asa 5510 with a WLC5508 on DMZ network

Darren Spooner · ‎06-15-2012

i have a unique thing to do i have been given a task of connecting a WLC5508 to a ASA5510 because the dont want to get a another switch.

how can i do this. i think it is possable to do but i cant get the NAT and ACL to work right.

here is what i have so far

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname CSL-GW
domain-name csl.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.6 Server2008 description Domain Controller
name 12.133.51.114 PublicIP_114 description Public IP Address - used for SharePoint Server
name 192.168.0.8 SharePoint description The SharePoint 2007 Server
name 12.133.51.115 PublicIP_115 description Public IP Address
name 12.133.51.116 PublicIP_116 description Public IP Address
name 192.168.2.0 corinth-network
name 192.168.3.0 decatur-network
name 192.168.4.0 florence-network
name 192.168.11.0 hartselle-network
name 192.168.5.0 hoover-network
name 192.168.6.0 huntsville-network
name 192.168.7.0 lawrenceburg-network
name 192.168.8.0 montgomery-network
name 192.168.9.0 mountain-network
name 192.168.10.0 russellville-network
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.133.51.120 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif dmz
security-level 50
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name csl.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging trap debugging
logging asdm informational
logging host inside Server2008
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255
static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255
static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.133.51.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ADSERVERS protocol radius
aaa-server ADSERVERS (inside) host Server2008
key CSL-2820
http server enable
http hartselle-network 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http corinth-network 255.255.255.0 inside
http decatur-network 255.255.255.0 inside
http florence-network 255.255.255.0 inside
http hoover-network 255.255.255.0 inside
http huntsville-network 255.255.255.0 inside
http lawrenceburg-network 255.255.255.0 inside
http mountain-network 255.255.255.0 inside
http russellville-network 255.255.255.0 inside
http montgomery-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.139.80.51
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.139.80.163
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.23.150.67
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
crypto map outside_map 5 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 12.164.17.19
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer 12.139.80.131
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set peer 12.139.80.147
crypto map outside_map 8 set transform-set ESP-AES-128-SHA
crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set peer 12.131.64.99
crypto map outside_map 9 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 12.37.170.163
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet corinth-network 255.255.255.0 inside
telnet decatur-network 255.255.255.0 inside
telnet florence-network 255.255.255.0 inside
telnet hoover-network 255.255.255.0 inside
telnet huntsville-network 255.255.255.0 inside
telnet lawrenceburg-network 255.255.255.0 inside
telnet mountain-network 255.255.255.0 inside
telnet russellville-network 255.255.255.0 inside
telnet montgomery-network 255.255.255.0 inside
telnet hartselle-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns Server2008 12.127.16.67 interface inside
dhcpd wins Server2008 interface inside
dhcpd lease 14400 interface inside
dhcpd domain csl.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server Server2008 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.6
dns-server value 192.168.0.6 12.127.16.67
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value csl.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
tunnel-group DefaultRAGroup general-attributes
address-pool RemoteClientPool
authentication-server-group ADSERVERS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 12.131.108.179 type ipsec-l2l
tunnel-group 12.131.108.179 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.51 type ipsec-l2l
tunnel-group 12.139.80.51 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.163 type ipsec-l2l
tunnel-group 12.139.80.163 ipsec-attributes
pre-shared-key *
tunnel-group 12.23.150.67 type ipsec-l2l
tunnel-group 12.23.150.67 ipsec-attributes
pre-shared-key *
tunnel-group 12.133.51.195 type ipsec-l2l
tunnel-group 12.133.51.195 ipsec-attributes
pre-shared-key *
tunnel-group 12.164.17.19 type ipsec-l2l
tunnel-group 12.164.17.19 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.131 type ipsec-l2l
tunnel-group 12.139.80.131 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.147 type ipsec-l2l
tunnel-group 12.139.80.147 ipsec-attributes
pre-shared-key *
tunnel-group 12.131.64.99 type ipsec-l2l
tunnel-group 12.131.64.99 ipsec-attributes
pre-shared-key *
tunnel-group 12.37.170.163 type ipsec-l2l
tunnel-group 12.37.170.163 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423721254cdd7681b11454f1b5f93b44
: end

on the dmz i did have a sub interface called WLC on vlan 12

but nothing i did worked.

Jennifer Halim · ‎06-15-2012

Your DMZ interface is currently shutdown, that's probably why nothing works:

interface Ethernet0/2

shutdown

nameif dmz

security-level 50

ip address 192.168.12.1 255.255.255.0

Darren Spooner · ‎06-15-2012

i know that i had it disable as i got tired of dealing with it for 3 days now.

is there anything else i should be looking at?

Jennifer Halim · ‎06-15-2012

To get internet access from DMZ, just add the following NAT entry:

nat (dmz) 1 0 0

Darren Spooner · ‎06-15-2012

i am not realy want it to have internet i just need it to talk to the inside network so that the ap will get the info that they need. also will need it go over the VPNs to the sites

hostname CSL-GW

domain-name csl.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.0.6 Server2008 description Domain Controller

name 12.133.51.114 PublicIP_114 description Public IP Address - used for SharePoint Server

name 192.168.0.8 SharePoint description The SharePoint 2007 Server

name 12.133.51.115 PublicIP_115 description Public IP Address

name 12.133.51.116 PublicIP_116 description Public IP Address

name 192.168.2.0 corinth-network

name 192.168.3.0 decatur-network

name 192.168.4.0 florence-network

name 192.168.11.0 hartselle-network

name 192.168.5.0 hoover-network

name 192.168.6.0 huntsville-network

name 192.168.7.0 lawrenceburg-network

name 192.168.8.0 montgomery-network

name 192.168.9.0 mountain-network

name 192.168.10.0 russellville-network

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 12.133.51.120 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/2.12

vlan 12

nameif WLC

security-level 100

ip address 192.168.12.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa724-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name csl.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any source-quench

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq 65100

access-list outside_access_in extended permit tcp any interface outside eq pop3

access-list outside_access_in extended permit tcp any interface outside eq 587

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in extended permit tcp any interface outside eq 8443

access-list outside_access_in extended permit tcp any interface outside eq 81

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any interface outside eq 3390

access-list outside_access_in extended permit tcp any interface outside eq 8080

access-list outside_access_in remark used for SharePoint

access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2

access-list DefaultRAGroup_splitTunnelAcl standard permit any

access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0

access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0

access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0

access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0

access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0

access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0

access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0

access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0

access-list dmz_access_in extended permit ip any any

access-list inside_access_in extended permit ip any any

no pager

logging enable

logging trap debugging

logging asdm informational

logging host inside Server2008

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

mtu WLC 1500

ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp deny any echo outside

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (management) 0 0.0.0.0 0.0.0.0

nat (WLC) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255

static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255

static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255

static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255

static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255

static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255

static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255

static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255

static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 12.133.51.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa-server ADSERVERS protocol radius

aaa-server ADSERVERS (inside) host Server2008

key CSL-2820

http server enable

http hartselle-network 255.255.255.0 inside

http 192.168.0.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

http corinth-network 255.255.255.0 inside

http decatur-network 255.255.255.0 inside

http florence-network 255.255.255.0 inside

http hoover-network 255.255.255.0 inside

http huntsville-network 255.255.255.0 inside

http lawrenceburg-network 255.255.255.0 inside

http mountain-network 255.255.255.0 inside

http russellville-network 255.255.255.0 inside

http montgomery-network 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec df-bit clear-df outside

crypto ipsec df-bit clear-df inside

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 12.131.108.179

crypto map outside_map 1 set transform-set ESP-AES-128-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 12.139.80.51

crypto map outside_map 2 set transform-set ESP-AES-128-SHA

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set peer 12.139.80.163

crypto map outside_map 3 set transform-set ESP-AES-128-SHA

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set peer 12.23.150.67

crypto map outside_map 4 set transform-set ESP-AES-128-SHA

crypto map outside_map 5 match address outside_5_cryptomap

crypto map outside_map 5 set peer 12.133.51.195

crypto map outside_map 5 set transform-set ESP-AES-128-SHA

crypto map outside_map 6 match address outside_6_cryptomap

crypto map outside_map 6 set peer 12.164.17.19

crypto map outside_map 6 set transform-set ESP-AES-128-SHA

crypto map outside_map 7 match address outside_7_cryptomap

crypto map outside_map 7 set peer 12.139.80.131

crypto map outside_map 7 set transform-set ESP-AES-128-SHA

crypto map outside_map 8 match address outside_8_cryptomap

crypto map outside_map 8 set peer 12.139.80.147

crypto map outside_map 8 set transform-set ESP-AES-128-SHA

crypto map outside_map 9 match address outside_9_cryptomap

crypto map outside_map 9 set peer 12.131.64.99

crypto map outside_map 9 set transform-set ESP-AES-128-SHA

crypto map outside_map 10 match address outside_10_cryptomap

crypto map outside_map 10 set peer 12.37.170.163

crypto map outside_map 10 set transform-set ESP-AES-128-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

crypto isakmp nat-traversal 20

telnet 192.168.0.0 255.255.255.0 inside

telnet corinth-network 255.255.255.0 inside

telnet decatur-network 255.255.255.0 inside

telnet florence-network 255.255.255.0 inside

telnet hoover-network 255.255.255.0 inside

telnet huntsville-network 255.255.255.0 inside

telnet lawrenceburg-network 255.255.255.0 inside

telnet mountain-network 255.255.255.0 inside

telnet russellville-network 255.255.255.0 inside

telnet montgomery-network 255.255.255.0 inside

telnet hartselle-network 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.0.100-192.168.0.150 inside

dhcpd dns Server2008 12.127.16.67 interface inside

dhcpd wins Server2008 interface inside

dhcpd lease 14400 interface inside

dhcpd domain csl.local interface inside

dhcpd update dns both override interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

ntp server Server2008 source inside

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server value 192.168.0.6

dns-server value 192.168.0.6 12.127.16.67

vpn-tunnel-protocol l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

default-domain value csl.local

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 10

vpn-idle-timeout none

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

nac disable

nac-sq-period 300

nac-reval-period 36000

nac-default-acl none

address-pools none

smartcard-removal-disconnect enable

client-firewall none

client-access-rule none

webvpn

functions url-entry

html-content-filter none

homepage none

keep-alive-ignore 4

http-comp gzip

filter none

url-list none

customization value DfltCustomization

port-forward none

port-forward-name value Application Access

sso-server none

deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

svc none

svc keep-installer installed

svc keepalive none

svc rekey time none

svc rekey method none

svc dpd-interval client none

svc dpd-interval gateway none

svc compression deflate

tunnel-group DefaultRAGroup general-attributes

address-pool RemoteClientPool

authentication-server-group ADSERVERS

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication ms-chap-v2

tunnel-group 12.131.108.179 type ipsec-l2l

tunnel-group 12.131.108.179 ipsec-attributes

pre-shared-key *

tunnel-group 12.139.80.51 type ipsec-l2l

tunnel-group 12.139.80.51 ipsec-attributes

pre-shared-key *

tunnel-group 12.139.80.163 type ipsec-l2l

tunnel-group 12.139.80.163 ipsec-attributes

pre-shared-key *

tunnel-group 12.23.150.67 type ipsec-l2l

tunnel-group 12.23.150.67 ipsec-attributes

pre-shared-key *

tunnel-group 12.133.51.195 type ipsec-l2l

tunnel-group 12.133.51.195 ipsec-attributes

pre-shared-key *

tunnel-group 12.164.17.19 type ipsec-l2l

tunnel-group 12.164.17.19 ipsec-attributes

pre-shared-key *

tunnel-group 12.139.80.131 type ipsec-l2l

tunnel-group 12.139.80.131 ipsec-attributes

pre-shared-key *

tunnel-group 12.139.80.147 type ipsec-l2l

tunnel-group 12.139.80.147 ipsec-attributes

pre-shared-key *

tunnel-group 12.131.64.99 type ipsec-l2l

tunnel-group 12.131.64.99 ipsec-attributes

pre-shared-key *

tunnel-group 12.37.170.163 type ipsec-l2l

tunnel-group 12.37.170.163 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:423721254cdd7681b11454f1b5f93b44

: end