topic Confused with this ASA - VPN config issue in Network Security

Confused with this ASA - VPN config issue

JBeach2007 — Mon, 11 Mar 2019 23:59:05 GMT

Hello. Can anyone help me here? I am new to the ASA config and commands. Everything works well, enough, on this ASA except the VPN. A client can connect but cannot access anything inside or outside. Here is the config. Can someone please take a look and tell me why VPN is not working? I don't want to set up split-tunneling, I would prefer everything to go through the firewall. Also, if you see something else wrong (or have a better implementation) then please let me know.

------------------------------------------------------------------------------------------------------------------

ASA Version 8.4(2)
!
hostname FIREWALL_NAME
enable password Some_X's_here encrypted
passwd Some_X's_here encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/0.22
description Public Internet space via VLAN 22
vlan 22
nameif Public_Internet
security-level 0
ip address 1.3.3.7 255.255.255.248
!
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/1.42
description Private LAN space via VLAN 42
shutdown
vlan 42
nameif Private_CDATA
security-level 100
ip address 10.30.136.1 255.255.255.0
!
interface Ethernet0/1.69
description Private LAN space via VLAN 69
vlan 69
nameif Private_ODATA
security-level 100
ip address 10.30.133.1 255.255.255.0
!
interface Ethernet0/1.95
description Private LAN space via VLAN 95
shutdown
vlan 95
nameif Private_OVOICE
security-level 100
ip address 192.168.102.254 255.255.255.0
!
interface Ethernet0/1.96
description Private LAN space via VLAN 96
shutdown
vlan 96
nameif Private_CVOICE
security-level 100
ip address 192.168.91.254 255.255.255.0
!
interface Ethernet0/1.3610
description Private LAN subnet via VLAN 3610
shutdown
vlan 3610
nameif Private_CeDATA
security-level 100
ip address 10.10.100.18 255.255.255.240
!
interface Ethernet0/1.3611
description Private LAN space via VLAN 3611
shutdown
vlan 3611
nameif Private_CeVOICE
security-level 100
ip address 10.10.100.66 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.69.1 255.255.255.0
management-only
!
banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest

extent of the law.
banner exec
banner exec                                    ,
banner exec                                  .';
banner exec                              .-'` .'
banner exec                            ,`.-'-.`\
banner exec                           ; /     '-'
banner exec                           | \       ,-,
banner exec                           \ '-.__   )_`'._                      \|/
banner exec                            '.     ```      ``'--._[]--------------*
banner exec                           .-' ,                   `'-.           /|\
banner exec                            '-'`-._           ((   o   )
banner exec                                   `'--....(`- ,__..--'
banner exec                                            '-'`
banner exec
banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest

extent of the law.
banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest

extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CD_3610-GW
host 10.10.100.17
description First hop to 3610
object network CV_3611-GW
host 10.10.100.65
description First hop to 3611
object network GW_22-EXT
host 1.3.3.6
description First hop to 22
object service MS-RDC
service tcp source range 1024 65535 destination eq 3389
description Microsoft Remote Desktop Connection
object network HDC-LAN
subnet 192.168.200.0 255.255.255.0
description DC LAN subnet
object network HAM-LAN
subnet 192.168.110.0 255.255.255.0
description HAM LAN subnet
object service MSN
service tcp source range 1 65535 destination eq 1863
description MSN Messenger
object network BCCs
host 2.1.8.1
description BCCs server access
object network ODLW-EXT
host 7.1.1.5
description OTTDl
object network SWINDS-INT
host 10.30.133.67
description SWINDS server
object network SWINDS(192.x.x.x)-INT
host 192.168.100.67
description SWINDS server
object service YMSG
service tcp source range 1 65535 destination eq 5050
description Yahoo Messenger
object service c.b.ca1
service tcp source range 1 65535 destination eq citrix-ica
description Connections to the bc portal.
object service c.b.ca2
service tcp source range 1 65535 destination eq 2598
description Connections to the bc portal.
object service HTTP-EXT(7001)
service tcp source range 1 65535 destination eq 7001
description HTTP Extended on port 7001.
object service HTTP-EXT(8000-8001)
service tcp source range 1 65535 destination range 8000 8001
description HTTP Extended on ports 8000-8001.
object service HTTP-EXT(8080-8081)
service tcp source range 1 65535 destination range 8080 8081
description HTTP Extended on ports 8080-8081.
object service HTTP-EXT(8100)
service tcp source range 1 65535 destination eq 8100
description HTTP Extended on port 8100.
object service HTTP-EXT(8200)
service tcp source range 1 65535 destination eq 8200
description HTTP Extended on port 8200.
object service HTTP-EXT(8888)
service tcp source range 1 65535 destination eq 8888
description HTTP Extended on port 8888.
object service HTTP-EXT(9080)
service tcp source range 1 65535 destination eq 9080
description HTTP Extended on port 9080.
object service ntp
service tcp source range 1 65535 destination eq 123
description TCP NTP on port 123.
object network Pl-EXT
host 7.1.1.2
description OPl box.
object service Pl-Admin
service tcp source range 1 65535 destination eq 8443
description Pl Admin portal
object network FW-EXT
host 1.3.3.7
description External/Public interface IP address of firewall.
object network Rs-EXT
host 7.1.1.8
description Rs web portal External/Public IP.
object network DWDM-EXT
host 2.1.2.1
description DWDM.
object network HM_VPN-EXT
host 6.2.9.7
description HAM Man.
object network SIM_MGMT
host 2.1.1.1
description SIM Man.
object network TS_MGMT
host 2.1.1.4
description TS Man.
object network TS_MGMT
host 2.1.2.2
description TS Man.
object service VPN-TCP(1723)
service tcp source range 1 65535 destination eq pptp
description For PPTP control path.
object service VPN-UDP(4500)
service udp source range 1 65535 destination eq 4500
description For L2TP(IKEv1) and IKEv2.
object service VPN-TCP(443)
service tcp source range 1 65535 destination eq https
description For SSTP control and data path.
object service VPN-UDP(500)
service udp source range 1 65535 destination eq isakmp
description For L2TP(IKEv1) and IKEv2.
object network RCM
host 6.1.8.2
description RCM
object network RCM_Y
host 6.1.8.9
description RCM Y
object network r.r.r.c163
host 2.1.2.63
description RCV IP.
object network r.r.r.c227
host 2.1.2.27
description RCV IP.
object network v.t.c-EXT
host 2.5.1.2
description RTICR
object service VPN-TCP(10000)
service tcp source range 1 65535 destination eq 10000
description For TCP VPN over port 1000.
object service BGP-JY
service tcp source range 1 65535 destination eq 21174
description BPG
object network KooL
host 192.168.100.100
description KooL
object network FW_Test
host 1.3.3.7
description Testing other External IP
object network AO_10-30-133-0-LAN
range 10.30.133.0 10.30.133.229
description OLS 10.30.133.0/24
object network AC_10-30-136-0-LAN
subnet 10.30.136.0 255.255.255.0
description CLS 10.30.136.0/24
object network NETWORK_OBJ_192.168.238.0_27
subnet 192.168.238.0 255.255.255.224
object-group network All_Private_Interfaces
description All private interfaces
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
network-object 10.10.100.16 255.255.255.240
network-object 10.10.100.64 255.255.255.252
network-object 192.168.102.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service cb.ca
description All ports required for cb.ca connections.
service-object object c.b.ca1
service-object object c.b.ca2
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq snmp
object-group service FTP
description All FTP ports (20 + 21)
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group service HTTP-EXT
description HTTP Extended port ranges.
service-object object HTTP-EXT(7001)
service-object object HTTP-EXT(8000-8001)
service-object object HTTP-EXT(8080-8081)
service-object object HTTP-EXT(8100)
service-object object HTTP-EXT(8200)
service-object object HTTP-EXT(8888)
service-object object HTTP-EXT(9080)
object-group service ICMP_Any
description ICMP: Any Type, Any Code
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object icmp
object-group service NTP
description TCP and UPD NTP protocol
service-object object ntp
service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_3
group-object FTP
group-object HTTP-EXT
group-object ICMP_Any
group-object NTP
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object ip
object-group service DM_INLINE_SERVICE_4
group-object NTP
service-object tcp destination eq daytime
object-group network SWINDS
description Both Internal IP addresses (192 + 10)
network-object object SWINDS-INT
network-object object SWINDS(192.x.x.x)-INT
object-group service IM_Types
description All messenger type applications
service-object object MSN
service-object object YMSG
service-object tcp-udp destination eq talk
service-object tcp destination eq aol
service-object tcp destination eq irc
object-group service SNMP
description Both poll and trap ports.
service-object udp destination eq snmp
service-object udp destination eq snmptrap
object-group service DM_INLINE_SERVICE_2
group-object FTP
service-object object MS-RDC
service-object object Pl-Admin
group-object SNMP
object-group network DM_INLINE_NETWORK_1
network-object object FW-EXT
network-object object Rs-EXT
object-group network AMV
description connections for legacy AM
network-object object DWDM-EXT
network-object object HAM_MGMT
network-object object SIM_MGMT
network-object object TS_MGMT
network-object object TS_MGMT
object-group service IKEv2_L2TP
description IKEv2 and L2TP VPN configurations
service-object esp
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
object-group service PPTP
description PPTP VPN configuration
service-object gre
service-object object VPN-TCP(1723)
object-group service SSTP
description SSTP VPN configuration
service-object object VPN-TCP(443)
object-group network RvIPs
description Rv IP addresses
network-object object RCM
network-object object RCM_Y
network-object object r.r.r.c163
network-object object r.r.r.c227
network-object object v.t.c-EXT
object-group service Rvs
description Rv configuration.
service-object object VPN-TCP(10000)
service-object object VPN-UDP(500)
object-group service DM_INLINE_SERVICE_5
service-object object BGP-JY
service-object tcp destination eq bgp
object-group network Local_Private_Subnets
description OandCl DATA
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
access-list Public/Internet_access_out remark Block all IM traffic out.
access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
access-list Public/Internet_access_out remark Allow access to BMC portal
access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
access-list Public/Internet_access_out remark Allow basic services out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow WhoIS traffic out.
access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
access-list Public/Internet_access_out remark Allow Network Time protocols out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
access-list Public/Internet_access_out remark Allow BPG traffic out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow Kool server out.
access-list Public/Internet_access_out extended permit ip object KooL any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging mail notifications
logging from-address thisemail@address.local
logging recipient-address sendhere@address.com level errors
mtu Public_Internet 1500
mtu Private_CDATA 1500
mtu Private_ODATA 1500
mtu Private_OVOICE 1500
mtu Private_CVOICE 1500
mtu Private_CeDATA 1500
mtu Private_CeVOICE 1500
mtu management 1500
ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
ip verify reverse-path interface Public_Internet
ip verify reverse-path interface Private_CDATA
ip verify reverse-path interface Private_ODATA
ip verify reverse-path interface Private_OVOICE
ip verify reverse-path interface Private_CVOICE
ip verify reverse-path interface Private_CeDATA
ip verify reverse-path interface Private_CeVOICE
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Public_Internet
no asdm history enable
arp timeout 14400
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
access-group Public/Internet_access_out out interface Public_Internet
route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (Private_ODATA) host 10.30.133.21
timeout 5
nt-auth-domain-controller Cool_Transformer_Name
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.69.0 255.255.255.0 management
snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
snmp-server location OT
snmp-server contact theseguys@address.com
snmp-server community Some_*s_here
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
sysopt noproxyarp Public_Internet
sysopt noproxyarp Private_CDATA
sysopt noproxyarp Private_ODATA
sysopt noproxyarp Private_OVOICE
sysopt noproxyarp Private_CVOICE
sysopt noproxyarp Private_CeDATA
sysopt noproxyarp Private_CeVOICE
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Public_Internet_map interface Public_Internet
crypto ikev1 enable Public_Internet
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 10.30.133.0 255.255.255.0 Private_ODATA
ssh 192.168.69.0 255.255.255.0 management
ssh timeout 2
ssh version 2
console timeout 5
dhcprelay server 10.30.133.13 Private_ODATA
dhcprelay enable Private_CDATA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.30.133.13 prefer
ntp server 132.246.11.227
ntp server 10.30.133.21
webvpn
group-policy AO-VPN_Tunnel internal
group-policy AO-VPN_Tunnel attributes
dns-server value 10.30.133.21 10.30.133.13
vpn-tunnel-protocol ikev1
default-domain value ao.local
username helpme password Some_X's_here encrypted privilege 1
username helpme attributes
service-type nas-prompt
tunnel-group AO-VPN_Tunnel type remote-access
tunnel-group AO-VPN_Tunnel general-attributes
address-pool AO-VPN_Pool
authentication-server-group AD
default-group-policy AO-VPN_Tunnel
tunnel-group AO-VPN_Tunnel ipsec-attributes
ikev1 pre-shared-key Some_*s_here
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.200.25
prompt hostname context
no call-home reporting anonymous

------------------------------------------------------------------------------------------------------------------

Thanks,

Jeff.

Confused with this ASA - VPN config issue

Harish Balakrishnan — Tue, 25 Sep 2012 19:51:18 GMT

Hello jeff

Pretty long config .. can you give the following and see whether the PC can access internet after connecting to VPN

nat (Public_Internet,Public_Internet) dynamic interface

let me know the results , then we will troubleshoot further

Harish.

Confused with this ASA - VPN config issue

JBeach2007 — Tue, 25 Sep 2012 20:19:46 GMT

Yup, it is a looooong read. When I try to enter that command into the CLI I get an error stating, "ERROR: % Invalid input detected at '^' marker." The ^ marker is pointing under the start of the word "dynamic".

Jeff.

Confused with this ASA - VPN config issue

Harish Balakrishnan — Tue, 25 Sep 2012 20:32:07 GMT

try the following

object-group network VPNPOOL

network-object 192.168.238.0 255.255.255.224

//below command is to allow vpn devices to inside network

nat (Public_Internet,Private_ODATA) source static VPNPOOL VPNPOOL

//below command is to allow vpn devices to access internet

nat (Public_Internet,Public_Internet) source dynamic VPNPOOL interface

let me know how this goes

Harish.

Confused with this ASA - VPN config issue

Julio Carvajal — Wed, 26 Sep 2012 00:12:35 GMT

Hello Jeff,

Please try the following:

nat (Public_internet,Public_internet) 2 source dynamic NETWORK_OBJ_192.168.238.0_27 interface

Also with the configuration you have you should be able to access only the subnet behind the Private_ODATA interface that is 10.30.133.0 255.255.255.0

Any other question.. Sure.. Just remember to rate all of my answers.

Julio

Confused with this ASA - VPN config issue

JBeach2007 — Wed, 26 Sep 2012 18:13:20 GMT

I tried those commands but this started getting messy and so I looked at the current config and it was not the same as what I originally posted. Looks like some changes were implemented but not saved so the config that I posted what slightly different. Thank you for all your suggestions. Here is the new config, confirmed as the current running and saved config. Same situation as before though. I can connect using the Cisco VPN client but can only ping myself and can't get out to the Internet or access anything internal. If someone can take a look it would be greatly appreciated. The main difference is the VPN pool has been set as a subset of the 10.30.133.0 network instead of using a separate subnet (VPN pool is 10.30.133.200 - 10.30.133.230).

----------------------------------------------------------------------------------------------------------------

ASA Version 8.4(2)

hostname FIREWALL_NAME

enable password Some_X's_here encrypted

passwd Some_X's_here encrypted

names

interface Ethernet0/0

speed 100

duplex full

no nameif

no security-level

no ip address

interface Ethernet0/0.22

description Public Internet space via VLAN 22

vlan 22

nameif Public_Internet

security-level 0

ip address 1.3.3.7 255.255.255.248

interface Ethernet0/1

speed 100

duplex full

no nameif

no security-level

no ip address

interface Ethernet0/1.42

description Private LAN space via VLAN 42

shutdown

vlan 42

nameif Private_CDATA

security-level 100

ip address 10.30.136.1 255.255.255.0

interface Ethernet0/1.69

description Private LAN space via VLAN 69

vlan 69

nameif Private_ODATA

security-level 100

ip address 10.30.133.1 255.255.255.0

interface Ethernet0/1.95

description Private LAN space via VLAN 95

shutdown

vlan 95

nameif Private_OVOICE

security-level 100

ip address 192.168.102.254 255.255.255.0

interface Ethernet0/1.96

description Private LAN space via VLAN 96

shutdown

vlan 96

nameif Private_CVOICE

security-level 100

ip address 192.168.91.254 255.255.255.0

interface Ethernet0/1.3610

description Private LAN subnet via VLAN 3610

shutdown

vlan 3610

nameif Private_CeDATA

security-level 100

ip address 10.10.100.18 255.255.255.240

interface Ethernet0/1.3611

description Private LAN space via VLAN 3611

shutdown

vlan 3611

nameif Private_CeVOICE

security-level 100

ip address 10.10.100.66 255.255.255.252

interface Ethernet0/2

shutdown

no nameif

security-level 0

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.69.1 255.255.255.0

management-only

banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.

banner exec

banner exec ,

banner exec .';

banner exec .-'` .'

banner exec ,`.-'-.`\

banner exec ; / '-'

banner exec | \ ,-,

banner exec \ '-.__ )_`'._ \|/

banner exec '. ``` ``'--._[]--------------*

banner exec .-' , `'-. /|\

banner exec '-'`-._ (( o )

banner exec `'--....(`- ,__..--'

banner exec '-'`

banner exec

banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads

banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.

banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network CD_3610-GW

host 10.10.100.17

description First hop to 3610

object network CV_3611-GW

host 10.10.100.65

description First hop to 3611

object network GW_22-EXT

host 1.3.3.6

description First hop to 22

object network Ts-LAN

host 192.168.100.4

description TS

object service MS-RDC

service tcp source range 1024 65535 destination eq 3389

description Microsoft Remote Desktop Connection

object network HDC-LAN

subnet 192.168.200.0 255.255.255.0

description DC LAN subnet

object network HAM-LAN

subnet 192.168.110.0 255.255.255.0

description HAM LAN subnet

object service MSN

service tcp source range 1 65535 destination eq 1863

description MSN Messenger

object network BCCs

host 2.1.8.1

description BCCs server access

object network ODLW-EXT

host 7.1.1.5

description OTTDl

object network SWINDS-INT

host 10.30.133.67

description SWINDS server

object network SWINDS(192.x.x.x)-INT

host 192.168.100.67

description SWINDS server

object service YMSG

service tcp source range 1 65535 destination eq 5050

description Yahoo Messenger

object service c.b.ca1

service tcp source range 1 65535 destination eq citrix-ica

description Connections to the bc portal.

object service c.b.ca2

service tcp source range 1 65535 destination eq 2598

description Connections to the bc portal.

object service HTTP-EXT(7001)

service tcp source range 1 65535 destination eq 7001

description HTTP Extended on port 7001.

object service HTTP-EXT(8000-8001)

service tcp source range 1 65535 destination range 8000 8001

description HTTP Extended on ports 8000-8001.

object service HTTP-EXT(8080-8081)

service tcp source range 1 65535 destination range 8080 8081

description HTTP Extended on ports 8080-8081.

object service HTTP-EXT(8100)

service tcp source range 1 65535 destination eq 8100

description HTTP Extended on port 8100.

object service HTTP-EXT(8200)

service tcp source range 1 65535 destination eq 8200

description HTTP Extended on port 8200.

object service HTTP-EXT(8888)

service tcp source range 1 65535 destination eq 8888

description HTTP Extended on port 8888.

object service HTTP-EXT(9080)

service tcp source range 1 65535 destination eq 9080

description HTTP Extended on port 9080.

object service ntp

service tcp source range 1 65535 destination eq 123

description TCP NTP on port 123.

object network Pl-EXT

host 7.1.1.2

description OPl box.

object service Pl-Admin

service tcp source range 1 65535 destination eq 8443

description Pl Admin portal

object network FW-EXT

host 1.3.3.7

description External/Public interface IP address of firewall.

object network Rs-EXT

host 7.1.1.8

description Rs web portal External/Public IP.

object network DWDM-EXT

host 2.1.2.1

description DWDM.

object network HM_VPN-EXT

host 6.2.9.7

description HAM Man.

object network SIM_MGMT

host 2.1.1.1

description SIM Man.

object network TS_MGMT

host 2.1.1.4

description TS Man.

object network TS_MGMT

host 2.1.2.2

description TS Man.

object service VPN-TCP(1723)

service tcp source range 1 65535 destination eq pptp

description For PPTP control path.

object service VPN-UDP(4500)

service udp source range 1 65535 destination eq 4500

description For L2TP(IKEv1) and IKEv2.

object service VPN-TCP(443)

service tcp source range 1 65535 destination eq https

description For SSTP control and data path.

object service VPN-UDP(500)

service udp source range 1 65535 destination eq isakmp

description For L2TP(IKEv1) and IKEv2.

object network RCM

host 6.1.8.2

description RCM

object network RCM_Y

host 6.1.8.9

description RCM Y

object network r.r.r.c163

host 2.1.2.63

description RCV IP.

object network r.r.r.c227

host 2.1.2.27

description RCV IP.

object network v.t.c-EXT

host 2.5.1.2

description RTICR

object service VPN-TCP(10000)

service tcp source range 1 65535 destination eq 10000

description For TCP VPN over port 1000.

object service BGP-JY

service tcp source range 1 65535 destination eq 21174

description BPG

object network KooL

host 192.168.100.100

description KooL

object network FW_Test

host 1.3.3.7

description Testing other External IP

object network AO_10-30-133-0-LAN

subnet 10.30.133.0 255.255.255.0

description OLS 10.30.133.0/24

object network AC_10-30-136-0-LAN

subnet 10.30.136.0 255.255.255.0

description CLS 10.30.136.0/24

object-group network All_Private_Interfaces

description All private interfaces

network-object 10.30.133.0 255.255.255.0

network-object 10.30.136.0 255.255.255.0

network-object 10.10.100.16 255.255.255.240

network-object 10.10.100.64 255.255.255.252

network-object 192.168.102.0 255.255.255.0

network-object 192.168.91.0 255.255.255.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service cb.ca

description All ports required for cb.ca connections.

service-object object c.b.ca1

service-object object c.b.ca2

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq https

service-object udp destination eq snmp

object-group service FTP

description All FTP ports (20 + 21)

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

object-group service HTTP-EXT

description HTTP Extended port ranges.

service-object object HTTP-EXT(7001)

service-object object HTTP-EXT(8000-8001)

service-object object HTTP-EXT(8080-8081)

service-object object HTTP-EXT(8100)

service-object object HTTP-EXT(8200)

service-object object HTTP-EXT(8888)

service-object object HTTP-EXT(9080)

object-group service ICMP_Any

description ICMP: Any Type, Any Code

service-object icmp alternate-address

service-object icmp conversion-error

service-object icmp echo

service-object icmp echo-reply

service-object icmp information-reply

service-object icmp information-request

service-object icmp mask-reply

service-object icmp mask-request

service-object icmp mobile-redirect

service-object icmp parameter-problem

service-object icmp redirect

service-object icmp router-advertisement

service-object icmp router-solicitation

service-object icmp source-quench

service-object icmp time-exceeded

service-object icmp timestamp-reply

service-object icmp timestamp-request

service-object icmp traceroute

service-object icmp unreachable

service-object icmp6 echo

service-object icmp6 echo-reply

service-object icmp6 membership-query

service-object icmp6 membership-reduction

service-object icmp6 membership-report

service-object icmp6 neighbor-advertisement

service-object icmp6 neighbor-redirect

service-object icmp6 neighbor-solicitation

service-object icmp6 packet-too-big

service-object icmp6 parameter-problem

service-object icmp6 router-advertisement

service-object icmp6 router-renumbering

service-object icmp6 router-solicitation

service-object icmp6 time-exceeded

service-object icmp6 unreachable

service-object icmp

object-group service NTP

description TCP and UPD NTP protocol

service-object object ntp

service-object udp destination eq ntp

object-group service DM_INLINE_SERVICE_3

group-object FTP

group-object HTTP-EXT

group-object ICMP_Any

group-object NTP

service-object tcp-udp destination eq domain

service-object tcp-udp destination eq www

service-object tcp destination eq https

service-object tcp destination eq ssh

service-object ip

object-group service DM_INLINE_SERVICE_4

group-object NTP

service-object tcp destination eq daytime

object-group network SWINDS

description Both Internal IP addresses (192 + 10)

network-object object SWINDS-INT

network-object object SWINDS(192.x.x.x)-INT

object-group service IM_Types

description All messenger type applications

service-object object MSN

service-object object YMSG

service-object tcp-udp destination eq talk

service-object tcp destination eq aol

service-object tcp destination eq irc

object-group service SNMP

description Both poll and trap ports.

service-object udp destination eq snmp

service-object udp destination eq snmptrap

object-group service DM_INLINE_SERVICE_2

group-object FTP

service-object object MS-RDC

service-object object Pl-Admin

group-object SNMP

object-group network DM_INLINE_NETWORK_1

network-object object FW-EXT

network-object object Rs-EXT

object-group network AMV

description connections for legacy AM

network-object object DWDM-EXT

network-object object HAM_MGMT

network-object object SIM_MGMT

network-object object TS_MGMT

object-group service IKEv2_L2TP

description IKEv2 and L2TP VPN configurations

service-object esp

service-object object VPN-UDP(4500)

service-object object VPN-UDP(500)

object-group service PPTP

description PPTP VPN configuration

service-object gre

service-object object VPN-TCP(1723)

object-group service SSTP

description SSTP VPN configuration

service-object object VPN-TCP(443)

object-group network RvIPs

description Rv IP addresses

network-object object RCM

network-object object RCM_Y

network-object object r.r.r.c163

network-object object r.r.r.c227

network-object object v.t.c-EXT

object-group service Rvs

description Rv configuration.

service-object object VPN-TCP(10000)

service-object object VPN-UDP(500)

object-group service DM_INLINE_SERVICE_5

service-object object BGP-JY

service-object tcp destination eq bgp

object-group network Local_Private_Subnets

description OandCl DATA

network-object 10.30.133.0 255.255.255.0

network-object 10.30.136.0 255.255.255.0

object-group service IPSec

description IPSec traffic

service-object object VPN-UDP(4500)

service-object object VPN-UDP(500)

access-list Public/Internet_access_out remark Block all IM traffic out.

access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any

access-list Public/Internet_access_out remark Access from SWINDS to DLM portal

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT

access-list Public/Internet_access_out remark Allow access to BMC portal

access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs

access-list Public/Internet_access_out remark Allow basic services out.

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any

access-list Public/Internet_access_out remark Allow WhoIS traffic out.

access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois

access-list Public/Internet_access_out remark Allow Network Time protocols out.

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any

access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.

access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT

access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT

access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.

access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1

access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.

access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV

access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.

access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs

access-list Public/Internet_access_out remark Allow BPG traffic out.

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any

access-list Public/Internet_access_out remark Allow Kool server out.

access-list Public/Internet_access_out extended permit ip object KooL any

pager lines 24

logging enable

logging history informational

logging asdm informational

logging mail notifications

logging from-address thisemail@address.local

logging recipient-address sendhere@address.com level errors

mtu Public_Internet 1500

mtu Private_CDATA 1500

mtu Private_ODATA 1500

mtu Private_OVOICE 1500

mtu Private_CVOICE 1500

mtu Private_CeDATA 1500

mtu Private_CeVOICE 1500

mtu management 1500

ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224

ip verify reverse-path interface Public_Internet

ip verify reverse-path interface Private_CDATA

ip verify reverse-path interface Private_ODATA

ip verify reverse-path interface Private_OVOICE

ip verify reverse-path interface Private_CVOICE

ip verify reverse-path interface Private_CeDATA

ip verify reverse-path interface Private_CeVOICE

ip verify reverse-path interface management

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Public_Internet

no asdm history enable

arp timeout 14400

nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface

nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface

nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup

access-group Public/Internet_access_out out interface Public_Internet

route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1

route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1

route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1

route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1

route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1

route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1

route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1

route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1

route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.11.29 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1

route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1

route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1

route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1

route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1

route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1

route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1

route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1

route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1

route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1

route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1

route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1

route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1

route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server AD protocol nt

aaa-server AD (Private_ODATA) host 10.30.133.21

timeout 5

nt-auth-domain-controller Cool_Transformer_Name

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.69.0 255.255.255.0 management

snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c

snmp-server location OT

snmp-server contact theseguys@address.com

snmp-server community Some_*s_here

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps memory-threshold

snmp-server enable traps interface-threshold

snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable traps connection-limit-reached

snmp-server enable traps cpu threshold rising

snmp-server enable traps ikev2 start stop

snmp-server enable traps nat packet-discard

sysopt noproxyarp Public_Internet

sysopt noproxyarp Private_CDATA

sysopt noproxyarp Private_ODATA

sysopt noproxyarp Private_OVOICE

sysopt noproxyarp Private_CVOICE

sysopt noproxyarp Private_CeDATA

sysopt noproxyarp Private_CeVOICE

sysopt noproxyarp management

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Public_Internet_map interface Public_Internet

crypto ikev1 enable Public_Internet

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

client-update enable

telnet timeout 5

ssh 10.30.133.0 255.255.255.0 Private_ODATA

ssh 192.168.69.0 255.255.255.0 management

ssh timeout 2

ssh version 2

console timeout 5

dhcprelay server 10.30.133.13 Private_ODATA

dhcprelay enable Private_CDATA

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.30.133.13 prefer

ntp server 132.246.11.227

ntp server 10.30.133.21

webvpn

group-policy AO-VPN_Tunnel internal

group-policy AO-VPN_Tunnel attributes

dns-server value 10.30.133.21 10.30.133.13

vpn-tunnel-protocol ikev1

default-domain value ao.local

username helpme password Some_X's_here encrypted privilege 1

username helpme attributes

service-type nas-prompt

tunnel-group AO-VPN_Tunnel type remote-access

tunnel-group AO-VPN_Tunnel general-attributes

address-pool AO-VPN_Pool

authentication-server-group AD

default-group-policy AO-VPN_Tunnel

tunnel-group AO-VPN_Tunnel ipsec-attributes

ikev1 pre-shared-key Some_*s_here

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

class class-default

user-statistics accounting

service-policy global_policy global

smtp-server 192.168.200.25

prompt hostname context

no call-home reporting anonymous

----------------------------------------------------------------------------------------------------------------

Thanks in advance,

Jeff.

Confused with this ASA - VPN config issue

JBeach2007 — Thu, 27 Sep 2012 20:11:00 GMT

Just tried that and I got an error returned:

"ERROR: NETWORK_OBJ_192.168.238.0_27 doesn't match an existing object or object-group"

Cheers,

Jeff.