: Saved
:
ASA Version 7.2(4)
!
hostname KKSPHQFW
domain-name kkscrew.com
enable password r7M9n5ux/WgJLKtp encrypted
passwd r7M9n5ux/WgJLKtp encrypted
names
name 192.168.25.0 PPWisc-internal description Pleasant Prairie, WI internal LAN
name 192.168.23.0 ECMich-internal description East China, MI internal LAN
name 192.168.24.0 SLMexi-internal description Mexico internal LAN
name 192.168.222.0 DMZ01-network description Glendale Heights, IL DMZ LAN
name 74.xx.xx.xx HQoutside-network description Glendale Heights, IL outside LAN
name 192.168.222.10 MAIL2 description Internal DMZ IP address of MAIL2 Server
name 74.xx.xx.xx MAIL2-public description Public IP address of MAIL2 server
name 74.xx.xx.xx Citrix-outside description Public address of Citrix Server
name 192.168.22.30 Citrix-inside description Internal address of Citrix Server
name 192.168.22.3 FoxWeb-inside description Internal IP address of FoxWeb Server
name 74.xx.xx.xx FoxWeb-outside description Public address of FoxWeb Server
name 192.168.22.135 HQCameras-inside description Internal IP address of DVR Camera system
name 74.xx.xx.xx HQCameras-outside description Public IP address of Camera / DVR system.
name 192.168.22.40 Inside-CFONEW description Mark Ollinger's Workstation
name 192.168.22.4 Inside-IT02 description Bob Brown's Workstation
name 74.xx.xx.xx Outside-CFONEW description Mark Ollinger's External Public IP address
name 74.xx.xx.xx Outside-IT02 description Public IP address to Bob's Workstation
name 192.168.22.0 HQinside-network description Glendale Heights, IL internal LAN
name 192.168.22.24 TFTP-inside
name 74.xx.xx.xx TFTP-outside
name 10.10.10.0 Remote-Access-Clients
name 192.168.26.0 Backup-Internal description Backup Link Subnet
name 192.168.22.165 BESServer description BlackBerry Enterprise Server
name 192.168.222.11 MAIL description Domain Integrated Mail Server
!
interface Vlan1
 description Ethernet interface connected to the Internal LAN of KKSP
 nameif inside
 security-level 100
 ip address 192.168.22.254 255.255.255.0
 ospf cost 10
!
interface Vlan2
 description Ethernet insterface connected to WAN Router (Samsung Ubigate iBG1000 on COVAD 2xT1s)
 nameif outside
 security-level 0
 ip address 74.xx.xx.xx 255.255.255.224
 ospf cost 10
!
interface Vlan12
 description DMZ for MAIL2 / Web Server
 nameif DMZ
 security-level 50
 ip address 192.168.222.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
 switchport trunk allowed vlan 1,9
!
interface Ethernet0/7
!
banner motd \\|//
banner motd (o o)
banner motd -----oOO---(_)------------
banner motd **************************************************************
banner motd * WARNING: This is a controlled access system with login *
banner motd * restricted to those with proper authorization. Authorized *
banner motd * parties are limited to those functions which have been *
banner motd * assigned to perform work related duties. Any unauthorized *
banner motd * access attempt will be investigated and prosecuted to the *
banner motd * full extent of the law. *
banner motd * -------------------------------------------------------- *
banner motd * YOUR IP ADDRESS HAS BEEN CAPTURED *
banner motd * -------------------------------------------------------- *
banner motd * If you are not an authorized user, disconnect now. *
banner motd **************************************************************
banner motd ------------------oOO-----
banner motd |__| |__|
banner motd | | | |
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name kkscrew.com
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network all_networks
 network-object HQinside-network 255.255.255.0
 network-object Backup-Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip HQinside-network 255.255.255.0 PPWisc-internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip HQinside-network 255.255.255.0 SLMexi-internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip HQinside-network 255.255.255.0 ECMich-internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip HQinside-network 255.255.255.0 Remote-Access-Clients 255.255.255.224
access-list inside_nat0_outbound extended permit ip Remote-Access-Clients 255.255.255.224 Remote-Access-Clients 255.255.255.224
access-list inside_nat0_outbound extended permit ip HQinside-network 255.255.255.0 Backup-Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip DMZ01-network 255.255.255.0 Backup-Internal 255.255.255.0
access-list outside_1_cryptomap extended permit ip HQinside-network 255.255.255.0 PPWisc-internal 255.255.255.0
access-list outside_2_cryptomap extended permit ip HQinside-network 255.255.255.0 SLMexi-internal 255.255.255.0
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit udp any host TFTP-outside eq tftp inactive
access-list outside_access_in extended permit tcp any host MAIL2-public eq www
access-list outside_access_in extended permit tcp any host MAIL2-public eq smtp
access-list outside_access_in extended permit tcp any host MAIL2-public eq pop3
access-list outside_access_in extended permit tcp any host MAIL2-public eq 3389 inactive
access-list outside_access_in extended permit tcp any host FoxWeb-outside eq www
access-list outside_access_in extended permit udp any host FoxWeb-outside eq 1604
access-list outside_access_in extended permit tcp any host FoxWeb-outside eq citrix-ica
access-list outside_access_in extended permit tcp any host FoxWeb-outside eq ftp
access-list outside_access_in remark This rule allows public access for our Citrix clients.
access-list outside_access_in extended permit tcp any host Citrix-outside eq citrix-ica
access-list outside_access_in extended permit udp any host Citrix-outside eq 1604
access-list outside_access_in extended permit tcp any host Citrix-outside eq ftp
access-list outside_access_in extended permit tcp any host HQCameras-outside eq 3389
access-list outside_access_in extended permit tcp any host HQCameras-outside eq 85
access-list outside_access_in remark This rule allows public access to Mark Ollinger's workstation via PC Anywhere
access-list outside_access_in extended permit tcp any host Outside-CFONEW eq pcanywhere-data
access-list outside_access_in remark This rule allows public access to Mark Ollinger's workstation via PC Anywhere
access-list outside_access_in extended permit udp any host Outside-CFONEW eq pcanywhere-status
access-list outside_access_in extended permit tcp any host Outside-IT02 eq pcanywhere-data
access-list outside_access_in extended permit udp any host Outside-IT02 eq pcanywhere-status
access-list outside_access_in extended permit icmp any host Citrix-outside object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit icmp any host MAIL2-public object-group DM_INLINE_ICMP_2
access-list outside_access_in extended permit tcp any host Citrix-outside eq 3389 inactive
access-list outside_cryptomap_3 extended permit ip HQinside-network 255.255.255.0 ECMich-internal 255.255.255.0
access-list DMZ_access_in extended permit tcp HQinside-network 255.255.255.0 DMZ01-network 255.255.255.0 eq www
access-list DMZ_access_in extended permit tcp any host MAIL2 eq www
access-list DMZ_access_in extended permit tcp any host MAIL eq www
access-list DMZ_access_in extended permit tcp any host MAIL2 eq pop3
access-list DMZ_access_in extended permit tcp any host MAIL eq pop3
access-list DMZ_access_in extended permit ip host MAIL2 any
access-list DMZ_access_in extended permit ip host MAIL any
access-list DMZ_access_in extended permit ip HQinside-network 255.255.255.0 host MAIL2
access-list DMZ_access_in extended permit ip HQinside-network 255.255.255.0 host MAIL
access-list DMZ_access_in extended permit ip any host MAIL2
access-list DMZ_access_in extended permit ip any host MAIL
access-list vpnclients_splitTunnelAcl standard permit HQinside-network 255.255.255.0
access-list vpnclients_splitTunnelAcl standard permit DMZ01-network 255.255.255.0
access-list vpnclients_splitTunnelAcl standard permit Remote-Access-Clients 255.255.255.224
access-list vpnclients_splitTunnelAcl standard permit Backup-Internal 255.255.255.0
access-list kksphqvpn_splitTunnelAcl standard permit Remote-Access-Clients 255.255.255.224
access-list kksphqvpn_splitTunnelAcl standard permit DMZ01-network 255.255.255.0
access-list kksphqvpn_splitTunnelAcl standard permit HQinside-network 255.255.255.0
access-list kksphqvpn_splitTunnelAcl standard permit Backup-Internal 255.255.255.0
access-list outside_4_cryptomap extended permit ip HQinside-network 255.255.255.0 Backup-Internal 255.255.255.0
access-list Split_Tunnel_for_L2L standard permit DMZ01-network 255.255.255.0
access-list Split_Tunnel_for_L2L standard permit SLMexi-internal 255.255.255.0
access-list Split_Tunnel_for_L2L standard permit ECMich-internal 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Backup-Internal 255.255.255.0 DMZ01-network 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPNIPPOOL 10.10.10.1-10.10.10.25 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (DMZ) 102 MAIL-192.168.222.30 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 101 0.0.0.0 0.0.0.0
static (DMZ,outside) MAIL2-public MAIL2 netmask 255.255.255.255
static (DMZ,inside) MAIL2 MAIL2 netmask 255.255.255.255
static (inside,outside) Outside-CFONEW Inside-CFONEW netmask 255.255.255.255
static (inside,outside) Citrix-outside Citrix-inside netmask 255.255.255.255
static (inside,outside) FoxWeb-outside FoxWeb-inside netmask 255.255.255.255
static (inside,outside) HQCameras-outside HQCameras-inside netmask 255.255.255.255
static (inside,outside) Outside-IT02 Inside-IT02 netmask 255.255.255.255
static (inside,DMZ) HQinside-network HQinside-network netmask 255.255.255.0
static (inside,outside) TFTP-outside TFTP-inside netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 74.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http HQinside-network 255.255.255.0 inside
http PPWisc-internal 255.255.255.0 inside
http SLMexi-internal 255.255.255.0 inside
http ECMich-internal 255.255.255.0 inside
snmp-server host inside HQCameras-inside community KKSPSNMP udp-port 161
snmp-server location KKSP HQ
snmp-server contact IS Administrator
snmp-server community KKSPSNMP
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-set esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA vpn-set
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 32.xx.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-SHA vpn-set
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 12.xx.xx.xx
crypto map outside_map 3 set transform-set ESP-3DES-SHA vpn-set
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.xx.xx.xx
crypto map outside_map 4 set transform-set vpn-set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 90
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet HQinside-network 255.255.255.0 inside
telnet PPWisc-internal 255.255.255.0 inside
telnet SLMexi-internal 255.255.255.0 inside
telnet ECMich-internal 255.255.255.0 inside
telnet HQoutside-network 255.255.255.224 outside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
ntp server 18.103.0.198 source outside prefer
tftp-server inside TFTP-inside HQFW
group-policy kksphqvpn internal
group-policy kksphqvpn attributes
 dns-server value 192.168.22.33 64.105.189.26
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclients_splitTunnelAcl
 default-domain value kkscrew.com
group-policy DfltGrpPolicy_Split-Tunnel internal
group-policy DfltGrpPolicy_Split-Tunnel attributes
 password-storage disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_for_L2L
 intercept-dhcp 255.255.255.255 disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 client-access-rule none
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username rbrown password 2NfxSVhq4Ty9nQjM encrypted privilege 15
username rbrown attributes
 vpn-group-policy kksphqvpn
username lflorey password eXE9L2BpD7bbc.gD encrypted privilege 15
username k&kadmin password aWIS8YyiM.zy0FNN encrypted privilege 15
username ekaras password UouxrXDDotX3LkuG encrypted privilege 15
username ekaras attributes
 vpn-group-policy kksphqvpn
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 12.xx.xx.xx type ipsec-l2l
tunnel-group 12.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 32.xx.xx.xx type ipsec-l2l
tunnel-group 32.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 12.xx.xx.xx type ipsec-l2l
tunnel-group 12.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group kksphqvpn type ipsec-ra
tunnel-group kksphqvpn general-attributes
 address-pool VPNIPPOOL
 default-group-policy kksphqvpn
tunnel-group kksphqvpn ipsec-attributes
 pre-shared-key *
tunnel-group 12.xx.xx.xx type ipsec-l2l
tunnel-group 12.xx.xx.xx general-attributes
 default-group-policy DfltGrpPolicy_Split-Tunnel
tunnel-group 12.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:2d96cd5f1491c479bf1b0d0220828225
: end
asdm image disk0:/asdm/asdm-524.bin
asdm location PPWisc-internal 255.255.255.0 inside
asdm location ECMich-internal 255.255.255.0 inside
asdm location SLMexi-internal 255.255.255.0 inside
asdm location MAIL2 255.255.255.255 inside
asdm location Outside-CFONEW 255.255.255.255 inside
asdm location Inside-CFONEW 255.255.255.255 inside
asdm location Citrix-outside 255.255.255.255 inside
asdm location Citrix-inside 255.255.255.255 inside
asdm location Outside-IT02 255.255.255.255 inside
asdm location Inside-IT02 255.255.255.255 inside
asdm location FoxWeb-outside 255.255.255.255 inside
asdm location FoxWeb-inside 255.255.255.255 inside
asdm location HQCameras-outside 255.255.255.255 inside
asdm location HQCameras-inside 255.255.255.255 inside
asdm location TFTP-inside 255.255.255.255 inside
asdm location TFTP-outside 255.255.255.255 inside
asdm location Backup-Internal 255.255.255.0 inside
asdm location BESServer 255.255.255.255 inside
asdm location MAIL 255.255.255.255 inside
no asdm history enable