07-29-2011 06:33 PM - edited 03-11-2019 02:05 PM
Hi,
I am trying to use VPN to access our local network addresses from anywhere on the internet. I have VPN setup on the ASA and I can connect with the Cisco VPN Client but I cannot telnet or ping any addresses on my local network. I can access public IP addresses. I don't see any routes under "Status/Statistics/Route Details" in my Cisco VPN Client (when connected). I have tried connecting with several PCs and iPads with the same results.
We are trying to connect with users mark and t.reese using the DSIAdminUsers group. When we try to telnet or ping an internal address such as 10.1.1.225 or 97.0.0.69, it times out.
Can someone please look at the config and see what I am doing wrong? Any help is appreciated.
Thanks,
Mark
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password mDnUbb1nQkpe6eG9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 97.0.0.250 tarantella
name 172.31.255.3 MGMT_HOST description Remote Network Management
name 97.0.0.56 axis-camera-1
name 10.99.0.60 axis-camera-2
!
interface GigabitEthernet0/0
nameif CABLE
security-level 0
ip address 95.36.115.66 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
nameif DSL
security-level 0
ip address 64.173.93.28 255.255.255.128
!
interface GigabitEthernet0/2
nameif FIBER
security-level 0
ip address 25.181.205.2 255.255.255.240
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 97.0.0.100 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list 100 extended permit tcp any host 25.181.205.2 eq 3144
access-list 100 extended permit tcp any host 25.181.205.2 eq 8080
access-list 100 extended permit tcp any host 25.181.205.2 eq 100
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit tcp any host 25.181.205.2 eq https
access-list 100 extended permit tcp any host 25.181.205.2 eq www
access-list 100 extended permit tcp any host 25.181.205.2 eq 8081
access-list 100 extended permit tcp any host 25.181.205.2 eq 8082
access-list 80 extended permit ip any 192.168.222.0 255.255.255.0
access-list 80 extended permit ip any 172.31.253.0 255.255.254.0
access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240
access-list 80 extended permit ip any 192.168.222.0 255.255.255.224
access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0
access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0
access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50
access-list DSIAdminUsers_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap errors
logging asdm informational
mtu CABLE 1500
mtu DSL 1500
mtu FIBER 1500
mtu inside 1500
ip local pool VPNPOOL 192.168.222.1-192.168.222.10
ip local pool AdminPool 192.168.222.11-192.168.222.20
ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0
ip audit name DSI-Attack attack action alarm drop reset
ip audit name DSI-Alarm info action alarm
ip audit interface FIBER DSI-Alarm
ip audit interface FIBER DSI-Attack
ip audit interface inside DSI-Alarm
ip audit interface inside DSI-Attack
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo DSL
icmp permit any echo-reply DSL
icmp permit any unreachable DSL
icmp permit any unreachable FIBER
icmp permit any echo FIBER
icmp permit any echo-reply FIBER
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (DSL) 1 interface
global (FIBER) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255
static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255
static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255
static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255
static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255
static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255
static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255
static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255
static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255
access-group 100 in interface FIBER
route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254
route inside 10.0.0.0 255.0.0.0 97.0.0.3 1
route inside 10.2.0.0 255.255.0.0 97.0.0.3 1
route inside 10.3.0.0 255.255.0.0 97.0.0.3 1
route inside 10.4.0.0 255.255.0.0 97.0.0.3 1
route inside 10.8.0.0 255.255.0.0 97.0.0.3 1
route inside 10.12.0.0 255.255.0.0 97.0.0.3 1
route inside 10.31.0.0 255.255.0.0 97.0.0.3 1
route inside 10.41.0.0 255.255.0.0 97.0.0.3 1
route inside 10.99.0.0 255.255.0.0 97.0.0.3 1
route inside 172.17.253.0 255.255.255.0 97.0.0.235 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 88
type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE
num-packets 3
timeout 1000
frequency 3
sla monitor schedule 88 life forever start-time now
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DCMAP 10 set pfs
crypto dynamic-map DCMAP 10 set transform-set TSET
crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800
crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map CMAP 1 match address GLSVPN
crypto map CMAP 1 set peer 66.129.114.59
crypto map CMAP 1 set transform-set ESP-3DES-MD5
crypto map CMAP 1 set security-association lifetime seconds 28800
crypto map CMAP 1 set security-association lifetime kilobytes 4608000
crypto map CMAP 10 ipsec-isakmp dynamic DCMAP
crypto map CMAP interface FIBER
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable FIBER
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 88 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 FIBER
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ASAVPN internal
group-policy ASAVPN attributes
dns-server value 24.217.0.3 63.162.197.99
vpn-tunnel-protocol IPSec svc
default-domain value dsidsi.com
group-policy DSIAdminUsers internal
group-policy DSIAdminUsers attributes
dns-server value 97.0.0.21 97.0.0.22
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl
default-domain value dsi.local
group-policy DSIVPNUser internal
group-policy DSIVPNUser attributes
dns-server value 97.0.0.21 97.0.0.22
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DSIVPNUser_splitTunnelAcl
default-domain value dsi.local
username test password hmQhTUMT1T5Z4KHC encrypted
username test attributes
vpn-group-policy DSIAdminUsers
username akipper password 9PojOPiG2IXFp42B encrypted privilege 0
username akipper attributes
vpn-group-policy ASAVPN
username user1 password 0dldJICVF//EH4X3 encrypted
username user1 attributes
vpn-group-policy DSIVPNUser
username t.reese password JvMrGsialw4hFL/z encrypted privilege 15
username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15
username mark attributes
vpn-group-policy DSIAdminUsers
tunnel-group DefaultRAGroup general-attributes
address-pool (FIBER) VPNPOOL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNPOOL
tunnel-group ASAVPN type remote-access
tunnel-group ASAVPN general-attributes
address-pool VPNPOOL
default-group-policy ASAVPN
tunnel-group ASAVPN ipsec-attributes
pre-shared-key *
tunnel-group 66.129.114.59 type ipsec-l2l
tunnel-group 66.129.114.59 ipsec-attributes
pre-shared-key *
tunnel-group DSIVPNUser type remote-access
tunnel-group DSIVPNUser general-attributes
address-pool VPNPOOL
default-group-policy DSIVPNUser
tunnel-group DSIVPNUser ipsec-attributes
pre-shared-key *
tunnel-group DSIAdminUsers type remote-access
tunnel-group DSIAdminUsers general-attributes
address-pool (FIBER) AdminPool
default-group-policy DSIAdminUsers
tunnel-group DSIAdminUsers ipsec-attributes
pre-shared-key *
tunnel-group TestUser type remote-access
tunnel-group TestUser general-attributes
address-pool (FIBER) AdminPool
default-group-policy DSIAdminUsers
tunnel-group TestUser ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dfb0accab0916d7f7f3a886c6c7d1ca2
: end
07-30-2011 04:35 PM
I didn't look at everything in this config so there might still be something else, but one thing I did see is that you're using a standard access-list to specify traffic to be tunneled that is permitting any.
You need to use an extended acl to specify traffic to be encrypted. Specifically the line below.
access-list DSIAdminUsers_splitTunnelAcl standard permit any
Also you need to include your inside subnets in access-list 80 in order to be excluded from NAT.
Hope this helps.
07-30-2011 05:56 PM
Hi Clooney,
Thanks for the reply. I am a newbie so forgive the simple question. My internal IP addresses are 97.0.0.1 thru 97.0.0.254 and 10.1.1.1 thru 10.1.1.254. What would the access-list 80 look like?
Thanks,
Mark
07-30-2011 06:41 PM
access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0
Your access list specifying traffic to be encrypted can be this same access-list. It should be nearly identical unless you have a reason to not allow some of it.
Basically you are telling the firewall not to NAT the traffic from the inside networks to the VPN pool and vice versa. Otherwise the ASA will NAT everything and the IPs won't be the same after passing NAT.
Use the command packet-tracer and it'll step you through all of the flows and tell you whether or not the traffic would be allowed/nat'd/encrypted/etc.
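The NAT-exemption decision this reply describes, modelled as an added example (editor's code, not Cisco's and not anything run on the ASA in the thread): it parses ACL 80 exactly as written in the config above and evaluates inside-to-pool flows with the ASA's first-match rule, before and after the two lines from the reply. The sample flows, the AdminPool client address 192.168.222.12 and the internet host 203.0.113.7 are constructed.

```python
"""Model of the ASA 'nat (inside) 0 access-list 80' exemption decision.

Added example for this thread (not Cisco code, not taken from the ASA).
It parses 'access-list <name> extended permit|deny ip <src> <dst>' lines
exactly as they appear in the config above (ASA uses real netmasks, not
IOS wildcard masks) and applies first-match semantics to decide whether
a flow is exempt from NAT or falls through to 'nat (inside) 1 0.0.0.0
0.0.0.0' and gets PAT'd on the egress interface, which is what breaks
return traffic to VPN clients.
"""
import ipaddress

# ACL 80 as posted in the original config.
ACL80_BEFORE = """
access-list 80 extended permit ip any 192.168.222.0 255.255.255.0
access-list 80 extended permit ip any 172.31.253.0 255.255.254.0
access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240
access-list 80 extended permit ip any 192.168.222.0 255.255.255.224
"""

# The same ACL with the two lines from the accepted answer appended.
ACL80_AFTER = ACL80_BEFORE + """
access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0
"""


def _take_addr(tokens):
    """Consume one ASA address spec from the token list:
    'any' | 'host A.B.C.D' | 'NET NETMASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    netmask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in line order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        # Only extended 'ip' entries matter for NAT exemption here; standard
        # ACLs (the split-tunnel lists) and other commands are skipped.
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        name, action, proto = tokens[1], tokens[3], tokens[4]
        if proto != "ip":
            continue
        rest = tokens[5:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def nat_exempt(entries, src_ip, dst_ip):
    """First-match evaluation of a 'nat 0 access-list'.

    Returns the 1-based index of the entry that matched (a permit means
    'exempt from NAT'), or None on an explicit deny or when nothing matched
    (implicit deny: the flow is handled by the regular nat/global pair).
    NAT exemption is bidirectional on the ASA, so the reverse flow is also
    matched against each entry.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, (action, src, dst) in enumerate(entries, start=1):
        forward = s in src and d in dst
        reverse = d in src and s in dst
        if forward or reverse:
            return idx if action == "permit" else None
    return None


def report(acl_text, flows):
    """Evaluate each (src, dst) flow against ACL 80 found in acl_text."""
    entries = parse_acl(acl_text)["80"]
    return [(src, dst, nat_exempt(entries, src, dst)) for src, dst in flows]


if __name__ == "__main__":
    # Constructed sample flows: inside hosts from the thread talking to a
    # client in AdminPool (192.168.222.11-20), plus one internet-bound flow
    # (203.0.113.7 is a documentation address) that must NOT be exempt.
    flows = [
        ("97.0.0.250", "192.168.222.12"),
        ("10.1.1.225", "192.168.222.12"),
        ("192.168.222.12", "10.1.1.225"),
        ("97.0.0.250", "203.0.113.7"),
    ]
    for label, text in (("before", ACL80_BEFORE), ("after", ACL80_AFTER)):
        print(f"--- ACL 80 {label} the fix ---")
        for src, dst, hit in report(text, flows):
            verdict = f"exempt (line {hit})" if hit else "NOT exempt -> nat 1 / PAT"
            print(f"{src:>16} -> {dst:<16} {verdict}")
```

Note the first-match result: the original line 1 (`permit ip any 192.168.222.0 255.255.255.0`) already matches inside-to-pool traffic, so the two added lines are never reached in this ACL. On the ASA itself, `packet-tracer input inside tcp 10.1.1.225 1024 192.168.222.12 23` shows the NAT-phase decision for the same flow.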
07-31-2011 06:47 AM
Clooney,
THAT WORKED!!!
After adding the access-list 80 lines, I can now telnet to any address on my network from a vpn connection.
I appreciate your help. I have been working on this for 3 days and was close to giving up...
Thanks,
Mark
07-31-2011 09:51 AM
Great! Glad I could help.
07-31-2011 03:13 PM
Well, I know this does not make any sense, but VPN is no longer working. It was working earlier today, I tested with a PC and my iPad and it worked. But I was checking things out one last time today and it is no longer working with either device. I made no other changes to the config after adding the two lines to it that initially made it start working. I saved the config after editing this morning and got a copy of the config just now. I used diff and there are no changes since it was working. I made no other network related changes since it was working.
Below is a copy of the current config.
Any other ideas before I just give up?
Thanks,
Mark
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password mDnUbb1nQkpe6eG9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 97.0.0.250 tarantella
name 172.31.255.3 MGMT_HOST description Remote Network Management
name 97.0.0.56 axis-camera-1
name 10.99.0.60 axis-camera-2
!
interface GigabitEthernet0/0
nameif CABLE
security-level 0
ip address 95.36.115.66 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
nameif DSL
security-level 0
ip address 64.173.93.28 255.255.255.128
!
interface GigabitEthernet0/2
nameif FIBER
security-level 0
ip address 25.181.205.2 255.255.255.240
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 97.0.0.100 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list 100 extended permit tcp any host 25.181.205.2 eq 3144
access-list 100 extended permit tcp any host 25.181.205.2 eq 8080
access-list 100 extended permit tcp any host 25.181.205.2 eq 100
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit tcp any host 25.181.205.2 eq https
access-list 100 extended permit tcp any host 25.181.205.2 eq www
access-list 100 extended permit tcp any host 25.181.205.2 eq 8081
access-list 100 extended permit tcp any host 25.181.205.2 eq 8082
access-list 80 extended permit ip any 192.168.222.0 255.255.255.0
access-list 80 extended permit ip any 172.31.253.0 255.255.254.0
access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240
access-list 80 extended permit ip any 192.168.222.0 255.255.255.224
access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0
access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0
access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50
access-list DSIAdminUsers_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap errors
logging asdm informational
mtu CABLE 1500
mtu DSL 1500
mtu FIBER 1500
mtu inside 1500
ip local pool VPNPOOL 192.168.222.1-192.168.222.10
ip local pool AdminPool 192.168.222.11-192.168.222.20
ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0
ip audit name DSI-Attack attack action alarm drop reset
ip audit name DSI-Alarm info action alarm
ip audit interface FIBER DSI-Alarm
ip audit interface FIBER DSI-Attack
ip audit interface inside DSI-Alarm
ip audit interface inside DSI-Attack
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo DSL
icmp permit any echo-reply DSL
icmp permit any unreachable DSL
icmp permit any unreachable FIBER
icmp permit any echo FIBER
icmp permit any echo-reply FIBER
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (DSL) 1 interface
global (FIBER) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255
static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255
static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255
static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255
static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255
static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255
static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255
static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255
static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255
access-group 100 in interface FIBER
route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254
route inside 10.0.0.0 255.0.0.0 97.0.0.3 1
route inside 10.2.0.0 255.255.0.0 97.0.0.3 1
route inside 10.3.0.0 255.255.0.0 97.0.0.3 1
route inside 10.4.0.0 255.255.0.0 97.0.0.3 1
route inside 10.8.0.0 255.255.0.0 97.0.0.3 1
route inside 10.12.0.0 255.255.0.0 97.0.0.3 1
route inside 10.31.0.0 255.255.0.0 97.0.0.3 1
route inside 10.41.0.0 255.255.0.0 97.0.0.3 1
route inside 10.99.0.0 255.255.0.0 97.0.0.3 1
route inside 172.17.253.0 255.255.255.0 97.0.0.235 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 88
type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE
num-packets 3
timeout 1000
frequency 3
sla monitor schedule 88 life forever start-time now
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DCMAP 10 set pfs
crypto dynamic-map DCMAP 10 set transform-set TSET
crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800
crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map CMAP 1 match address GLSVPN
crypto map CMAP 1 set peer 66.129.114.59
crypto map CMAP 1 set transform-set ESP-3DES-MD5
crypto map CMAP 1 set security-association lifetime seconds 28800
crypto map CMAP 1 set security-association lifetime kilobytes 4608000
crypto map CMAP 10 ipsec-isakmp dynamic DCMAP
crypto map CMAP interface FIBER
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable FIBER
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 88 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 FIBER
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ASAVPN internal
group-policy ASAVPN attributes
dns-server value 24.217.0.3 63.162.197.99
vpn-tunnel-protocol IPSec svc
default-domain value dsidsi.com
group-policy DSIAdminUsers internal
group-policy DSIAdminUsers attributes
dns-server value 97.0.0.21 97.0.0.22
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl
default-domain value dsi.local
group-policy DSIVPNUser internal
group-policy DSIVPNUser attributes
dns-server value 97.0.0.21 97.0.0.22
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DSIVPNUser_splitTunnelAcl
default-domain value dsi.local
username test password hmQhTUMT1T5Z4KHC encrypted
username test attributes
vpn-group-policy DSIAdminUsers
username akipper password 9PojOPiG2IXFp42B encrypted privilege 0
username akipper attributes
vpn-group-policy ASAVPN
username user1 password 0dldJICVF//EH4X3 encrypted
username user1 attributes
vpn-group-policy DSIVPNUser
username t.reese password JvMrGsialw4hFL/z encrypted privilege 15
username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15
username mark attributes
vpn-group-policy DSIAdminUsers
tunnel-group DefaultRAGroup general-attributes
address-pool (FIBER) VPNPOOL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNPOOL
tunnel-group ASAVPN type remote-access
tunnel-group ASAVPN general-attributes
address-pool VPNPOOL
default-group-policy ASAVPN
tunnel-group ASAVPN ipsec-attributes
pre-shared-key *
tunnel-group 66.129.114.59 type ipsec-l2l
tunnel-group 66.129.114.59 ipsec-attributes
pre-shared-key *
tunnel-group DSIVPNUser type remote-access
tunnel-group DSIVPNUser general-attributes
address-pool VPNPOOL
default-group-policy DSIVPNUser
tunnel-group DSIVPNUser ipsec-attributes
pre-shared-key *
tunnel-group DSIAdminUsers type remote-access
tunnel-group DSIAdminUsers general-attributes
address-pool (FIBER) AdminPool
default-group-policy DSIAdminUsers
tunnel-group DSIAdminUsers ipsec-attributes
pre-shared-key *
tunnel-group TestUser type remote-access
tunnel-group TestUser general-attributes
address-pool (FIBER) AdminPool
default-group-policy DSIAdminUsers
tunnel-group TestUser ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dfb0accab0916d7f7f3a886c6c7d1ca2
: end
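When reading a config like the one above for a "VPN client connects but can't reach inside" problem, the two things to verify mechanically are (1) that every address in each VPN pool is covered as a destination by the NAT-exemption ACL bound with `nat (inside) 0 access-list ...`, and (2) that the host being tested actually falls inside the split-tunnel list of the group-policy in use. The script below is an added example written for this thread, not code from the post or from Cisco; it parses a constructed sample made of the relevant lines copied from the config above, and the function and variable names (`parse_config`, `check_nat_exemption`, `split_tunnel_reaches`, `SAMPLE_CONFIG`) are mine. It checks ACL coverage only; it does not claim that coverage is the cause of the poster's problem.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the pool, NAT-exemption, split-tunnel and group-policy
# lines copied from the ASA config posted above (nothing else is needed).
SAMPLE_CONFIG = """
ip local pool VPNPOOL 192.168.222.1-192.168.222.10
ip local pool AdminPool 192.168.222.11-192.168.222.20
ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0
access-list 80 extended permit ip any 192.168.222.0 255.255.255.0
access-list 80 extended permit ip any 172.31.253.0 255.255.254.0
access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240
access-list 80 extended permit ip any 192.168.222.0 255.255.255.224
access-list 80 extended permit ip 97.0.0.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list 80 extended permit ip 10.1.1.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50
access-list DSIAdminUsers_splitTunnelAcl standard permit any
nat (inside) 0 access-list 80
group-policy DSIAdminUsers attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl
group-policy DSIVPNUser attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DSIVPNUser_splitTunnelAcl
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | NET MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes dotted netmasks; ip_network accepts "addr/netmask" directly.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull pools, permit ACL entries, nat 0 bindings and split-tunnel lists."""
    pools = {}                  # pool name -> (first address, last address)
    acls = defaultdict(list)    # acl name  -> [(src_net, dst_net)]; src None for standard
    nat_exempt = {}             # interface -> acl name from 'nat (if) 0 access-list X'
    split = {}                  # group-policy -> split-tunnel ACL name
    current_gp = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "access-list" and t[3] == "permit":   # deny entries not needed here
            name, kind = t[1], t[2]
            if kind == "standard":
                net, _ = _parse_addr(t, 4)
                acls[name].append((None, net))
            elif kind == "extended":                        # t[4] is the protocol
                src, i = _parse_addr(t, 5)
                dst, _ = _parse_addr(t, i)
                acls[name].append((src, dst))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat_exempt[t[1].strip("()")] = t[4]
        elif t[0] == "group-policy" and t[-1] == "attributes":
            current_gp = t[1]
        elif t[0] == "split-tunnel-network-list" and current_gp:
            split[current_gp] = t[2]
    return pools, acls, nat_exempt, split


def pool_hosts_uncovered(pool, entries):
    """Addresses of a pool that no NAT-exemption entry names as destination."""
    first, last = pool
    uncovered, addr = [], first
    while addr <= last:
        if not any(addr in dst for _, dst in entries):
            uncovered.append(str(addr))
        addr += 1
    return uncovered


def check_nat_exemption(text, inside_if="inside"):
    """Map each pool name to the list of its addresses missing NAT exemption."""
    pools, acls, nat_exempt, _ = parse_config(text)
    entries = acls.get(nat_exempt.get(inside_if), [])
    return {name: pool_hosts_uncovered(rng, entries) for name, rng in pools.items()}


def split_tunnel_reaches(text, group_policy, target):
    """True if the target host falls inside the group-policy's split-tunnel list."""
    _, acls, _, split = parse_config(text)
    acl_name = split.get(group_policy)
    if acl_name is None:
        return None     # no list bound: behaviour depends on split-tunnel-policy alone
    ip = ipaddress.ip_address(target)
    return any(ip in net for _, net in acls.get(acl_name, []))


if __name__ == "__main__":
    for pool, missing in check_nat_exemption(SAMPLE_CONFIG).items():
        print(f"{pool}: {len(missing)} address(es) without NAT exemption")
    for gp in ("DSIAdminUsers", "DSIVPNUser"):
        print(gp, "reaches 10.1.1.225:", split_tunnel_reaches(SAMPLE_CONFIG, gp, "10.1.1.225"))
```

On the posted lines the result is that VPNPOOL and AdminPool are fully covered by access-list 80, TestPool (1.1.1.x, not bound to any tunnel-group on the page) is not covered at all, and 10.1.1.225 matches the `permit any` split list of DSIAdminUsers but not the single-host list of DSIVPNUser. A match here only confirms the ACL side; routing on the inside (the `route inside 10.0.0.0 ...` entries) and the return path from the target host still have to be checked separately.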