topic Re: Cisco ASA - cannot reach local IP addresses in Network Security https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708241#M534616 <HTML><HEAD></HEAD><BODY><P>Great! Glad I could help.</P></BODY></HTML> Sun, 31 Jul 2011 16:51:34 GMT clooney 2011-07-31T16:51:34Z Cisco ASA - cannot reach local IP addresses https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708236#M534609 <P>Hi,</P><P>I am trying to use VPN to access our local network addresses from anywhere on the internet.&nbsp; I have VPN setup on the ASA and I can connect with the Cisco VPN Client but I cannot telnet or ping any addresses on my local network.&nbsp; I can access public IP addresses.&nbsp; I don't se any routes under "Status/Statistics/Route Details" in my cisco VPN Client (when connected).&nbsp; I have tried connecting with serveral pc's and iPads with the same results.&nbsp; </P><P></P><P>We are trying to connect with users mark and t.reese using the DSIAdminUsers group.&nbsp; When we try to telnet or ping an internal address such as 10.1.1.225 or 97.0.0.69, it times out.</P><P></P><P>Can someone please look at the config and see what I am doing wrong.&nbsp; Any help is appreciated.</P><P></P><P>Thanks,</P><P>Mark</P><P></P><P>ASA Version 8.0(4) </P><P>!</P><P>hostname ciscoasa</P><P>domain-name default.domain.invalid</P><P>enable password mDnUbb1nQkpe6eG9 encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>name 97.0.0.250 tarantella</P><P>name 172.31.255.3 MGMT_HOST description Remote Network Management</P><P>name 97.0.0.56 axis-camera-1</P><P>name 10.99.0.60 axis-camera-2</P><P>!</P><P>interface GigabitEthernet0/0</P><P>nameif CABLE</P><P>security-level 0</P><P>ip address 95.36.115.66 255.255.255.248 </P><P>!</P><P>interface GigabitEthernet0/1</P><P>shutdown</P><P>nameif DSL</P><P>security-level 0</P><P>ip address 64.173.93.28 255.255.255.128 </P><P>!</P><P>interface GigabitEthernet0/2</P><P>nameif FIBER</P><P>security-level 0</P><P>ip address 25.181.205.2 255.255.255.240 </P><P>!</P><P>interface GigabitEthernet0/3</P><P>nameif inside</P><P>security-level 100</P><P>ip address 97.0.0.100 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P>shutdown</P><P>no nameif</P><P>no security-level</P><P>no ip address</P><P>!</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P>domain-name default.domain.invalid</P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 3144 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8080 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 100 </P><P>access-list 100 extended permit icmp any any echo-reply </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq https </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq www </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8081 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8082 </P><P>access-list 80 extended permit ip any 192.168.222.0 255.255.255.0 </P><P>access-list 80 extended permit ip any 172.31.253.0 255.255.254.0 </P><P>access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240 </P><P>access-list 80 extended permit ip any 192.168.222.0 255.255.255.224 </P><P>access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0 </P><P>access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0 </P><P>access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50 </P><P>access-list DSIAdminUsers_splitTunnelAcl standard permit any </P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging buffered informational</P><P>logging trap errors</P><P>logging asdm informational</P><P>mtu CABLE 1500</P><P>mtu DSL 1500</P><P>mtu FIBER 1500</P><P>mtu inside 1500</P><P>ip local pool VPNPOOL 192.168.222.1-192.168.222.10</P><P>ip local pool AdminPool 192.168.222.11-192.168.222.20</P><P>ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0</P><P>ip audit name DSI-Attack attack action alarm drop reset</P><P>ip audit name DSI-Alarm info action alarm</P><P>ip audit interface FIBER DSI-Alarm</P><P>ip audit interface FIBER DSI-Attack</P><P>ip audit interface inside DSI-Alarm</P><P>ip audit interface inside DSI-Attack</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any echo DSL</P><P>icmp permit any echo-reply DSL</P><P>icmp permit any unreachable DSL</P><P>icmp permit any unreachable FIBER</P><P>icmp permit any echo FIBER</P><P>icmp permit any echo-reply FIBER</P><P>asdm image disk0:/asdm-613.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (DSL) 1 interface</P><P>global (FIBER) 1 interface</P><P>nat (inside) 0 access-list 80</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255 </P><P>access-group 100 in interface FIBER</P><P>route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254</P><P>route inside 10.0.0.0 255.0.0.0 97.0.0.3 1</P><P>route inside 10.2.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.3.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.4.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.8.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.12.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.31.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.41.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.99.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 172.17.253.0 255.255.255.0 97.0.0.235 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5</P><P>aaa authentication http console LOCAL </P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication telnet console LOCAL </P><P>filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow </P><P>http server enable</P><P>http 0.0.0.0 0.0.0.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sla monitor 88</P><P>type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE</P><P>num-packets 3</P><P>timeout 1000</P><P>frequency 3</P><P>sla monitor schedule 88 life forever start-time now</P><P>crypto ipsec transform-set TSET esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map DCMAP 10 set pfs </P><P>crypto dynamic-map DCMAP 10 set transform-set TSET</P><P>crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800</P><P>crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map inside_dyn_map 20 set pfs </P><P>crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto map CMAP 1 match address GLSVPN</P><P>crypto map CMAP 1 set peer 66.129.114.59 </P><P>crypto map CMAP 1 set transform-set ESP-3DES-MD5</P><P>crypto map CMAP 1 set security-association lifetime seconds 28800</P><P>crypto map CMAP 1 set security-association lifetime kilobytes 4608000</P><P>crypto map CMAP 10 ipsec-isakmp dynamic DCMAP</P><P>crypto map CMAP interface FIBER</P><P>crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map</P><P>crypto map inside_map interface inside</P><P>crypto isakmp identity address </P><P>crypto isakmp enable FIBER</P><P>crypto isakmp enable inside</P><P>crypto isakmp policy 10</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash md5</P><P>group 2</P><P>lifetime 86400</P><P>crypto isakmp policy 65535</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash sha</P><P>group 2</P><P>lifetime 86400</P><P>!</P><P>track 1 rtr 88 reachability</P><P>telnet 0.0.0.0 0.0.0.0 inside</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 FIBER</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 5</P><P>console timeout 0</P><P>threat-detection basic-threat</P><P>threat-detection statistics host</P><P>threat-detection statistics port</P><P>threat-detection statistics protocol</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>webvpn</P><P>group-policy DfltGrpPolicy attributes</P><P>vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn</P><P>group-policy ASAVPN internal</P><P>group-policy ASAVPN attributes</P><P>dns-server value 24.217.0.3 63.162.197.99</P><P>vpn-tunnel-protocol IPSec svc </P><P>default-domain value dsidsi.com</P><P>group-policy DSIAdminUsers internal</P><P>group-policy DSIAdminUsers attributes</P><P>dns-server value 97.0.0.21 97.0.0.22</P><P>vpn-tunnel-protocol IPSec </P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl</P><P>default-domain value dsi.local</P><P>group-policy DSIVPNUser internal</P><P>group-policy DSIVPNUser attributes</P><P>dns-server value 97.0.0.21 97.0.0.22</P><P>vpn-tunnel-protocol IPSec </P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value DSIVPNUser_splitTunnelAcl</P><P>default-domain value dsi.local</P><P>username test password hmQhTUMT1T5Z4KHC encrypted</P><P>username test attributes</P><P>vpn-group-policy DSIAdminUsers</P><P>username akipper password 9PojOPiG2IXFp42B encrypted privilege 0</P><P>username akipper attributes</P><P>vpn-group-policy ASAVPN</P><P>username user1 password 0dldJICVF//EH4X3 encrypted</P><P>username user1 attributes</P><P>vpn-group-policy DSIVPNUser</P><P>username t.reese password JvMrGsialw4hFL/z encrypted privilege 15</P><P>username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15</P><P>username mark attributes</P><P>vpn-group-policy DSIAdminUsers</P><P>tunnel-group DefaultRAGroup general-attributes</P><P>address-pool (FIBER) VPNPOOL</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DefaultWEBVPNGroup general-attributes</P><P>address-pool VPNPOOL</P><P>tunnel-group ASAVPN type remote-access</P><P>tunnel-group ASAVPN general-attributes</P><P>address-pool VPNPOOL</P><P>default-group-policy ASAVPN</P><P>tunnel-group ASAVPN ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group 66.129.114.59 type ipsec-l2l</P><P>tunnel-group 66.129.114.59 ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DSIVPNUser type remote-access</P><P>tunnel-group DSIVPNUser general-attributes</P><P>address-pool VPNPOOL</P><P>default-group-policy DSIVPNUser</P><P>tunnel-group DSIVPNUser ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DSIAdminUsers type remote-access</P><P>tunnel-group DSIAdminUsers general-attributes</P><P>address-pool (FIBER) AdminPool</P><P>default-group-policy DSIAdminUsers</P><P>tunnel-group DSIAdminUsers ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group TestUser type remote-access</P><P>tunnel-group TestUser general-attributes</P><P>address-pool (FIBER) AdminPool</P><P>default-group-policy DSIAdminUsers</P><P>tunnel-group TestUser ipsec-attributes</P><P>pre-shared-key *</P><P>!</P><P>class-map inspection_default</P><P>match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P>parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P>class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:dfb0accab0916d7f7f3a886c6c7d1ca2</P><P>: end<SPAN id="mce_marker"> </SPAN></P><P>ASA Version 8.0(4) </P><P>!</P><P>hostname ciscoasa</P><P>domain-name default.domain.invalid</P><P>enable password mDnUbb1nQkpe6eG9 encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>name 97.0.0.250 tarantella</P><P>name 172.31.255.3 MGMT_HOST description Remote Network Management</P><P>name 97.0.0.56 axis-camera-1</P><P>name 10.99.0.60 axis-camera-2</P><P>!</P><P>interface GigabitEthernet0/0</P><P>nameif CABLE</P><P>security-level 0</P><P>ip address 95.36.115.66 255.255.255.248 </P><P>!</P><P>interface GigabitEthernet0/1</P><P>shutdown</P><P>nameif DSL</P><P>security-level 0</P><P>ip address 64.173.93.28 255.255.255.128 </P><P>!</P><P>interface GigabitEthernet0/2</P><P>nameif FIBER</P><P>security-level 0</P><P>ip address 25.181.205.2 255.255.255.240 </P><P>!</P><P>interface GigabitEthernet0/3</P><P>nameif inside</P><P>security-level 100</P><P>ip address 97.0.0.100 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P>shutdown</P><P>no nameif</P><P>no security-level</P><P>no ip address</P><P>!</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P>domain-name default.domain.invalid</P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 3144 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8080 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 100 </P><P>access-list 100 extended permit icmp any any echo-reply </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq https </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq www </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8081 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8082 </P><P>access-list 80 extended permit ip any 192.168.222.0 255.255.255.0 </P><P>access-list 80 extended permit ip any 172.31.253.0 255.255.254.0 </P><P>access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240 </P><P>access-list 80 extended permit ip any 192.168.222.0 255.255.255.224 </P><P>access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0 </P><P>access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0 </P><P>access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50 </P><P>access-list DSIAdminUsers_splitTunnelAcl standard permit any </P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging buffered informational</P><P>logging trap errors</P><P>logging asdm informational</P><P>mtu CABLE 1500</P><P>mtu DSL 1500</P><P>mtu FIBER 1500</P><P>mtu inside 1500</P><P>ip local pool VPNPOOL 192.168.222.1-192.168.222.10</P><P>ip local pool AdminPool 192.168.222.11-192.168.222.20</P><P>ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0</P><P>ip audit name DSI-Attack attack action alarm drop reset</P><P>ip audit name DSI-Alarm info action alarm</P><P>ip audit interface FIBER DSI-Alarm</P><P>ip audit interface FIBER DSI-Attack</P><P>ip audit interface inside DSI-Alarm</P><P>ip audit interface inside DSI-Attack</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any echo DSL</P><P>icmp permit any echo-reply DSL</P><P>icmp permit any unreachable DSL</P><P>icmp permit any unreachable FIBER</P><P>icmp permit any echo FIBER</P><P>icmp permit any echo-reply FIBER</P><P>asdm image disk0:/asdm-613.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (DSL) 1 interface</P><P>global (FIBER) 1 interface</P><P>nat (inside) 0 access-list 80</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255 </P><P>access-group 100 in interface FIBER</P><P>route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254</P><P>route inside 10.0.0.0 255.0.0.0 97.0.0.3 1</P><P>route inside 10.2.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.3.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.4.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.8.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.12.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.31.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.41.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.99.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 172.17.253.0 255.255.255.0 97.0.0.235 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5</P><P>aaa authentication http console LOCAL </P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication telnet console LOCAL </P><P>filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow </P><P>http server enable</P><P>http 0.0.0.0 0.0.0.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sla monitor 88</P><P>type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE</P><P>num-packets 3</P><P>timeout 1000</P><P>frequency 3</P><P>sla monitor schedule 88 life forever start-time now</P><P>crypto ipsec transform-set TSET esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map DCMAP 10 set pfs </P><P>crypto dynamic-map DCMAP 10 set transform-set TSET</P><P>crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800</P><P>crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map inside_dyn_map 20 set pfs </P><P>crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto map CMAP 1 match address GLSVPN</P><P>crypto map CMAP 1 set peer 66.129.114.59 </P><P>crypto map CMAP 1 set transform-set ESP-3DES-MD5</P><P>crypto map CMAP 1 set security-association lifetime seconds 28800</P><P>crypto map CMAP 1 set security-association lifetime kilobytes 4608000</P><P>crypto map CMAP 10 ipsec-isakmp dynamic DCMAP</P><P>crypto map CMAP interface FIBER</P><P>crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map</P><P>crypto map inside_map interface inside</P><P>crypto isakmp identity address </P><P>crypto isakmp enable FIBER</P><P>crypto isakmp enable inside</P><P>crypto isakmp policy 10</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash md5</P><P>group 2</P><P>lifetime 86400</P><P>crypto isakmp policy 65535</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash sha</P><P>group 2</P><P>lifetime 86400</P><P>!</P><P>track 1 rtr 88 reachability</P><P>telnet 0.0.0.0 0.0.0.0 inside</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 FIBER</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 5</P><P>console timeout 0</P><P>threat-detection basic-threat</P><P>threat-detection statistics host</P><P>threat-detection statistics port</P><P>threat-detection statistics protocol</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>webvpn</P><P>group-policy DfltGrpPolicy attributes</P><P>vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn</P><P>group-policy ASAVPN internal</P><P>group-policy ASAVPN attributes</P><P>dns-server value 24.217.0.3 63.162.197.99</P><P>vpn-tunnel-protocol IPSec svc </P><P>default-domain value dsidsi.com</P><P>group-policy DSIAdminUsers internal</P><P>group-policy DSIAdminUsers attributes</P><P>dns-server value 97.0.0.21 97.0.0.22</P><P>vpn-tunnel-protocol IPSec </P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl</P><P>default-domain value dsi.local</P><P>group-policy DSIVPNUser internal</P><P>group-policy DSIVPNUser attributes</P><P>dns-server value 97.0.0.21 97.0.0.22</P><P>vpn-tunnel-protocol IPSec </P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value DSIVPNUser_splitTunnelAcl</P><P>default-domain value dsi.local</P><P>username test password hmQhTUMT1T5Z4KHC encrypted</P><P>username test attributes</P><P>vpn-group-policy DSIAdminUsers</P><P>username akipper password 9PojOPiG2IXFp42B encrypted privilege 0</P><P>username akipper attributes</P><P>vpn-group-policy ASAVPN</P><P>username user1 password 0dldJICVF//EH4X3 encrypted</P><P>username user1 attributes</P><P>vpn-group-policy DSIVPNUser</P><P>username t.reese password JvMrGsialw4hFL/z encrypted privilege 15</P><P>username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15</P><P>username mark attributes</P><P>vpn-group-policy DSIAdminUsers</P><P>tunnel-group DefaultRAGroup general-attributes</P><P>address-pool (FIBER) VPNPOOL</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DefaultWEBVPNGroup general-attributes</P><P>address-pool VPNPOOL</P><P>tunnel-group ASAVPN type remote-access</P><P>tunnel-group ASAVPN general-attributes</P><P>address-pool VPNPOOL</P><P>default-group-policy ASAVPN</P><P>tunnel-group ASAVPN ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group 66.129.114.59 type ipsec-l2l</P><P>tunnel-group 66.129.114.59 ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DSIVPNUser type remote-access</P><P>tunnel-group DSIVPNUser general-attributes</P><P>address-pool VPNPOOL</P><P>default-group-policy DSIVPNUser</P><P>tunnel-group DSIVPNUser ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DSIAdminUsers type remote-access</P><P>tunnel-group DSIAdminUsers general-attributes</P><P>address-pool (FIBER) AdminPool</P><P>default-group-policy DSIAdminUsers</P><P>tunnel-group DSIAdminUsers ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group TestUser type remote-access</P><P>tunnel-group TestUser general-attributes</P><P>address-pool (FIBER) AdminPool</P><P>default-group-policy DSIAdminUsers</P><P>tunnel-group TestUser ipsec-attributes</P><P>pre-shared-key *</P><P>!</P><P>class-map inspection_default</P><P>match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P>parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P>class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:dfb0accab0916d7f7f3a886c6c7d1ca2</P><P>: end</P> Mon, 11 Mar 2019 21:05:47 GMT https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708236#M534609 mark1mccorkle 2019-03-11T21:05:47Z Cisco ASA - cannot reach local IP addresses https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708237#M534610 <HTML><HEAD></HEAD><BODY><P>I didn't look at everything in this config so there might still be something else but one thing I did see is that your using a standard access-list to specify traffic to be tunneled that is permiting any.&nbsp; </P><P></P><P>You need to use an extended acl to specify traffic to be encrypted.&nbsp; Specifically the line below.</P><P></P><P>access-list DSIAdminUsers_splitTunnelAcl standard permit any </P><P></P><P>Also you need to include your inside subnets in access-list 80 in order to excluded from nat.</P><P></P><P>Hope this helps.</P></BODY></HTML> Sat, 30 Jul 2011 23:35:58 GMT https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708237#M534610 clooney 2011-07-30T23:35:58Z Re: Cisco ASA - cannot reach local IP addresses https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708238#M534612 <HTML><HEAD></HEAD><BODY><P>Hi Clooney,</P><P>Thanks for the reply.&nbsp; I am a newbie so forgive the simple question.&nbsp; My internal IP addresses are 97.0.0.1 thru 97.0.0.254 and 10.1.1.1 thru 10.1.1.254.&nbsp; What would the access-list 80 look like?</P><P></P><P>Thanks,</P><P>Mark</P></BODY></HTML> Sun, 31 Jul 2011 00:56:18 GMT https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708238#M534612 mark1mccorkle 2011-07-31T00:56:18Z Re: Cisco ASA - cannot reach local IP addresses https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708239#M534614 <HTML><HEAD></HEAD><BODY><P>access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0</P><P>access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0</P><P></P><P>your access list specifiying traffic to be encrypted can be this same access-list.&nbsp; It should be nearly identical unless you have a reason to not allow some of it.</P><P></P><P>Basically you are telling the firewall not to nat the traffic from the inside networks to the vpn pool and vise versa.&nbsp; Otherwise the asa will nat everything and the ip's won't be the same after passing nat.</P><P></P><P>Use the command packet-tracer and it'll step you through all of the flows and tell you whether or not the traffic would be allowed/nat'd/encrypted/etc.</P></BODY></HTML> Sun, 31 Jul 2011 01:41:57 GMT https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708239#M534614 clooney 2011-07-31T01:41:57Z Re: Cisco ASA - cannot reach local IP addresses https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708240#M534615 <HTML><HEAD></HEAD><BODY><P>Clooney,</P><P>THAT WORKED!!!</P><P></P><P>After adding the access-list 80 lines, I can now telnet to any address on my network from a vpn connection.</P><P></P><P>I appreciate your help.&nbsp; I have been working on this for 3 days and was close to giving up...</P><P></P><P>Thanks,</P><P>Mark</P></BODY></HTML> Sun, 31 Jul 2011 13:47:38 GMT https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708240#M534615 mark1mccorkle 2011-07-31T13:47:38Z Re: Cisco ASA - cannot reach local IP addresses https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708241#M534616 <HTML><HEAD></HEAD><BODY><P>Great! Glad I could help.</P></BODY></HTML> Sun, 31 Jul 2011 16:51:34 GMT https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708241#M534616 clooney 2011-07-31T16:51:34Z Re: Cisco ASA - cannot reach local IP addresses https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708242#M534617 <HTML><HEAD></HEAD><BODY><P>Well, I know this does not make any sense, but VPN is no longer working.&nbsp; It was working earlier today, I tested with a PC and my iPad and it worked.&nbsp; But I was checking things out one last time today and it is no longer working with either device.&nbsp; I made no other changes to the config after adding the two lines to it that initially made it start working.&nbsp; I saved the config after editing this morning and got a copy of the config just now.&nbsp; I used diff and there are no changes since it was working.&nbsp; I made no other network related changes since it was working.</P><P></P><P>Below is a copy of the current config.</P><P></P><P>Any other ideas before I just give up?</P><P></P><P>Thanks,</P><P>Mark</P><P></P><P>ASA Version 8.0(4) </P><P>!</P><P>hostname ciscoasa</P><P>domain-name default.domain.invalid</P><P>enable password mDnUbb1nQkpe6eG9 encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>name 97.0.0.250 tarantella</P><P>name 172.31.255.3 MGMT_HOST description Remote Network Management</P><P>name 97.0.0.56 axis-camera-1</P><P>name 10.99.0.60 axis-camera-2</P><P>!</P><P>interface GigabitEthernet0/0</P><P>nameif CABLE</P><P>security-level 0</P><P>ip address 95.36.115.66 255.255.255.248 </P><P>!</P><P>interface GigabitEthernet0/1</P><P>shutdown</P><P>nameif DSL</P><P>security-level 0</P><P>ip address 64.173.93.28 255.255.255.128 </P><P>!</P><P>interface GigabitEthernet0/2</P><P>nameif FIBER</P><P>security-level 0</P><P>ip address 25.181.205.2 255.255.255.240 </P><P>!</P><P>interface GigabitEthernet0/3</P><P>nameif inside</P><P>security-level 100</P><P>ip address 97.0.0.100 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P>shutdown</P><P>no nameif</P><P>no security-level</P><P>no ip address</P><P>!</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P>domain-name default.domain.invalid</P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 3144 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8080 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 100 </P><P>access-list 100 extended permit icmp any any echo-reply </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq https </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq www </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8081 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8082 </P><P>access-list 80 extended permit ip any 192.168.222.0 255.255.255.0 </P><P>access-list 80 extended permit ip any 172.31.253.0 255.255.254.0 </P><P>access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240 </P><P>access-list 80 extended permit ip any 192.168.222.0 255.255.255.224 </P><P>access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0</P><P>access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0</P><P>access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0 </P><P>access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0 </P><P>access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50 </P><P>access-list DSIAdminUsers_splitTunnelAcl standard permit any </P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging buffered informational</P><P>logging trap errors</P><P>logging asdm informational</P><P>mtu CABLE 1500</P><P>mtu DSL 1500</P><P>mtu FIBER 1500</P><P>mtu inside 1500</P><P>ip local pool VPNPOOL 192.168.222.1-192.168.222.10</P><P>ip local pool AdminPool 192.168.222.11-192.168.222.20</P><P>ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0</P><P>ip audit name DSI-Attack attack action alarm drop reset</P><P>ip audit name DSI-Alarm info action alarm</P><P>ip audit interface FIBER DSI-Alarm</P><P>ip audit interface FIBER DSI-Attack</P><P>ip audit interface inside DSI-Alarm</P><P>ip audit interface inside DSI-Attack</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any echo DSL</P><P>icmp permit any echo-reply DSL</P><P>icmp permit any unreachable DSL</P><P>icmp permit any unreachable FIBER</P><P>icmp permit any echo FIBER</P><P>icmp permit any echo-reply FIBER</P><P>asdm image disk0:/asdm-613.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (DSL) 1 interface</P><P>global (FIBER) 1 interface</P><P>nat (inside) 0 access-list 80</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255 </P><P>access-group 100 in interface FIBER</P><P>route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254</P><P>route inside 10.0.0.0 255.0.0.0 97.0.0.3 1</P><P>route inside 10.2.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.3.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.4.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.8.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.12.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.31.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.41.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.99.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 172.17.253.0 255.255.255.0 97.0.0.235 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5</P><P>aaa authentication http console LOCAL </P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication telnet console LOCAL </P><P>filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow </P><P>http server enable</P><P>http 0.0.0.0 0.0.0.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sla monitor 88</P><P>type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE</P><P>num-packets 3</P><P>timeout 1000</P><P>frequency 3</P><P>sla monitor schedule 88 life forever start-time now</P><P>crypto ipsec transform-set TSET esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map DCMAP 10 set pfs </P><P>crypto dynamic-map DCMAP 10 set transform-set TSET</P><P>crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800</P><P>crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map inside_dyn_map 20 set pfs </P><P>crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto map CMAP 1 match address GLSVPN</P><P>crypto map CMAP 1 set peer 66.129.114.59 </P><P>crypto map CMAP 1 set transform-set ESP-3DES-MD5</P><P>crypto map CMAP 1 set security-association lifetime seconds 28800</P><P>crypto map CMAP 1 set security-association lifetime kilobytes 4608000</P><P>crypto map CMAP 10 ipsec-isakmp dynamic DCMAP</P><P>crypto map CMAP interface FIBER</P><P>crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map</P><P>crypto map inside_map interface inside</P><P>crypto isakmp identity address </P><P>crypto isakmp enable FIBER</P><P>crypto isakmp enable inside</P><P>crypto isakmp policy 10</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash md5</P><P>group 2</P><P>lifetime 86400</P><P>crypto isakmp policy 65535</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash sha</P><P>group 2</P><P>lifetime 86400</P><P>!</P><P>track 1 rtr 88 reachability</P><P>telnet 0.0.0.0 0.0.0.0 inside</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 FIBER</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 5</P><P>console timeout 0</P><P>threat-detection basic-threat</P><P>threat-detection statistics host</P><P>threat-detection statistics port</P><P>threat-detection statistics protocol</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>webvpn</P><P>group-policy DfltGrpPolicy attributes</P><P>vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn</P><P>group-policy ASAVPN internal</P><P>group-policy ASAVPN attributes</P><P>dns-server value 24.217.0.3 63.162.197.99</P><P>vpn-tunnel-protocol IPSec svc </P><P>default-domain value dsidsi.com</P><P>group-policy DSIAdminUsers internal</P><P>group-policy DSIAdminUsers attributes</P><P>dns-server value 97.0.0.21 97.0.0.22</P><P>vpn-tunnel-protocol IPSec </P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl</P><P>default-domain value dsi.local</P><P>group-policy DSIVPNUser internal</P><P>group-policy DSIVPNUser attributes</P><P>dns-server value 97.0.0.21 97.0.0.22</P><P>vpn-tunnel-protocol IPSec </P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value DSIVPNUser_splitTunnelAcl</P><P>default-domain value dsi.local</P><P>username test password hmQhTUMT1T5Z4KHC encrypted</P><P>username test attributes</P><P>vpn-group-policy DSIAdminUsers</P><P>username akipper password 9PojOPiG2IXFp42B encrypted privilege 0</P><P>username akipper attributes</P><P>vpn-group-policy ASAVPN</P><P>username user1 password 0dldJICVF//EH4X3 encrypted</P><P>username user1 attributes</P><P>vpn-group-policy DSIVPNUser</P><P>username t.reese password JvMrGsialw4hFL/z encrypted privilege 15</P><P>username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15</P><P>username mark attributes</P><P>vpn-group-policy DSIAdminUsers</P><P>tunnel-group DefaultRAGroup general-attributes</P><P>address-pool (FIBER) VPNPOOL</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DefaultWEBVPNGroup general-attributes</P><P>address-pool VPNPOOL</P><P>tunnel-group ASAVPN type remote-access</P><P>tunnel-group ASAVPN general-attributes</P><P>address-pool VPNPOOL</P><P>default-group-policy ASAVPN</P><P>tunnel-group ASAVPN ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group 66.129.114.59 type ipsec-l2l</P><P>tunnel-group 66.129.114.59 ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DSIVPNUser type remote-access</P><P>tunnel-group DSIVPNUser general-attributes</P><P>address-pool VPNPOOL</P><P>default-group-policy DSIVPNUser</P><P>tunnel-group DSIVPNUser ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DSIAdminUsers type remote-access</P><P>tunnel-group DSIAdminUsers general-attributes</P><P>address-pool (FIBER) AdminPool</P><P>default-group-policy DSIAdminUsers</P><P>tunnel-group DSIAdminUsers ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group TestUser type remote-access</P><P>tunnel-group TestUser general-attributes</P><P>address-pool (FIBER) AdminPool</P><P>default-group-policy DSIAdminUsers</P><P>tunnel-group TestUser ipsec-attributes</P><P>pre-shared-key *</P><P>!</P><P>class-map inspection_default</P><P>match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P>parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P>class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:dfb0accab0916d7f7f3a886c6c7d1ca2</P><P>: end </P><P>ASA Version 8.0(4) </P><P>!</P><P>hostname ciscoasa</P><P>domain-name default.domain.invalid</P><P>enable password mDnUbb1nQkpe6eG9 encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>name 97.0.0.250 tarantella</P><P>name 172.31.255.3 MGMT_HOST description Remote Network Management</P><P>name 97.0.0.56 axis-camera-1</P><P>name 10.99.0.60 axis-camera-2</P><P>!</P><P>interface GigabitEthernet0/0</P><P>nameif CABLE</P><P>security-level 0</P><P>ip address 95.36.115.66 255.255.255.248 </P><P>!</P><P>interface GigabitEthernet0/1</P><P>shutdown</P><P>nameif DSL</P><P>security-level 0</P><P>ip address 64.173.93.28 255.255.255.128 </P><P>!</P><P>interface GigabitEthernet0/2</P><P>nameif FIBER</P><P>security-level 0</P><P>ip address 25.181.205.2 255.255.255.240 </P><P>!</P><P>interface GigabitEthernet0/3</P><P>nameif inside</P><P>security-level 100</P><P>ip address 97.0.0.100 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P>shutdown</P><P>no nameif</P><P>no security-level</P><P>no ip address</P><P>!</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P>domain-name default.domain.invalid</P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 3144 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8080 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 100 </P><P>access-list 100 extended permit icmp any any echo-reply </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq https </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq www </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8081 </P><P>access-list 100 extended permit tcp any host 25.181.205.2 eq 8082 </P><P>access-list 80 extended permit ip any 192.168.222.0 255.255.255.0 </P><P>access-list 80 extended permit ip any 172.31.253.0 255.255.254.0 </P><P>access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240 </P><P>access-list 80 extended permit ip any 192.168.222.0 255.255.255.224 </P><P>access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0</P><P>access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0</P><P>access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0 </P><P>access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0 </P><P>access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50 </P><P>access-list DSIAdminUsers_splitTunnelAcl standard permit any </P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging buffered informational</P><P>logging trap errors</P><P>logging asdm informational</P><P>mtu CABLE 1500</P><P>mtu DSL 1500</P><P>mtu FIBER 1500</P><P>mtu inside 1500</P><P>ip local pool VPNPOOL 192.168.222.1-192.168.222.10</P><P>ip local pool AdminPool 192.168.222.11-192.168.222.20</P><P>ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0</P><P>ip audit name DSI-Attack attack action alarm drop reset</P><P>ip audit name DSI-Alarm info action alarm</P><P>ip audit interface FIBER DSI-Alarm</P><P>ip audit interface FIBER DSI-Attack</P><P>ip audit interface inside DSI-Alarm</P><P>ip audit interface inside DSI-Attack</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any echo DSL</P><P>icmp permit any echo-reply DSL</P><P>icmp permit any unreachable DSL</P><P>icmp permit any unreachable FIBER</P><P>icmp permit any echo FIBER</P><P>icmp permit any echo-reply FIBER</P><P>asdm image disk0:/asdm-613.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (DSL) 1 interface</P><P>global (FIBER) 1 interface</P><P>nat (inside) 0 access-list 80</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255 </P><P>static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255 </P><P>access-group 100 in interface FIBER</P><P>route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254</P><P>route inside 10.0.0.0 255.0.0.0 97.0.0.3 1</P><P>route inside 10.2.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.3.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.4.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.8.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.12.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.31.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.41.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 10.99.0.0 255.255.0.0 97.0.0.3 1</P><P>route inside 172.17.253.0 255.255.255.0 97.0.0.235 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5</P><P>aaa authentication http console LOCAL </P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication telnet console LOCAL </P><P>filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow </P><P>http server enable</P><P>http 0.0.0.0 0.0.0.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sla monitor 88</P><P>type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE</P><P>num-packets 3</P><P>timeout 1000</P><P>frequency 3</P><P>sla monitor schedule 88 life forever start-time now</P><P>crypto ipsec transform-set TSET esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map DCMAP 10 set pfs </P><P>crypto dynamic-map DCMAP 10 set transform-set TSET</P><P>crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800</P><P>crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map inside_dyn_map 20 set pfs </P><P>crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto map CMAP 1 match address GLSVPN</P><P>crypto map CMAP 1 set peer 66.129.114.59 </P><P>crypto map CMAP 1 set transform-set ESP-3DES-MD5</P><P>crypto map CMAP 1 set security-association lifetime seconds 28800</P><P>crypto map CMAP 1 set security-association lifetime kilobytes 4608000</P><P>crypto map CMAP 10 ipsec-isakmp dynamic DCMAP</P><P>crypto map CMAP interface FIBER</P><P>crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map</P><P>crypto map inside_map interface inside</P><P>crypto isakmp identity address </P><P>crypto isakmp enable FIBER</P><P>crypto isakmp enable inside</P><P>crypto isakmp policy 10</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash md5</P><P>group 2</P><P>lifetime 86400</P><P>crypto isakmp policy 65535</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash sha</P><P>group 2</P><P>lifetime 86400</P><P>!</P><P>track 1 rtr 88 reachability</P><P>telnet 0.0.0.0 0.0.0.0 inside</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 FIBER</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 5</P><P>console timeout 0</P><P>threat-detection basic-threat</P><P>threat-detection statistics host</P><P>threat-detection statistics port</P><P>threat-detection statistics protocol</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>webvpn</P><P>group-policy DfltGrpPolicy attributes</P><P>vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn</P><P>group-policy ASAVPN internal</P><P>group-policy ASAVPN attributes</P><P>dns-server value 24.217.0.3 63.162.197.99</P><P>vpn-tunnel-protocol IPSec svc </P><P>default-domain value dsidsi.com</P><P>group-policy DSIAdminUsers internal</P><P>group-policy DSIAdminUsers attributes</P><P>dns-server value 97.0.0.21 97.0.0.22</P><P>vpn-tunnel-protocol IPSec </P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl</P><P>default-domain value dsi.local</P><P>group-policy DSIVPNUser internal</P><P>group-policy DSIVPNUser attributes</P><P>dns-server value 97.0.0.21 97.0.0.22</P><P>vpn-tunnel-protocol IPSec </P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value DSIVPNUser_splitTunnelAcl</P><P>default-domain value dsi.local</P><P>username test password hmQhTUMT1T5Z4KHC encrypted</P><P>username test attributes</P><P>vpn-group-policy DSIAdminUsers</P><P>username akipper password 9PojOPiG2IXFp42B encrypted privilege 0</P><P>username akipper attributes</P><P>vpn-group-policy ASAVPN</P><P>username user1 password 0dldJICVF//EH4X3 encrypted</P><P>username user1 attributes</P><P>vpn-group-policy DSIVPNUser</P><P>username t.reese password JvMrGsialw4hFL/z encrypted privilege 15</P><P>username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15</P><P>username mark attributes</P><P>vpn-group-policy DSIAdminUsers</P><P>tunnel-group DefaultRAGroup general-attributes</P><P>address-pool (FIBER) VPNPOOL</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DefaultWEBVPNGroup general-attributes</P><P>address-pool VPNPOOL</P><P>tunnel-group ASAVPN type remote-access</P><P>tunnel-group ASAVPN general-attributes</P><P>address-pool VPNPOOL</P><P>default-group-policy ASAVPN</P><P>tunnel-group ASAVPN ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group 66.129.114.59 type ipsec-l2l</P><P>tunnel-group 66.129.114.59 ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DSIVPNUser type remote-access</P><P>tunnel-group DSIVPNUser general-attributes</P><P>address-pool VPNPOOL</P><P>default-group-policy DSIVPNUser</P><P>tunnel-group DSIVPNUser ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group DSIAdminUsers type remote-access</P><P>tunnel-group DSIAdminUsers general-attributes</P><P>address-pool (FIBER) AdminPool</P><P>default-group-policy DSIAdminUsers</P><P>tunnel-group DSIAdminUsers ipsec-attributes</P><P>pre-shared-key *</P><P>tunnel-group TestUser type remote-access</P><P>tunnel-group TestUser general-attributes</P><P>address-pool (FIBER) AdminPool</P><P>default-group-policy DSIAdminUsers</P><P>tunnel-group TestUser ipsec-attributes</P><P>pre-shared-key *</P><P>!</P><P>class-map inspection_default</P><P>match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P>parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P>class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>: end</P></BODY></HTML> Sun, 31 Jul 2011 22:13:32 GMT https://community.cisco.com/t5/network-security/cisco-asa-cannot-reach-local-ip-addresses/m-p/1708242#M534617 mark1mccorkle 2011-07-31T22:13:32Z