01-23-2013 11:57 AM - edited 03-11-2019 05:51 PM
Here is the config.
Problem is they cannot get to the internet. All internal networks are functional. HELP!
Result of the command: "sho run"
: Saved
:
ASA Version 8.4(1)
!
hostname *******************
domain-name *************************
enable password **********************
passwd **********************
names
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan10
description Outside vlan
nameif outside
security-level 0
ip address 68.222.254.178 255.255.255.248
!
interface Vlan136
description Data Vlan
nameif inside
security-level 100
ip address 10.5.136.1 255.255.255.0
!
interface Ethernet0/0
description OUTSIDE
switchport access vlan 10
!
interface Ethernet0/1
description Data Vlan
switchport access vlan 136
!
interface Ethernet0/2
description Data Vlan
switchport access vlan 136
!
interface Ethernet0/3
description Data Vlan
switchport access vlan 136
!
interface Ethernet0/4
description Data Vlan
switchport access vlan 136
!
interface Ethernet0/5
description Voice Vlan
switchport access vlan 136
!
interface Ethernet0/6
description Voice Vlan
switchport access vlan 136
!
interface Ethernet0/7
description Voice Vlan
switchport access vlan 136
!
banner motd -------------
banner motd W A R N I N G
banner motd -------------
banner motd
banner motd THIS IS A PRIVATE COMPUTER SYSTEM.
banner motd
banner motd This computer system including all related equipment, network devices
banner motd (specifically including Internet access), are provided only for
banner motd authorized use.
banner motd
banner motd All computer systems may be monitored for all lawful purposes, including
banner motd to ensure that their use is authorized, for management of the system, to
banner motd facilitate protection against unauthorized access, and to verify security
banner motd procedures, survivability and operational security.
banner motd
banner motd Monitoring includes active attacks by authorized personnel and their
banner motd entities to test or verify the security of the system. All information including
banner motd personal information, placed on or sent over this system may be monitored.
banner motd During monitoring, information may be examined, recorded, copied and
banner motd used for authorized purposes.
banner motd
banner motd Unauthorized use may subject you to criminal prosecution. Evidence of any such
banner motd unauthorized use collected during monitoring may be used for
banner motd administrative, criminal or other adverse action.
banner motd
banner motd Uses of this system, authorized or unauthorized, constitutes consent to monitoring
banner motd of this system for these purposes.
banner asdm -------------
banner asdm W A R N I N G
banner asdm -------------
banner asdm
banner asdm THIS IS A PRIVATE COMPUTER SYSTEM.
banner asdm
banner asdm This computer system including all related equipment, network devices
banner asdm (specifically including Internet access), are provided only for
banner asdm authorized use.
banner asdm
banner asdm All computer systems may be monitored for all lawful purposes, including
banner asdm to ensure that their use is authorized, for management of the system, to
banner asdm facilitate protection against unauthorized access, and to verify security
banner asdm procedures, survivability and operational security.
banner asdm
banner asdm Monitoring includes active attacks by authorized personnel and their
banner asdm entities to test or verify the security of the system. All information including
banner asdm personal information, placed on or sent over this system may be monitored.
banner asdm During monitoring, information may be examined, recorded, copied and
banner asdm used for authorized purposes.
banner asdm
banner asdm Unauthorized use may subject you to criminal prosecution. Evidence of any such
banner asdm unauthorized use collected during monitoring may be used for
banner asdm administrative, criminal or other adverse action.
banner asdm
banner asdm Uses of this system, authorized or unauthorized, constitutes consent to monitoring
banner asdm of this system for these purposes.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name **************
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network NETWORK_OBJ_10.5.136.0_24
subnet 10.5.136.0 255.255.255.0
object network 10.10.0.0_16
subnet 10.10.0.0 255.255.0.0
object network 10.4.0.0_16
subnet 10.4.0.0 255.255.0.0
access-list outside_access_in extended permit ip 72.12.205.64 255.255.255.224 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip 10.5.136.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.5.136.0_24 NETWORK_OBJ_10.5.136.0_24 destination static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 68.222.254.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.10.10.252
key *****
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 72.12.205.64 255.255.255.224 outside
http 10.10.225.0 255.255.255.0 inside
snmp-server host inside 10.4.113.152 community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map1 2 match address outside_cryptomap_1
crypto map outside_map1 2 set peer 72.12.205.66
crypto map outside_map1 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map1 interface outside
crypto map vpnmap 2 set peer 68.222.254.178
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=***********************
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.225.0 255.255.255.0 inside
ssh 10.4.113.0 255.255.255.0 inside
ssh timeout 45
ssh version 2
console timeout 0
management-access inside
dhcpd address 10.5.136.21-10.5.136.254 inside
dhcpd dns 10.5.128.10 10.10.10.4 interface inside
dhcpd wins 10.10.10.25 10.10.10.4 interface inside
dhcpd lease 691200 interface inside
dhcpd domain ************* interface inside
dhcpd option 150 ip 10.4.29.11 10.4.30.10 interface inside
dhcpd option 4 ip 10.10.10.25 interface inside
dhcpd option 5 ip 10.5.128.10 10.10.10.25 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.1.5 source inside prefer
webvpn
group-policy GroupPolicy_68.222.254.178 internal
group-policy GroupPolicy_68.222.254.178 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_72.12.205.66 internal
group-policy GroupPolicy_72.12.205.66 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
username ************************************
tunnel-group 72.12.205.66 type ipsec-l2l
tunnel-group 72.12.205.66 general-attributes
default-group-policy GroupPolicy_72.12.205.66
tunnel-group 72.12.205.66 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 68.222.254.178 type ipsec-l2l
tunnel-group 68.222.254.178 general-attributes
default-group-policy GroupPolicy_68.222.254.178
tunnel-group 68.222.254.178 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
smtp-server 10.10.10.7
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:99af6ce8f4c98b7b4487f02bf012a0f0
: end
01-23-2013 12:32 PM
Hi,
I can't see any NAT for the Internet traffic
You could try adding the following
nat (inside,outside) after-auto source dynamic any interface
- Jouni
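To see why the one-line fix works without breaking the site-to-site tunnel, here is an added example (not part of the thread or of Cisco's tooling) that models ASA 8.4 manual NAT evaluation: rules without `after-auto` (section 1) are checked before `after-auto` rules (section 3), first match wins, so the posted identity NAT for VPN-bound traffic still wins and only non-VPN traffic falls through to the new dynamic PAT. It assumes the object definitions and outside address from the posted config and ignores object (section 2) NAT, which the config does not use.

```python
import ipaddress
import re

# Constructed lookup for the objects named in the posted config; "any" is added
# because the suggested rule uses it as its real source.
OBJECTS = {
    "NETWORK_OBJ_10.5.136.0_24": ipaddress.ip_network("10.5.136.0/24"),
    "NETWORK_OBJ_10.0.0.0_8": ipaddress.ip_network("10.0.0.0/8"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
OUTSIDE_IP = "68.222.254.178"  # the "interface" keyword PATs to this address

NAT_RE = re.compile(
    r"nat \((\w+),(\w+)\) (after-auto )?source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?"
)

# The identity NAT already in the config and the rule Jouni suggested.
POSTED = ("nat (inside,outside) source static NETWORK_OBJ_10.5.136.0_24 "
          "NETWORK_OBJ_10.5.136.0_24 destination static NETWORK_OBJ_10.0.0.0_8 "
          "NETWORK_OBJ_10.0.0.0_8")
SUGGESTED = "nat (inside,outside) after-auto source dynamic any interface"

def parse_nat(config_text):
    """Return manual NAT rules in evaluation order: section 1, then after-auto (section 3)."""
    section1, section3 = [], []
    for line in config_text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        _, _, after_auto, kind, real_src, mapped_src, real_dst, _ = m.groups()
        rule = {"kind": kind, "real_src": OBJECTS[real_src], "mapped_src": mapped_src,
                "real_dst": OBJECTS[real_dst] if real_dst else OBJECTS["any"]}
        (section3 if after_auto else section1).append(rule)
    return section1 + section3

def translate(rules, src, dst):
    """First-match lookup: (rule kind, source address after NAT), or (None, None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["real_src"] and d in r["real_dst"]:
            if r["kind"] == "static":  # the only static rule here is identity NAT
                return "static", src
            return "dynamic", OUTSIDE_IP if r["mapped_src"] == "interface" else r["mapped_src"]
    return None, None  # no rule: packet leaves untranslated, so replies never return

if __name__ == "__main__":
    before, after = parse_nat(POSTED), parse_nat(POSTED + "\n" + SUGGESTED)
    print(translate(before, "10.5.136.50", "8.8.8.8"))    # (None, None)
    print(translate(after, "10.5.136.50", "8.8.8.8"))     # ('dynamic', '68.222.254.178')
    print(translate(after, "10.5.136.50", "10.10.10.4"))  # ('static', '10.5.136.50')
```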
01-30-2013 05:54 AM
That did the trick, thank you so much!