager
 host 192.168.42.122
!
object-group network RSA-enVision 
 description RSA EnVision Syslog collector and SIM
 host 192.168.42.124
!
object-group network CSM_INLINE_dst_rule_73014451187 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object EMC-NCM
 group-object RSA-enVision
!
object-group network TACACS 
 description Csico Secure ACS server for TACACS and Radius
 host 192.168.42.131
!
object-group network RSA-AM 
 description RSA Authentication Manager for SecureID
 host 192.168.42.137
!
object-group network NAC-1 
 description ISE server for NAC
 host 192.168.42.111
!
object-group network CSM_INLINE_dst_rule_73014451193 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object ActiveDirectory.cisco-irn.com
 group-object TACACS
 group-object RSA-AM
 group-object NAC-1
!
object-group network NAC-2 
 host 192.168.42.112
!
object-group network CSM_INLINE_dst_rule_73014451223 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object NAC-2
 group-object NAC-1
!
object-group network DC-Admin 
 description DC Admin Systems
 host 192.168.41.101
 host 192.168.41.102
!
object-group network CSManager 
 description Cisco Security Manager
 host 192.168.42.133
!
object-group network CSM_INLINE_src_rule_68719541409 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object DC-Admin
 group-object EMC-NCM
 group-object CSManager
!
object-group network CSM_INLINE_src_rule_68719541427 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network CSM_INLINE_src_rule_68719541429 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object WCSManager
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
!
object-group network CSM_INLINE_src_rule_68719541433 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object PAME-DC-1
 group-object MSP-DC-1
!
object-group network DC-WAAS 
 description WAE Appliances in Data Center
 host 192.168.48.10
 host 192.168.49.10
 host 192.168.47.11
 host 192.168.47.12
!
object-group network CSM_INLINE_src_rule_68719541437 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object DC-Admin
 group-object DC-WAAS
!
object-group network DC-POS-Tomax 
 description Tomax POS Communication from Store to Data Center
 192.168.52.96 255.255.255.224
!
object-group network DC-POS-SAP 
 description SAP POS Communication from Store to Data Center
 192.168.52.144 255.255.255.240
!
object-group network DC-POS-Oracle 
 description Oracle POS Communication from Store to Data Center
 192.168.52.128 255.255.255.240
!
object-group network CSM_INLINE_src_rule_73014451215 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object DC-Admin
 group-object DC-POS-Tomax
 group-object DC-POS-SAP
 group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_73014451217 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-Small/mandatory)
 group-object DC-Admin
 group-object DC-POS-Tomax
 group-object DC-POS-SAP
 group-object DC-POS-Oracle
!
object-group service CSM_INLINE_svc_rule_68719541409 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq 443
 tcp eq 22
!
object-group service CSM_INLINE_svc_rule_68719541425 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 icmp echo
 icmp echo-reply
 icmp traceroute
 icmp unreachable
!
object-group service CSM_INLINE_svc_rule_68719541427 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 icmp echo
 icmp echo-reply
 icmp traceroute
 icmp unreachable
!
object-group service LWAPP 
 description LWAPP UDP ports 12222 and 12223
 udp eq 12222
 udp eq 12223
!
object-group service TFTP 
 description Trivial File Transfer
 tcp eq 69
 udp eq tftp
!
object-group service IP-Protocol-97 
 description IP protocol 97
 97
!
object-group service CSM_INLINE_svc_rule_68719541429 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq 443
 tcp eq www
 tcp eq 22
 tcp eq telnet
 udp eq isakmp
 group-object CAPWAP
 group-object LWAPP
 group-object TFTP
 group-object IP-Protocol-97
!
object-group service Cisco-Mobility 
 description Mobility ports for Wireless
 udp eq 16666
 udp eq 16667
!
object-group service CSM_INLINE_svc_rule_68719541431 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 udp eq isakmp
 group-object CAPWAP
 group-object LWAPP
 group-object Cisco-Mobility
 group-object IP-Protocol-97
!
object-group service HTTPS-8443 
 tcp eq 8443
!
object-group service Microsoft-DS-SMB 
 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
 tcp eq 445
!
object-group service CSM_INLINE_svc_rule_68719541437 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp
 tcp eq 139
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_68719541439 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp
 tcp eq 139
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_68719541455 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 icmp
 tcp-udp eq 5060
 tcp eq 2000
 tcp eq www
 tcp eq 443
 group-object TFTP
!
object-group service CSM_INLINE_svc_rule_68719541457 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp-udp eq 5060
 tcp eq 2000
!
object-group service Netbios 
 description Netbios Servers
 udp eq netbios-dgm
 udp eq netbios-ns
 tcp eq 139
!
object-group service ORACLE-SIM 
 description Oracle Store Inventory Management
 tcp eq 7777
 tcp eq 6003
 tcp range 12401 12500
!
object-group service RDP 
 description Windows Remote Desktop
 tcp eq 3389
!
object-group service Workbrain 
 tcp eq 8444
!
object-group service CSM_INLINE_svc_rule_68719541459 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq ftp
 tcp eq www
 tcp eq 443
 udp eq 88
 tcp-udp eq 42
 group-object Microsoft-DS-SMB
 group-object Netbios
 group-object ORACLE-SIM
 group-object RDP
 group-object Workbrain
!
object-group service CSM_INLINE_svc_rule_73014451187 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 udp eq syslog
 udp eq snmp
 udp eq snmptrap
!
object-group service CSM_INLINE_svc_rule_73014451193 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq tacacs
 udp eq 1812
 udp eq 1813
 tcp eq 389
 tcp eq 636
!
object-group service vCenter-to-ESX4 
 description Communication from vCetner to ESX hosts
 tcp eq 5989
 tcp eq 8000
 tcp eq 902
 tcp eq 903
!
object-group service CSM_INLINE_svc_rule_73014451195 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq www
 tcp eq 443
 tcp eq 22
 group-object vCenter-to-ESX4
!
object-group service ESX-SLP 
 description CIM Service Location Protocol (SLP) for VMware systems
 udp eq 427
 tcp eq 427
!
object-group service CSM_INLINE_svc_rule_73014451197 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq 443
 group-object vCenter-to-ESX4
 group-object ESX-SLP
!
object-group service ORACLE-RMI 
 description RMI TCP ports 1300 and 1301-1319.
 tcp range 1300 1319
!
object-group service ORACLE-Weblogic 
 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
 tcp eq 7001
 tcp eq 7002
 tcp eq 1521
!
object-group service ORACLE-WAS 
 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414
 tcp eq 2809
 tcp eq 9443
 tcp eq 1414
!
object-group service ORACLE-OAS 
 description OAS uses one port for HTTP and RMI - 12601.
 tcp eq 12601
!
object-group service CSM_INLINE_svc_rule_73014451203 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq 443
 tcp eq 22
 group-object ORACLE-RMI
 group-object ORACLE-Weblogic
 group-object ORACLE-WAS
 group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_73014451205 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq 443
 tcp eq 22
 group-object ORACLE-RMI
 group-object ORACLE-Weblogic
 group-object ORACLE-WAS
 group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_73014451207 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq 443
 tcp eq 22
 group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_73014451209 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq 443
 tcp eq 22
 group-object HTTPS-8443
!
object-group service TOMAX-8990 
 description Tomax Application Port
 tcp eq 8990
!
object-group service CSM_INLINE_svc_rule_73014451211 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq 443
 group-object TOMAX-8990
!
object-group service CSM_INLINE_svc_rule_73014451213 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq 443
 group-object TOMAX-8990
!
object-group service ICMP-Requests 
 description ICMP requests
 icmp information-request
 icmp mask-request
 icmp timestamp-request
!
object-group service CSM_INLINE_svc_rule_73014451215 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 icmp echo
 icmp echo-reply
 icmp traceroute
 icmp unreachable
 icmp redirect
 icmp alternate-address
 group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_73014451217 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 icmp echo
 icmp echo-reply
 icmp traceroute
 icmp unreachable
 icmp redirect
 icmp alternate-address
 group-object ICMP-Requests
!
object-group service DNS-Resolving 
 description Domain Name Server
 tcp eq domain
 udp eq domain
!
object-group service CSM_INLINE_svc_rule_73014451221 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 udp eq bootps
 group-object DNS-Resolving
!
object-group service CSM_INLINE_svc_rule_73014451223 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq www
 tcp eq 443
 group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_73014451388 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp
 tcp eq 139
 group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_73014451393 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq www
 tcp eq 443
 tcp eq smtp
 tcp eq pop3
 tcp eq 143
!
object-group service CSM_INLINE_svc_rule_73014451395 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq www
 tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451397 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp
 udp
 tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451404 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq www
 tcp eq 443
!
object-group service CSM_INLINE_svc_rule_73014451406 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-Small/mandatory)
 tcp eq www
 tcp eq 443
 tcp eq smtp
 tcp eq pop3
 tcp eq 143
!
object-group network DC-Applications 
 description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager)
 192.168.180.0 255.255.254.0
!
object-group network DC-Voice 
 description Data Center Voice
 192.168.45.0 255.255.255.0
!
object-group network MS-Update 
 description Windows Update Server
 host 192.168.42.150
!
object-group network MSExchange 
 description Mail Server
 host 192.168.42.140
!
object-group service NTP 
 description NTP Protocols
 tcp eq 123
 udp eq ntp
!
object-group network NTP-Servers 
 description NTP Servers
 host 192.168.62.161
 host 162.168.62.162
!
object-group network STORE-POS 
 10.10.0.0 255.255.0.0
!
object-group network vSphere-1 
 description vSphere server for Lab
 host 192.168.41.102
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
!
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7
 match protocol http
 match protocol https
 match protocol microsoft-ds
 match protocol ms-sql
 match protocol ms-sql-m
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol oracle
 match protocol oracle-em-vp
 match protocol oraclenames
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_10
 match access-group name CSM_ZBF_CMAP_ACL_10
 match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16
 match protocol http
 match protocol https
 match protocol isakmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_23
 match access-group name CSM_ZBF_CMAP_ACL_23
 match class-map CSM_ZBF_CMAP_PLMAP_16
class-map type inspect match-all CSM_ZBF_CLASS_MAP_32
 match access-group name CSM_ZBF_CMAP_ACL_32
class-map type inspect match-all CSM_ZBF_CLASS_MAP_11
 match access-group name CSM_ZBF_CMAP_ACL_11
 match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5
 match protocol http
 match protocol https
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol netbios-ssn
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_22
 match access-group name CSM_ZBF_CMAP_ACL_22
 match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4
 match protocol http
 match protocol https
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_33
 match access-group name CSM_ZBF_CMAP_ACL_33
 match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8
 match protocol sip
 match protocol sip-tls
 match protocol skinny
 match protocol tftp
 match protocol http
 match protocol https
 match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_12
 match access-group name CSM_ZBF_CMAP_ACL_12
 match class-map CSM_ZBF_CMAP_PLMAP_8
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15
 match protocol http
 match protocol https
 match protocol netbios-ns
 match protocol netbios-dgm
 match protocol netbios-ssn
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_21
 match access-group name CSM_ZBF_CMAP_ACL_21
 match class-map CSM_ZBF_CMAP_PLMAP_15
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17
 match protocol http
 match protocol https
 match protocol imap3
 match protocol pop3
 match protocol pop3s
 match protocol smtp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_30
 match access-group name CSM_ZBF_CMAP_ACL_30
 match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9
 match protocol syslog
 match protocol syslog-conn
 match protocol snmp
 match protocol snmptrap
class-map type inspect match-all CSM_ZBF_CLASS_MAP_13
 match access-group name CSM_ZBF_CMAP_ACL_13
 match class-map CSM_ZBF_CMAP_PLMAP_9
class-map type inspect match-all CSM_ZBF_CLASS_MAP_20
 match access-group name CSM_ZBF_CMAP_ACL_20
 match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20
 match protocol http
 match protocol https
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol netbios-ssn
 match protocol ftp
 match protocol ssh
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_31
 match access-group name CSM_ZBF_CMAP_ACL_31
 match class-map CSM_ZBF_CMAP_PLMAP_20
class-map match-all BRANCH-BULK-DATA
 match protocol tftp
 match protocol nfs
 match access-group name BULK-DATA-APPS
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10
 match protocol ldaps
 match protocol ldap
 match protocol ldap-admin
 match protocol radius
 match protocol tacacs
 match protocol tacacs-ds
 match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_14
 match access-group name CSM_ZBF_CMAP_ACL_14
 match class-map CSM_ZBF_CMAP_PLMAP_10
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18
 match protocol http
 match protocol https
 match protocol udp
 match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_27
 match access-group name CSM_ZBF_CMAP_ACL_27
 match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22
 match protocol sip
 match protocol sip-tls
 match protocol skinny
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_36
 match access-group name CSM_ZBF_CMAP_ACL_36
 match class-map CSM_ZBF_CMAP_PLMAP_22
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11
 match protocol ntp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_15
 match access-group name CSM_ZBF_CMAP_ACL_15
 match class-map CSM_ZBF_CMAP_PLMAP_11
class-map type inspect match-all CSM_ZBF_CLASS_MAP_26
 match access-group name CSM_ZBF_CMAP_ACL_26
 match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12
 match protocol bootpc
 match protocol bootps
 match protocol udp
 match protocol tcp
 match protocol dns
 match protocol dhcp-failover
class-map type inspect match-all CSM_ZBF_CLASS_MAP_16
 match access-group name CSM_ZBF_CMAP_ACL_16
 match class-map CSM_ZBF_CMAP_PLMAP_12
class-map type inspect match-all CSM_ZBF_CLASS_MAP_25
 match access-group name CSM_ZBF_CMAP_ACL_25
 match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_34
 match access-group name CSM_ZBF_CMAP_ACL_34
class-map type inspect match-all CSM_ZBF_CLASS_MAP_17
 match access-group name CSM_ZBF_CMAP_ACL_17
 match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_24
 match access-group name CSM_ZBF_CMAP_ACL_24
 match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_35
 match access-group name CSM_ZBF_CMAP_ACL_35
 match class-map CSM_ZBF_CMAP_PLMAP_21
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13
 match protocol https
 match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_18
 match access-group name CSM_ZBF_CMAP_ACL_18
 match class-map CSM_ZBF_CMAP_PLMAP_13
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14
 match protocol http
 match protocol https
 match protocol user-8443
class-map type inspect match-all CSM_ZBF_CLASS_MAP_19
 match access-group name CSM_ZBF_CMAP_ACL_19
 match class-map CSM_ZBF_CMAP_PLMAP_14
class-map type inspect match-all CSM_ZBF_CLASS_MAP_29
 match access-group name CSM_ZBF_CMAP_ACL_29
 match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19
 match protocol http
 match protocol https
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_28
 match access-group name CSM_ZBF_CMAP_ACL_28
 match class-map CSM_ZBF_CMAP_PLMAP_19
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
 match protocol https
 match protocol ssh
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
 match access-group name CSM_ZBF_CMAP_ACL_1
 match class-map CSM_ZBF_CMAP_PLMAP_1
class-map type inspect match-all CSM_ZBF_CLASS_MAP_3
 match access-group name CSM_ZBF_CMAP_ACL_3
 match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2
 match protocol https
 match protocol http
 match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_2
 match access-group name CSM_ZBF_CMAP_ACL_2
 match class-map CSM_ZBF_CMAP_PLMAP_2
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
 match access-group name CSM_ZBF_CMAP_ACL_5
 match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3
 match protocol http
 match protocol https
 match protocol ssh
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_4
 match access-group name CSM_ZBF_CMAP_ACL_4
 match class-map CSM_ZBF_CMAP_PLMAP_3
class-map type inspect match-all CSM_ZBF_CLASS_MAP_7
 match access-group name CSM_ZBF_CMAP_ACL_7
 match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_6
 match access-group name CSM_ZBF_CMAP_ACL_6
 match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_9
 match access-group name CSM_ZBF_CMAP_ACL_9
 match protocol tcp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_6
 match protocol http
 match protocol https
 match protocol ssh
 match protocol telnet
 match protocol tftp
 match protocol isakmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_8
 match access-group name CSM_ZBF_CMAP_ACL_8
 match class-map CSM_ZBF_CMAP_PLMAP_6
class-map match-all BULK-DATA
 match ip dscp af11  af12 
class-map match-all INTERACTIVE-VIDEO
 match ip dscp af41  af42 
class-map match-any BRANCH-TRANSACTIONAL-DATA
 match protocol citrix
 match protocol ldap
 match protocol telnet
 match protocol sqlnet
 match protocol http url "*SalesReport*"
 match access-group name TRANSACTIONAL-DATA-APPS
class-map match-all BRANCH-MISSION-CRITICAL
 match access-group name MISSION-CRITICAL-SERVERS
class-map match-all VOICE
 match ip dscp ef 
class-map match-all MISSION-CRITICAL-DATA
 match ip dscp 25 
class-map match-any BRANCH-NET-MGMT
 match protocol snmp
 match protocol syslog
 match protocol dns
 match protocol icmp
 match protocol ssh
 match access-group name NET-MGMT-APPS
class-map match-all ROUTING
 match ip dscp cs6 
class-map match-all SCAVENGER
 match ip dscp cs1 
class-map match-all NET-MGMT
 match ip dscp cs2 
class-map match-any BRANCH-SCAVENGER
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
class-map match-any CALL-SIGNALING
 match ip dscp cs3 
class-map match-all TRANSACTIONAL-DATA
 match ip dscp af21  af22 
!
!
policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS-W
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS-W
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Guest
 class type inspect CSM_ZBF_CLASS_MAP_6
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_3
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W
 class type inspect CSM_ZBF_CLASS_MAP_6
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_3
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W
 class class-default
  drop log
policy-map BRANCH-LAN-EDGE-OUT
 class class-default
policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners
 class type inspect CSM_ZBF_CLASS_MAP_22
  inspect Inspect-1
 class class-default
  drop
policy-map type inspect CSM_ZBF_POLICY_S_WAAS_S_POS
 class class-default
  drop log
policy-map BRANCH-WAN-EDGE
 class VOICE
  priority percent 18
 class INTERACTIVE-VIDEO
  priority percent 15
 class CALL-SIGNALING
  bandwidth percent 5
 class ROUTING
  bandwidth percent 3
 class NET-MGMT
  bandwidth percent 2
 class MISSION-CRITICAL-DATA
  bandwidth percent 15
  random-detect
 class TRANSACTIONAL-DATA
  bandwidth percent 12
  random-detect dscp-based
 class BULK-DATA
  bandwidth percent 4
  random-detect dscp-based
 class SCAVENGER
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  random-detect
policy-map type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_18
 class type inspect CSM_ZBF_CLASS_MAP_28
  inspect Inspect-1
 class class-default
  drop
policy-map type inspect CSM_ZBF_POLICY_MAP_19
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_19
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_17
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_29
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_30
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_31
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_16
 class type inspect CSM_ZBF_CLASS_MAP_24
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_25
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_26
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_27
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_19
  inspect Inspect-1
 class class-default
  drop
policy-map type inspect CSM_ZBF_POLICY_MAP_17
 class type inspect CSM_ZBF_CLASS_MAP_25
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_26
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_27
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_19
  inspect Inspect-1
 class class-default
  drop
policy-map type inspect CSM_ZBF_POLICY_MAP_14
 class type inspect CSM_ZBF_CLASS_MAP_22
  inspect Inspect-1
 class class-default
  drop
policy-map type inspect CSM_ZBF_POLICY_MAP_15
 class type inspect CSM_ZBF_CLASS_MAP_13
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_14
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_17
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_23
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_12
 class type inspect CSM_ZBF_CLASS_MAP_13
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_14
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_19
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_17
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_20
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_21
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_19
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_17
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_30
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_34
  drop log
 class type inspect CSM_ZBF_CLASS_MAP_35
  inspect Inspect-1
 class class-default
  drop
policy-map type inspect CSM_ZBF_POLICY_S_MGMT_S_POS
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_13
 class type inspect CSM_ZBF_CLASS_MAP_13
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_14
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_17
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_21
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_20
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_19
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_17
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_32
  drop log
 class type inspect CSM_ZBF_CLASS_MAP_33
  inspect Inspect-1
 class class-default
  drop
policy-map type inspect CSM_ZBF_POLICY_MAP_10
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_11
 class type inspect CSM_ZBF_CLASS_MAP_13
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_14
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_18
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_17
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_22
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_19
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_17
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_36
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_9
 class type inspect CSM_ZBF_CLASS_MAP_13
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_14
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_15
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_16
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_17
  inspect Inspect-1
 class class-default
  drop
policy-map type inspect CSM_ZBF_POLICY_MAP_8
 class type inspect CSM_ZBF_CLASS_MAP_3
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_12
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_7
 class type inspect CSM_ZBF_CLASS_MAP_9
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_10
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_11
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_6
 class type inspect CSM_ZBF_CLASS_MAP_6
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_3
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_5
 class type inspect CSM_ZBF_CLASS_MAP_1
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_3
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_8
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_4
 class type inspect CSM_ZBF_CLASS_MAP_1
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_6
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_3
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_7
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_3
 class type inspect CSM_ZBF_CLASS_MAP_1
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_3
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_5
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_2
 class type inspect CSM_ZBF_CLASS_MAP_1
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_4
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_3
  inspect Inspect-1
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_MAP_1
 class type inspect CSM_ZBF_CLASS_MAP_1
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_2
  inspect Inspect-1
 class type inspect CSM_ZBF_CLASS_MAP_3
  inspect Inspect-1
 class class-default
  drop
policy-map type inspect CSM_ZBF_POLICY_S_Partners_S_POS
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_Security_S_POS
 class class-default
  drop log
policy-map BRANCH-LAN-EDGE-IN
 class BRANCH-MISSION-CRITICAL
  set ip dscp 25
 class BRANCH-TRANSACTIONAL-DATA
  set ip dscp af21
 class BRANCH-NET-MGMT
  set ip dscp cs2
 class BRANCH-BULK-DATA
  set ip dscp af11
 class BRANCH-SCAVENGER
  set ip dscp cs1
policy-map type inspect CSM_ZBF_POLICY_S_Data_S_POS
 class class-default
  drop log
policy-map type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W
 class class-default
  drop log
!
zone security S_WAN
 description Store WAN Link
zone security LOOPBACK
 description Loopback interface
zone security S_MGMT
 description VLAN1000 Management
zone security S_Security
 description VLAN20 Physical Security Systems
zone security S_WAAS
 description VLAN19 WAAS optimization
zone security S_WLC-AP
 description VLAN18 Wireless Systems
zone security S_Data
 description VLAN12 Store Data
zone security S_Data-W
 description VLAN14 Store Wireless Data
zone security S_Guest
 description VLAN17 Guest/Public Wireless
zone security S_Voice
 description VLAN13 Store Voice
zone security S_Partners
 description VLAN16 Partner network
zone security S_POS
 description VLAN 11 POS Data
zone security S_POS-W
 description VLAN15 Store Wireless POS
zone-pair security CSM_S_WAN-LOOPBACK_1 source S_WAN destination LOOPBACK
 service-policy type inspect CSM_ZBF_POLICY_MAP_1
zone-pair security CSM_S_WAN-S_MGMT_1 source S_WAN destination S_MGMT
 service-policy type inspect CSM_ZBF_POLICY_MAP_2
zone-pair security CSM_S_WAN-S_Security_1 source S_WAN destination S_Security
 service-policy type inspect CSM_ZBF_POLICY_MAP_3
zone-pair security CSM_S_WAN-S_WAAS_1 source S_WAN destination S_WAAS
 service-policy type inspect CSM_ZBF_POLICY_MAP_4
zone-pair security CSM_S_WAN-S_WLC-AP_1 source S_WAN destination S_WLC-AP
 service-policy type inspect CSM_ZBF_POLICY_MAP_5
zone-pair security CSM_S_WAN-S_Data_1 source S_WAN destination S_Data
 service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_Data-W_1 source S_WAN destination S_Data-W
 service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Data-W
zone-pair security CSM_S_WAN-S_Guest_1 source S_WAN destination S_Guest
 service-policy type inspect CSM_ZBF_POLICY_S_WAN_S_Guest
zone-pair security CSM_S_WAN-S_Partners_1 source S_WAN destination S_Partners
 service-policy type inspect CSM_ZBF_POLICY_MAP_6
zone-pair security CSM_S_WAN-S_POS_1 source S_WAN destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_POS-W_1 source S_WAN destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_MAP_7
zone-pair security CSM_S_WAN-S_Voice_1 source S_WAN destination S_Voice
 service-policy type inspect CSM_ZBF_POLICY_MAP_8
zone-pair security CSM_LOOPBACK-S_WAN_1 source LOOPBACK destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_9
zone-pair security CSM_LOOPBACK-S_POS_1 source LOOPBACK destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_LOOPBACK-S_POS-W_1 source LOOPBACK destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_LOOPBACK_S_POS-W
zone-pair security CSM_S_MGMT-S_WAN_1 source S_MGMT destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_11
zone-pair security CSM_S_MGMT-S_POS_1 source S_MGMT destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS
zone-pair security CSM_S_MGMT-S_POS-W_1 source S_MGMT destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_S_MGMT_S_POS-W
zone-pair security CSM_S_Security-S_WAN_1 source S_Security destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_12
zone-pair security CSM_S_Security-S_POS_1 source S_Security destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS
zone-pair security CSM_S_Security-S_POS-W_1 source S_Security destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_S_Security_S_POS-W
zone-pair security CSM_S_WAAS-S_WAN_1 source S_WAAS destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_13
zone-pair security CSM_S_WAAS-S_POS_1 source S_WAAS destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS
zone-pair security CSM_S_WAAS-S_POS-W_1 source S_WAAS destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_POS-W
zone-pair security CSM_S_WAAS-S_Data_1 source S_WAAS destination S_Data
 service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Data-W_1 source S_WAAS destination S_Data-W
 service-policy type inspect CSM_ZBF_POLICY_MAP_14
zone-pair security CSM_S_WAAS-S_Partners_1 source S_WAAS destination S_Partners
 service-policy type inspect CSM_ZBF_POLICY_S_WAAS_S_Partners
zone-pair security CSM_S_WLC-AP-S_WAN_1 source S_WLC-AP destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_15
zone-pair security CSM_S_WLC-AP-S_POS_1 source S_WLC-AP destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS
zone-pair security CSM_S_WLC-AP-S_POS-W_1 source S_WLC-AP destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_S_WLC-AP_S_POS-W
zone-pair security CSM_S_POS-S_WAN_1 source S_POS destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_16
zone-pair security CSM_S_POS-W-S_WAN_1 source S_POS-W destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_17
zone-pair security CSM_S_POS-W-S_POS_1 source S_POS-W destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_MAP_18
zone-pair security CSM_S_Data-S_POS_1 source S_Data destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS
zone-pair security CSM_S_Data-S_POS-W_1 source S_Data destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_S_Data_S_POS-W
zone-pair security CSM_S_Data-S_WAN_1 source S_Data destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_Data-W-S_POS_1 source S_Data-W destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS
zone-pair security CSM_S_Data-W-S_POS-W_1 source S_Data-W destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_S_Data-W_S_POS-W
zone-pair security CSM_S_Data-W-S_WAN_1 source S_Data-W destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_19
zone-pair security CSM_S_Guest-S_POS_1 source S_Guest destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS
zone-pair security CSM_S_Guest-S_POS-W_1 source S_Guest destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_S_Guest_S_POS-W
zone-pair security CSM_S_Guest-S_WAN_1 source S_Guest destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_20
zone-pair security CSM_S_Partners-S_POS_1 source S_Partners destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_S_Partners_S_POS
zone-pair security CSM_S_Partners-S_POS-W_1 source S_Partners destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_MAP_10
zone-pair security CSM_S_Partners-S_WAN_1 source S_Partners destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_21
zone-pair security CSM_S_Voice-S_POS_1 source S_Voice destination S_POS
 service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS
zone-pair security CSM_S_Voice-S_POS-W_1 source S_Voice destination S_POS-W
 service-policy type inspect CSM_ZBF_POLICY_S_Voice_S_POS-W
zone-pair security CSM_S_Voice-S_WAN_1 source S_Voice destination S_WAN
 service-policy type inspect CSM_ZBF_POLICY_MAP_22
! 
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.174.1 255.255.255.255
 ip pim sparse-dense-mode
 zone-member security LOOPBACK
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
 switchport access vlan 17
 switchport protected
!
interface FastEthernet2
 switchport access vlan 17
 switchport protected
!
interface FastEthernet3
 switchport access vlan 17
 switchport protected
!
interface FastEthernet4
 switchport access vlan 17
 switchport protected
!
interface FastEthernet5
 switchport access vlan 17
 switchport protected
!
interface FastEthernet6
 switchport access vlan 17
 switchport protected
!
interface FastEthernet7
 switchport access vlan 17
 switchport protected
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet8.1
!
interface GigabitEthernet0
 ip address 10.10.255.160 255.255.255.0
 ip ips Store-IPS in
 ip ips Store-IPS out
 zone-member security S_WAN
 duplex auto
 speed auto
 service-policy output BRANCH-WAN-EDGE
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 10.10.174.33 255.255.255.252
 zone-member security S_WLC-AP
 service-module ip address 10.10.174.34 255.255.255.252
 service-module ip default-gateway 10.10.174.33
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 zone-member security S_WLC-AP
 service-module ip address 10.10.174.34 255.255.255.252
 service-module ip default-gateway 10.10.174.33
!
interface Vlan1
 no ip address
 ip ips Store-IPS in
 ip ips Store-IPS out
 zone-member security S_POS
!
interface Vlan11
 description POS
 ip address 10.10.160.2 255.255.255.0
 ip helper-address 192.168.42.130
 ip pim sparse-dense-mode
 ip ips Store-IPS in
 ip ips Store-IPS out
 zone-member security S_POS
 standby 11 ip 10.10.160.1
 standby 11 priority 101
 standby 11 preempt
 ip igmp query-interval 125
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan12
 description DATA
 ip address 10.10.161.2 255.255.255.0
 ip helper-address 192.168.42.130
 ip wccp 61 redirect in
 ip pim sparse-dense-mode
 zone-member security S_Data
 standby 12 ip 10.10.161.1
 standby 12 priority 101
 standby 12 preempt
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan13
 description VOICE
 ip address 10.10.162.2 255.255.255.0
 ip helper-address 192.168.42.130
 ip pim sparse-dense-mode
 zone-member security S_Voice
 standby 13 ip 10.10.162.1
 standby 13 priority 101
 standby 13 preempt
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan14
 description WIRELESS
 ip address 10.10.163.2 255.255.255.0
 ip helper-address 192.168.42.130
 zone-member security S_Data-W
 standby 14 ip 10.10.163.1
 standby 14 priority 101
 standby 14 preempt
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan15
 description WIRELESS-POS
 ip address 10.10.164.2 255.255.255.0
 ip helper-address 192.168.42.130
 ip ips Store-IPS in
 ip ips Store-IPS out
 zone-member security S_POS-W
 standby 15 ip 10.10.164.1
 standby 15 priority 101
 standby 15 preempt
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan16
 description PARTNER
 ip address 10.10.165.2 255.255.255.0
 ip helper-address 192.168.42.130
 zone-member security S_Partners
 standby 16 ip 10.10.165.1
 standby 16 priority 101
 standby 16 preempt
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan17
 description WIRELESS-GUEST
 ip address 10.10.166.2 255.255.255.0
 ip helper-address 192.168.42.130
 zone-member security S_Guest
 standby 17 ip 10.10.166.1
 standby 17 priority 101
 standby 17 preempt
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan18
 description WIRELESS-CONTROL
 ip address 10.10.167.2 255.255.255.0
 ip helper-address 192.168.42.130
 zone-member security S_WLC-AP
 standby 18 ip 10.10.167.1
 standby 18 priority 101
 standby 18 preempt
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan19
 description WAAS
 ip address 10.10.168.2 255.255.255.0
 ip helper-address 192.168.42.130
 zone-member security S_WAAS
 standby 19 ip 10.10.168.1
 standby 19 priority 101
 standby 19 preempt
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan20
 description SECURITY
 ip address 10.10.169.2 255.255.255.0
 ip helper-address 192.168.42.130
 zone-member security S_Security
 standby 20 ip 10.10.169.1
 standby 20 priority 101
 standby 20 preempt
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Vlan1000
 description MANAGEMENT
 ip address 10.10.175.2 255.255.255.0
 zone-member security S_MGMT
 standby 100 ip 10.10.175.1
 standby 100 priority 101
 standby 100 preempt
 service-policy input BRANCH-LAN-EDGE-IN
 service-policy output BRANCH-LAN-EDGE-OUT
!
interface Async1
 no ip address
 encapsulation slip
!
interface Group-Async0
 physical-layer async
 no ip address
 encapsulation slip
 no group-range
!
router ospf 5
 router-id 10.10.174.1
 passive-interface default
!
no ip forward-protocol nd
!
!
no ip http server
ip http access-class 23
ip http authentication aaa login-authentication RETAIL
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha 
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 10.10.255.11
ip tacacs source-interface Loopback0
!
ip access-list extended BULK-DATA-APPS
 remark ---File Transfer---
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 remark ---E-mail traffic---
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq 143
 remark ---other EDM app protocols---
 permit tcp any any range 3460 3466
 permit tcp any range 3460 3466 any
 remark ---messaging services---
 permit tcp any any eq 2980
 permit tcp any eq 2980 any
 remark ---Microsoft file services---
 permit tcp any any range 137 139
 permit tcp any range 137 139 any
ip access-list extended CSM_ZBF_CMAP_ACL_1
 remark Data Center Mgmt to Devices
 permit object-group CSM_INLINE_svc_rule_68719541409 object-group CSM_INLINE_src_rule_68719541409 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_10
 remark Permit POS systems to talk to Data Center Servers
 permit object-group CSM_INLINE_svc_rule_73014451205 object-group DC-POS-Oracle object-group STORE-POS
 remark Permit POS systems to talk to Data Center Servers
 permit object-group CSM_INLINE_svc_rule_73014451209 object-group DC-POS-SAP object-group STORE-POS
 remark Permit POS systems to talk to Data Center Servers
 permit object-group CSM_INLINE_svc_rule_73014451213 object-group DC-POS-Tomax object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_11
 remark Permit POS systems to talk to Data Center Servers
 permit object-group CSM_INLINE_svc_rule_73014451215 object-group CSM_INLINE_src_rule_73014451215 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_12
 remark Data Center VOICE (wired and Wireless)
 permit object-group CSM_INLINE_svc_rule_68719541455 object-group DC-Voice object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_13
 remark Syslog and SNMP Alerts
 permit object-group CSM_INLINE_svc_rule_73014451187 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451187
ip access-list extended CSM_ZBF_CMAP_ACL_14
 remark Store to Data Center Authentications
 permit object-group CSM_INLINE_svc_rule_73014451193 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451193
ip access-list extended CSM_ZBF_CMAP_ACL_15
 remark Store to Data Center for NTP
 permit object-group NTP object-group Stores-ALL object-group NTP-Servers
ip access-list extended CSM_ZBF_CMAP_ACL_16
 remark Store to Data Center for DHCP and DNS
 permit object-group CSM_INLINE_svc_rule_73014451221 object-group Stores-ALL object-group ActiveDirectory.cisco-irn.com
ip access-list extended CSM_ZBF_CMAP_ACL_17
 remark Permit ICMP traffic
 permit object-group CSM_INLINE_svc_rule_68719541425 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541425
ip access-list extended CSM_ZBF_CMAP_ACL_18
 remark Store UCS Express to Data Center vShphere
 permit object-group CSM_INLINE_svc_rule_73014451197 object-group Stores-ALL object-group vSphere-1
ip access-list extended CSM_ZBF_CMAP_ACL_19
 remark Store NAC
 permit object-group CSM_INLINE_svc_rule_73014451223 object-group Stores-ALL object-group CSM_INLINE_dst_rule_73014451223
ip access-list extended CSM_ZBF_CMAP_ACL_2
 remark Data Center subscribe to IPS SDEE events
 permit tcp object-group RSA-enVision object-group Stores-ALL eq 443
ip access-list extended CSM_ZBF_CMAP_ACL_20
 remark Store to Data Center Physical Security
 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541435
ip access-list extended CSM_ZBF_CMAP_ACL_21
 remark Store WAAS (WAAS Devices need their own zone)
 permit object-group CSM_INLINE_svc_rule_68719541439 object-group Stores-ALL object-group DC-WAAS
ip access-list extended CSM_ZBF_CMAP_ACL_22
 remark Store WAAS to Clients and Servers
 permit object-group CSM_INLINE_svc_rule_73014451388 object-group Stores-ALL object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_23
 remark Store to Data Center wireless controller traffic
 permit object-group CSM_INLINE_svc_rule_68719541431 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541431
ip access-list extended CSM_ZBF_CMAP_ACL_24
 remark Permit POS systems to talk to Data Center Servers
 permit object-group CSM_INLINE_svc_rule_73014451203 object-group STORE-POS object-group DC-POS-Oracle
 remark Permit POS systems to talk to Data Center Servers
 permit object-group CSM_INLINE_svc_rule_73014451207 object-group STORE-POS object-group DC-POS-SAP
 remark Permit POS systems to talk to Data Center Servers
 permit object-group CSM_INLINE_svc_rule_73014451211 object-group STORE-POS object-group DC-POS-Tomax
ip access-list extended CSM_ZBF_CMAP_ACL_25
 remark Permit POS systems to talk to Data Center Servers
 permit object-group CSM_INLINE_svc_rule_73014451217 object-group CSM_INLINE_src_rule_73014451217 object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_26
 remark Store to Data Center for E-mail
 permit object-group CSM_INLINE_svc_rule_73014451393 object-group STORE-POS object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_27
 remark Store to Data Center for Windows Updates
 permit object-group CSM_INLINE_svc_rule_73014451395 object-group STORE-POS object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_28
 remark Permit POS clients to talk to store POS server
 permit object-group CSM_INLINE_svc_rule_73014451397 object-group STORE-POS object-group STORE-POS
ip access-list extended CSM_ZBF_CMAP_ACL_29
 remark Store to Data Center for Windows Updates
 permit object-group CSM_INLINE_svc_rule_73014451404 object-group Stores-ALL object-group MS-Update
ip access-list extended CSM_ZBF_CMAP_ACL_3
 remark Permit ICMP traffic
 permit object-group CSM_INLINE_svc_rule_68719541427 object-group CSM_INLINE_src_rule_68719541427 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_30
 remark Store to Data Center for E-mail
 permit object-group CSM_INLINE_svc_rule_73014451406 object-group Stores-ALL object-group MSExchange
ip access-list extended CSM_ZBF_CMAP_ACL_31
 remark Store DATA (wired and Wireless - Access to DC Other applications)
 permit object-group CSM_INLINE_svc_rule_68719541459 object-group Stores-ALL object-group DC-Applications
ip access-list extended CSM_ZBF_CMAP_ACL_32
 remark Store GUEST - Drop Traffic to Enterprise
 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541465
ip access-list extended CSM_ZBF_CMAP_ACL_33
 remark Store GUEST (access to internet/DMZ web servers)
 permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_34
 remark Store PARTNERS - Drop Traffic to Enterprise
 permit ip object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541461
ip access-list extended CSM_ZBF_CMAP_ACL_35
 remark Store PARTNERS (wired and wireless - Access to Partner site, Internet VPN)
 permit ip object-group Stores-ALL any
ip access-list extended CSM_ZBF_CMAP_ACL_36
 remark Store VOICE (wired and Wireless - Acess to corporate wide voice)
 permit object-group CSM_INLINE_svc_rule_68719541457 object-group Stores-ALL object-group CSM_INLINE_dst_rule_68719541457
ip access-list extended CSM_ZBF_CMAP_ACL_4
 remark Data Center vSphere to UCS Express
 permit object-group CSM_INLINE_svc_rule_73014451195 object-group vSphere-1 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_5
 remark Data Center to Store Physical Security
 permit ip object-group CSM_INLINE_src_rule_68719541433 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_6
 remark Data Center Mgmt to Devices
 permit object-group RDP object-group DC-Admin object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_7
 remark Data Center WAAS to Store
 permit object-group CSM_INLINE_svc_rule_68719541437 object-group CSM_INLINE_src_rule_68719541437 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_8
 remark Data Center Wireless Control to AP's and Controllers in stores
 permit object-group CSM_INLINE_svc_rule_68719541429 object-group CSM_INLINE_src_rule_68719541429 object-group Stores-ALL
ip access-list extended CSM_ZBF_CMAP_ACL_9
 remark Data Center Mgmt to Devices
 permit object-group RDP object-group DC-Admin object-group STORE-POS
ip access-list extended MISSION-CRITICAL-SERVERS
 remark ---POS Applications---
 permit ip any 192.168.52.0 0.0.0.255
ip access-list extended NET-MGMT-APPS
 remark - Router user Authentication - Identifies TACACS Control traffic
 permit tcp any any eq tacacs
 permit tcp any eq tacacs any
ip access-list extended TRANSACTIONAL-DATA-APPS
 remark ---Workbrain Application---
 remark --Large Store Clock Server to Central Clock Application
 permit tcp host 10.10.49.94 host 192.168.46.72 eq 8444
 remark --Large store Clock Server to CUAE
 permit tcp host 10.10.49.94 host 192.168.45.185 eq 8000
 remark ---LiteScape Application---
 permit ip any host 192.168.46.82
 permit ip any 239.192.0.0 0.0.0.255
 permit ip any host 239.255.255.250
 remark ---Remote Desktop---
 permit tcp any any eq 3389
 permit tcp any eq 3389 any
 remark ---Oracle SIM---
 permit tcp any 192.168.46.0 0.0.0.255 eq 7777
 permit tcp any 192.168.46.0 0.0.0.255 eq 6003
 permit tcp any 192.168.46.0 0.0.0.255 range 12401 12500
 permit tcp 192.168.46.0 0.0.0.255 eq 7777 any
 permit tcp 192.168.46.0 0.0.0.255 eq 6003 any
 permit tcp 192.168.46.0 0.0.0.255 range 12401 12500 any
!
logging esm config
logging trap debugging
logging source-interface Loopback0
logging 192.168.42.124
access-list 23 permit 192.168.41.101 log
access-list 23 permit 192.168.41.102 log
access-list 23 permit 192.168.42.111 log
access-list 23 permit 192.168.42.122 log
access-list 23 permit 192.168.42.124 log
access-list 23 permit 127.0.0.1 log
access-list 23 permit 192.168.42.131 log
access-list 23 permit 192.168.42.133 log
access-list 23 permit 192.168.42.138 log
access-list 23 permit 10.19.151.99 log
access-list 23 deny   any log
access-list 88 permit 192.168.42.124 log
access-list 88 deny   any log
!
!
!
!
!
snmp-server engineID remote 192.168.42.124 0000000000 
snmp-server user remoteuser remoteuser remote 192.168.42.124 v3 access  88
snmp-server user remoteuser remoteuser v3 
snmp-server group causer v3 priv 
snmp-server group remoteuser v3 noauth 
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps energywise
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server host 192.168.42.124 remoteuser 
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
!
!
control-plane
!
banner exec C
WARNING:
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
                    **** AUTHORIZED USERS ONLY! ****
 
   
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
 
   
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
 
   
banner incoming C
WARNING:
    **** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CMO Retail ****
                    **** AUTHORIZED USERS ONLY! ****
 
   
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER.  THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER  MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT.  UNAUTHORIZED USE OF  THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
 
   
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
 
   
banner login C
WARNING:
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
 
   
!
line con 0
 session-timeout 15  output
 exec-timeout 15 0
 login authentication RETAIL
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 2
 no activation-character
 no exec
 transport preferred none
 transport input ssh
 transport output none
line aux 0
 session-timeout 1  output
 exec-timeout 0 1
 privilege level 0
 login authentication RETAIL
 no exec
 transport preferred none
 transport output none
line vty 0 4
 session-timeout 15  output
 access-class 23 in
 exec-timeout 15 0
 logging synchronous
 login authentication RETAIL
 transport preferred none
 transport input ssh
 transport output none
line vty 5 15
 session-timeout 15  output
 access-class 23 in
 exec-timeout 15 0
 logging synchronous
 login authentication RETAIL
 transport preferred none
 transport input ssh
 transport output none
!
scheduler max-task-time 5000
ntp source Loopback0
ntp server 192.168.62.161 prefer
ntp server 192.168.62.162
end
 
   

r-a2-lrg-1

 
   
!
! Last configuration change at 00:54:49 PST Sat Apr 30 2011 by retail
! NVRAM config last updated at 00:54:49 PST Sat Apr 30 2011 by retail
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname R-A2-Lrg-1
!
boot-start-marker
boot system flash0 c3900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
security authentication failure rate 2 log
security passwords min-length 7
logging buffered 50000
no logging rate-limit
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login RETAIL group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated 
aaa accounting update newinfo
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting system default
 action-type start-stop
 group tacacs+
!
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PST recurring
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-72006796
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-72006796
 revocation-check none
!
!
crypto pki certificate chain TP-self-signed-72006796
 certificate self-signed 03
  <removed>
  	quit
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip multicast-routing 
!
!
no ip bootp server
ip domain name cisco-irn.com
ip name-server 192.168.42.130
ip port-map user-8443 port tcp 8443
ip inspect log drop-pkt
ip inspect audit-trail
ip ips config location flash0: retries 1 timeout 1
ip ips name Store-IPS
!
ip ips signature-category
  category all
   retired true
  category ios_ips default
   retired false
!
ip wccp 61
ip wccp 62
login block-for 1800 attempts 6 within 1800
login quiet-mode access-class 23
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 WAAS enable
parameter-map type inspect Inspect-1
 audit-trail on
 
   
parameter-map type trend-global trend-glob-map
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!
license udi pid C3900-SPE150/K9 sn <removed>
hw-module pvdm 0/0
!
!
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
object-group network ActiveDirectory.cisco-irn.com 
 host 192.168.42.130
!
object-group service CAPWAP 
 description CAPWAP UDP ports 5246 and 5247
 udp eq 5246
 udp eq 5247
!
object-group service CISCO-WAAS 
 description Ports for Cisco WAAS
 tcp eq 4050
!
object-group network EMC-NCM 
 description EMC Network Configuration Manager
 host 192.168.42.122
!
object-group network RSA-enVision 
 description RSA EnVision Syslog collector and SIM
 host 192.168.42.124
!
object-group network CSM_INLINE_dst_rule_81604380995 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object EMC-NCM
 group-object RSA-enVision
!
object-group network TACACS 
 description Csico Secure ACS server for TACACS and Radius
 host 192.168.42.131
!
object-group network RSA-AM 
 description RSA Authentication Manager for SecureID
 host 192.168.42.137
!
object-group network NAC-1 
 description ISE server for NAC
 host 192.168.42.111
!
object-group network CSM_INLINE_dst_rule_81604381001 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object ActiveDirectory.cisco-irn.com
 group-object TACACS
 group-object RSA-AM
 group-object NAC-1
!
object-group network NAC-2 
 host 192.168.42.112
!
object-group network CSM_INLINE_dst_rule_81604381037 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object NAC-2
 group-object NAC-1
!
object-group network DC-ALL 
 description All of the Data Center
 192.168.0.0 255.255.0.0
!
object-group network Stores-ALL 
 description all store networks
 10.10.0.0 255.255.0.0
!
object-group network CSM_INLINE_dst_rule_81604381039 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network WCSManager 
 description Wireless Manager
 host 192.168.43.135
!
object-group network DC-Wifi-Controllers 
 description Central Wireless Controllers for stores
 host 192.168.43.21
 host 192.168.43.22
!
object-group network DC-Wifi-MSE 
 description Mobility Service Engines
 host 192.168.43.31
 host 192.168.43.32
!
object-group network CSM_INLINE_dst_rule_81604381045 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object WCSManager
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
!
object-group network PAME-DC-1 
 host 192.168.44.111
!
object-group network MSP-DC-1 
 description Data Center VSOM
 host 192.168.44.121
!
object-group network CSM_INLINE_dst_rule_81604381049 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object PAME-DC-1
 group-object MSP-DC-1
!
object-group network CSM_INLINE_dst_rule_81604381059 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381067 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381071 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network CSM_INLINE_dst_rule_81604381150 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 10.10.126.0 255.255.255.0
 10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_dst_rule_81604381152 
 description Generated by CS-Manager from dst of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 10.10.126.0 255.255.255.0
 10.10.110.0 255.255.255.0
!
object-group network DC-Admin 
 description DC Admin Systems
 host 192.168.41.101
 host 192.168.41.102
!
object-group network CSManager 
 description Cisco Security Manager
 host 192.168.42.133
!
object-group network CSM_INLINE_src_rule_81604380993 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object DC-Admin
 group-object EMC-NCM
 group-object CSManager
!
object-group network DC-POS-Tomax 
 description Tomax POS Communication from Store to Data Center
 192.168.52.96 255.255.255.224
!
object-group network DC-POS-SAP 
 description SAP POS Communication from Store to Data Center
 192.168.52.144 255.255.255.240
!
object-group network DC-POS-Oracle 
 description Oracle POS Communication from Store to Data Center
 192.168.52.128 255.255.255.240
!
object-group network CSM_INLINE_src_rule_81604381021 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object DC-Admin
 group-object DC-POS-Tomax
 group-object DC-POS-SAP
 group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381023 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object DC-Admin
 group-object DC-POS-Tomax
 group-object DC-POS-SAP
 group-object DC-POS-Oracle
!
object-group network CSM_INLINE_src_rule_81604381041 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object DC-ALL
 group-object Stores-ALL
!
object-group network CSM_INLINE_src_rule_81604381043 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object WCSManager
 group-object DC-Wifi-Controllers
 group-object DC-Wifi-MSE
!
object-group network CSM_INLINE_src_rule_81604381047 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object PAME-DC-1
 group-object MSP-DC-1
!
object-group network DC-WAAS 
 description WAE Appliances in Data Center
 host 192.168.48.10
 host 192.168.49.10
 host 192.168.47.11
 host 192.168.47.12
!
object-group network CSM_INLINE_src_rule_81604381051 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 group-object DC-Admin
 group-object DC-WAAS
!
object-group network CSM_INLINE_src_rule_81604381150 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 10.10.126.0 255.255.255.0
 10.10.110.0 255.255.255.0
!
object-group network CSM_INLINE_src_rule_81604381152 
 description Generated by CS-Manager from src of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 10.10.126.0 255.255.255.0
 10.10.110.0 255.255.255.0
!
object-group service CSM_INLINE_svc_rule_81604380993 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq 443
 tcp eq 22
!
object-group service CSM_INLINE_svc_rule_81604380995 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 udp eq syslog
 udp eq snmp
 udp eq snmptrap
!
object-group service CSM_INLINE_svc_rule_81604381001 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq tacacs
 udp eq 1812
 udp eq 1813
 tcp eq 389
 tcp eq 636
!
object-group service vCenter-to-ESX4 
 description Communication from vCetner to ESX hosts
 tcp eq 5989
 tcp eq 8000
 tcp eq 902
 tcp eq 903
!
object-group service CSM_INLINE_svc_rule_81604381003 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq www
 tcp eq 443
 tcp eq 22
 group-object vCenter-to-ESX4
!
object-group service ESX-SLP 
 description CIM Service Location Protocol (SLP) for VMware systems
 udp eq 427
 tcp eq 427
!
object-group service CSM_INLINE_svc_rule_81604381005 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq 443
 group-object vCenter-to-ESX4
 group-object ESX-SLP
!
object-group service ORACLE-RMI 
 description RMI TCP ports 1300 and 1301-1319.
 tcp range 1300 1319
!
object-group service ORACLE-Weblogic 
 description HTTP/RMI and HTTPS/RMI-SSL 7001 & 7002. OracleAQ uses 1521.
 tcp eq 7001
 tcp eq 7002
 tcp eq 1521
!
object-group service ORACLE-WAS 
 description RMI/IIOP over 2809  HTTP over 9443 IBM-MQ 1414
 tcp eq 2809
 tcp eq 9443
 tcp eq 1414
!
object-group service ORACLE-OAS 
 description OAS uses one port for HTTP and RMI - 12601.
 tcp eq 12601
!
object-group service CSM_INLINE_svc_rule_81604381009 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq 443
 tcp eq 22
 group-object ORACLE-RMI
 group-object ORACLE-Weblogic
 group-object ORACLE-WAS
 group-object ORACLE-OAS
!
object-group service CSM_INLINE_svc_rule_81604381011 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq 443
 tcp eq 22
 group-object ORACLE-RMI
 group-object ORACLE-Weblogic
 group-object ORACLE-WAS
 group-object ORACLE-OAS
!
object-group service HTTPS-8443 
 tcp eq 8443
!
object-group service CSM_INLINE_svc_rule_81604381013 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq 443
 tcp eq 22
 group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381015 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq 443
 tcp eq 22
 group-object HTTPS-8443
!
object-group service TOMAX-8990 
 description Tomax Application Port
 tcp eq 8990
!
object-group service CSM_INLINE_svc_rule_81604381017 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq 443
 group-object TOMAX-8990
!
object-group service CSM_INLINE_svc_rule_81604381019 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq 443
 group-object TOMAX-8990
!
object-group service ICMP-Requests 
 description ICMP requests
 icmp information-request
 icmp mask-request
 icmp timestamp-request
!
object-group service CSM_INLINE_svc_rule_81604381021 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 icmp echo
 icmp echo-reply
 icmp traceroute
 icmp unreachable
 icmp redirect
 icmp alternate-address
 group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381023 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 icmp echo
 icmp echo-reply
 icmp traceroute
 icmp unreachable
 icmp redirect
 icmp alternate-address
 group-object ICMP-Requests
!
object-group service CSM_INLINE_svc_rule_81604381025 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq www
 tcp eq 443
 tcp eq smtp
 tcp eq pop3
 tcp eq 143
!
object-group service CSM_INLINE_svc_rule_81604381027 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq www
 tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381029 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp
 udp
 tcp eq 443
!
object-group service DNS-Resolving 
 description Domain Name Server
 tcp eq domain
 udp eq domain
!
object-group service CSM_INLINE_svc_rule_81604381035 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 udp eq bootps
 group-object DNS-Resolving
!
object-group service CSM_INLINE_svc_rule_81604381037 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq www
 tcp eq 443
 group-object HTTPS-8443
!
object-group service CSM_INLINE_svc_rule_81604381039 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 icmp echo
 icmp echo-reply
 icmp traceroute
 icmp unreachable
!
object-group service CSM_INLINE_svc_rule_81604381041 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 icmp echo
 icmp echo-reply
 icmp traceroute
 icmp unreachable
!
object-group service LWAPP 
 description LWAPP UDP ports 12222 and 12223
 udp eq 12222
 udp eq 12223
!
object-group service TFTP 
 description Trivial File Transfer
 tcp eq 69
 udp eq tftp
!
object-group service IP-Protocol-97 
 description IP protocol 97
 97
!
object-group service CSM_INLINE_svc_rule_81604381043 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq 443
 tcp eq www
 tcp eq 22
 tcp eq telnet
 udp eq isakmp
 group-object CAPWAP
 group-object LWAPP
 group-object TFTP
 group-object IP-Protocol-97
!
object-group service Cisco-Mobility 
 description Mobility ports for Wireless
 udp eq 16666
 udp eq 16667
!
object-group service CSM_INLINE_svc_rule_81604381045 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 udp eq isakmp
 group-object CAPWAP
 group-object LWAPP
 group-object Cisco-Mobility
 group-object IP-Protocol-97
!
object-group service Microsoft-DS-SMB 
 description Microsoft-DS Active Directory, Windows shares Microsoft-DS SMB file sharing
 tcp eq 445
!
object-group service CSM_INLINE_svc_rule_81604381051 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp
 tcp eq 139
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381053 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp
 tcp eq 139
 group-object CISCO-WAAS
 group-object HTTPS-8443
 group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381055 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp
 tcp eq 139
 group-object Microsoft-DS-SMB
!
object-group service CSM_INLINE_svc_rule_81604381057 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 icmp
 tcp-udp eq 5060
 tcp eq 2000
 tcp eq www
 tcp eq 443
 group-object TFTP
!
object-group service CSM_INLINE_svc_rule_81604381059 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp-udp eq 5060
 tcp eq 2000
!
object-group service CSM_INLINE_svc_rule_81604381061 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq www
 tcp eq 443
!
object-group service CSM_INLINE_svc_rule_81604381063 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq www
 tcp eq 443
 tcp eq smtp
 tcp eq pop3
 tcp eq 143
!
object-group service Netbios 
 description Netbios Servers
 udp eq netbios-dgm
 udp eq netbios-ns
 tcp eq 139
!
object-group service ORACLE-SIM 
 description Oracle Store Inventory Management
 tcp eq 7777
 tcp eq 6003
 tcp range 12401 12500
!
object-group service RDP 
 description Windows Remote Desktop
 tcp eq 3389
!
object-group service Workbrain 
 tcp eq 8444
!
object-group service CSM_INLINE_svc_rule_81604381065 
 description Generated by CS-Manager from service of ZbfInspectRule# 0 (Store-HA_v1/mandatory)
 tcp eq ftp
 tcp eq www
 tcp eq 443
 udp eq 88
 tcp-udp eq 42
 group-object Microsoft-DS-SMB
 group-object Netbios
 group-object ORACLE-SIM
 group-object RDP
 group-object Workbrain
!
object-group network DC-Applications 
 description Applications in the Data Center that are non-PCI related(Optimized by CS-Manager)
 192.168.180.0 255.255.254.0
!
object-group network DC-Voice 
 description Data Center Voice
 192.168.45.0 255.255.255.0
!
object-group network MS-Update 
 description Windows Update Server
 host 192.168.42.150
!
object-group network MSExchange 
 description Mail Server
 host 192.168.42.140
!
object-group service NTP 
 description NTP Protocols
 tcp eq 123
 udp eq ntp
!
object-group network NTP-Servers 
 description NTP Servers
 host 192.168.62.161
 host 162.168.62.162
!
object-group network STORE-POS 
 10.10.0.0 255.255.0.0
!
object-group network vSphere-1 
 description vSphere server for Lab
 host 192.168.41.102
!
username retail privilege 15 secret 5 <removed>
username bart privilege 15 secret 5 <removed>
username emc-ncm privilege 15 secret 5 <removed>
username bmcgloth privilege 15 secret 5 <removed>
username csmadmin privilege 15 secret 5 <removed>
!
redundancy
!
!
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_7
 match protocol http
 match protocol https
 match protocol microsoft-ds
 match protocol ms-sql
 match protocol ms-sql-m
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol oracle
 match protocol oracle-em-vp
 match protocol oraclenames
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_10
 match access-group name CSM_ZBF_CMAP_ACL_10
 match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_4
 match protocol http
 match protocol https
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_23
 match access-group name CSM_ZBF_CMAP_ACL_23
 match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_17
 match protocol http
 match protocol https
 match protocol imap3
 match protocol pop3
 match protocol pop3s
 match protocol smtp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_32
 match access-group name CSM_ZBF_CMAP_ACL_32
 match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-all CSM_ZBF_CLASS_MAP_11
 match access-group name CSM_ZBF_CMAP_ACL_11
 match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_14
 match protocol http
 match protocol https
 match protocol user-8443
class-map type inspect match-all CSM_ZBF_CLASS_MAP_22
 match access-group name CSM_ZBF_CMAP_ACL_22
 match class-map CSM_ZBF_CMAP_PLMAP_14
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_20
 match protocol http
 match protocol https
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol netbios-ssn
 match protocol ftp
 match protocol ssh
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_33
 match access-group name CSM_ZBF_CMAP_ACL_33
 match class-map CSM_ZBF_CMAP_PLMAP_20
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_8
 match protocol sip
 match protocol sip-tls
 match protocol skinny
 match protocol tftp
 match protocol http
 match protocol https
 match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_12
 match access-group name CSM_ZBF_CMAP_ACL_12
 match class-map CSM_ZBF_CMAP_PLMAP_8
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_13
 match protocol https
 match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_21
 match access-group name CSM_ZBF_CMAP_ACL_21
 match class-map CSM_ZBF_CMAP_PLMAP_13
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_19
 match protocol http
 match protocol https
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_30
 match access-group name CSM_ZBF_CMAP_ACL_30
 match class-map CSM_ZBF_CMAP_PLMAP_19
class-map type inspect match-all CSM_ZBF_CLASS_MAP_13
 match access-group name CSM_ZBF_CMAP_ACL_13
class-map type inspect match-all CSM_ZBF_CLASS_MAP_20
 match access-group name CSM_ZBF_CMAP_ACL_20
 match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_18
 match protocol http
 match protocol https
 match protocol udp
 match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_31
 match access-group name CSM_ZBF_CMAP_ACL_31
 match class-map CSM_ZBF_CMAP_PLMAP_18
class-map match-all BRANCH-BULK-DATA
 match protocol tftp
 match protocol nfs
 match access-group name BULK-DATA-APPS
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_5
 match protocol http
 match protocol https
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol netbios-ssn
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_14
 match access-group name CSM_ZBF_CMAP_ACL_14
 match class-map CSM_ZBF_CMAP_PLMAP_5
class-map type inspect match-all CSM_ZBF_CLASS_MAP_27
 match access-group name CSM_ZBF_CMAP_ACL_27
 match protocol icmp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_36
 match access-group name CSM_ZBF_CMAP_ACL_36
class-map type inspect match-all CSM_ZBF_CLASS_MAP_15
 match access-group name CSM_ZBF_CMAP_ACL_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_26
 match access-group name CSM_ZBF_CMAP_ACL_26
 match class-map CSM_ZBF_CMAP_PLMAP_7
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_21
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
class-map type inspect match-all CSM_ZBF_CLASS_MAP_37
 match access-group name CSM_ZBF_CMAP_ACL_37
 match class-map CSM_ZBF_CMAP_PLMAP_21
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_9
 match protocol syslog
 match protocol syslog-conn
 match protocol snmp
 match protocol snmptrap
class-map type inspect match-all CSM_ZBF_CLASS_MAP_16
 match access-group name CSM_ZBF_CMAP_ACL_16
 match class-map CSM_ZBF_CMAP_PLMAP_9
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_16
 match protocol http
 match protocol https
 match protocol isakmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_25
 match access-group name CSM_ZBF_CMAP_ACL_25
 match class-map CSM_ZBF_CMAP_PLMAP_16
class-map type inspect match-all CSM_ZBF_CLASS_MAP_34
 match access-group name CSM_ZBF_CMAP_ACL_34
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_10
 match protocol ldaps
 match protocol ldap
 match protocol ldap-admin
 match protocol radius
 match protocol tacacs
 match protocol tacacs-ds
 match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_17
 match access-group name CSM_ZBF_CMAP_ACL_17
 match class-map CSM_ZBF_CMAP_PLMAP_10
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_15
 match protocol http
 match protocol https
 match protocol netbios-ns
 match protocol netbios-dgm
 match protocol netbios-ssn
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_24
 match access-group name CSM_ZBF_CMAP_ACL_24
 match class-map CSM_ZBF_CMAP_PLMAP_15
class-map type inspect match-all CSM_ZBF_CLASS_MAP_35
 match access-group name CSM_ZBF_CMAP_ACL_35
 match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_11
 match protocol ntp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_18
 match access-group name CSM_ZBF_CMAP_ACL_18
 match class-map CSM_ZBF_CMAP_PLMAP_11
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_12
 match protocol bootpc
 match protocol bootps
 match protocol udp
 match protocol tcp
 match protocol dns
 match protocol dhcp-failover
class-map type inspect match-all CSM_ZBF_CLASS_MAP_19
 match access-group name CSM_ZBF_CMAP_ACL_19
 match class-map CSM_ZBF_CMAP_PLMAP_12
class-map type inspect match-all CSM_ZBF_CLASS_MAP_29
 match access-group name CSM_ZBF_CMAP_ACL_29
 match class-map CSM_ZBF_CMAP_PLMAP_18
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_22
 match protocol sip
 match protocol sip-tls
 match protocol skinny
 match protocol tcp
 match protocol udp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_38
 match access-group name CSM_ZBF_CMAP_ACL_38
 match class-map CSM_ZBF_CMAP_PLMAP_22
class-map type inspect match-all CSM_ZBF_CLASS_MAP_28
 match access-group name CSM_ZBF_CMAP_ACL_28
 match class-map CSM_ZBF_CMAP_PLMAP_17
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
 match protocol https
 match protocol ssh
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
 match access-group name CSM_ZBF_CMAP_ACL_1
 match class-map CSM_ZBF_CMAP_PLMAP_1
class-map type inspect match-all CSM_ZBF_CLASS_MAP_3
 match access-group name CSM_ZBF_CMAP_ACL_3
 match protocol icmp
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_2
 match protocol https
 match protocol http
 match protocol tcp
class-map type inspect match-all CSM_ZBF_CLASS_MAP_2
 match access-group name CSM_ZBF_CMAP_ACL_2
 match class-map CSM_ZBF_CMAP_PLMAP_2
class-map type inspect match-all CSM_ZBF_CLASS_MAP_5
 match access-group name CSM_ZBF_CMAP_ACL_5
 match class-map CSM_ZBF_CMAP_PLMAP_4
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_3
 match protocol http
 match protocol https
 match protocol ssh