cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1750
Views
0
Helpful
6
Replies

Cisco ASA - cannot reach local IP addresses

mark1mccorkle
Level 1
Level 1

Hi,

I am trying to use VPN to access our local network addresses from anywhere on the internet.  I have VPN setup on the ASA and I can connect with the Cisco VPN Client but I cannot telnet or ping any addresses on my local network.  I can access public IP addresses.  I don't se any routes under "Status/Statistics/Route Details" in my cisco VPN Client (when connected).  I have tried connecting with serveral pc's and iPads with the same results. 

We are trying to connect with users mark and t.reese using the DSIAdminUsers group.  When we try to telnet or ping an internal address such as 10.1.1.225 or 97.0.0.69, it times out.

Can someone please look at the config and see what I am doing wrong.  Any help is appreciated.

Thanks,

Mark

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password mDnUbb1nQkpe6eG9 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 97.0.0.250 tarantella

name 172.31.255.3 MGMT_HOST description Remote Network Management

name 97.0.0.56 axis-camera-1

name 10.99.0.60 axis-camera-2

!

interface GigabitEthernet0/0

nameif CABLE

security-level 0

ip address 95.36.115.66 255.255.255.248

!

interface GigabitEthernet0/1

shutdown

nameif DSL

security-level 0

ip address 64.173.93.28 255.255.255.128

!

interface GigabitEthernet0/2

nameif FIBER

security-level 0

ip address 25.181.205.2 255.255.255.240

!

interface GigabitEthernet0/3

nameif inside

security-level 100

ip address 97.0.0.100 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list 100 extended permit tcp any host 25.181.205.2 eq 3144

access-list 100 extended permit tcp any host 25.181.205.2 eq 8080

access-list 100 extended permit tcp any host 25.181.205.2 eq 100

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit tcp any host 25.181.205.2 eq https

access-list 100 extended permit tcp any host 25.181.205.2 eq www

access-list 100 extended permit tcp any host 25.181.205.2 eq 8081

access-list 100 extended permit tcp any host 25.181.205.2 eq 8082

access-list 80 extended permit ip any 192.168.222.0 255.255.255.0

access-list 80 extended permit ip any 172.31.253.0 255.255.254.0

access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240

access-list 80 extended permit ip any 192.168.222.0 255.255.255.224

access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50

access-list DSIAdminUsers_splitTunnelAcl standard permit any

pager lines 24

logging enable

logging timestamp

logging buffered informational

logging trap errors

logging asdm informational

mtu CABLE 1500

mtu DSL 1500

mtu FIBER 1500

mtu inside 1500

ip local pool VPNPOOL 192.168.222.1-192.168.222.10

ip local pool AdminPool 192.168.222.11-192.168.222.20

ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0

ip audit name DSI-Attack attack action alarm drop reset

ip audit name DSI-Alarm info action alarm

ip audit interface FIBER DSI-Alarm

ip audit interface FIBER DSI-Attack

ip audit interface inside DSI-Alarm

ip audit interface inside DSI-Attack

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo DSL

icmp permit any echo-reply DSL

icmp permit any unreachable DSL

icmp permit any unreachable FIBER

icmp permit any echo FIBER

icmp permit any echo-reply FIBER

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (DSL) 1 interface

global (FIBER) 1 interface

nat (inside) 0 access-list 80

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255

static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255

static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255

static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255

static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255

static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255

static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255

access-group 100 in interface FIBER

route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254

route inside 10.0.0.0 255.0.0.0 97.0.0.3 1

route inside 10.2.0.0 255.255.0.0 97.0.0.3 1

route inside 10.3.0.0 255.255.0.0 97.0.0.3 1

route inside 10.4.0.0 255.255.0.0 97.0.0.3 1

route inside 10.8.0.0 255.255.0.0 97.0.0.3 1

route inside 10.12.0.0 255.255.0.0 97.0.0.3 1

route inside 10.31.0.0 255.255.0.0 97.0.0.3 1

route inside 10.41.0.0 255.255.0.0 97.0.0.3 1

route inside 10.99.0.0 255.255.0.0 97.0.0.3 1

route inside 172.17.253.0 255.255.255.0 97.0.0.235 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 88

type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE

num-packets 3

timeout 1000

frequency 3

sla monitor schedule 88 life forever start-time now

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DCMAP 10 set pfs

crypto dynamic-map DCMAP 10 set transform-set TSET

crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800

crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000

crypto dynamic-map inside_dyn_map 20 set pfs

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map CMAP 1 match address GLSVPN

crypto map CMAP 1 set peer 66.129.114.59

crypto map CMAP 1 set transform-set ESP-3DES-MD5

crypto map CMAP 1 set security-association lifetime seconds 28800

crypto map CMAP 1 set security-association lifetime kilobytes 4608000

crypto map CMAP 10 ipsec-isakmp dynamic DCMAP

crypto map CMAP interface FIBER

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

crypto isakmp identity address

crypto isakmp enable FIBER

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 88 reachability

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 FIBER

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy ASAVPN internal

group-policy ASAVPN attributes

dns-server value 24.217.0.3 63.162.197.99

vpn-tunnel-protocol IPSec svc

default-domain value dsidsi.com

group-policy DSIAdminUsers internal

group-policy DSIAdminUsers attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl

default-domain value dsi.local

group-policy DSIVPNUser internal

group-policy DSIVPNUser attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIVPNUser_splitTunnelAcl

default-domain value dsi.local

username test password hmQhTUMT1T5Z4KHC encrypted

username test attributes

vpn-group-policy DSIAdminUsers

username akipper password 9PojOPiG2IXFp42B encrypted privilege 0

username akipper attributes

vpn-group-policy ASAVPN

username user1 password 0dldJICVF//EH4X3 encrypted

username user1 attributes

vpn-group-policy DSIVPNUser

username t.reese password JvMrGsialw4hFL/z encrypted privilege 15

username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15

username mark attributes

vpn-group-policy DSIAdminUsers

tunnel-group DefaultRAGroup general-attributes

address-pool (FIBER) VPNPOOL

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool VPNPOOL

tunnel-group ASAVPN type remote-access

tunnel-group ASAVPN general-attributes

address-pool VPNPOOL

default-group-policy ASAVPN

tunnel-group ASAVPN ipsec-attributes

pre-shared-key *

tunnel-group 66.129.114.59 type ipsec-l2l

tunnel-group 66.129.114.59 ipsec-attributes

pre-shared-key *

tunnel-group DSIVPNUser type remote-access

tunnel-group DSIVPNUser general-attributes

address-pool VPNPOOL

default-group-policy DSIVPNUser

tunnel-group DSIVPNUser ipsec-attributes

pre-shared-key *

tunnel-group DSIAdminUsers type remote-access

tunnel-group DSIAdminUsers general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group DSIAdminUsers ipsec-attributes

pre-shared-key *

tunnel-group TestUser type remote-access

tunnel-group TestUser general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group TestUser ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:dfb0accab0916d7f7f3a886c6c7d1ca2

: end

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password mDnUbb1nQkpe6eG9 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 97.0.0.250 tarantella

name 172.31.255.3 MGMT_HOST description Remote Network Management

name 97.0.0.56 axis-camera-1

name 10.99.0.60 axis-camera-2

!

interface GigabitEthernet0/0

nameif CABLE

security-level 0

ip address 95.36.115.66 255.255.255.248

!

interface GigabitEthernet0/1

shutdown

nameif DSL

security-level 0

ip address 64.173.93.28 255.255.255.128

!

interface GigabitEthernet0/2

nameif FIBER

security-level 0

ip address 25.181.205.2 255.255.255.240

!

interface GigabitEthernet0/3

nameif inside

security-level 100

ip address 97.0.0.100 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list 100 extended permit tcp any host 25.181.205.2 eq 3144

access-list 100 extended permit tcp any host 25.181.205.2 eq 8080

access-list 100 extended permit tcp any host 25.181.205.2 eq 100

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit tcp any host 25.181.205.2 eq https

access-list 100 extended permit tcp any host 25.181.205.2 eq www

access-list 100 extended permit tcp any host 25.181.205.2 eq 8081

access-list 100 extended permit tcp any host 25.181.205.2 eq 8082

access-list 80 extended permit ip any 192.168.222.0 255.255.255.0

access-list 80 extended permit ip any 172.31.253.0 255.255.254.0

access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240

access-list 80 extended permit ip any 192.168.222.0 255.255.255.224

access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50

access-list DSIAdminUsers_splitTunnelAcl standard permit any

pager lines 24

logging enable

logging timestamp

logging buffered informational

logging trap errors

logging asdm informational

mtu CABLE 1500

mtu DSL 1500

mtu FIBER 1500

mtu inside 1500

ip local pool VPNPOOL 192.168.222.1-192.168.222.10

ip local pool AdminPool 192.168.222.11-192.168.222.20

ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0

ip audit name DSI-Attack attack action alarm drop reset

ip audit name DSI-Alarm info action alarm

ip audit interface FIBER DSI-Alarm

ip audit interface FIBER DSI-Attack

ip audit interface inside DSI-Alarm

ip audit interface inside DSI-Attack

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo DSL

icmp permit any echo-reply DSL

icmp permit any unreachable DSL

icmp permit any unreachable FIBER

icmp permit any echo FIBER

icmp permit any echo-reply FIBER

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (DSL) 1 interface

global (FIBER) 1 interface

nat (inside) 0 access-list 80

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255

static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255

static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255

static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255

static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255

static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255

static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255

access-group 100 in interface FIBER

route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254

route inside 10.0.0.0 255.0.0.0 97.0.0.3 1

route inside 10.2.0.0 255.255.0.0 97.0.0.3 1

route inside 10.3.0.0 255.255.0.0 97.0.0.3 1

route inside 10.4.0.0 255.255.0.0 97.0.0.3 1

route inside 10.8.0.0 255.255.0.0 97.0.0.3 1

route inside 10.12.0.0 255.255.0.0 97.0.0.3 1

route inside 10.31.0.0 255.255.0.0 97.0.0.3 1

route inside 10.41.0.0 255.255.0.0 97.0.0.3 1

route inside 10.99.0.0 255.255.0.0 97.0.0.3 1

route inside 172.17.253.0 255.255.255.0 97.0.0.235 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 88

type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE

num-packets 3

timeout 1000

frequency 3

sla monitor schedule 88 life forever start-time now

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DCMAP 10 set pfs

crypto dynamic-map DCMAP 10 set transform-set TSET

crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800

crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000

crypto dynamic-map inside_dyn_map 20 set pfs

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map CMAP 1 match address GLSVPN

crypto map CMAP 1 set peer 66.129.114.59

crypto map CMAP 1 set transform-set ESP-3DES-MD5

crypto map CMAP 1 set security-association lifetime seconds 28800

crypto map CMAP 1 set security-association lifetime kilobytes 4608000

crypto map CMAP 10 ipsec-isakmp dynamic DCMAP

crypto map CMAP interface FIBER

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

crypto isakmp identity address

crypto isakmp enable FIBER

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 88 reachability

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 FIBER

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy ASAVPN internal

group-policy ASAVPN attributes

dns-server value 24.217.0.3 63.162.197.99

vpn-tunnel-protocol IPSec svc

default-domain value dsidsi.com

group-policy DSIAdminUsers internal

group-policy DSIAdminUsers attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl

default-domain value dsi.local

group-policy DSIVPNUser internal

group-policy DSIVPNUser attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIVPNUser_splitTunnelAcl

default-domain value dsi.local

username test password hmQhTUMT1T5Z4KHC encrypted

username test attributes

vpn-group-policy DSIAdminUsers

username akipper password 9PojOPiG2IXFp42B encrypted privilege 0

username akipper attributes

vpn-group-policy ASAVPN

username user1 password 0dldJICVF//EH4X3 encrypted

username user1 attributes

vpn-group-policy DSIVPNUser

username t.reese password JvMrGsialw4hFL/z encrypted privilege 15

username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15

username mark attributes

vpn-group-policy DSIAdminUsers

tunnel-group DefaultRAGroup general-attributes

address-pool (FIBER) VPNPOOL

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool VPNPOOL

tunnel-group ASAVPN type remote-access

tunnel-group ASAVPN general-attributes

address-pool VPNPOOL

default-group-policy ASAVPN

tunnel-group ASAVPN ipsec-attributes

pre-shared-key *

tunnel-group 66.129.114.59 type ipsec-l2l

tunnel-group 66.129.114.59 ipsec-attributes

pre-shared-key *

tunnel-group DSIVPNUser type remote-access

tunnel-group DSIVPNUser general-attributes

address-pool VPNPOOL

default-group-policy DSIVPNUser

tunnel-group DSIVPNUser ipsec-attributes

pre-shared-key *

tunnel-group DSIAdminUsers type remote-access

tunnel-group DSIAdminUsers general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group DSIAdminUsers ipsec-attributes

pre-shared-key *

tunnel-group TestUser type remote-access

tunnel-group TestUser general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group TestUser ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:dfb0accab0916d7f7f3a886c6c7d1ca2

: end

1 Accepted Solution

Accepted Solutions

access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0

access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0

your access list specifiying traffic to be encrypted can be this same access-list.  It should be nearly identical unless you have a reason to not allow some of it.

Basically you are telling the firewall not to nat the traffic from the inside networks to the vpn pool and vise versa.  Otherwise the asa will nat everything and the ip's won't be the same after passing nat.

Use the command packet-tracer and it'll step you through all of the flows and tell you whether or not the traffic would be allowed/nat'd/encrypted/etc.

View solution in original post

6 Replies 6

clooney
Level 4
Level 4

I didn't look at everything in this config so there might still be something else but one thing I did see is that your using a standard access-list to specify traffic to be tunneled that is permiting any. 

You need to use an extended acl to specify traffic to be encrypted.  Specifically the line below.

access-list DSIAdminUsers_splitTunnelAcl standard permit any

Also you need to include your inside subnets in access-list 80 in order to excluded from nat.

Hope this helps.

Hi Clooney,

Thanks for the reply.  I am a newbie so forgive the simple question.  My internal IP addresses are 97.0.0.1 thru 97.0.0.254 and 10.1.1.1 thru 10.1.1.254.  What would the access-list 80 look like?

Thanks,

Mark

access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0

access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0

your access list specifiying traffic to be encrypted can be this same access-list.  It should be nearly identical unless you have a reason to not allow some of it.

Basically you are telling the firewall not to nat the traffic from the inside networks to the vpn pool and vise versa.  Otherwise the asa will nat everything and the ip's won't be the same after passing nat.

Use the command packet-tracer and it'll step you through all of the flows and tell you whether or not the traffic would be allowed/nat'd/encrypted/etc.

Clooney,

THAT WORKED!!!

After adding the access-list 80 lines, I can now telnet to any address on my network from a vpn connection.

I appreciate your help.  I have been working on this for 3 days and was close to giving up...

Thanks,

Mark

Great! Glad I could help.

Well, I know this does not make any sense, but VPN is no longer working.  It was working earlier today, I tested with a PC and my iPad and it worked.  But I was checking things out one last time today and it is no longer working with either device.  I made no other changes to the config after adding the two lines to it that initially made it start working.  I saved the config after editing this morning and got a copy of the config just now.  I used diff and there are no changes since it was working.  I made no other network related changes since it was working.

Below is a copy of the current config.

Any other ideas before I just give up?

Thanks,

Mark

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password mDnUbb1nQkpe6eG9 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 97.0.0.250 tarantella

name 172.31.255.3 MGMT_HOST description Remote Network Management

name 97.0.0.56 axis-camera-1

name 10.99.0.60 axis-camera-2

!

interface GigabitEthernet0/0

nameif CABLE

security-level 0

ip address 95.36.115.66 255.255.255.248

!

interface GigabitEthernet0/1

shutdown

nameif DSL

security-level 0

ip address 64.173.93.28 255.255.255.128

!

interface GigabitEthernet0/2

nameif FIBER

security-level 0

ip address 25.181.205.2 255.255.255.240

!

interface GigabitEthernet0/3

nameif inside

security-level 100

ip address 97.0.0.100 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list 100 extended permit tcp any host 25.181.205.2 eq 3144

access-list 100 extended permit tcp any host 25.181.205.2 eq 8080

access-list 100 extended permit tcp any host 25.181.205.2 eq 100

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit tcp any host 25.181.205.2 eq https

access-list 100 extended permit tcp any host 25.181.205.2 eq www

access-list 100 extended permit tcp any host 25.181.205.2 eq 8081

access-list 100 extended permit tcp any host 25.181.205.2 eq 8082

access-list 80 extended permit ip any 192.168.222.0 255.255.255.0

access-list 80 extended permit ip any 172.31.253.0 255.255.254.0

access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240

access-list 80 extended permit ip any 192.168.222.0 255.255.255.224

access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0

access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0

access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50

access-list DSIAdminUsers_splitTunnelAcl standard permit any

pager lines 24

logging enable

logging timestamp

logging buffered informational

logging trap errors

logging asdm informational

mtu CABLE 1500

mtu DSL 1500

mtu FIBER 1500

mtu inside 1500

ip local pool VPNPOOL 192.168.222.1-192.168.222.10

ip local pool AdminPool 192.168.222.11-192.168.222.20

ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0

ip audit name DSI-Attack attack action alarm drop reset

ip audit name DSI-Alarm info action alarm

ip audit interface FIBER DSI-Alarm

ip audit interface FIBER DSI-Attack

ip audit interface inside DSI-Alarm

ip audit interface inside DSI-Attack

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo DSL

icmp permit any echo-reply DSL

icmp permit any unreachable DSL

icmp permit any unreachable FIBER

icmp permit any echo FIBER

icmp permit any echo-reply FIBER

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (DSL) 1 interface

global (FIBER) 1 interface

nat (inside) 0 access-list 80

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255

static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255

static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255

static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255

static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255

static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255

static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255

access-group 100 in interface FIBER

route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254

route inside 10.0.0.0 255.0.0.0 97.0.0.3 1

route inside 10.2.0.0 255.255.0.0 97.0.0.3 1

route inside 10.3.0.0 255.255.0.0 97.0.0.3 1

route inside 10.4.0.0 255.255.0.0 97.0.0.3 1

route inside 10.8.0.0 255.255.0.0 97.0.0.3 1

route inside 10.12.0.0 255.255.0.0 97.0.0.3 1

route inside 10.31.0.0 255.255.0.0 97.0.0.3 1

route inside 10.41.0.0 255.255.0.0 97.0.0.3 1

route inside 10.99.0.0 255.255.0.0 97.0.0.3 1

route inside 172.17.253.0 255.255.255.0 97.0.0.235 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 88

type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE

num-packets 3

timeout 1000

frequency 3

sla monitor schedule 88 life forever start-time now

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DCMAP 10 set pfs

crypto dynamic-map DCMAP 10 set transform-set TSET

crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800

crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000

crypto dynamic-map inside_dyn_map 20 set pfs

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map CMAP 1 match address GLSVPN

crypto map CMAP 1 set peer 66.129.114.59

crypto map CMAP 1 set transform-set ESP-3DES-MD5

crypto map CMAP 1 set security-association lifetime seconds 28800

crypto map CMAP 1 set security-association lifetime kilobytes 4608000

crypto map CMAP 10 ipsec-isakmp dynamic DCMAP

crypto map CMAP interface FIBER

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

crypto isakmp identity address

crypto isakmp enable FIBER

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 88 reachability

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 FIBER

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy ASAVPN internal

group-policy ASAVPN attributes

dns-server value 24.217.0.3 63.162.197.99

vpn-tunnel-protocol IPSec svc

default-domain value dsidsi.com

group-policy DSIAdminUsers internal

group-policy DSIAdminUsers attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl

default-domain value dsi.local

group-policy DSIVPNUser internal

group-policy DSIVPNUser attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIVPNUser_splitTunnelAcl

default-domain value dsi.local

username test password hmQhTUMT1T5Z4KHC encrypted

username test attributes

vpn-group-policy DSIAdminUsers

username akipper password 9PojOPiG2IXFp42B encrypted privilege 0

username akipper attributes

vpn-group-policy ASAVPN

username user1 password 0dldJICVF//EH4X3 encrypted

username user1 attributes

vpn-group-policy DSIVPNUser

username t.reese password JvMrGsialw4hFL/z encrypted privilege 15

username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15

username mark attributes

vpn-group-policy DSIAdminUsers

tunnel-group DefaultRAGroup general-attributes

address-pool (FIBER) VPNPOOL

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool VPNPOOL

tunnel-group ASAVPN type remote-access

tunnel-group ASAVPN general-attributes

address-pool VPNPOOL

default-group-policy ASAVPN

tunnel-group ASAVPN ipsec-attributes

pre-shared-key *

tunnel-group 66.129.114.59 type ipsec-l2l

tunnel-group 66.129.114.59 ipsec-attributes

pre-shared-key *

tunnel-group DSIVPNUser type remote-access

tunnel-group DSIVPNUser general-attributes

address-pool VPNPOOL

default-group-policy DSIVPNUser

tunnel-group DSIVPNUser ipsec-attributes

pre-shared-key *

tunnel-group DSIAdminUsers type remote-access

tunnel-group DSIAdminUsers general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group DSIAdminUsers ipsec-attributes

pre-shared-key *

tunnel-group TestUser type remote-access

tunnel-group TestUser general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group TestUser ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:dfb0accab0916d7f7f3a886c6c7d1ca2

: end

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password mDnUbb1nQkpe6eG9 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 97.0.0.250 tarantella

name 172.31.255.3 MGMT_HOST description Remote Network Management

name 97.0.0.56 axis-camera-1

name 10.99.0.60 axis-camera-2

!

interface GigabitEthernet0/0

nameif CABLE

security-level 0

ip address 95.36.115.66 255.255.255.248

!

interface GigabitEthernet0/1

shutdown

nameif DSL

security-level 0

ip address 64.173.93.28 255.255.255.128

!

interface GigabitEthernet0/2

nameif FIBER

security-level 0

ip address 25.181.205.2 255.255.255.240

!

interface GigabitEthernet0/3

nameif inside

security-level 100

ip address 97.0.0.100 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list 100 extended permit tcp any host 25.181.205.2 eq 3144

access-list 100 extended permit tcp any host 25.181.205.2 eq 8080

access-list 100 extended permit tcp any host 25.181.205.2 eq 100

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit tcp any host 25.181.205.2 eq https

access-list 100 extended permit tcp any host 25.181.205.2 eq www

access-list 100 extended permit tcp any host 25.181.205.2 eq 8081

access-list 100 extended permit tcp any host 25.181.205.2 eq 8082

access-list 80 extended permit ip any 192.168.222.0 255.255.255.0

access-list 80 extended permit ip any 172.31.253.0 255.255.254.0

access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240

access-list 80 extended permit ip any 192.168.222.0 255.255.255.224

access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0

access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0

access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50

access-list DSIAdminUsers_splitTunnelAcl standard permit any

pager lines 24

logging enable

logging timestamp

logging buffered informational

logging trap errors

logging asdm informational

mtu CABLE 1500

mtu DSL 1500

mtu FIBER 1500

mtu inside 1500

ip local pool VPNPOOL 192.168.222.1-192.168.222.10

ip local pool AdminPool 192.168.222.11-192.168.222.20

ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0

ip audit name DSI-Attack attack action alarm drop reset

ip audit name DSI-Alarm info action alarm

ip audit interface FIBER DSI-Alarm

ip audit interface FIBER DSI-Attack

ip audit interface inside DSI-Alarm

ip audit interface inside DSI-Attack

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo DSL

icmp permit any echo-reply DSL

icmp permit any unreachable DSL

icmp permit any unreachable FIBER

icmp permit any echo FIBER

icmp permit any echo-reply FIBER

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (DSL) 1 interface

global (FIBER) 1 interface

nat (inside) 0 access-list 80

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255

static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255

static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255

static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255

static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255

static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255

static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255

access-group 100 in interface FIBER

route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254

route inside 10.0.0.0 255.0.0.0 97.0.0.3 1

route inside 10.2.0.0 255.255.0.0 97.0.0.3 1

route inside 10.3.0.0 255.255.0.0 97.0.0.3 1

route inside 10.4.0.0 255.255.0.0 97.0.0.3 1

route inside 10.8.0.0 255.255.0.0 97.0.0.3 1

route inside 10.12.0.0 255.255.0.0 97.0.0.3 1

route inside 10.31.0.0 255.255.0.0 97.0.0.3 1

route inside 10.41.0.0 255.255.0.0 97.0.0.3 1

route inside 10.99.0.0 255.255.0.0 97.0.0.3 1

route inside 172.17.253.0 255.255.255.0 97.0.0.235 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 88

type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE

num-packets 3

timeout 1000

frequency 3

sla monitor schedule 88 life forever start-time now

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DCMAP 10 set pfs

crypto dynamic-map DCMAP 10 set transform-set TSET

crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800

crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000

crypto dynamic-map inside_dyn_map 20 set pfs

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map CMAP 1 match address GLSVPN

crypto map CMAP 1 set peer 66.129.114.59

crypto map CMAP 1 set transform-set ESP-3DES-MD5

crypto map CMAP 1 set security-association lifetime seconds 28800

crypto map CMAP 1 set security-association lifetime kilobytes 4608000

crypto map CMAP 10 ipsec-isakmp dynamic DCMAP

crypto map CMAP interface FIBER

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

crypto isakmp identity address

crypto isakmp enable FIBER

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 88 reachability

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 FIBER

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy ASAVPN internal

group-policy ASAVPN attributes

dns-server value 24.217.0.3 63.162.197.99

vpn-tunnel-protocol IPSec svc

default-domain value dsidsi.com

group-policy DSIAdminUsers internal

group-policy DSIAdminUsers attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl

default-domain value dsi.local

group-policy DSIVPNUser internal

group-policy DSIVPNUser attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIVPNUser_splitTunnelAcl

default-domain value dsi.local

username test password hmQhTUMT1T5Z4KHC encrypted

username test attributes

vpn-group-policy DSIAdminUsers

username akipper password 9PojOPiG2IXFp42B encrypted privilege 0

username akipper attributes

vpn-group-policy ASAVPN

username user1 password 0dldJICVF//EH4X3 encrypted

username user1 attributes

vpn-group-policy DSIVPNUser

username t.reese password JvMrGsialw4hFL/z encrypted privilege 15

username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15

username mark attributes

vpn-group-policy DSIAdminUsers

tunnel-group DefaultRAGroup general-attributes

address-pool (FIBER) VPNPOOL

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool VPNPOOL

tunnel-group ASAVPN type remote-access

tunnel-group ASAVPN general-attributes

address-pool VPNPOOL

default-group-policy ASAVPN

tunnel-group ASAVPN ipsec-attributes

pre-shared-key *

tunnel-group 66.129.114.59 type ipsec-l2l

tunnel-group 66.129.114.59 ipsec-attributes

pre-shared-key *

tunnel-group DSIVPNUser type remote-access

tunnel-group DSIVPNUser general-attributes

address-pool VPNPOOL

default-group-policy DSIVPNUser

tunnel-group DSIVPNUser ipsec-attributes

pre-shared-key *

tunnel-group DSIAdminUsers type remote-access

tunnel-group DSIAdminUsers general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group DSIAdminUsers ipsec-attributes

pre-shared-key *

tunnel-group TestUser type remote-access

tunnel-group TestUser general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group TestUser ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

: end

Review Cisco Networking for a $25 gift card