- Cisco Community
- Technology and Support
- Security
- Network Security
- Re: Cannot access internal network when vpn into ASA
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Cannot access internal network when vpn into ASA
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-24-2019 08:37 PM
ASA Version 9.8(2)
!
hostname billyasa
names
ip local pool vpn_DHCP 192.168.2.0-192.168.2.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN
range 192.168.1.50 192.168.1.70
object network vpn_pool
range 192.168.2.0 192.168.2.254
object network billy_internal
subnet 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_5
network-object object vpn_pool
object-group service RDP
service-object tcp destination eq 3389
service-object udp destination eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network inside_networks
network-object 192.168.1.0 255.255.255.0
object-group network vpn_pool_obj
network-object object vpn_pool
object-group network DM_INLINE_NETWORK_2
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object PLEX eq 32400
access-list outside_access_in extended permit object-group RDP any object vm
access-list outside_access_in extended permit tcp any host 192.168.1.20 eq 3389
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list LOCAL_LAN standard permit host 0.0.0.0
access-list 192.168.1.0 standard permit 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging monitor errors
logging buffered debugging
logging trap informational
logging history errors
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source dynamic any interface
nat (any,any) source static any any destination static VPN VPN
nat (inside,outside) source dynamic inside_networks interface
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network PLEX
nat (inside,outside) static interface service tcp 32400 32400
object network vm
nat (any,outside) static interface
object network VPN
nat (outside,outside) dynamic interface
object network billy_internal
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
certificate 0342eaadaff26045
3082062e 30820516 a0030201 02020803 42eaadaf f2604530 0d06092a 864886f7
0d01010b 05003081 b4310b30 09060355 04061302 55533110 300e0603 55040813
07417269 7a6f6e61 31133011 06035504 07130a53 636f7474 7364616c 65311a30
18060355 040a1311 476f4461 6464792e 636f6d2c 20496e63 2e312d30 2b060355
040b1324 68747470 3a2f2f63 65727473 2e676f64 61646479 2e636f6d 2f726570
6f736974 6f72792f 31333031 06035504 03132a47 6f204461 64647920 53656375
72652043 65727469 66696361 74652041 7574686f 72697479 202d2047 32301e17
0d313930 35303132 30323232 395a170d 32303034 32363031 32303133 5a303731
21301f06 0355040b 1318446f 6d61696e 20436f6e 74726f6c 2056616c 69646174
65643112 30100603 55040313 09706372 75732e6e 65743082 0122300d 06092a86
4886f70d 01010105 00038201 0f003082 010a0282 010100ac a56cfeb4 f083ce66
76bfd626 2347edc4 dc97d08c afedf20a 6dc94f04 bf986997 1778ebb0 873ce57f
348a2ba7 10f9843b 20d26c4d c86fff00 f45dbed6 1e74838f 642d9658 522173db
dd8b6085 bed2dcf5 d36933f8 552c62aa 5bc33763 61a7ee3b e648b505 c9c029a7
85b8b490 e48a1812 8a0e9444 9c419845 9993c61b fe10c135 0327d229 ad221524
1d495e5b 346c6eaf 201381ae 51c59c6d 43fe93bf 3218f8ac 4e18b6d2 21f30b38
d6357d0e f082544d ba100418 51771c0c fc2fdc51 42173a05 b43ab406 852f77c5
5ca64f54 ae2022fa 5f622c6b a3a486c7 54084d1d d2997f81 446725a1 727dd56f
af057947 0f88761f a476e105 1d4ce583 dfc52a3a afb7cd02 03010001 a38202be
308202ba 300c0603 551d1301 01ff0402 3000301d 0603551d 25041630 1406082b
06010505 07030106 082b0601 05050703 02300e06 03551d0f 0101ff04 04030205
a0303806 03551d1f 0431302f 302da02b a0298627 68747470 3a2f2f63 726c2e67
6f646164 64792e63 6f6d2f67 64696732 73312d31 3038362e 63726c30 5d060355
1d200456 30543048 060b6086 480186fd 6d010717 01303930 3706082b 06010505
07020116 2b687474 703a2f2f 63657274 69666963 61746573 2e676f64 61646479
2e636f6d 2f726570 6f736974 6f72792f 30080606 67810c01 02013076 06082b06
01050507 0101046a 30683024 06082b06 01050507 30018618 68747470 3a2f2f6f
6373702e 676f6461 6464792e 636f6d2f 30400608 2b060105 05073002 86346874
74703a2f 2f636572 74696669 63617465 732e676f 64616464 792e636f 6d2f7265
706f7369 746f7279 2f676469 67322e63 7274301f 0603551d 23041830 16801440
c2bd278e cc348330 a233d7fb 6cb3f0b4 2c80ce30 23060355 1d11041c 301a8209
70637275 732e6e65 74820d77 77772e70 63727573 2e6e6574 301d0603 551d0e04
160414ea 771dc554 070f6b1f d695a483 ce86302a 718d8430 82010306 0a2b0601
0401d679 02040204 81f40481 f100ef00 7500a4b9 0990b418 581487bb 13a2cc67
700a3c35 9804f91b dfb8e377 cd0ec80d dc100000 016a7510 1b500000 04030046
30440220 1b49ba34 3654cfe8 a2753118 801d17ce 89650406 1f4c5a3e c3814d6f
98978dab 02201566 cf49fe83 3b07c5f7 815ccea2 cca1545d ee426cab 23d75a0a
5974fb72 af950076 005ea773 f9df56c0 e7b53648 7dd049e0 327a919a 0c84a112
12841875 96817145 58000001 6a751020 41000004 03004730 45022069 015ad24f
631a718a 88f6cf16 6ba29089 c74b35a7 8be0c764 b56ea22e bd6fbd02 2100e577
05676b1f 5edf03b3 a3ff6ce0 dd67f3f6 270ecf5a 05d4637a c341d011 99ae300d
06092a86 4886f70d 01010b05 00038201 01000577 ff8268cf 2931d469 d67429fc
398cb690 3f7606d5 b3d6580a 60da329f c1addcbb a7081835 50f2219e c64ad69c
06a7fc00 89c2acbf 486afc36 9b8ffafd 1818dd99 e183c695 e44eba03 85d197a2
6164b80f cede2d05 0e0155b0 bd071dd7 f93c51a0 9c997e5a e05219f8 7000cddd
15c0f802 06ef83b4 ae10b15a df3d3191 b2214581 2fe0918a f4f68819 f9480eef
0c903108 63555f85 3fd76403 86befd98 7e7d2e23 7f7f570b 56168575 1a28c815
4b52e238 e96a74b9 2b3e3532 96966464 27927f1a e849290b f3218990 a7359542
a9458ff0 f236460e 93850bcf 161d0b0c 1591cf85 501fb0b7 1ca77790 68fc2ba3
19dcefd4 ee888e27 82fe8cd6 8c717933 6a28
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 07
308204d0 308203b8 a0030201 02020107 300d0609 2a864886 f70d0101 0b050030
8183310b 30090603 55040613 02555331 10300e06 03550408 13074172 697a6f6e
61311330 11060355 0407130a 53636f74 74736461 6c65311a 30180603 55040a13
11476f44 61646479 2e636f6d 2c20496e 632e3131 302f0603 55040313 28476f20
44616464 7920526f 6f742043 65727469 66696361 74652041 7574686f 72697479
202d2047 32301e17 0d313130 35303330 37303030 305a170d 33313035 30333037
30303030 5a3081b4 310b3009 06035504 06130255 53311030 0e060355 04081307
4172697a 6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018
06035504 0a131147 6f446164 64792e63 6f6d2c20 496e632e 312d302b 06035504
0b132468 7474703a 2f2f6365 7274732e 676f6461 6464792e 636f6d2f 7265706f
7369746f 72792f31 33303106 03550403 132a476f 20446164 64792053 65637572
65204365 72746966 69636174 65204175 74686f72 69747920 2d204732 30820122
300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00b9e0cb
10d4af76 bdd49362 eb3064b8 81086cc3 04d96217 8e2fff3e 65cf8fce 62e63c52
1cda1645 4b55ab78 6b638362 90ce0f69 6c99c81a 148b4ccc 4533ea88 dc9ea3af
2bfe8061 9d7957c4 cf2ef43f 303c5d47 fc9a16bc c3379641 518e114b 54f828be
d08cbef0 30381ef3 b026f866 47636dde 7126478f 384753d1 461db4e3 dc00ea45
acbdbc71 d9aa6f00 dbdbcd30 3a794f5f 4c47f81d ef5bc2c4 9d603bb1 b24391d8
a4334eea b3d6274f ad258aa5 c6f4d5d0 a6ae7405 645788b5 4455d42d 2a3a3ef8
b8bde932 0a029464 c4163a50 f14aaee7 7933af0c 20077fe8 df0439c2 69026c63
52fa77c1 1bc87487 c8b99318 5054354b 694ebc3b d3492e1f dcc1d252 fb020301
0001a382 011a3082 0116300f 0603551d 130101ff 04053003 0101ff30 0e060355
1d0f0101 ff040403 02010630 1d060355 1d0e0416 041440c2 bd278ecc 348330a2
33d7fb6c b3f0b42c 80ce301f 0603551d 23041830 1680143a 9a850710 6728b6ef
f6bd0541 6e20c194 da0fde30 3406082b 06010505 07010104 28302630 2406082b
06010505 07300186 18687474 703a2f2f 6f637370 2e676f64 61646479 2e636f6d
2f303506 03551d1f 042e302c 302aa028 a0268624 68747470 3a2f2f63 726c2e67
6f646164 64792e63 6f6d2f67 64726f6f 742d6732 2e63726c 30460603 551d2004
3f303d30 3b060455 1d200030 33303106 082b0601 05050702 01162568 74747073
3a2f2f63 65727473 2e676f64 61646479 2e636f6d 2f726570 6f736974 6f72792f
300d0609 2a864886 f70d0101 0b050003 82010100 087e6c93 10c838b8 96a9904b
ffa15f4f 04ef6c3e 9c8806c9 508fa673 f757311b bebce42f dbf8bad3 5be0b4e7
e679620e 0ca2d76a 637331b5 f5a848a4 3b082da2 5d90d7b4 7c254f11 5630c4b6
449d7b2c 9de55ee6 ef0c61aa bfe42a1b ee849eb8 837dc143 ce44a713 700d911f
f4c813ad 8360d9d8 72a87324 1eb5ac22 0eca1789 6258441b ab892501 000fcdc4
1b62db51 b4d30f51 2a9bf4bc 73fc76ce 36a4cdd9 d82ceaae 9bf52ab2 90d14d75
188a3f8a 4190237d 5b4bfea4 03589b46 b2c36060 83f87d50 41cec2a1 90c3bbef
022fd215 54ee4415 d90aaea7 8a33edb1 2d763626 dc04eb9f f7611f15 dc876fee
469628ad a1267d0a 09a72e04 a38dbcf8 bc043001
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
- Labels:
-
Firewalls
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-24-2019 09:02 PM
I don't see your anyconnect vpn configuration on what you shared. I'm reading through my phone then i maybe missed it but checked twice.
You have an acl AnyConnect_Client_Local_Print that denies any to any as first line. Don't see it's used but webvpn is missing from the config i must point it out.
Avoid doing nat with any as source and destination, specify the source and destination interface.
You are doing a nat for vpn object which doesn't match your vpn pool.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-25-2019 06:22 AM
Add the changes but have the same issue.
ASA Version 9.8(2)
!
hostname c140asa01
names
ip local pool vpn_DHCP 192.168.2.0-192.168.2.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.241.239.247
host 192.241.239.247
description malicious
object network PLEX
host 192.168.1.21
object network vm
host 192.168.1.20
object network NETWORK_OBJ_10.1.1.0_28
subnet 10.1.1.0 255.255.255.240
object network VPN
range 192.168.1.50 192.168.1.70
object network vpn_pool
range 192.168.2.0 192.168.2.254
object network billy_internal
subnet 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_5
network-object object vpn_pool
object-group service RDP
service-object tcp destination eq 3389
service-object udp destination eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network inside_networks
network-object 192.168.1.0 255.255.255.0
object-group network vpn_pool_obj
network-object object vpn_pool
object-group network DM_INLINE_NETWORK_2
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object PLEX eq 32400
access-list outside_access_in extended permit object-group RDP any object vm
access-list outside_access_in extended permit tcp any host 192.168.1.20 eq 3389
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list LOCAL_LAN standard permit host 0.0.0.0
access-list 192.168.1.0 standard permit 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging monitor errors
logging buffered debugging
logging trap informational
logging history errors
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source dynamic any interface
nat (any,any) source static any any destination static VPN VPN
nat (inside,outside) source dynamic inside_networks interface
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network PLEX
nat (inside,outside) static interface service tcp 32400 32400
object network vm
nat (any,outside) static interface
object network VPN
nat (outside,outside) dynamic interface
object network billy_internal
nat (outside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.20.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=billyasa.pcrus.net
keypair godaddy.key
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=billyasa.pcrus.net
keypair godaddy.key
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
certificate 0342eaadaff26045
3082062e 30820516 a0030201 02020803 42eaadaf f2604530 0d06092a 864886f7
0d01010b 05003081 b4310b30 09060355 04061302 55533110 300e0603 55040813
07417269 7a6f6e61 31133011 06035504 07130a53 636f7474 7364616c 65311a30
18060355 040a1311 476f4461 6464792e 636f6d2c 20496e63 2e312d30 2b060355
040b1324 68747470 3a2f2f63 65727473 2e676f64 61646479 2e636f6d 2f726570
6f736974 6f72792f 31333031 06035504 03132a47 6f204461 64647920 53656375
72652043 65727469 66696361 74652041 7574686f 72697479 202d2047 32301e17
0d313930 35303132 30323232 395a170d 32303034 32363031 32303133 5a303731
21301f06 0355040b 1318446f 6d61696e 20436f6e 74726f6c 2056616c 69646174
65643112 30100603 55040313 09706372 75732e6e 65743082 0122300d 06092a86
4886f70d 01010105 00038201 0f003082 010a0282 010100ac a56cfeb4 f083ce66
76bfd626 2347edc4 dc97d08c afedf20a 6dc94f04 bf986997 1778ebb0 873ce57f
348a2ba7 10f9843b 20d26c4d c86fff00 f45dbed6 1e74838f 642d9658 522173db
dd8b6085 bed2dcf5 d36933f8 552c62aa 5bc33763 61a7ee3b e648b505 c9c029a7
85b8b490 e48a1812 8a0e9444 9c419845 9993c61b fe10c135 0327d229 ad221524
1d495e5b 346c6eaf 201381ae 51c59c6d 43fe93bf 3218f8ac 4e18b6d2 21f30b38
d6357d0e f082544d ba100418 51771c0c fc2fdc51 42173a05 b43ab406 852f77c5
5ca64f54 ae2022fa 5f622c6b a3a486c7 54084d1d d2997f81 446725a1 727dd56f
af057947 0f88761f a476e105 1d4ce583 dfc52a3a afb7cd02 03010001 a38202be
308202ba 300c0603 551d1301 01ff0402 3000301d 0603551d 25041630 1406082b
06010505 07030106 082b0601 05050703 02300e06 03551d0f 0101ff04 04030205
a0303806 03551d1f 0431302f 302da02b a0298627 68747470 3a2f2f63 726c2e67
6f646164 64792e63 6f6d2f67 64696732 73312d31 3038362e 63726c30 5d060355
1d200456 30543048 060b6086 480186fd 6d010717 01303930 3706082b 06010505
07020116 2b687474 703a2f2f 63657274 69666963 61746573 2e676f64 61646479
2e636f6d 2f726570 6f736974 6f72792f 30080606 67810c01 02013076 06082b06
01050507 0101046a 30683024 06082b06 01050507 30018618 68747470 3a2f2f6f
6373702e 676f6461 6464792e 636f6d2f 30400608 2b060105 05073002 86346874
74703a2f 2f636572 74696669 63617465 732e676f 64616464 792e636f 6d2f7265
706f7369 746f7279 2f676469 67322e63 7274301f 0603551d 23041830 16801440
c2bd278e cc348330 a233d7fb 6cb3f0b4 2c80ce30 23060355 1d11041c 301a8209
70637275 732e6e65 74820d77 77772e70 63727573 2e6e6574 301d0603 551d0e04
160414ea 771dc554 070f6b1f d695a483 ce86302a 718d8430 82010306 0a2b0601
0401d679 02040204 81f40481 f100ef00 7500a4b9 0990b418 581487bb 13a2cc67
700a3c35 9804f91b dfb8e377 cd0ec80d dc100000 016a7510 1b500000 04030046
30440220 1b49ba34 3654cfe8 a2753118 801d17ce 89650406 1f4c5a3e c3814d6f
98978dab 02201566 cf49fe83 3b07c5f7 815ccea2 cca1545d ee426cab 23d75a0a
5974fb72 af950076 005ea773 f9df56c0 e7b53648 7dd049e0 327a919a 0c84a112
12841875 96817145 58000001 6a751020 41000004 03004730 45022069 015ad24f
631a718a 88f6cf16 6ba29089 c74b35a7 8be0c764 b56ea22e bd6fbd02 2100e577
05676b1f 5edf03b3 a3ff6ce0 dd67f3f6 270ecf5a 05d4637a c341d011 99ae300d
06092a86 4886f70d 01010b05 00038201 01000577 ff8268cf 2931d469 d67429fc
398cb690 3f7606d5 b3d6580a 60da329f c1addcbb a7081835 50f2219e c64ad69c
06a7fc00 89c2acbf 486afc36 9b8ffafd 1818dd99 e183c695 e44eba03 85d197a2
6164b80f cede2d05 0e0155b0 bd071dd7 f93c51a0 9c997e5a e05219f8 7000cddd
15c0f802 06ef83b4 ae10b15a df3d3191 b2214581 2fe0918a f4f68819 f9480eef
0c903108 63555f85 3fd76403 86befd98 7e7d2e23 7f7f570b 56168575 1a28c815
4b52e238 e96a74b9 2b3e3532 96966464 27927f1a e849290b f3218990 a7359542
a9458ff0 f236460e 93850bcf 161d0b0c 1591cf85 501fb0b7 1ca77790 68fc2ba3
19dcefd4 ee888e27 82fe8cd6 8c717933 6a28
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 07
308204d0 308203b8 a0030201 02020107 300d0609 2a864886 f70d0101 0b050030
8183310b 30090603 55040613 02555331 10300e06 03550408 13074172 697a6f6e
61311330 11060355 0407130a 53636f74 74736461 6c65311a 30180603 55040a13
11476f44 61646479 2e636f6d 2c20496e 632e3131 302f0603 55040313 28476f20
44616464 7920526f 6f742043 65727469 66696361 74652041 7574686f 72697479
202d2047 32301e17 0d313130 35303330 37303030 305a170d 33313035 30333037
30303030 5a3081b4 310b3009 06035504 06130255 53311030 0e060355 04081307
4172697a 6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018
06035504 0a131147 6f446164 64792e63 6f6d2c20 496e632e 312d302b 06035504
0b132468 7474703a 2f2f6365 7274732e 676f6461 6464792e 636f6d2f 7265706f
7369746f 72792f31 33303106 03550403 132a476f 20446164 64792053 65637572
65204365 72746966 69636174 65204175 74686f72 69747920 2d204732 30820122
300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00b9e0cb
10d4af76 bdd49362 eb3064b8 81086cc3 04d96217 8e2fff3e 65cf8fce 62e63c52
1cda1645 4b55ab78 6b638362 90ce0f69 6c99c81a 148b4ccc 4533ea88 dc9ea3af
2bfe8061 9d7957c4 cf2ef43f 303c5d47 fc9a16bc c3379641 518e114b 54f828be
d08cbef0 30381ef3 b026f866 47636dde 7126478f 384753d1 461db4e3 dc00ea45
acbdbc71 d9aa6f00 dbdbcd30 3a794f5f 4c47f81d ef5bc2c4 9d603bb1 b24391d8
a4334eea b3d6274f ad258aa5 c6f4d5d0 a6ae7405 645788b5 4455d42d 2a3a3ef8
b8bde932 0a029464 c4163a50 f14aaee7 7933af0c 20077fe8 df0439c2 69026c63
52fa77c1 1bc87487 c8b99318 5054354b 694ebc3b d3492e1f dcc1d252 fb020301
0001a382 011a3082 0116300f 0603551d 130101ff 04053003 0101ff30 0e060355
1d0f0101 ff040403 02010630 1d060355 1d0e0416 041440c2 bd278ecc 348330a2
33d7fb6c b3f0b42c 80ce301f 0603551d 23041830 1680143a 9a850710 6728b6ef
f6bd0541 6e20c194 da0fde30 3406082b 06010505 07010104 28302630 2406082b
06010505 07300186 18687474 703a2f2f 6f637370 2e676f64 61646479 2e636f6d
2f303506 03551d1f 042e302c 302aa028 a0268624 68747470 3a2f2f63 726c2e67
6f646164 64792e63 6f6d2f67 64726f6f 742d6732 2e63726c 30460603 551d2004
3f303d30 3b060455 1d200030 33303106 082b0601 05050702 01162568 74747073
3a2f2f63 65727473 2e676f64 61646479 2e636f6d 2f726570 6f736974 6f72792f
300d0609 2a864886 f70d0101 0b050003 82010100 087e6c93 10c838b8 96a9904b
ffa15f4f 04ef6c3e 9c8806c9 508fa673 f757311b bebce42f dbf8bad3 5be0b4e7
e679620e 0ca2d76a 637331b5 f5a848a4 3b082da2 5d90d7b4 7c254f11 5630c4b6
449d7b2c 9de55ee6 ef0c61aa bfe42a1b ee849eb8 837dc143 ce44a713 700d911f
f4c813ad 8360d9d8 72a87324 1eb5ac22 0eca1789 6258441b ab892501 000fcdc4
1b62db51 b4d30f51 2a9bf4bc 73fc76ce 36a4cdd9 d82ceaae 9bf52ab2 90d14d75
188a3f8a 4190237d 5b4bfea4 03589b46 b2c36060 83f87d50 41cec2a1 90c3bbef
022fd215 54ee4415 d90aaea7 8a33edb1 2d763626 dc04eb9f f7611f15 dc876fee
469628ad a1267d0a 09a72e04 a38dbcf8 bc043001
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 inside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect profiles billyvpn_client_profile disk0:/billyvpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_billyvpn internal
group-policy GroupPolicy_billyvpn attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain none
webvpn
anyconnect profiles value billyvpn_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username billy password $sha512$5000$oL/20hFF4ju8A9l1YT3KUw==$ejzgfNeD7PnrXT2L/GAuSA== pbkdf2
tunnel-group billyvpn type remote-access
tunnel-group billyvpn general-attributes
address-pool vpn_DHCP
authorization-server-group LOCAL
default-group-policy GroupPolicy_billyvpn
tunnel-group billyvpn webvpn-attributes
group-alias billyvpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:992fec429cd78df402da1fbe11183fe8
: end
c140asa01#
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide
