=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2021.05.

25 16:47:54 =~=~=~=~=~=~=~=~=~=~=~=

Firewall Mode [Routed]:

User enable_1 logged in to ciscoasa

Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa> write erase
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa> en
Password:
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system

***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting... (status 0x9)
..
INIT: INIT: Sending processes the TERM signal
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.15, RELEASE SOFTWARE

Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled Sat 03/30/2019 7:00:46.51 by wchen64

Current image running: Boot ROM0

Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory

MAC Address: ac:7a:56:1d:32:e3
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds. Boot in 9 seconds. Boot in 8
seconds. Boot in 7 seconds. Boot in 6 seconds.
Boot in 5 seconds. Boot in 4 seconds. Boot in 3
seconds. Boot in 2 seconds. Boot in 1 second.

Located '.boot_string' @ cluster 882887.

#
Attempt autoboot: "boot disk0:"
Located 'asa982-lfbff-k8.SPA' @ cluster 11.

###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
################################################################
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
65:01/00
Not automatically fixing this.
Starting check/repair pass.
Starting verification pass.
/dev/sdb1: 122 files, 821026/1918808 clusters
dosfsck(/dev/sdb1) returned 0
Mounting /dev/sdb1
IO Memory Nodes: 1
IO Memory Per Node: 205520896 bytes

Global Reserve Memory Per Node: 314572800 bytes Nodes=1

LCMB: got 205520896 bytes on numa-id=0, phys=0x108400000, virt=0x2aaaab000000

LCMB: HEAP-CACHE POOL got 312475648 bytes on numa-id=0, virt=0x7f7a51000000
LCMB: HEAP-CACHE POOL got 2097152 bytes on numa-id=0, virt=0x2aaaaac00000
Processor memory: 1527782315
POST started...
POST finished, result is 0 (hint: 1 means it failed)

Compiled on Sun 27-Aug-17 13:06 PDT by builders

Total NICs found: 14

i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: ac7a.561d.32e3
ivshmem rev03 Backplane Data Interface @ index 09 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface @ index 10 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface @ index 11 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 12 MAC: 0000.0000.0000
en_vtun rev00 Backplane Tap Interface @ index 13 MAC: 0000.0100.0001
WARNING: Attribute already exists in the dictionary.
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0xed19fd7a 0xa4fec1b2 0xd49015b4 0x9ac8c454
0x8f2c2291

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

This platform has a Base license.

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

Cisco Adaptive Security Appliance Software Version 9.8(2)

****************************** Warning *******************************

This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic

products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by

sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2017 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please
visit
http://www.cisco.com/go/asa-opensource

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.

170 West Tasman Drive
San Jose, California 95134-1706

Reading from flash...

Flash read failed
ERROR: MIGRATION - Could not get the startup configuration.

Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e

INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
ERROR: Inspect configuration of this type exists, first remove
that configuration and then add the new configuration
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol ip-options 1' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol smtp 25' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc 111' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands

INFO: Power-On Self-Test in process.

.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...

INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...

INFO: SW-DRBG health test passed.
Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]: no
Firewall Mode [Routed]: no
Firewall Mode [Routed]:
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# show run
: Saved

:
: Serial Number: JAD24170C1R
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password $sha512$5000$y5LcwQse2oE3MLTdwr1fCA==$RjvwkdKq2S8cCupbnU86Ng==
pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
<--- More ---> no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
<--- More ---> no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
<--- More ---> no security-level
no ip address
!
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
<--- More ---> service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
<--- More ---> class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
<--- More ---> message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later: no

In the future, if you would like to enable this feature,

issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# hostname CCNAS-ASA-A

CCNAS-ASA-A(config)# domain-name ccnaS security-com
CCNAS-ASA-A(config)# hostname CCNAS-SA ASA
CCNAS-ASA(config)# enable password cisco12345
CCNAS-ASA(config)# ing t g1/2
CCNAS-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
CCNAS-ASA(config-if)# security -level 1000
^
ERROR: % Invalid input detected at '^' marker.
CCNAS-ASA(config-if)# security-level 1000
CCNAS-ASA(config-if)# ip add
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# no shut
CCNAS-ASA(config-if)# int g1/1
CCNAS-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CCNAS-ASA(config-if)# a sec
CCNAS-ASA(config-if)# security-level 0
CCNAS-ASA(config-if)# ip add
CCNAS-ASA(config-if)# ip address 209.15 65.200.226 255.255.255.248
CCNAS-ASA(config-if)# no shut
CCNAS-ASA(config-if)# ing t g1/3
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# sec
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# ip add
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# no shut
CCNAS-ASA(config-if)# objec
CCNAS-ASA(config-if)# object net
CCNAS-ASA(config-if)# object network ins
CCNAS-ASA(config-if)# object network inside-net
CCNAS-ASA(config-network-object)# sub
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# obj
CCNAS-ASA(config-network-object)# objectnet net
CCNAS-ASA(config-network-object)# object network dmz-server
CCNAS-ASA(config-network-object)# host 191 2.168.2.3
CCNAS-ASA(config-network-object)# acc
CCNAS-ASA(config-network-object)# access-li
CCNAS-ASA(config-network-object)# access-list OUTSIDE-DMZ exte
CCNAS-ASA(config-network-object)# access-list OUTSIDE-DMZ extended per
CCNAS-ASA(config-network-object)# access-list OUTSIDE-DMZ extended permit ip
an$ended permit ip any host 192.168.2.3access-list
OUTSIDE-DMZ extended permit ip a$
CCNAS-ASA(config)# object t net
CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# i object network dmz-server
CCNAS-ASA(config-network-object)# net (dmz,outside) static 02 209.165.200.227
^
ERROR: % Invalid input detected at '^' marker.
CCNAS-ASA(config-network-object)# net (dmz,outside) static 209.165.200.227
?
ERROR: % Unrecognized command
CCNAS-ASA(config-network-object)# net ( ?

configure mode commands/options:

local Define a local pool of NET addresses
CCNAS-ASA(config-network-object)# net (dmz object network dmz-servernat
(inside,outside) dynamic interfacenat (inside,outside) dyobject network dmz-server
net (dmz,outside) static 209.165.200.227net (dmz,outside) static 209.165.200.227 at
(dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# acc
CCNAS-ASA(config-network-object)# access-gr
CCNAS-ASA(config-network-object)# access-group OUTSIDE-DMZ in inte
CCNAS-ASA(config-network-object)# access-group OUTSIDE-DMZ in interface out
CCNAS-ASA(config-network-object)# $ interface outside access-group OUTSIDE-DMZ in
interface outsid$
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
CCNAS-ASA(config)# username admin01 password admin01pass
CCNAS-ASA(config)#
CCNAS-ASA(config)# aaa aut
CCNAS-ASA(config)# aaa authentication
CCNAS-ASA(config)# aaa authentication te
CCNAS-ASA(config)# aaa authentication telnet con
CCNAS-ASA(config)# aaa authentication telnet console LOCAL
CCNAS-ASA(config)# aaa authentication telnet console LOCALsusername admin01
password admin01pass aaa authentication telnet console LOCALt console LOCAL
console LOCAL console LOCAL console LOCAL console LOCAL console LOCAL s console
LOCALs console LOCALh console LOCAL
CCNAS-ASA(config)# aaa authentication ssh console LOCAL console LOCAL console
LOCAL console LOCAL h console LOCALt console LOCALt console LOCALp console LOCAL
CCNAS-ASA(config)# http e server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10
CCNAS-ASA(config)# ssh timeout 10
CCNAS-ASA(config)# class-map ins
CCNAS-ASA(config)# class-map inspection_default
CCNAS-ASA(config-cmap)# match def
CCNAS-ASA(config-cmap)# match default-inspection-traffic
CCNAS-ASA(config-cmap)# policy -map global_policy
CCNAS-ASA(config-pmap)# class ins
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes

Keypair generation process begin. Please wait...
CCNAS-ASA(config)# copy run start

Source filename [running-config]?

Cryptochecksum: 72503e9d b6de4ade c45841af 0aae4f17

4968 bytes copied in 0.260 secs

CCNAS-ASA(config)# USERNAME ss use username SSL- -VPN-USER password
cisco12345
CCNAS-ASA(config)# e write erase
Erase configuration in flash memory? [confirm]
[OK]
CCNAS-ASA(config)# reload
System config has been modified. Save? [Y]es/[N]o: n
Proceed with reload? [confirm]
CCNAS-ASA(config)#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
Shutting down License Controller
Shutting down File system

***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting... (status 0x9)
..
INIT: INIT: Sending processes the TERM signal
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
Rom image verified correctly

Cisco Systems ROMMON, Version 1.1.15, RELEASE SOFTWARE

Copyright (c) 1994-2019 by Cisco Systems, Inc.
Compiled Sat 03/30/2019 7:00:46.51 by wchen64

Current image running: Boot ROM0

Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory

MAC Address: ac:7a:56:1d:32:e3

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.
Boot in 10 seconds. Boot in 9 seconds. Boot in 8
seconds. Boot in 7 seconds. Boot in 6 seconds.
Boot in 5 seconds. Boot in 4 seconds. Boot in 3
seconds. Boot in 2 seconds. Boot in 1 second.

Located '.boot_string' @ cluster 884626.

#
Attempt autoboot: "boot disk0:"
Located 'asa982-lfbff-k8.SPA' @ cluster 11.

###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
###################################################################################
################################################################
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
65:01/00
Not automatically fixing this.
Starting check/repair pass.
Starting verification pass.
/dev/sdb1: 120 files, 821025/1918808 clusters
dosfsck(/dev/sdb1) returned 0
Mounting /dev/sdb1
IO Memory Nodes: 1
IO Memory Per Node: 205520896 bytes

Global Reserve Memory Per Node: 314572800 bytes Nodes=1

LCMB: got 205520896 bytes on numa-id=0, phys=0x108000000, virt=0x2aaaab000000

LCMB: HEAP-CACHE POOL got 312475648 bytes on numa-id=0, virt=0x7f0ec9400000
LCMB: HEAP-CACHE POOL got 2097152 bytes on numa-id=0, virt=0x2aaaaac00000
Processor memory: 1527782315
POST started...
POST finished, result is 0 (hint: 1 means it failed)

Compiled on Sun 27-Aug-17 13:06 PDT by builders

Total NICs found: 14

i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: ac7a.561d.32e3
ivshmem rev03 Backplane Data Interface @ index 09 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface @ index 10 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface @ index 11 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 12 MAC: 0000.0000.0000
en_vtun rev00 Backplane Tap Interface @ index 13 MAC: 0000.0100.0001
WARNING: Attribute already exists in the dictionary.
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0xed19fd7a 0xa4fec1b2 0xd49015b4 0x9ac8c454
0x8f2c2291

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

This platform has a Base license.

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)

Cisco Adaptive Security Appliance Software Version 9.8(2)

****************************** Warning *******************************

This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic

products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by

sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2017 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please
visit
http://www.cisco.com/go/asa-opensource

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.

170 West Tasman Drive
San Jose, California 95134-1706

Reading from flash...

Flash read failed
ERROR: MIGRATION - Could not get the startup configuration.

Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e

INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
ERROR: Inspect configuration of this type exists, first remove
that configuration and then add the new configuration
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol ip-options 1' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol smtp 25' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc 111' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands

INFO: Power-On Self-Test in process.

.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...

INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...

INFO: SW-DRBG health test passed.
Pre-configure Firewall now through interactive prompts [yes]? no

User enable_1 logged in to ciscoasa

Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# show run
: Saved

:
: Serial Number: JAD24170C1R
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password $sha512$5000$vuhzI6h54/E94bYFsTro8Q==$zAYuV9cciNEzB9ojHC99Rg==
pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
<--- More ---> no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
<--- More ---> no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
 no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
<--- More ---> no security-level
no ip address
!
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
<--- More ---> service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
<--- More ---> class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
<--- More ---> message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa# conf
ERROR: % Incomplete command
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,

which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later: no
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# hostname CCNAS-ASA

CCNAS-ASA(config)# domain-name ccnasecurity.com
CCNAS-ASA(config)# enable password cisco12345
CCNAS-ASA(config)# interface G1/2
CCNAS-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
CCNAS-ASA(config-if)# security-level 100
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface G1/1
CCNAS-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CCNAS-ASA(config-if)# security-level 0
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface G1/3
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# access-list OUTSIDE-DMZ extended permit ip
an$ended permit ip any host 192.168.2.3access-list
OUTSIDE-DMZ extended permit ip a$
CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# object network dmz-server
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# access-group OUTSIDE-DMZ in interface outside
CCNAS-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
CCNAS-ASA(config)# username admin01 password admin01pass
CCNAS-ASA(config)# aaa authentication telnet console LOCAL
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
CCNAS-ASA(config)# aaa authentication http console LOCAL
CCNAS-ASA(config)# http server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10
CCNAS-ASA(config)# ssh timeout 10
CCNAS-ASA(config)# class-map inspection_default
CCNAS-ASA(config-cmap)# match default-inspection-traffic
CCNAS-ASA(config-cmap)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes

Keypair generation process begin. Please wait...
CCNAS-ASA(config)# copy u run start

Source filename [running-config]?

Cryptochecksum: 4ac0ff74 4f64f474 a186baaf df0b4e17

4968 bytes copied in 0.280 secs

CCNAS-ASA(config)# username REMOTE-USER password cisco12345
CCNAS-ASA(config)# =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2021.05.25 18:20:02
=~=~=~=~=~=~=~=~=~=~=~=