06-23-2018 02:05 PM - edited 02-21-2020 07:54 AM
Hope there is somebody that can help me because I'm stuck; I have put the backup back 4 times now but it is not working.
VLAN40 needs to go out on VLAN997, the backup line (ADSL, 110 Mb, up and running).
VLAN45, the main server VLAN, needs to be on VLAN998 (500 Mb cable, also running but in bridge mode).
All the rest needs to stay on VLAN999, also a bridged cable network (500 Mb).
The VLAN settings on the core switch and main switch are OK, and it was working.
I tried NAT and traffic zones, and the security level is how it needs to be, the same.
VLAN997 also needs to be a backup line if VLAN998 and VLAN999 go down; that was also working.
My trouble began when I added the VLAN997.
I can only ping the outside world on VLAN998; the other 2 give no response. If I connect my laptop directly to the routers all is fine, with no troubles with speed or lag.
My backup config as it is running at the moment.
I set it back in the hope it will work like it was, just disconnecting VLAN997.
At the moment I feel like a donkey running into a rock every single time.
If anyone has an idea, please let me know.
: Serial Number: JAD2042014S
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: ASA Version 9.6(1)
!
hostname ASA5506
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd hVxRMGvjmxCeVxgf encrypted
names
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description *** Ziggo2 ***
 mac-address aaaa.bbbb.cccc
 nameif VLAN999
 security-level 0
 ip address dhcp setroute
 ipv6 enable
!
interface GigabitEthernet1/2
 description *** Ziggo1 ***
 nameif VLAN998
 security-level 2
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3.1
 description *** Management ***
 vlan 1
 nameif VLAN1
 security-level 25
 ip address 10.10.50.2 255.255.255.0
!
interface GigabitEthernet1/3.20
 description *** Office ***
 vlan 20
 nameif VLAN20
 security-level 0
 ip address 10.10.20.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
 ipv6 enable
!
interface GigabitEthernet1/3.30
 description *** Wi-Fi ***
 vlan 30
 nameif VLAN30
 security-level 0
 ip address 10.10.30.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
!
interface GigabitEthernet1/3.40
 description *** Printer ***
 vlan 40
 nameif VLAN40
 security-level 1
 ip address 10.10.40.2 255.255.255.0
!
interface GigabitEthernet1/3.45
 description *** Server ***
 vlan 45
 nameif VLAN45
 security-level 2
 ip address 10.10.45.2 255.255.255.0
 policy-route route-map RMAP-Gi1/3.45
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 description ***Telfort***
 nameif VlAN997
 security-level 1
 ip address dhcp setroute
!
interface Management1/1
 description *** ASA Management ***
 management-only
 nameif MNGT
 security-level 100
 ip address 10.10.100.2 255.255.255.0
!
banner motd ************************************************************************
banner motd * Unauthorized access is prohibited *
banner motd ************************************************************************
banner motd * This system is to be used only by specifically authorized personnel. *
banner motd * Any unauthorized use of the system is unlawful, and may be subject *
banner motd * to civil and/or criminal penalties. *
banner motd * *
banner motd * Any use of the system may be logged or monitored without further *
banner motd * notice and resulting logs may be used as evidence in court. *
banner motd ************************************************************************
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ-NET-VLAN1
 subnet 10.10.50.0 255.255.255.0
object network OBJ-NET-VLAN20
 subnet 10.10.20.0 255.255.255.0
object network OBJ-NET-VLAN30
 subnet 10.10.30.0 255.255.255.0
object network OBJ-NET-VLAN40
 subnet 10.10.40.0 255.255.255.0
object network OBJ-NET-VLAN45
 subnet 10.10.45.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_26
 subnet 192.168.100.0 255.255.255.192
object network OBJ-NET-HOST-10.10.20.105
 host 10.10.20.105
object service OBJ-SRV-TCP-3389
 service tcp source eq 3389
object service OBJ-SRV-TCP-5000_6000
 service tcp source range 5000 6000
object network OBJ-NET-HOST-82.94.75.162
 host 82.94.75.162
object network OBJ-NET-HOST-82.94.75.163
 host 82.94.75.163
object network OBJ-NET-HOST-82.94.75.164
 host 82.94.75.164
object network OBJ-NET-HOST-82.94.75.165
 host 82.94.75.165
object network OBJ-NET-HOST-82.94.75.166
 host 82.94.75.166
object network OBJ-NET-HOST-10.10.45.10
 host 10.10.45.10
object network OBJ-NET-HOST-10.10.20.10
 host 10.10.20.10
object network 10.10.60.2
 host 10.10.60.2
object-group network OBJ-GRP-NET-RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list ACL-VLAN999-INBOUND remark *** Fritbox - Internetverkeer ***
access-list ACL-VLAN999-INBOUND extended permit icmp any any echo-reply
access-list ACL-VLAN999-INBOUND extended permit icmp any any unreachable
access-list ACL-VLAN999-INBOUND extended permit icmp any any time-exceeded
access-list ACL-VLAN999-INBOUND extended permit icmp any any source-quench
access-list ACL-VLAN999-INBOUND extended permit tcp 193.173.85.0 255.255.255.192 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN999-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN999-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN999-INBOUND extended permit tcp any any range 5000 6000
access-list ACL-VLAN998-INBOUND remark *** Ziggo - Internetverkeer ***
access-list ACL-VLAN998-INBOUND extended permit icmp any any echo-reply
access-list ACL-VLAN998-INBOUND extended permit icmp any any unreachable
access-list ACL-VLAN998-INBOUND extended permit icmp any any time-exceeded
access-list ACL-VLAN998-INBOUND extended permit icmp any any source-quench
access-list ACL-VLAN998-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN998-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN998-INBOUND extended permit ip any any
access-list ACL-VLAN998-INBOUND extended permit tcp any host 10.10.20.10 eq 3389
access-list ACL-VLAN45-INBOUND remark *** RFC1918 ***
access-list ACL-VLAN45-INBOUND extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918
access-list ACL-VLAN45-INBOUND remark *** Internetverkeer ***
access-list ACL-VLAN45-INBOUND extended permit ip any any
access-list ACL-RMAP-VLAN45 extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918
access-list ACL-RMAP-VLAN45 extended permit ip object OBJ-NET-VLAN45 any
access-list ACL-VPN-SPLIT standard permit 10.10.0.0 255.255.0.0
access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any
access-list VlAN997_access_in extended permit ip interface VLAN45 interface VlAN997
pager lines 24
logging enable
logging asdm informational
mtu VLAN999 1500
mtu VLAN998 1500
mtu VLAN1 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN40 1500
mtu VLAN45 1500
mtu VlAN997 1500
mtu MNGT 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (VLAN1,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN30,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN40,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN45,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,VLAN998) source static OBJ-NET-HOST-10.10.20.10 interface service OBJ-SRV-TCP-3389 OBJ-SRV-TCP-3389
nat (VLAN45,VLAN999) source static OBJ-NET-HOST-10.10.45.10 OBJ-NET-HOST-82.94.75.165
nat (VLAN1,VLAN999) source dynamic any interface
nat (VLAN20,VLAN999) source dynamic any interface
nat (VLAN30,VLAN999) source dynamic any interface
nat (VLAN40,VLAN999) source dynamic any interface
nat (VLAN1,VLAN998) source dynamic any interface
nat (VLAN20,VLAN998) source dynamic any interface
nat (VLAN30,VLAN998) source dynamic any interface
nat (VLAN40,VLAN998) source dynamic any interface
nat (VLAN45,VLAN999) source dynamic any interface
nat (VLAN45,VLAN998) source dynamic any interface
access-group ACL-VLAN999-INBOUND in interface VLAN999
access-group ACL-VLAN998-INBOUND in interface VLAN998
access-group ACL-VLAN45-INBOUND in interface VLAN45
access-group VlAN997_access_in in interface VlAN997
!
route-map PBR-ZIGGO1 permit 10
 match ip address ACL-VLAN998-INBOUND
 match interface VLAN998
!
route-map PBR-ZIGGO2 permit 10
 match ip address ACL-PBR-ZIGGO2
 set ip next-hop 212.187.37.1
!
route-map RMAP-Gi1/3.45 permit 10
 match ip address ACL-RMAP-VLAN45
 set ip next-hop verify-availability 82.94.75.161 1 track 10
!
route-map PBR-Telfort permit 10
!
route VLAN999 8.8.4.4 255.255.255.255 192.168.200.1 1
route VLAN998 8.8.8.8 255.255.255.255 192.168.199.1 1
route VLAN999 193.173.85.5 255.255.255.255 192.168.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL auto-enable
http server enable
http 0.0.0.0 0.0.0.0 MNGT
http 0.0.0.0 0.0.0.0 VLAN20
http 0.0.0.0 0.0.0.0 VLAN999
no snmp-server location
no snmp-server contact
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN998
 timeout 300
 threshold 15000
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 8.8.4.4 interface VLAN999
 timeout 300
 threshold 15000
 frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 3
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN999
sla monitor schedule 3 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map VLAN20_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN20_map interface VLAN20
crypto map VLAN30_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN30_map interface VLAN30
crypto map VLAN40_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN40_map interface VLAN40
crypto map VLAN998_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN998_map interface VLAN998
crypto map VLAN45_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.4udomein.com
 subject-name CN=sslvpn.4udomein.com
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate 6bd0bf58
    30820300 308201e8 a0030201 0202046b d0bf5830 0d06092a 864886f7 0d010105
    05003042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65 696e2e63
    6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475 646f6d65
    696e2e63 6f6d301e 170d3137 30333130 30373431 32305a17 0d323730 33303830
    37343132 305a3042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65
    696e2e63 6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475
    646f6d65 696e2e63 6f6d3082 0122300d 06092a86 4886f70d 01010105 00038201
    0f003082 010a0282 010100a1 b2fe7671 f610a388 6d51851c 502093f5 cb5a944b
    6285bb0d 37a01743 532f1914 11494c9e fbdaae6e 2e08cdb0 328cb667 5942d4e6
    cc5e61a5 fb692d38 f4d46f75 2f8227f8 245bc7df a467dc68 7621b0c2 13a36762
    b7bfb486 14272c49 1eb14f1a a307c724 532cfa3d 50c8a646 9cc06d06 3f2efab4
    e10d491b 54fc42cb bee423d0 4e8df04b 6154146e f095ee82 8f41364e c94c7533
    913cc866 79c6a32a 11b13718 895e23cb bc7b3502 ad7e1013 78b34526 cee075c1
    ffd74c4c 9f41299d 9f40207a dfe083b4 717c9853 96090207 6135d21d f0d55558
    c952eda0 15a61b45 f13789d6 47c82828 4cdb6b03 806415d6 8c14157d f85f09c4
    02ebe725 fe9bf345 f407c102 03010001 300d0609 2a864886 f70d0101 05050003
    82010100 03b31914 58eeb2c6 3c23e006 8bd5a4f5 563503d2 03fcd341 8bcf451d
    722a6d78 a57a9808 ad1a282c 77530dd5 24eca366 8455f14d 86e51ed9 426d9790
    a1a274ec 2116ec1b 97506c2f 73fe491c b3706142 b5cba46f 890efa41 dc26053d
    320204e4 2b21b7fc a6a2f521 1fffa05b c37de564 13cc4289 c8043907 b6b9f21c
    0566c173 496a0a1d 5f9fa630 d51d76db 7e88a9d8 8c6aa3b0 29109dc6 d13dd6a5
    01e17d31 5209671e ea139e42 40637c43 dbee0608 670fe6c1 72e73a85 e710bc1a
    9d2f1d6b dded7d12 ffafe1d2 cc097a20 0595a446 a508f613 047250e7 1091bf87
    68c813da 8cdd30d8 96598a1c 1a615f84 a21871a8 f8be0459 5dcfe69f 72a9fcf2
    aadc283f
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable VLAN998 client-services port 443
crypto ikev2 enable VLAN20 client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable VLAN20
crypto ikev1 enable VLAN30
crypto ikev1 enable VLAN40
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 10 rtr 1 reachability
!
track 11 rtr 3 reachability
!
track 20 rtr 2 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 193.173.85.0 255.255.255.192 VLAN999
ssh 193.173.85.0 255.255.255.192 VLAN998
ssh 0.0.0.0 0.0.0.0 VLAN20
ssh 0.0.0.0 0.0.0.0 MNGT
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 15
dhcp-client client-id interface VLAN999
dhcp-client client-id interface VLAN998
dhcp-client client-id interface VlAN997
dhcpd address 10.10.50.200-10.10.50.250 VLAN1
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN1
dhcpd enable VLAN1
!
dhcpd address 10.10.20.200-10.10.20.250 VLAN20
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN20
dhcpd enable VLAN20
!
dhcpd address 10.10.30.200-10.10.30.250 VLAN30
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN30
dhcpd enable VLAN30
!
dhcpd address 10.10.40.200-10.10.40.250 VLAN40
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN40
dhcpd enable VLAN40
!
dhcpd address 10.10.45.200-10.10.45.250 VLAN45
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN45
dhcpd enable VLAN45
!
dhcpd address 10.10.100.200-10.10.100.250 MNGT
dhcpd dns 208.67.222.222 208.67.220.220 interface MNGT
dhcpd enable MNGT
!
ntp server 85.255.214.66 source VLAN999
ssl trust-point localtrust VLAN999
ssl trust-point localtrust VLAN998
ssl trust-point localtrust VLAN20
webvpn
 enable VLAN999
 enable VLAN998
 enable VLAN20
 anyconnect image disk0:/anyconnect-linux64-4.4.01054-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 2
 anyconnect profiles 4uDomein_client_profile disk0:/4uDomein_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy SSLCLient internal
group-policy SSLCLient attributes
 dns-server value 192.168.200.5
 vpn-tunnel-protocol ssl-client
 default-domain value mysite.com
 address-pools value SSLClientPool
group-policy GroupPolicy_4uDomein internal
group-policy GroupPolicy_4uDomein attributes
 wins-server none
 dns-server value 10.10.20.100 10.10.20.101
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-VPN-SPLIT
 default-domain none
 webvpn
  anyconnect profiles value 4uDomein_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username Dave password L4o29iC9zK9nTS7P encrypted privilege 15
username Dave attributes
 service-type admin
username Davevpn password leb4YKzqGcsujPoJ encrypted privilege 15
username vlietd password Q101T2coMJVYHrL6 encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLCLient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
tunnel-group 4uDomein type remote-access
tunnel-group 4uDomein general-attributes
 address-pool SSLClientPool
 default-group-policy GroupPolicy_4uDomein
tunnel-group 4uDomein webvpn-attributes
 group-alias 4uDomein enable
tunnel-group 4uDomein ipsec-attributes
 ikev1 trust-point localtrust
!
class-map inspection_default
 match default-inspection-traffic
class-map CMAP-DEFAULT
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map PMAP-GLOBAL
 class CMAP-DEFAULT
  inspect http
  inspect ftp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:3c559b8068d83a3e7f3c8077dc410dee
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
06-25-2018 12:50 PM
Which NAT did you remove? Good that everything works now.
07-06-2018 02:03 PM
06-23-2018 07:24 PM
06-24-2018 01:12 AM
Thank you, Francesco.
Had not thought about that yet; I will give it a try, but I have never done something like this. So I will give it a try.
It is Sunday, so a nice day to do things and have nobody around.
I will let you know, and thanks for the offer to help.
06-24-2018 02:44 AM
I did it completely step by step like in https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/route-policy-based.pdf but all traffic still goes through VLAN999.
Here is the config as it is now; it seems I need a little help...
: Saved : : Serial Number: JAD2042014S : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.6(1) ! hostname ASA5506 enable password 8Ry2YjIyt7RRXU24 encrypted xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain passwd hVxRMGvjmxCeVxgf encrypted names ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0 ! interface GigabitEthernet1/1 description *** Ziggo2 *** mac-address aaaa.bbbb.cccc nameif VLAN999 security-level 0 ip address dhcp setroute ipv6 enable ! interface GigabitEthernet1/2 description *** Ziggo1 *** mac-address aaaa.bbbb.cccc nameif VLAN998 security-level 2 ip address dhcp setroute policy-route route-map PBR-ZIGGO1 ! interface GigabitEthernet1/3 no nameif no security-level no ip address ! interface GigabitEthernet1/3.1 description *** Management *** vlan 1 nameif VLAN1 security-level 25 ip address 10.10.50.2 255.255.255.0 ! interface GigabitEthernet1/3.20 description *** Office *** vlan 20 nameif VLAN20 security-level 0 ip address 10.10.20.2 255.255.255.0 policy-route route-map PBR-ZIGGO2 ipv6 enable ! interface GigabitEthernet1/3.30 description *** Wi-Fi *** vlan 30 nameif VLAN30 security-level 0 ip address 10.10.30.2 255.255.255.0 policy-route route-map PBR-ZIGGO2 ! interface GigabitEthernet1/3.40 description *** Printer *** vlan 40 nameif VLAN40 security-level 1 ip address 10.10.40.2 255.255.255.0 ! interface GigabitEthernet1/3.45 description *** Server *** vlan 45 nameif VLAN45 security-level 2 ip address 10.10.45.2 255.255.255.0 policy-route route-map RMAP-Gi1/3.45 ! interface GigabitEthernet1/4 shutdown no nameif no security-level no ip address ! 
interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 description ***Telfort*** mac-address aaaa.bbbb.cccc nameif VlAN997 security-level 1 ip address 10.10.60.2 255.255.255.0 policy-route route-map PBR-Telfort ! interface Management1/1 description *** ASA Management *** management-only nameif MNGT security-level 100 ip address 10.10.100.2 255.255.255.0 ! banner motd ************************************************************************ banner motd * Unauthorized access is prohibited * banner motd ************************************************************************ banner motd * This system is to be used only by specifically authorized personnel. * banner motd * Any unauthorized use of the system is unlawful, and may be subject * banner motd * to civil and/or criminal penalties. * banner motd * * banner motd * Any use of the system may be logged or monitored without further * banner motd * notice and resulting logs may be used as evidence in court. 
* banner motd ************************************************************************ ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network OBJ-NET-VLAN1 subnet 10.10.50.0 255.255.255.0 object network OBJ-NET-VLAN20 subnet 10.10.20.0 255.255.255.0 object network OBJ-NET-VLAN30 subnet 10.10.30.0 255.255.255.0 object network OBJ-NET-VLAN40 subnet 10.10.40.0 255.255.255.0 object network OBJ-NET-VLAN45 subnet 10.10.45.0 255.255.255.0 object network NETWORK_OBJ_192.168.100.0_26 subnet 192.168.100.0 255.255.255.192 object network OBJ-NET-HOST-10.10.20.105 host 10.10.20.105 object service OBJ-SRV-TCP-3389 service tcp source eq 3389 object service OBJ-SRV-TCP-5000_6000 service tcp source range 5000 6000 object network OBJ-NET-HOST-82.94.75.162 host 82.94.75.162 object network OBJ-NET-HOST-82.94.75.163 host 82.94.75.163 object network OBJ-NET-HOST-82.94.75.164 host 82.94.75.164 object network OBJ-NET-HOST-82.94.75.165 host 82.94.75.165 object network OBJ-NET-HOST-82.94.75.166 host 82.94.75.166 object network OBJ-NET-HOST-10.10.45.10 host 10.10.45.10 object network OBJ-NET-HOST-10.10.20.10 host 10.10.20.10 object network 10.10.60.2 host 10.10.60.2 object network VLAN997 host 8.8.4.4 description VLAN997 object-group network OBJ-GRP-NET-RFC1918 network-object 10.0.0.0 255.0.0.0 network-object 172.16.0.0 255.240.0.0 network-object 192.168.0.0 255.255.0.0 access-list ACL-VLAN999-INBOUND remark *** Fritbox - Internetverkeer *** access-list ACL-VLAN999-INBOUND extended permit icmp any any echo-reply access-list ACL-VLAN999-INBOUND extended permit icmp any any unreachable access-list ACL-VLAN999-INBOUND extended permit icmp any any time-exceeded access-list ACL-VLAN999-INBOUND extended permit icmp any any source-quench access-list ACL-VLAN999-INBOUND extended permit tcp 193.173.85.0 255.255.255.192 object 
OBJ-NET-HOST-10.10.45.10 eq 3389 access-list ACL-VLAN999-INBOUND remark Trans_ip Rdp access-list ACL-VLAN999-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389 access-list ACL-VLAN999-INBOUND extended permit tcp any any range 5000 6000 access-list ACL-VLAN998-INBOUND remark *** Ziggo - Internetverkeer *** access-list ACL-VLAN998-INBOUND extended permit icmp any any echo-reply access-list ACL-VLAN998-INBOUND extended permit icmp any any unreachable access-list ACL-VLAN998-INBOUND extended permit icmp any any time-exceeded access-list ACL-VLAN998-INBOUND extended permit icmp any any source-quench access-list ACL-VLAN998-INBOUND remark Trans_ip Rdp access-list ACL-VLAN998-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389 access-list ACL-VLAN998-INBOUND extended permit ip any any access-list ACL-VLAN998-INBOUND extended permit tcp any host 10.10.20.10 eq 3389 access-list ACL-VLAN45-INBOUND remark *** RFC1918 *** access-list ACL-VLAN45-INBOUND extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918 access-list ACL-VLAN45-INBOUND remark *** Internetverkeer *** access-list ACL-VLAN45-INBOUND extended permit ip any interface VLAN998 access-list ACL-RMAP-VLAN45 extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918 access-list ACL-RMAP-VLAN45 extended permit ip object OBJ-NET-VLAN45 any access-list ACL-VPN-SPLIT standard permit 10.10.0.0 255.255.0.0 access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any access-list VlAN997_access_in extended permit icmp interface VLAN45 interface VlAN997 echo-reply access-list VLAN40_access_in remark *** Internetverkeer telfort *** access-list VLAN40_access_in extended permit ip any interface VlAN997 pager lines 24 logging enable logging asdm informational mtu VLAN999 1500 mtu VLAN998 1500 mtu VLAN1 1500 mtu VLAN20 1500 mtu VLAN30 1500 mtu VLAN40 1500 mtu VLAN45 1500 mtu VlAN997 1500 mtu MNGT 1500 icmp unreachable 
rate-limit 1 burst-size 1 asdm image disk0:/asdm-761.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (VLAN1,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup nat (VLAN20,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup nat (VLAN30,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup nat (VLAN40,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup nat (VLAN45,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup nat (VLAN20,VLAN998) source static OBJ-NET-HOST-10.10.20.10 interface service OBJ-SRV-TCP-3389 OBJ-SRV-TCP-3389 nat (VLAN45,VLAN999) source static OBJ-NET-HOST-10.10.45.10 OBJ-NET-HOST-82.94.75.165 nat (VLAN1,VLAN999) source dynamic any interface nat (VLAN20,VLAN999) source dynamic any interface nat (VLAN30,VLAN999) source dynamic any interface nat (VLAN40,VLAN999) source dynamic any interface nat (VLAN1,VLAN998) source dynamic any interface nat (VLAN20,VLAN998) source dynamic any interface nat (VLAN30,VLAN998) source dynamic any interface nat (VLAN40,VLAN998) source dynamic any interface nat (VLAN45,VLAN999) source dynamic any interface nat (VLAN45,VLAN998) source dynamic any interface nat (VlAN997,VLAN40) source static VLAN997 VLAN997 nat (VLAN998,VLAN45) source static any any access-group ACL-VLAN999-INBOUND in interface VLAN999 access-group ACL-VLAN998-INBOUND in interface VLAN998 access-group VLAN40_access_in in interface VLAN40 access-group ACL-VLAN45-INBOUND in interface VLAN45 access-group VlAN997_access_in in interface VlAN997 ! 
route-map PBR-ZIGGO1 permit 10 match ip address ACL-VLAN998-INBOUND match interface VLAN998 set ip next-hop 212.187.37.1 ! route-map PBR-ZIGGO2 permit 10 match ip address ACL-PBR-ZIGGO2 set ip next-hop 212.187.37.1 ! route-map RMAP-Gi1/3.45 permit 10 match ip address ACL-RMAP-VLAN45 set ip next-hop verify-availability 82.94.75.161 1 track 10 ! route-map PBR-Telfort permit 10 match ip address VlAN997_access_in match interface VlAN997 set ip next-hop 212.187.37.1 ! route VLAN999 8.8.4.4 255.255.255.255 192.168.200.1 1 route VLAN998 8.8.8.8 255.255.255.255 192.168.199.1 1 route VlAN997 193.173.85.4 255.255.255.255 192.168.200.1 1 route VLAN999 193.173.85.5 255.255.255.255 192.168.200.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 user-identity default-domain LOCAL aaa authentication telnet console LOCAL aaa authentication ssh console LOCAL aaa authentication http console LOCAL aaa authentication serial console LOCAL aaa authentication enable console LOCAL aaa authorization exec LOCAL auto-enable http server enable http 0.0.0.0 0.0.0.0 MNGT http 0.0.0.0 0.0.0.0 VLAN20 http 0.0.0.0 0.0.0.0 VLAN999 no snmp-server location no snmp-server contact sla monitor 1 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN998 timeout 300 threshold 15000 frequency 5 sla monitor schedule 1 life forever start-time now sla monitor 2 type echo protocol ipIcmpEcho 8.8.4.4 interface VLAN999 timeout 300 threshold 15000 frequency 5 sla monitor schedule 2 life forever start-time now sla monitor 3 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN999 sla monitor schedule 3 life forever start-time now service sw-reset-button 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map VLAN20_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN20_map interface VLAN20
crypto map VLAN30_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN30_map interface VLAN30
crypto map VLAN40_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN40_map interface VLAN40
crypto map VLAN998_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN998_map interface VLAN998
crypto map VLAN45_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.4udomein.com
 subject-name CN=sslvpn.4udomein.com
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate 6bd0bf58
    30820300 308201e8 a0030201 0202046b d0bf5830 0d06092a 864886f7 0d010105
    05003042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65 696e2e63
    6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475 646f6d65
    696e2e63 6f6d301e 170d3137 30333130 30373431 32305a17 0d323730 33303830
    37343132 305a3042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65
    696e2e63 6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475
    646f6d65 696e2e63 6f6d3082 0122300d 06092a86 4886f70d 01010105 00038201
    0f003082 010a0282 010100a1 b2fe7671 f610a388 6d51851c 502093f5 cb5a944b
    6285bb0d 37a01743 532f1914 11494c9e fbdaae6e 2e08cdb0 328cb667 5942d4e6
    cc5e61a5 fb692d38 f4d46f75 2f8227f8 245bc7df a467dc68 7621b0c2 13a36762
    b7bfb486 14272c49 1eb14f1a a307c724 532cfa3d 50c8a646 9cc06d06 3f2efab4
    e10d491b 54fc42cb bee423d0 4e8df04b 6154146e f095ee82 8f41364e c94c7533
    913cc866 79c6a32a 11b13718 895e23cb bc7b3502 ad7e1013 78b34526 cee075c1
    ffd74c4c 9f41299d 9f40207a dfe083b4 717c9853 96090207 6135d21d f0d55558
    c952eda0 15a61b45 f13789d6 47c82828 4cdb6b03 806415d6 8c14157d f85f09c4
    02ebe725 fe9bf345 f407c102 03010001 300d0609 2a864886 f70d0101 05050003
    82010100 03b31914 58eeb2c6 3c23e006 8bd5a4f5 563503d2 03fcd341 8bcf451d
    722a6d78 a57a9808 ad1a282c 77530dd5 24eca366 8455f14d 86e51ed9 426d9790
    a1a274ec 2116ec1b 97506c2f 73fe491c b3706142 b5cba46f 890efa41 dc26053d
    320204e4 2b21b7fc a6a2f521 1fffa05b c37de564 13cc4289 c8043907 b6b9f21c
    0566c173 496a0a1d 5f9fa630 d51d76db 7e88a9d8 8c6aa3b0 29109dc6 d13dd6a5
    01e17d31 5209671e ea139e42 40637c43 dbee0608 670fe6c1 72e73a85 e710bc1a
    9d2f1d6b dded7d12 ffafe1d2 cc097a20 0595a446 a508f613 047250e7 1091bf87
    68c813da 8cdd30d8 96598a1c 1a615f84 a21871a8 f8be0459 5dcfe69f 72a9fcf2
    aadc283f
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable VLAN998 client-services port 443
crypto ikev2 enable VLAN20 client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable VLAN20
crypto ikev1 enable VLAN30
crypto ikev1 enable VLAN40
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 10 rtr 1 reachability
!
track 11 rtr 3 reachability
!
track 20 rtr 2 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 193.173.85.0 255.255.255.192 VLAN999
ssh 193.173.85.0 255.255.255.192 VLAN998
ssh 0.0.0.0 0.0.0.0 VLAN20
ssh 0.0.0.0 0.0.0.0 MNGT
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 15
dhcp-client client-id interface VLAN999
dhcp-client client-id interface VLAN998
dhcpd address 10.10.50.200-10.10.50.250 VLAN1
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN1
dhcpd enable VLAN1
!
dhcpd address 10.10.20.200-10.10.20.250 VLAN20
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN20
dhcpd enable VLAN20
!
dhcpd address 10.10.30.200-10.10.30.250 VLAN30
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN30
dhcpd enable VLAN30
!
dhcpd address 10.10.40.200-10.10.40.250 VLAN40
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN40
dhcpd enable VLAN40
!
dhcpd address 10.10.45.200-10.10.45.250 VLAN45
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN45
dhcpd enable VLAN45
!
dhcpd address 10.10.100.200-10.10.100.250 MNGT
dhcpd dns 208.67.222.222 208.67.220.220 interface MNGT
dhcpd enable MNGT
!
ntp server 85.255.214.66 source VLAN999
ssl trust-point localtrust VLAN999
ssl trust-point localtrust VLAN998
ssl trust-point localtrust VLAN20
webvpn
 enable VLAN999
 enable VLAN998
 enable VLAN20
 anyconnect image disk0:/anyconnect-linux64-4.4.01054-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 2
 anyconnect profiles 4uDomein_client_profile disk0:/4uDomein_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy SSLCLient internal
group-policy SSLCLient attributes
 dns-server value 192.168.200.5
 vpn-tunnel-protocol ssl-client
 default-domain value mysite.com
 address-pools value SSLClientPool
group-policy GroupPolicy_4uDomein internal
group-policy GroupPolicy_4uDomein attributes
 wins-server none
 dns-server value 10.10.20.100 10.10.20.101
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-VPN-SPLIT
 default-domain none
 webvpn
  anyconnect profiles value 4uDomein_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username Dave password L4o29iC9zK9nTS7P encrypted privilege 15
username Dave attributes
 service-type admin
username Davevpn password leb4YKzqGcsujPoJ encrypted privilege 15
username vlietd password Q101T2coMJVYHrL6 encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLCLient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
tunnel-group 4uDomein type remote-access
tunnel-group 4uDomein general-attributes
 address-pool SSLClientPool
 default-group-policy GroupPolicy_4uDomein
tunnel-group 4uDomein webvpn-attributes
 group-alias 4uDomein enable
tunnel-group 4uDomein ipsec-attributes
 ikev1 trust-point localtrust
!
class-map inspection_default
 match default-inspection-traffic
class-map CMAP-DEFAULT
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map PMAP-GLOBAL
 class CMAP-DEFAULT
  inspect http
  inspect ftp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:2d3844e5552933eb811eb2e0798e1a5b
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
06-24-2018 04:03 PM
You were talking about vlan 997, 998 and 999 as wan interfaces but in your config I don't see 997.
Also you need to assign PBR on your inside interfaces and not outside. You've assigned PBR to vlan 998, which is a WAN if I understood your design correctly.
I'm not home right now and can't do a full config through my iPhone, but let me give you an example:
Let's assume your next hops (ISP router IPs) for your WAN interfaces are as below:
- vlan 997: 1.1.1.1
- vlan 998: 2.2.2.2
- vlan 999: 3.3.3.3
Let's say your vlan 30 10.10.30.0/24 needs to go through vlan 997 when reaching Google IP 8.8.8.8 and vlan 999 for all others. The config would be:
access-list test-google extended permit ip 10.10.30.0 255.255.255.0 host 8.8.8.8
!
route-map PBR-VL30 permit 10
 match ip address test-google
 set ip next-hop 1.1.1.1
route-map PBR-VL30 permit 20
 set ip next-hop 3.3.3.3
!
interface GigabitEthernet1/3.30
 policy-route route-map PBR-VL30
If you don't want to filter based on source and destination for PBR, you can use a standard ACL; the subnets/IPs you configure in that standard ACL will be used as a destination filter only.
Hope this helps to understand how PBR works.
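To make the PBR semantics in this reply concrete, here is an added example (my own code, written for this thread; it is not ASA code and not something the poster supplied). It parses the reply's ACL, route-map and policy-route lines and answers which next hop a packet gets: sequences are tried in order, a sequence with no match clause matches everything, and a deny sequence or no match at all falls back to normal routing-table forwarding. The config text is constructed from the reply's sample values (PBR-VL30, test-google, 1.1.1.1 and 3.3.3.3); the extra GigabitEthernet1/2 interface with no policy-route is an assumption added to show the point about binding PBR to the inside (ingress) interface rather than the WAN side.

```python
"""Toy model of ASA policy-based routing for the reply's sample config.

Added example, not the ASA's own code. It handles only the syntax used in the
reply: extended ACLs with 'any', 'host A' and 'A MASK' address specs, route-map
sequences with 'match ip address' and 'set ip next-hop', and the
'policy-route route-map' binding on an interface.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the reply's own lines, plus an assumed WAN interface
# (GigabitEthernet1/2) that carries no policy-route.
SAMPLE_CONFIG = """\
access-list test-google extended permit ip 10.10.30.0 255.255.255.0 host 8.8.8.8
!
route-map PBR-VL30 permit 10
 match ip address test-google
 set ip next-hop 1.1.1.1
route-map PBR-VL30 permit 20
 set ip next-hop 3.3.3.3
!
interface GigabitEthernet1/3.30
 policy-route route-map PBR-VL30
interface GigabitEthernet1/2
 nameif VLAN998
"""


@dataclass
class Ace:
    action: str                     # permit / deny
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Seq:
    action: str                     # permit / deny
    acl: Optional[str] = None       # 'match ip address <acl>'; None matches everything
    next_hop: Optional[str] = None  # 'set ip next-hop <ip>'


@dataclass
class Config:
    acls: Dict[str, List[Ace]] = field(default_factory=lambda: defaultdict(list))
    route_maps: Dict[str, List[Tuple[int, Seq]]] = field(default_factory=lambda: defaultdict(list))
    pbr_by_iface: Dict[str, str] = field(default_factory=dict)


def _network(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read one ACL address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse(text: str) -> Config:
    cfg = Config()
    cur_seq: Optional[Seq] = None
    cur_iface: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "access-list" and tok[2] == "extended":
            # access-list NAME extended permit|deny ip SRC DST
            src, i = _network(tok, 5)
            dst, _ = _network(tok, i)
            cfg.acls[tok[1]].append(Ace(tok[3], src, dst))
        elif tok[0] == "route-map":
            cur_seq, cur_iface = Seq(tok[2]), None
            cfg.route_maps[tok[1]].append((int(tok[3]), cur_seq))
        elif tok[0] == "interface":
            cur_iface, cur_seq = tok[1], None
        elif tok[:3] == ["match", "ip", "address"] and cur_seq:
            cur_seq.acl = tok[3]
        elif tok[:3] == ["set", "ip", "next-hop"] and cur_seq:
            cur_seq.next_hop = tok[3]
        elif tok[:2] == ["policy-route", "route-map"] and cur_iface:
            cfg.pbr_by_iface[cur_iface] = tok[2]
    return cfg


def acl_permits(cfg: Config, acl: str, src: str, dst: str) -> bool:
    """First-match evaluation of an extended ACL; an unmatched packet is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg.acls.get(acl, []):
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def next_hop(cfg: Config, ingress: str, src: str, dst: str) -> Optional[str]:
    """Next hop chosen by PBR for a packet entering on 'ingress'.

    None means normal routing-table forwarding: no policy on that interface,
    a deny sequence matched, or no sequence matched at all.
    """
    rmap = cfg.pbr_by_iface.get(ingress)
    if rmap is None:
        return None
    for _, seq in sorted(cfg.route_maps.get(rmap, []), key=lambda t: t[0]):
        if seq.acl is None or acl_permits(cfg, seq.acl, src, dst):
            return seq.next_hop if seq.action == "permit" else None
    return None


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for iface, s, d in [("GigabitEthernet1/3.30", "10.10.30.50", "8.8.8.8"),
                        ("GigabitEthernet1/3.30", "10.10.30.50", "1.0.0.1"),
                        ("GigabitEthernet1/2", "10.10.30.50", "8.8.8.8")]:
        print(f"{iface:22} {s} -> {d}: next hop {next_hop(cfg, iface, s, d)}")
```

Running it shows the three cases the reply describes: a VLAN 30 host reaching 8.8.8.8 gets 1.1.1.1 from sequence 10, any other destination falls through to sequence 20 and gets 3.3.3.3, and the same packet seen on the assumed WAN interface gets no policy at all because nothing is bound there.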
06-25-2018 12:12 AM
Hello Again
Yesterday I did some reading about this topic and yes, you were right that you didn't see 997 because I set it back with a backup config.
All traffic still goes on VLAN999.
My trouble is a bit that I know enough, but on this topic just not enough, I think.
In the past there was a Cisco guru that did it and it was click click and 3 minutes later you had it done.
Pity he does not work here any more.
So I have to manage it by myself and think there is a lot on the ASA that is from the past and maybe that is in the way.
But I'm a bit scared to set it back to default to start clean.
There are always ghosts from yesterday's past that spook you then, you know what I mean.
My config now; I already did it like you said yesterday, but still all internet traffic from all VLANs goes through VLAN999.
Saved
:
: Serial Number: JAD2042014S
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ASA5506
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd hVxRMGvjmxCeVxgf encrypted
names
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description *** Ziggo2 ***
 mac-address aaaa.bbbb.cccc
 nameif VLAN999
 security-level 0
 ip address dhcp setroute
 ipv6 enable
!
interface GigabitEthernet1/2
 description *** Ziggo1 ***
 nameif VLAN998
 security-level 75
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3.1
 description *** Management ***
 vlan 1
 nameif VLAN1
 security-level 25
 ip address 10.10.50.2 255.255.255.0
!
interface GigabitEthernet1/3.20
 description *** Office ***
 vlan 20
 nameif VLAN20
 security-level 0
 ip address 10.10.20.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
 ipv6 enable
!
interface GigabitEthernet1/3.30
 description *** Wi-Fi ***
 vlan 30
 nameif VLAN30
 security-level 0
 ip address 10.10.30.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
!
interface GigabitEthernet1/3.40
 description *** Printer ***
 vlan 40
 nameif VLAN40
 security-level 50
 ip address 10.10.40.2 255.255.255.0
 policy-route route-map PBR-VLAN40
!
interface GigabitEthernet1/3.45
 description *** Server ***
 vlan 45
 nameif VLAN45
 security-level 75
 ip address 10.10.45.2 255.255.255.0
 policy-route route-map PBR-VLAN45
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 description ***Telfort***
 nameif VlAN997
 security-level 50
 ip address 10.10.60.2 255.255.255.0
 policy-route route-map PBR-TELFORT
!
interface Management1/1
 description *** ASA Management ***
 management-only
 nameif MNGT
 security-level 100
 ip address 10.10.100.2 255.255.255.0
!
banner motd ************************************************************************
banner motd * Unauthorized access is prohibited *
banner motd ************************************************************************
banner motd * This system is to be used only by specifically authorized personnel. *
banner motd * Any unauthorized use of the system is unlawful, and may be subject *
banner motd * to civil and/or criminal penalties. *
banner motd * *
banner motd * Any use of the system may be logged or monitored without further *
banner motd * notice and resulting logs may be used as evidence in court. *
banner motd ************************************************************************
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ-NET-VLAN1
 subnet 10.10.50.0 255.255.255.0
object network OBJ-NET-VLAN20
 subnet 10.10.20.0 255.255.255.0
object network OBJ-NET-VLAN30
 subnet 10.10.30.0 255.255.255.0
object network OBJ-NET-VLAN40
 subnet 10.10.40.0 255.255.255.0
object network OBJ-NET-VLAN45
 subnet 10.10.45.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_26
 subnet 192.168.100.0 255.255.255.192
object network OBJ-NET-HOST-10.10.20.105
 host 10.10.20.105
object service OBJ-SRV-TCP-3389
 service tcp source eq 3389
object service OBJ-SRV-TCP-5000_6000
 service tcp source range 5000 6000
object network OBJ-NET-HOST-82.94.75.162
 host 82.94.75.162
object network OBJ-NET-HOST-82.94.75.163
 host 82.94.75.163
object network OBJ-NET-HOST-82.94.75.164
 host 82.94.75.164
object network OBJ-NET-HOST-82.94.75.165
 host 82.94.75.165
object network OBJ-NET-HOST-82.94.75.166
 host 82.94.75.166
object network OBJ-NET-HOST-10.10.45.10
 host 10.10.45.10
object network OBJ-NET-HOST-10.10.20.10
 host 10.10.20.10
object network VLAN997
 host 192.168.2.2
 description VLAN997
object-group network OBJ-GRP-NET-RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list ACL-VLAN999-INBOUND remark *** Fritbox - Internetverkeer ***
access-list ACL-VLAN999-INBOUND extended permit icmp any any echo-reply
access-list ACL-VLAN999-INBOUND extended permit icmp any any unreachable
access-list ACL-VLAN999-INBOUND extended permit icmp any any time-exceeded
access-list ACL-VLAN999-INBOUND extended permit icmp any any source-quench
access-list ACL-VLAN999-INBOUND extended permit tcp 193.173.85.0 255.255.255.192 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN999-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN999-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN999-INBOUND extended permit tcp any any range 5000 6000
access-list ACL-VLAN998-INBOUND remark *** Ziggo - Internetverkeer ***
access-list ACL-VLAN998-INBOUND extended permit icmp any any echo-reply
access-list ACL-VLAN998-INBOUND extended permit icmp any any unreachable
access-list ACL-VLAN998-INBOUND extended permit icmp any any time-exceeded
access-list ACL-VLAN998-INBOUND extended permit icmp any any source-quench
access-list ACL-VLAN998-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN998-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN998-INBOUND extended permit ip any any
access-list ACL-VLAN998-INBOUND extended permit tcp any host 10.10.20.10 eq 3389
access-list ACL-VLAN45-INBOUND remark *** RFC1918 ***
access-list ACL-VLAN45-INBOUND extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918
access-list ACL-VLAN45-INBOUND remark *** Internetverkeer ***
access-list ACL-VLAN45-INBOUND extended permit ip any any
access-list ACL-RMAP-VLAN45 extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918
access-list ACL-RMAP-VLAN45 extended permit ip object OBJ-NET-VLAN45 any
access-list ACL-VPN-SPLIT standard permit 10.10.0.0 255.255.0.0
access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any
access-list ACL-PBR-TELFORT extended permit ip 10.10.40.0 255.255.255.0 any
access-list ACL-PBR-ZIGGO1 extended permit ip 10.10.45.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu VLAN999 1500
mtu VLAN998 1500
mtu VLAN1 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN40 1500
mtu VLAN45 1500
mtu VlAN997 1500
mtu MNGT 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (VLAN1,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN30,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN40,VlAN997) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN45,VLAN998) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,VLAN998) source static OBJ-NET-HOST-10.10.20.10 interface service OBJ-SRV-TCP-3389 OBJ-SRV-TCP-3389
nat (VLAN45,VLAN998) source static OBJ-NET-HOST-10.10.45.10 OBJ-NET-HOST-82.94.75.165
nat (VLAN1,VLAN999) source dynamic any interface
nat (VLAN20,VLAN999) source dynamic any interface
nat (VLAN30,VLAN999) source dynamic any interface
nat (VLAN40,VLAN999) source dynamic any interface
nat (VLAN1,VLAN998) source dynamic any interface
nat (VLAN20,VLAN998) source dynamic any interface
nat (VLAN30,VLAN998) source dynamic any interface
nat (VLAN40,VLAN998) source dynamic any interface
nat (VLAN45,VLAN999) source dynamic any interface
nat (VLAN45,VLAN998) source dynamic any interface
access-group ACL-VLAN999-INBOUND in interface VLAN999
access-group ACL-VLAN998-INBOUND in interface VLAN998
access-group ACL-VLAN45-INBOUND in interface VLAN45
!
route-map PBR-ZIGGO1 permit 10
 match ip address ACL-PBR-ZIGGO1
 set ip next-hop 212.187.37.1
!
route-map PBR-ZIGGO2 permit 10
 match ip address ACL-PBR-ZIGGO2
 set ip next-hop 212.187.37.1
!
route-map RMAP-Gi1/3.45 permit 10
 match ip address ACL-RMAP-VLAN45
 set ip next-hop verify-availability 82.94.75.161 1 track 10
!
route-map PBR-TELFORT permit 10
 match ip address ACL-PBR-TELFORT
 match interface VlAN997
 set ip next-hop verify-availability 10.10.60.1 10 track 1
 set ip next-hop 10.10.60.1
!
route-map PBR-VLAN45 permit 10
 match interface VlAN997
!
route-map PBR-VLAN30 permit 10
 match ip address ACL-PBR-ZIGGO1
 match interface VLAN998
 set ip next-hop 212.187.37.1
!
route-map PBR-VLAN40 permit 10
 match ip address ACL-PBR-TELFORT
 match interface VlAN997
 set ip next-hop 10.10.60.1
!
route VLAN999 8.8.4.4 255.255.255.255 192.168.200.1 1
route VLAN998 8.8.8.8 255.255.255.255 192.168.199.1 1
route VlAN997 192.168.2.2 255.255.255.255 192.168.200.1 1
route VLAN998 193.173.85.0 255.255.255.192 192.168.200.1 1
route VLAN999 193.173.85.5 255.255.255.255 192.168.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL auto-enable
http server enable
http 0.0.0.0 0.0.0.0 MNGT
http 0.0.0.0 0.0.0.0 VLAN20
http 0.0.0.0 0.0.0.0 VLAN999
no snmp-server location
no snmp-server contact
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN998
 timeout 300
 threshold 15000
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 8.8.4.4 interface VLAN999
 timeout 300
 threshold 15000
 frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 3
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN999
sla monitor schedule 3 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map VLAN20_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN20_map interface VLAN20
crypto map VLAN30_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN30_map interface VLAN30
crypto map VLAN40_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN40_map interface VLAN40
crypto map VLAN998_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN998_map interface VLAN998
crypto map VLAN45_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.4udomein.com
 subject-name CN=sslvpn.4udomein.com
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate 6bd0bf58
    30820300 308201e8 a0030201 0202046b d0bf5830 0d06092a 864886f7 0d010105
    05003042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65 696e2e63
    6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475 646f6d65
    696e2e63 6f6d301e 170d3137 30333130 30373431 32305a17 0d323730 33303830
    37343132 305a3042 311c301a 06035504 03131373 736c7670 6e2e3475 646f6d65
    696e2e63 6f6d3122 30200609 2a864886 f70d0109 02161373 736c7670 6e2e3475
    646f6d65 696e2e63 6f6d3082 0122300d 06092a86 4886f70d 01010105 00038201
    0f003082 010a0282 010100a1 b2fe7671 f610a388 6d51851c 502093f5 cb5a944b
    6285bb0d 37a01743 532f1914 11494c9e fbdaae6e 2e08cdb0 328cb667 5942d4e6
    cc5e61a5 fb692d38 f4d46f75 2f8227f8 245bc7df a467dc68 7621b0c2 13a36762
    b7bfb486 14272c49 1eb14f1a a307c724 532cfa3d 50c8a646 9cc06d06 3f2efab4
    e10d491b 54fc42cb bee423d0 4e8df04b 6154146e f095ee82 8f41364e c94c7533
    913cc866 79c6a32a 11b13718 895e23cb bc7b3502 ad7e1013 78b34526 cee075c1
    ffd74c4c 9f41299d 9f40207a dfe083b4 717c9853 96090207 6135d21d f0d55558
    c952eda0 15a61b45 f13789d6 47c82828 4cdb6b03 806415d6 8c14157d f85f09c4
    02ebe725 fe9bf345 f407c102 03010001 300d0609 2a864886 f70d0101 05050003
    82010100 03b31914 58eeb2c6 3c23e006 8bd5a4f5 563503d2 03fcd341 8bcf451d
    722a6d78 a57a9808 ad1a282c 77530dd5 24eca366 8455f14d 86e51ed9 426d9790
    a1a274ec 2116ec1b 97506c2f 73fe491c b3706142 b5cba46f 890efa41 dc26053d
    320204e4 2b21b7fc a6a2f521 1fffa05b c37de564 13cc4289 c8043907 b6b9f21c
    0566c173 496a0a1d 5f9fa630 d51d76db 7e88a9d8 8c6aa3b0 29109dc6 d13dd6a5
    01e17d31 5209671e ea139e42 40637c43 dbee0608 670fe6c1 72e73a85 e710bc1a
    9d2f1d6b dded7d12 ffafe1d2 cc097a20 0595a446 a508f613 047250e7 1091bf87
    68c813da 8cdd30d8 96598a1c 1a615f84 a21871a8 f8be0459 5dcfe69f 72a9fcf2
    aadc283f
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable VLAN998 client-services port 443
crypto ikev2 enable VLAN20 client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable VLAN20
crypto ikev1 enable VLAN30
crypto ikev1 enable VLAN40
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 10 rtr 1 reachability
!
track 11 rtr 3 reachability
!
track 20 rtr 2 reachability
telnet 0.0.0.0 0.0.0.0 VlAN997
telnet timeout 5
ssh stricthostkeycheck
ssh 193.173.85.0 255.255.255.192 VLAN999
ssh 193.173.85.0 255.255.255.192 VLAN998
ssh 0.0.0.0 0.0.0.0 VLAN20
ssh 0.0.0.0 0.0.0.0 MNGT
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 15
dhcp-client client-id interface VLAN999
dhcp-client client-id interface VLAN998
dhcpd address 10.10.50.200-10.10.50.250 VLAN1
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN1
dhcpd enable VLAN1
!
dhcpd address 10.10.20.200-10.10.20.250 VLAN20
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN20
dhcpd enable VLAN20
!
dhcpd address 10.10.30.200-10.10.30.250 VLAN30
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN30
dhcpd enable VLAN30
!
dhcpd address 10.10.40.200-10.10.40.250 VLAN40
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN40
dhcpd enable VLAN40
!
dhcpd address 10.10.45.200-10.10.45.250 VLAN45
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN45
dhcpd enable VLAN45
!
dhcpd address 10.10.100.200-10.10.100.250 MNGT
dhcpd dns 208.67.222.222 208.67.220.220 interface MNGT
dhcpd enable MNGT
!
ntp server 85.255.214.66 source VLAN999
ssl trust-point localtrust VLAN999
ssl trust-point localtrust VLAN998
ssl trust-point localtrust VLAN20
webvpn
 enable VLAN999
 enable VLAN998
 enable VLAN20
 anyconnect image disk0:/anyconnect-linux64-4.4.01054-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 2
 anyconnect profiles 4uDomein_client_profile disk0:/4uDomein_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy SSLCLient internal
group-policy SSLCLient attributes
 dns-server value 192.168.200.5
 vpn-tunnel-protocol ssl-client
 default-domain value mysite.com
 address-pools value SSLClientPool
group-policy GroupPolicy_4uDomein internal
group-policy GroupPolicy_4uDomein attributes
 wins-server none
 dns-server value 10.10.20.100 10.10.20.101
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-VPN-SPLIT
 default-domain none
 webvpn
  anyconnect profiles value 4uDomein_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username Dave password L4o29iC9zK9nTS7P encrypted privilege 15
username Dave attributes
 service-type admin
username Davevpn password leb4YKzqGcsujPoJ encrypted privilege 15
username vlietd password Q101T2coMJVYHrL6 encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLCLient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
tunnel-group 4uDomein type remote-access
tunnel-group 4uDomein general-attributes
 address-pool SSLClientPool
 default-group-policy GroupPolicy_4uDomein
tunnel-group 4uDomein webvpn-attributes
 group-alias 4uDomein enable
tunnel-group 4uDomein ipsec-attributes
 ikev1 trust-point localtrust
!
class-map inspection_default
 match default-inspection-traffic
class-map CMAP-DEFAULT
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map PMAP-GLOBAL
 class CMAP-DEFAULT
  inspect http
  inspect ftp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:a44412b46def762054929adcc0c1fb54
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
06-25-2018 03:28 AM
06-25-2018 04:11 AM
Thank you
VLAN45 is now going out over VLAN998, and if I test it with "what is my IP" I get 62.194.166.32, so that is working fine.
But VLAN40, which needs to go out over VLAN997, is not working with the same setup I did for VLAN45.
My config at this moment is:
That line is not in bridge mode and gets its IP from an ADSL router. The line is up and working fine.
: Saved
:
: Serial Number: JAD2042014S
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ASA5506
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd hVxRMGvjmxCeVxgf encrypted
names
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description *** Ziggo2 ***
 mac-address aaaa.bbbb.cccc
 nameif VLAN999
 security-level 0
 ip address dhcp setroute
 ipv6 enable
!
interface GigabitEthernet1/2
 description *** Ziggo1 ***
 nameif VLAN998
 security-level 75
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3.1
 description *** Management ***
 vlan 1
 nameif VLAN1
 security-level 25
 ip address 10.10.50.2 255.255.255.0
!
interface GigabitEthernet1/3.20
 description *** Office ***
 vlan 20
 nameif VLAN20
 security-level 0
 ip address 10.10.20.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
 ipv6 enable
!
interface GigabitEthernet1/3.30
 description *** Wi-Fi ***
 vlan 30
 nameif VLAN30
 security-level 0
 ip address 10.10.30.2 255.255.255.0
 policy-route route-map PBR-ZIGGO2
!
interface GigabitEthernet1/3.40
 description *** Printer ***
 vlan 40
 nameif VLAN40
 security-level 50
 ip address 10.10.40.2 255.255.255.0
 policy-route route-map PBR-VLAN40
!
interface GigabitEthernet1/3.45
 description *** Server ***
 vlan 45
 nameif VLAN45
 security-level 75
 ip address 10.10.45.2 255.255.255.0
 policy-route route-map PBR-VLAN45
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 description ***Telfort***
 nameif VlAN997
 security-level 50
 ip address 10.10.60.2 255.255.255.0
 policy-route route-map PBR-TELFORT
!
interface Management1/1
 description *** ASA Management ***
 management-only
 nameif MNGT
 security-level 100
 ip address 10.10.100.2 255.255.255.0
!
banner motd ************************************************************************
banner motd * Unauthorized access is prohibited *
banner motd ************************************************************************
banner motd * This system is to be used only by specifically authorized personnel. *
banner motd * Any unauthorized use of the system is unlawful, and may be subject *
banner motd * to civil and/or criminal penalties. *
banner motd * *
banner motd * Any use of the system may be logged or monitored without further *
banner motd * notice and resulting logs may be used as evidence in court. *
banner motd ************************************************************************
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ-NET-VLAN1
 subnet 10.10.50.0 255.255.255.0
object network OBJ-NET-VLAN20
 subnet 10.10.20.0 255.255.255.0
object network OBJ-NET-VLAN30
 subnet 10.10.30.0 255.255.255.0
object network OBJ-NET-VLAN40
 subnet 10.10.40.0 255.255.255.0
object network OBJ-NET-VLAN45
 subnet 10.10.45.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_26
 subnet 192.168.100.0 255.255.255.192
object network OBJ-NET-HOST-10.10.20.105
 host 10.10.20.105
object service OBJ-SRV-TCP-3389
 service tcp source eq 3389
object service OBJ-SRV-TCP-5000_6000
 service tcp source range 5000 6000
object network OBJ-NET-HOST-82.94.75.162
 host 82.94.75.162
object network OBJ-NET-HOST-82.94.75.163
 host 82.94.75.163
object network OBJ-NET-HOST-82.94.75.164
 host 82.94.75.164
object network OBJ-NET-HOST-82.94.75.165
 host 82.94.75.165
object network OBJ-NET-HOST-82.94.75.166
 host 82.94.75.166
object network OBJ-NET-HOST-10.10.45.10
 host 10.10.45.10
object network OBJ-NET-HOST-10.10.20.10
 host 10.10.20.10
object network VLAN997
 host 192.168.2.2
 description VLAN997
object network VLAN45
 host 10.10.45.2
 description VLAN45
object network VLAN40
 host 10.10.40.2
 description VLAN40
object-group network OBJ-GRP-NET-RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list ACL-VLAN999-INBOUND remark *** Fritbox - Internetverkeer ***
access-list ACL-VLAN999-INBOUND extended permit icmp any any echo-reply
access-list ACL-VLAN999-INBOUND extended permit icmp any any unreachable
access-list ACL-VLAN999-INBOUND extended permit icmp any any time-exceeded
access-list ACL-VLAN999-INBOUND extended permit icmp any any source-quench
access-list ACL-VLAN999-INBOUND extended permit tcp 193.173.85.0 255.255.255.192 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN999-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN999-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN999-INBOUND extended permit tcp any any range 5000 6000
access-list ACL-VLAN998-INBOUND remark *** Ziggo - Internetverkeer ***
access-list ACL-VLAN998-INBOUND extended permit icmp any any echo-reply
access-list ACL-VLAN998-INBOUND extended permit icmp any any unreachable
access-list ACL-VLAN998-INBOUND extended permit icmp any any time-exceeded
access-list ACL-VLAN998-INBOUND extended permit icmp any any source-quench
access-list ACL-VLAN998-INBOUND remark Trans_ip Rdp
access-list ACL-VLAN998-INBOUND extended permit tcp host 37.97.201.18 object OBJ-NET-HOST-10.10.45.10 eq 3389
access-list ACL-VLAN998-INBOUND extended permit ip any any
access-list ACL-VLAN998-INBOUND extended permit tcp any host 10.10.20.10 eq 3389
access-list ACL-VLAN45-INBOUND remark *** RFC1918 ***
access-list ACL-VLAN45-INBOUND extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918
access-list ACL-VLAN45-INBOUND remark *** Internetverkeer ***
access-list ACL-VLAN45-INBOUND extended permit ip any any
access-list ACL-RMAP-VLAN45 extended deny ip object OBJ-NET-VLAN45 object-group OBJ-GRP-NET-RFC1918
access-list ACL-RMAP-VLAN45 extended permit ip object OBJ-NET-VLAN45 any
access-list ACL-VPN-SPLIT standard permit 10.10.0.0 255.255.0.0
access-list ACL-PBR-ZIGGO2 extended permit ip 10.10.20.0 255.255.255.0 any
access-list ACL-PBR-TELFORT extended permit ip 10.10.40.0 255.255.255.0 any
access-list ACL-PBR-ZIGGO1 extended permit ip 10.10.45.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu VLAN999 1500
mtu VLAN998 1500
mtu VLAN1 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN40 1500
mtu VLAN45 1500
mtu VlAN997 1500
mtu MNGT 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (VLAN1,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN30,any) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN40,VlAN997) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN45,VLAN998) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN20,VLAN998) source static OBJ-NET-HOST-10.10.20.10 interface service OBJ-SRV-TCP-3389 OBJ-SRV-TCP-3389
nat (VLAN45,VLAN998) source static OBJ-NET-HOST-10.10.45.10 OBJ-NET-HOST-82.94.75.165
nat (VLAN1,VLAN999) source dynamic any interface
nat (VLAN20,VLAN999) source dynamic any interface
nat (VLAN30,VLAN999) source dynamic any interface
nat (VLAN40,VLAN999) source dynamic any interface
nat (VLAN1,VLAN998) source dynamic any interface
nat (VLAN20,VLAN998) source dynamic any interface
nat (VLAN30,VLAN998) source dynamic any interface
nat (VLAN40,VLAN998) source dynamic any interface
nat (VLAN45,VLAN999) source dynamic any interface
nat (VLAN45,VLAN998) source dynamic any interface
!
object network VLAN45
 nat (any,VLAN998) static interface
object network VLAN40
 nat (any,VlAN997) static interface
access-group ACL-VLAN999-INBOUND in interface VLAN999
access-group ACL-VLAN998-INBOUND in interface VLAN998
access-group ACL-VLAN45-INBOUND in interface VLAN45
!
route-map PBR-ZIGGO1 permit 10
 match ip address ACL-PBR-ZIGGO1
 set ip next-hop 212.187.37.1
!
route-map PBR-ZIGGO2 permit 10
 match ip address ACL-PBR-ZIGGO2
 set ip next-hop 212.187.37.1
!
route-map RMAP-Gi1/3.45 permit 10
 match ip address ACL-RMAP-VLAN45
 set ip next-hop verify-availability 82.94.75.161 1 track 10
!
route-map PBR-TELFORT permit 10
 match ip address ACL-PBR-TELFORT
 match interface VlAN997
 set ip next-hop verify-availability 10.10.60.1 10 track 1
 set ip next-hop 10.10.60.1
!
route-map PBR-VLAN45 permit 10
 match interface VlAN997
!
route-map PBR-VLAN30 permit 10
 match ip address ACL-PBR-ZIGGO1
 match interface VLAN998
 set ip next-hop 212.187.37.1
!
route-map PBR-VLAN40 permit 10
 match ip address ACL-PBR-TELFORT
 match interface VlAN997
 set ip next-hop 10.10.60.1
!
route VLAN999 8.8.4.4 255.255.255.255 192.168.200.1 1
route VLAN998 8.8.8.8 255.255.255.255 192.168.199.1 1
route VlAN997 192.168.2.2 255.255.255.255 192.168.200.1 1
route VLAN998 193.173.85.0 255.255.255.192 192.168.200.1 1
route VLAN999 193.173.85.5 255.255.255.255 192.168.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL auto-enable
http server enable
http 0.0.0.0 0.0.0.0 MNGT
http 0.0.0.0 0.0.0.0 VLAN20
http 0.0.0.0 0.0.0.0 VLAN999
no snmp-server location
no snmp-server contact
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN998
  timeout 300
  threshold 15000
  frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 8.8.4.4 interface VLAN999
  timeout 300
  threshold 15000
  frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 3
 type echo protocol ipIcmpEcho 8.8.8.8 interface VLAN999
sla monitor schedule 3 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map VLAN20_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN20_map interface VLAN20
crypto map VLAN30_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN30_map interface VLAN30
crypto map VLAN40_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN40_map interface VLAN40
crypto map VLAN998_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN998_map interface VLAN998
crypto map VLAN45_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.4udomein.com
 subject-name CN=sslvpn.4udomein.com
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate 6bd0bf58
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable VLAN998 client-services port 443
crypto ikev2 enable VLAN20 client-services port 443
crypto ikev2 remote-access trustpoint localtrust
crypto ikev1 enable VLAN20
crypto ikev1 enable VLAN30
crypto ikev1 enable VLAN40
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 10 rtr 1 reachability
!
track 11 rtr 3 reachability
!
track 20 rtr 2 reachability
telnet 0.0.0.0 0.0.0.0 VlAN997
telnet timeout 5
ssh stricthostkeycheck
ssh 193.173.85.0 255.255.255.192 VLAN999
ssh 193.173.85.0 255.255.255.192 VLAN998
ssh 0.0.0.0 0.0.0.0 VLAN20
ssh 0.0.0.0 0.0.0.0 MNGT
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 15
dhcp-client client-id interface VLAN999
dhcp-client client-id interface VLAN998
dhcpd address 10.10.50.200-10.10.50.250 VLAN1
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN1
dhcpd enable VLAN1
!
dhcpd address 10.10.20.200-10.10.20.250 VLAN20
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN20
dhcpd enable VLAN20
!
dhcpd address 10.10.30.200-10.10.30.250 VLAN30
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN30
dhcpd enable VLAN30
!
dhcpd address 10.10.40.200-10.10.40.250 VLAN40
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN40
dhcpd enable VLAN40
!
dhcpd address 10.10.45.200-10.10.45.250 VLAN45
dhcpd dns 208.67.222.222 208.67.220.220 interface VLAN45
dhcpd enable VLAN45
!
dhcpd address 10.10.100.200-10.10.100.250 MNGT
dhcpd dns 208.67.222.222 208.67.220.220 interface MNGT
dhcpd enable MNGT
!
ntp server 85.255.214.66 source VLAN999
ssl trust-point localtrust VLAN999
ssl trust-point localtrust VLAN998
ssl trust-point localtrust VLAN20
webvpn
 enable VLAN999
 enable VLAN998
 enable VLAN20
 anyconnect image disk0:/anyconnect-linux64-4.4.01054-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.01054-webdeploy-k9.pkg 2
 anyconnect profiles 4uDomein_client_profile disk0:/4uDomein_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy SSLCLient internal
group-policy SSLCLient attributes
 dns-server value 192.168.200.5
 vpn-tunnel-protocol ssl-client
 default-domain value mysite.com
 address-pools value SSLClientPool
group-policy GroupPolicy_4uDomein internal
group-policy GroupPolicy_4uDomein attributes
 wins-server none
 dns-server value 10.10.20.100 10.10.20.101
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-VPN-SPLIT
 default-domain none
 webvpn
  anyconnect profiles value 4uDomein_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username Dave password L4o29iC9zK9nTS7P encrypted privilege 15
username Dave attributes
 service-type admin
username Davevpn password leb4YKzqGcsujPoJ encrypted privilege 15
username vlietd password Q101T2coMJVYHrL6 encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLCLient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
tunnel-group 4uDomein type remote-access
tunnel-group 4uDomein general-attributes
 address-pool SSLClientPool
 default-group-policy GroupPolicy_4uDomein
tunnel-group 4uDomein webvpn-attributes
 group-alias 4uDomein enable
tunnel-group 4uDomein ipsec-attributes
 ikev1 trust-point localtrust
!
class-map inspection_default
 match default-inspection-traffic
class-map CMAP-DEFAULT
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map PMAP-GLOBAL
 class CMAP-DEFAULT
  inspect http
  inspect ftp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:10d935385328b1cb4a531de89bc10a61
: end
asdm image disk0:/asdm-761.bin
no asdm history enable
06-25-2018 11:29 AM
06-25-2018 12:30 PM
06-25-2018 12:36 PM
06-25-2018 12:43 PM
Thanks to you both for the help. I removed an old NAT config where VLAN40 was in with its own public IP for internet printing and smartphones,
and now it is on the right IP, 212.182.132.89.
So happy now.
Great job
06-25-2018 12:49 PM
06-25-2018 12:50 PM
Which NAT did you remove? Good that everything works now.
06-25-2018 01:06 PM
If you look at the old config there is a line with ***fritzbox internet*** and an access rule sip wlan40 with an IP that was 89.xxx.xxx.xxx.
Yes, so good that it works. I already saw myself setting it back to default during my holiday.
Many thanks
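The fix in this thread was finding a stale NAT rule that still sent VLAN40 out a different interface. As an added audit aid (written for this thread, not a Cisco tool and not the poster's own code), the script below parses the `nat` statements of an ASA running-config and lists, per inside nameif, which egress interfaces they name, flagging any rule that points somewhere other than the egress you intend for that VLAN. The config excerpt is constructed in the style of the one posted above; the script does not model the ASA's NAT or route lookup order, so its hits are candidates to review, not proof of a problem.

```python
"""List the egress interfaces referenced by ASA nat rules per inside nameif.

Hypothetical helper for this thread. It only reports what the config
references; it does not emulate how the ASA selects a NAT rule at run time.
"""
import re
from collections import defaultdict

# Constructed excerpt in the style of the posted config. The two VLAN40 rules
# toward VLAN999/VLAN998 play the role of the stale rule the poster removed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/3.40
 nameif VLAN40
 policy-route route-map PBR-VLAN40
nat (VLAN40,VlAN997) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN45,VLAN998) source static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 destination static OBJ-GRP-NET-RFC1918 OBJ-GRP-NET-RFC1918 no-proxy-arp route-lookup
nat (VLAN40,VLAN999) source dynamic any interface
nat (VLAN40,VLAN998) source dynamic any interface
nat (VLAN45,VLAN998) source dynamic any interface
!
object network VLAN40
 nat (any,VlAN997) static interface
object network VLAN45
 nat (any,VLAN998) static interface
"""

NAT_RE = re.compile(r"^\s*nat \(([^,]+),([^)]+)\)\s*(.*)$")
OBJ_RE = re.compile(r"^object network (\S+)")


def parse_nat_rules(config):
    """Return (src_if, dst_if, kind, text) for every nat statement.

    kind is 'twice' for a top-level manual NAT line, or 'object:<name>' for
    the indented nat line inside an 'object network <name>' block.
    """
    rules, current_obj = [], None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current_obj = m.group(1)
            continue
        if not line.startswith(" "):
            current_obj = None  # any other top-level line ends the object block
        m = NAT_RE.match(line)
        if m:
            src, dst, _rest = (g.strip() for g in m.groups())
            kind = f"object:{current_obj}" if current_obj and line.startswith(" ") else "twice"
            rules.append((src, dst, kind, line.strip()))
    return rules


def egress_by_source(rules):
    """Map each specific source nameif to the sorted egress nameifs its rules name."""
    out = defaultdict(set)
    for src, dst, _kind, _text in rules:
        if src.lower() != "any":
            out[src].add(dst)
    return {k: sorted(v) for k, v in out.items()}


def off_path_rules(rules, intended):
    """Rules whose egress differs from the interface intended for that source.

    Nameifs are compared case-insensitively because the posted config spells
    one interface 'VlAN997' (assumption: the ASA treats nameifs that way).
    """
    want = {k.lower(): v.lower() for k, v in intended.items()}
    hits = []
    for src, dst, kind, text in rules:
        s, d = src.lower(), dst.lower()
        if s in want and d not in ("any", want[s]):
            hits.append((src, dst, kind, text))
    return hits


if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_CONFIG)
    print(egress_by_source(rules))
    for src, dst, kind, text in off_path_rules(rules, {"VLAN40": "VlAN997", "VLAN45": "VLAN998"}):
        print(f"review: {src} -> {dst} ({kind}): {text}")
```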