06-15-2012 05:42 AM - edited 03-11-2019 04:19 PM
I have a unique thing to do. I have been given the task of connecting a WLC5508 to an ASA5510 because they don't want to get another switch.
How can I do this? I think it is possible to do, but I can't get the NAT and ACL to work right.
Here is what I have so far:
Result of the command: "sh run"
: Saved
:
ASA Version 7.2(4)
!
hostname CSL-GW
domain-name csl.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.6 Server2008 description Domain Controller
name 12.133.51.114 PublicIP_114 description Public IP Address - used for SharePoint Server
name 192.168.0.8 SharePoint description The SharePoint 2007 Server
name 12.133.51.115 PublicIP_115 description Public IP Address
name 12.133.51.116 PublicIP_116 description Public IP Address
name 192.168.2.0 corinth-network
name 192.168.3.0 decatur-network
name 192.168.4.0 florence-network
name 192.168.11.0 hartselle-network
name 192.168.5.0 hoover-network
name 192.168.6.0 huntsville-network
name 192.168.7.0 lawrenceburg-network
name 192.168.8.0 montgomery-network
name 192.168.9.0 mountain-network
name 192.168.10.0 russellville-network
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.133.51.120 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif dmz
security-level 50
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name csl.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging trap debugging
logging asdm informational
logging host inside Server2008
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255
static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255
static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.133.51.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ADSERVERS protocol radius
aaa-server ADSERVERS (inside) host Server2008
key CSL-2820
http server enable
http hartselle-network 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http corinth-network 255.255.255.0 inside
http decatur-network 255.255.255.0 inside
http florence-network 255.255.255.0 inside
http hoover-network 255.255.255.0 inside
http huntsville-network 255.255.255.0 inside
http lawrenceburg-network 255.255.255.0 inside
http mountain-network 255.255.255.0 inside
http russellville-network 255.255.255.0 inside
http montgomery-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.139.80.51
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.139.80.163
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.23.150.67
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
crypto map outside_map 5 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 12.164.17.19
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer 12.139.80.131
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set peer 12.139.80.147
crypto map outside_map 8 set transform-set ESP-AES-128-SHA
crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set peer 12.131.64.99
crypto map outside_map 9 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 12.37.170.163
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet corinth-network 255.255.255.0 inside
telnet decatur-network 255.255.255.0 inside
telnet florence-network 255.255.255.0 inside
telnet hoover-network 255.255.255.0 inside
telnet huntsville-network 255.255.255.0 inside
telnet lawrenceburg-network 255.255.255.0 inside
telnet mountain-network 255.255.255.0 inside
telnet russellville-network 255.255.255.0 inside
telnet montgomery-network 255.255.255.0 inside
telnet hartselle-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns Server2008 12.127.16.67 interface inside
dhcpd wins Server2008 interface inside
dhcpd lease 14400 interface inside
dhcpd domain csl.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server Server2008 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.6
dns-server value 192.168.0.6 12.127.16.67
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value csl.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
tunnel-group DefaultRAGroup general-attributes
address-pool RemoteClientPool
authentication-server-group ADSERVERS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 12.131.108.179 type ipsec-l2l
tunnel-group 12.131.108.179 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.51 type ipsec-l2l
tunnel-group 12.139.80.51 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.163 type ipsec-l2l
tunnel-group 12.139.80.163 ipsec-attributes
pre-shared-key *
tunnel-group 12.23.150.67 type ipsec-l2l
tunnel-group 12.23.150.67 ipsec-attributes
pre-shared-key *
tunnel-group 12.133.51.195 type ipsec-l2l
tunnel-group 12.133.51.195 ipsec-attributes
pre-shared-key *
tunnel-group 12.164.17.19 type ipsec-l2l
tunnel-group 12.164.17.19 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.131 type ipsec-l2l
tunnel-group 12.139.80.131 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.147 type ipsec-l2l
tunnel-group 12.139.80.147 ipsec-attributes
pre-shared-key *
tunnel-group 12.131.64.99 type ipsec-l2l
tunnel-group 12.131.64.99 ipsec-attributes
pre-shared-key *
tunnel-group 12.37.170.163 type ipsec-l2l
tunnel-group 12.37.170.163 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423721254cdd7681b11454f1b5f93b44
: end
On the DMZ I did have a sub-interface called WLC on VLAN 12,
but nothing I did worked.
06-15-2012 05:48 AM
Your DMZ interface is currently shut down; that's probably why nothing works:
interface Ethernet0/2
shutdown
nameif dmz
security-level 50
ip address 192.168.12.1 255.255.255.0
06-15-2012 06:27 AM
I know that; I had it disabled as I got tired of dealing with it for 3 days now.
Is there anything else I should be looking at?
06-15-2012 06:31 AM
To get internet access from DMZ, just add the following NAT entry:
nat (dmz) 1 0 0
06-15-2012 07:34 AM
I don't really want it to have internet; I just need it to talk to the inside network so that the APs will get the info that they need. It will also need to go over the VPNs to the sites.
hostname CSL-GW
domain-name csl.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.6 Server2008 description Domain Controller
name 12.133.51.114 PublicIP_114 description Public IP Address - used for SharePoint Server
name 192.168.0.8 SharePoint description The SharePoint 2007 Server
name 12.133.51.115 PublicIP_115 description Public IP Address
name 12.133.51.116 PublicIP_116 description Public IP Address
name 192.168.2.0 corinth-network
name 192.168.3.0 decatur-network
name 192.168.4.0 florence-network
name 192.168.11.0 hartselle-network
name 192.168.5.0 hoover-network
name 192.168.6.0 huntsville-network
name 192.168.7.0 lawrenceburg-network
name 192.168.8.0 montgomery-network
name 192.168.9.0 mountain-network
name 192.168.10.0 russellville-network
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.133.51.120 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/2.12
vlan 12
nameif WLC
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name csl.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in remark used for SharePoint
access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging trap debugging
logging asdm informational
logging host inside Server2008
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu WLC 1500
ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
nat (WLC) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255
static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255
static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.133.51.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ADSERVERS protocol radius
aaa-server ADSERVERS (inside) host Server2008
key CSL-2820
http server enable
http hartselle-network 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http corinth-network 255.255.255.0 inside
http decatur-network 255.255.255.0 inside
http florence-network 255.255.255.0 inside
http hoover-network 255.255.255.0 inside
http huntsville-network 255.255.255.0 inside
http lawrenceburg-network 255.255.255.0 inside
http mountain-network 255.255.255.0 inside
http russellville-network 255.255.255.0 inside
http montgomery-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.139.80.51
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.139.80.163
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.23.150.67
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
crypto map outside_map 5 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 12.164.17.19
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer 12.139.80.131
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set peer 12.139.80.147
crypto map outside_map 8 set transform-set ESP-AES-128-SHA
crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set peer 12.131.64.99
crypto map outside_map 9 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 12.37.170.163
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet corinth-network 255.255.255.0 inside
telnet decatur-network 255.255.255.0 inside
telnet florence-network 255.255.255.0 inside
telnet hoover-network 255.255.255.0 inside
telnet huntsville-network 255.255.255.0 inside
telnet lawrenceburg-network 255.255.255.0 inside
telnet mountain-network 255.255.255.0 inside
telnet russellville-network 255.255.255.0 inside
telnet montgomery-network 255.255.255.0 inside
telnet hartselle-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns Server2008 12.127.16.67 interface inside
dhcpd wins Server2008 interface inside
dhcpd lease 14400 interface inside
dhcpd domain csl.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server Server2008 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.6
dns-server value 192.168.0.6 12.127.16.67
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value csl.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
tunnel-group DefaultRAGroup general-attributes
address-pool RemoteClientPool
authentication-server-group ADSERVERS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 12.131.108.179 type ipsec-l2l
tunnel-group 12.131.108.179 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.51 type ipsec-l2l
tunnel-group 12.139.80.51 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.163 type ipsec-l2l
tunnel-group 12.139.80.163 ipsec-attributes
pre-shared-key *
tunnel-group 12.23.150.67 type ipsec-l2l
tunnel-group 12.23.150.67 ipsec-attributes
pre-shared-key *
tunnel-group 12.133.51.195 type ipsec-l2l
tunnel-group 12.133.51.195 ipsec-attributes
pre-shared-key *
tunnel-group 12.164.17.19 type ipsec-l2l
tunnel-group 12.164.17.19 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.131 type ipsec-l2l
tunnel-group 12.139.80.131 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.147 type ipsec-l2l
tunnel-group 12.139.80.147 ipsec-attributes
pre-shared-key *
tunnel-group 12.131.64.99 type ipsec-l2l
tunnel-group 12.131.64.99 ipsec-attributes
pre-shared-key *
tunnel-group 12.37.170.163 type ipsec-l2l
tunnel-group 12.37.170.163 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423721254cdd7681b11454f1b5f93b44
: end
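An added example (my own code, not the thread's or Cisco's): a Python audit that parses an ASA 7.x "show run" dump like the ones pasted above and reports why the WLC sub-interface (security-level 100, same as inside) still cannot reach the inside network or the site-to-site tunnels: the nat (WLC) 1 and nat (inside) 1 catch-alls have no matching global on the far interface and no nat 0 exemption, and the WLC subnet is absent from the outside_N_cryptomap selectors. SAMPLE_CONFIG is a constructed excerpt of the second paste, and the ACL name WLC_nat0_outbound is my own choice.

```python
"""Added audit (not from the thread): parse an ASA 7.x "show run" dump and explain why the WLC
sub-interface cannot reach inside or the site-to-site tunnels, then emit the lines that fix it."""
import re
from ipaddress import ip_network

# Constructed excerpt of the poster's second config (pasted unindented, as in the thread).
SAMPLE_CONFIG = """\
name 192.168.2.0 corinth-network
interface Ethernet0/1
nameif inside
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2.12
nameif WLC
ip address 192.168.12.1 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WLC) 1 0.0.0.0 0.0.0.0
"""

def _endpoint(toks, names):
    """Consume one ACL endpoint ('any', 'host X' or 'addr mask'), resolving 'name' aliases."""
    tok = toks.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        host = toks.pop(0)
        return ip_network(names.get(host, host) + "/32")
    return ip_network(f"{names.get(tok, tok)}/{toks.pop(0)}", strict=False)

def parse(config):
    """Collect interface subnets, ACL entries, nat 0 bindings, dynamic nat ids and global ids."""
    p = {"ifaces": {}, "acls": {}, "nat0": {}, "nat_dyn": {}, "globals": {}}
    names, ifc = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"name (\S+) (\S+)", line):
            names[m.group(2)] = m.group(1)
        elif m := re.match(r"nameif (\S+)", line):
            ifc = m.group(1)  # nameif precedes ip address inside an interface block
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and ifc:
            p["ifaces"][ifc] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            toks = m.group(2).split()
            p["acls"].setdefault(m.group(1), []).append((_endpoint(toks, names), _endpoint(toks, names)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            p["nat0"][m.group(1)] = m.group(2)
        elif m := re.match(r"nat \((\S+)\) ([1-9]\d*) ", line):  # id 0 without an ACL is identity NAT
            p["nat_dyn"].setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := re.match(r"global \((\S+)\) ([1-9]\d*) ", line):
            p["globals"].setdefault(m.group(1), set()).add(int(m.group(2)))
    return p

def _exempt(p, ifc, src, dst):
    """True when the nat 0 ACL bound to ifc already carries an entry covering src -> dst."""
    entries = p["acls"].get(p["nat0"].get(ifc), [])
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def audit(config, wlc="WLC", inside="inside"):
    """Return findings for the WLC subnet; an empty list means NAT and the crypto ACLs agree."""
    p = parse(config)
    wlc_net, in_net = p["ifaces"][wlc], p["ifaces"][inside]
    findings = []
    for s_ifc, d_ifc, s, d in ((wlc, inside, wlc_net, in_net), (inside, wlc, in_net, wlc_net)):
        # nat (s_ifc) N matches the flow, d_ifc has no global N and nothing exempts it: dropped.
        ids = p["nat_dyn"].get(s_ifc, set())
        if ids and not (ids & p["globals"].get(d_ifc, set())) and not _exempt(p, s_ifc, s, d):
            findings.append(f"{s_ifc}->{d_ifc}: dynamic NAT matches, no global on {d_ifc}, no nat 0 exemption")
    for acl, entries in p["acls"].items():
        if acl.endswith("_cryptomap"):  # site-to-site tunnel selectors
            for remote in sorted({d for _, d in entries}):
                if not any(wlc_net.subnet_of(s) and remote.subnet_of(d) for s, d in entries):
                    findings.append(f"{acl}: {wlc_net} -> {remote} missing from crypto ACL")
                elif not _exempt(p, wlc, wlc_net, remote):
                    findings.append(f"{acl}: {wlc_net} -> {remote} not NAT-exempted on {wlc}")
    return findings

def proposed_fix(config, wlc="WLC", inside="inside"):
    """ASA 7.x lines that clear every finding (the far-end peers' crypto ACLs must be mirrored by hand)."""
    p = parse(config)
    wlc_net, in_net = p["ifaces"][wlc], p["ifaces"][inside]
    wlc_acl = p["nat0"].get(wlc, f"{wlc}_nat0_outbound")  # assumed ACL name when none is bound yet
    in_acl = p["nat0"].get(inside, f"{inside}_nat0_outbound")
    def permit(acl, s, d):
        return f"access-list {acl} extended permit ip {s.network_address} {s.netmask} {d.network_address} {d.netmask}"
    lines = [permit(wlc_acl, wlc_net, in_net), permit(in_acl, in_net, wlc_net)]
    for acl, entries in p["acls"].items():
        if acl.endswith("_cryptomap"):
            for remote in sorted({d for _, d in entries}):
                lines += [permit(acl, wlc_net, remote), permit(wlc_acl, wlc_net, remote)]
    lines += [f"nat ({i}) 0 access-list {a}" for i, a in ((wlc, wlc_acl), (inside, in_acl)) if i not in p["nat0"]]
    return lines

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG) + ["---"] + proposed_fix(SAMPLE_CONFIG)))
```

The generated crypto-ACL additions only cover this ASA; each remote peer's mirror ACL has to be extended by hand, since the script cannot see those routers.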
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in remark used for SharePoint
access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging trap debugging
logging asdm informational
logging host inside Server2008
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu WLC 1500
ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
nat (WLC) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255
static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255
static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.133.51.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ADSERVERS protocol radius
aaa-server ADSERVERS (inside) host Server2008
key CSL-2820
http server enable
http hartselle-network 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http corinth-network 255.255.255.0 inside
http decatur-network 255.255.255.0 inside
http florence-network 255.255.255.0 inside
http hoover-network 255.255.255.0 inside
http huntsville-network 255.255.255.0 inside
http lawrenceburg-network 255.255.255.0 inside
http mountain-network 255.255.255.0 inside
http russellville-network 255.255.255.0 inside
http montgomery-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.139.80.51
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.139.80.163
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.23.150.67
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
crypto map outside_map 5 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 12.164.17.19
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer 12.139.80.131
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set peer 12.139.80.147
crypto map outside_map 8 set transform-set ESP-AES-128-SHA
crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set peer 12.131.64.99
crypto map outside_map 9 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 12.37.170.163
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet corinth-network 255.255.255.0 inside
telnet decatur-network 255.255.255.0 inside
telnet florence-network 255.255.255.0 inside
telnet hoover-network 255.255.255.0 inside
telnet huntsville-network 255.255.255.0 inside
telnet lawrenceburg-network 255.255.255.0 inside
telnet mountain-network 255.255.255.0 inside
telnet russellville-network 255.255.255.0 inside
telnet montgomery-network 255.255.255.0 inside
telnet hartselle-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns Server2008 12.127.16.67 interface inside
dhcpd wins Server2008 interface inside
dhcpd lease 14400 interface inside
dhcpd domain csl.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server Server2008 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.6
dns-server value 192.168.0.6 12.127.16.67
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value csl.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
tunnel-group DefaultRAGroup general-attributes
address-pool RemoteClientPool
authentication-server-group ADSERVERS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 12.131.108.179 type ipsec-l2l
tunnel-group 12.131.108.179 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.51 type ipsec-l2l
tunnel-group 12.139.80.51 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.163 type ipsec-l2l
tunnel-group 12.139.80.163 ipsec-attributes
pre-shared-key *
tunnel-group 12.23.150.67 type ipsec-l2l
tunnel-group 12.23.150.67 ipsec-attributes
pre-shared-key *
tunnel-group 12.133.51.195 type ipsec-l2l
tunnel-group 12.133.51.195 ipsec-attributes
pre-shared-key *
tunnel-group 12.164.17.19 type ipsec-l2l
tunnel-group 12.164.17.19 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.131 type ipsec-l2l
tunnel-group 12.139.80.131 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.147 type ipsec-l2l
tunnel-group 12.139.80.147 ipsec-attributes
pre-shared-key *
tunnel-group 12.131.64.99 type ipsec-l2l
tunnel-group 12.131.64.99 ipsec-attributes
pre-shared-key *
tunnel-group 12.37.170.163 type ipsec-l2l
tunnel-group 12.37.170.163 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423721254cdd7681b11454f1b5f93b44
: end
06-15-2012 07:38 AM
To access the inside network, you would need to configure the following:
static (inside,WLC) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
And for VPN, which particular VPN peer do you want to have access? For VPN, you would need to make changes on both ends of the VPN tunnel.
06-15-2012 07:51 AM
I am wanting to get to all of them, but for now just the peer 12.133.51.195.
06-15-2012 07:54 AM
For peer 12.133.51.195:
access-list outside_5_cryptomap extended permit ip 192.168.12.0 255.255.255.0 huntsville-network 255.255.255.0
access-list nonat-wlc extended permit ip 192.168.12.0 255.255.255.0 huntsville-network 255.255.255.0
nat (WLC) 0 access-list nonat-wlc
And you would need to add the mirror image ACL on the remote end (12.133.51.195).
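The two replies above reduce to one rule for pre-8.3 ASA NAT: a subnet on a new interface that should ride an existing site-to-site tunnel needs both an entry in that peer's crypto ACL and a matching nat 0 exemption on the interface where the source lives; without the exemption the packet is translated to the outside interface address first, no longer matches the crypto ACL, and is not encrypted. The script below is an added example, not code from this thread or from Cisco: it audits a show-run dump for crypto ACL entries that no nat 0 ACL covers, and as a second check lists named interfaces with no inbound access-group (on the posted config that is the WLC interface, which sits at security-level 100 with same-security-traffic permitted, so nothing filters it until an ACL is applied). The SAMPLE and FIX strings are constructed from the lines in the thread; the parser only understands `permit ip` entries and `name` objects, not object-groups, and it accepts an exemption on any interface rather than checking the source interface.

```python
"""Added example (not from the thread): audit a pre-8.3 ASA 'show run' for
site-to-site crypto ACL entries with no matching nat 0 exemption, and for
named interfaces that carry no inbound access-group."""
from ipaddress import IPv4Network


def _addr(tok, i, names):
    """Parse one ACL address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(names.get(tok[i + 1], tok[i + 1]) + "/32"), i + 2
    addr = names.get(tok[i], tok[i])  # resolve 'name' objects such as huntsville-network
    return IPv4Network(f"{addr}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect the statements the audit needs from a config dump (object-groups
    and non-'permit ip' entries are ignored, which is enough for this thread)."""
    cfg = {"names": {}, "acls": {}, "nat0": {}, "crypto": {},
           "nameif": set(), "access_group": set()}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "name":                      # name <ip> <alias> ...
            cfg["names"][tok[2]] = tok[1]
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(tok, 5, cfg["names"])
            dst, _ = _addr(tok, i, cfg["names"])
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            cfg["nat0"][tok[1].strip("()")] = tok[4]   # nat (ifc) 0 access-list <acl>
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cfg["crypto"][(tok[2], tok[3])] = tok[6]  # crypto map <map> <seq> match address <acl>
        elif tok[0] == "nameif":
            cfg["nameif"].add(tok[1])
        elif tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            cfg["access_group"].add(tok[4])
    return cfg


def audit(text):
    """Return findings as tuples; an empty list means both checks pass."""
    cfg = parse_config(text)
    findings = []
    # Every permit in any nat 0 ACL, regardless of interface, counts as an exemption.
    exempt = [e for acl in cfg["nat0"].values() for e in cfg["acls"].get(acl, [])]
    for (cmap, seq), acl in sorted(cfg["crypto"].items()):
        for src, dst in cfg["acls"].get(acl, []):
            covered = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
            if not covered:
                findings.append(("missing-nat0", cmap, seq, str(src), str(dst)))
    for ifc in sorted(cfg["nameif"] - cfg["access_group"]):
        findings.append(("no-access-group", ifc))
    return findings


# Constructed sample: the relevant lines of the posted config, plus the WLC
# crypto ACL entry from the reply but not yet its nat 0 exemption.
SAMPLE = """\
names
name 192.168.2.0 corinth-network
name 192.168.6.0 huntsville-network
interface Ethernet0/1
 nameif inside
interface Ethernet0/2.12
 nameif WLC
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.12.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_access_in extended permit ip any any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WLC) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 5 match address outside_5_cryptomap
access-group inside_access_in in interface inside
"""

# The exemption the reply adds for the WLC subnet.
FIX = """\
access-list nonat-wlc extended permit ip 192.168.12.0 255.255.255.0 huntsville-network 255.255.255.0
nat (WLC) 0 access-list nonat-wlc
"""

if __name__ == "__main__":
    for label, cfg_text in (("before fix", SAMPLE), ("after fix", SAMPLE + FIX)):
        print(label)
        for finding in audit(cfg_text) or [("clean",)]:
            print("  ", *finding)
```

Before the fix the audit reports the 192.168.12.0/24 to huntsville-network entry of outside_5_cryptomap as uncovered; after the two lines from the reply are appended only the missing WLC access-group remains. The remote side still needs the mirror-image crypto ACL and exemption, which this script cannot see.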
06-15-2012 08:39 AM
OK, thanks.
I have not put in the VPN stuff but want you to take a look, as I cannot ping on the WLC network.
Also, I cannot get on the internet.
Result of the command: "sh run"
: Saved
:
ASA Version 7.2(4)
!
hostname CSL-GW
domain-name csl.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.6 Server2008 description Domain Controller
name 12.133.51.114 PublicIP_114 description Public IP Address - used for SharePoint Server
name 192.168.0.8 SharePoint description The SharePoint 2007 Server
name 12.133.51.115 PublicIP_115 description Public IP Address
name 12.133.51.116 PublicIP_116 description Public IP Address
name 192.168.2.0 corinth-network
name 192.168.3.0 decatur-network
name 192.168.4.0 florence-network
name 192.168.11.0 hartselle-network
name 192.168.5.0 hoover-network
name 192.168.6.0 huntsville-network
name 192.168.7.0 lawrenceburg-network
name 192.168.8.0 montgomery-network
name 192.168.9.0 mountain-network
name 192.168.10.0 russellville-network
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.133.51.120 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/2.12
description Wireless Lan Contoller
vlan 12
nameif WLC
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name csl.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in remark used for SharePoint
access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging trap debugging
logging asdm informational
logging host inside Server2008
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu WLC 1500
ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
nat (WLC) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255
static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255
static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255
static (inside,WLC) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (WLC,inside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.133.51.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ADSERVERS protocol radius
aaa-server ADSERVERS (inside) host Server2008
key CSL-2820
http server enable
http hartselle-network 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http corinth-network 255.255.255.0 inside
http decatur-network 255.255.255.0 inside
http florence-network 255.255.255.0 inside
http hoover-network 255.255.255.0 inside
http huntsville-network 255.255.255.0 inside
http lawrenceburg-network 255.255.255.0 inside
http mountain-network 255.255.255.0 inside
http russellville-network 255.255.255.0 inside
http montgomery-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.139.80.51
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.139.80.163
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.23.150.67
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
crypto map outside_map 5 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 12.164.17.19
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer 12.139.80.131
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set peer 12.139.80.147
crypto map outside_map 8 set transform-set ESP-AES-128-SHA
crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set peer 12.131.64.99
crypto map outside_map 9 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 12.37.170.163
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet corinth-network 255.255.255.0 inside
telnet decatur-network 255.255.255.0 inside
telnet florence-network 255.255.255.0 inside
telnet hoover-network 255.255.255.0 inside
telnet huntsville-network 255.255.255.0 inside
telnet lawrenceburg-network 255.255.255.0 inside
telnet mountain-network 255.255.255.0 inside
telnet russellville-network 255.255.255.0 inside
telnet montgomery-network 255.255.255.0 inside
telnet hartselle-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns Server2008 12.127.16.67 interface inside
dhcpd wins Server2008 interface inside
dhcpd lease 14400 interface inside
dhcpd domain csl.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server Server2008 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.6
dns-server value 192.168.0.6 12.127.16.67
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value csl.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
tunnel-group DefaultRAGroup general-attributes
address-pool RemoteClientPool
authentication-server-group ADSERVERS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 12.131.108.179 type ipsec-l2l
tunnel-group 12.131.108.179 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.51 type ipsec-l2l
tunnel-group 12.139.80.51 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.163 type ipsec-l2l
tunnel-group 12.139.80.163 ipsec-attributes
pre-shared-key *
tunnel-group 12.23.150.67 type ipsec-l2l
tunnel-group 12.23.150.67 ipsec-attributes
pre-shared-key *
tunnel-group 12.133.51.195 type ipsec-l2l
tunnel-group 12.133.51.195 ipsec-attributes
pre-shared-key *
tunnel-group 12.164.17.19 type ipsec-l2l
tunnel-group 12.164.17.19 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.131 type ipsec-l2l
tunnel-group 12.139.80.131 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.147 type ipsec-l2l
tunnel-group 12.139.80.147 ipsec-attributes
pre-shared-key *
tunnel-group 12.131.64.99 type ipsec-l2l
tunnel-group 12.131.64.99 ipsec-attributes
pre-shared-key *
tunnel-group 12.37.170.163 type ipsec-l2l
tunnel-group 12.37.170.163 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423721254cdd7681b11454f1b5f93b44
: end
06-15-2012 11:11 AM
You don't need the following:
static (WLC,inside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
To ping, please configure the following:
policy-map global_policy
class inspection_default
inspect icmp
You should be able to access the internet. Can you ping 4.2.2.2 from the WLC network? What is your IP Address?