Confused with this ASA - VPN config issue

JBeach2007
Level 1

Hello. Can anyone help me here? I am new to the ASA config and commands. Everything works well enough on this ASA except the VPN. A client can connect but cannot access anything inside or outside. Here is the config. Can someone please take a look and tell me why the VPN is not working? I don't want to set up split tunneling; I would prefer everything to go through the firewall. Also, if you see something else wrong (or have a better implementation), then please let me know.

------------------------------------------------------------------------------------------------------------------

ASA Version 8.4(2)
!
hostname FIREWALL_NAME
enable password Some_X's_here encrypted
passwd Some_X's_here encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/0.22
description Public Internet space via VLAN 22
vlan 22
nameif Public_Internet
security-level 0
ip address 1.3.3.7 255.255.255.248
!
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/1.42
description Private LAN space via VLAN 42
shutdown
vlan 42
nameif Private_CDATA
security-level 100
ip address 10.30.136.1 255.255.255.0
!
interface Ethernet0/1.69
description Private LAN space via VLAN 69
vlan 69
nameif Private_ODATA
security-level 100
ip address 10.30.133.1 255.255.255.0
!
interface Ethernet0/1.95
description Private LAN space via VLAN 95
shutdown
vlan 95
nameif Private_OVOICE
security-level 100
ip address 192.168.102.254 255.255.255.0
!
interface Ethernet0/1.96
description Private LAN space via VLAN 96
shutdown
vlan 96
nameif Private_CVOICE
security-level 100
ip address 192.168.91.254 255.255.255.0
!
interface Ethernet0/1.3610
description Private LAN subnet via VLAN 3610
shutdown
vlan 3610
nameif Private_CeDATA
security-level 100
ip address 10.10.100.18 255.255.255.240
!
interface Ethernet0/1.3611
description Private LAN space via VLAN 3611
shutdown
vlan 3611
nameif Private_CeVOICE
security-level 100
ip address 10.10.100.66 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.69.1 255.255.255.0
management-only
!
banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner exec
banner exec                                    ,
banner exec                                  .';
banner exec                              .-'` .'
banner exec                            ,`.-'-.`\
banner exec                           ; /     '-'
banner exec                           | \       ,-,
banner exec                           \  '-.__   )_`'._                      \|/
banner exec                            '.     ```      ``'--._[]--------------*
banner exec                           .-' ,                   `'-.           /|\
banner exec                            '-'`-._           ((   o   )
banner exec                                   `'--....(`- ,__..--'
banner exec                                            '-'`
banner exec
banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CD_3610-GW
host 10.10.100.17
description First hop to 3610
object network CV_3611-GW
host 10.10.100.65
description First hop to 3611
object network GW_22-EXT
host 1.3.3.6
description First hop to 22
object service MS-RDC
service tcp source range 1024 65535 destination eq 3389
description Microsoft Remote Desktop Connection
object network HDC-LAN
subnet 192.168.200.0 255.255.255.0
description DC LAN subnet
object network HAM-LAN
subnet 192.168.110.0 255.255.255.0
description HAM LAN subnet
object service MSN
service tcp source range 1 65535 destination eq 1863
description MSN Messenger
object network BCCs
host 2.1.8.1
description BCCs server access
object network ODLW-EXT
host 7.1.1.5
description OTTDl
object network SWINDS-INT
host 10.30.133.67
description SWINDS server
object network SWINDS(192.x.x.x)-INT
host 192.168.100.67
description SWINDS server
object service YMSG
service tcp source range 1 65535 destination eq 5050
description Yahoo Messenger
object service c.b.ca1
service tcp source range 1 65535 destination eq citrix-ica
description Connections to the bc portal.
object service c.b.ca2
service tcp source range 1 65535 destination eq 2598
description Connections to the bc portal.
object service HTTP-EXT(7001)
service tcp source range 1 65535 destination eq 7001
description HTTP Extended on port 7001.
object service HTTP-EXT(8000-8001)
service tcp source range 1 65535 destination range 8000 8001
description HTTP Extended on ports 8000-8001.
object service HTTP-EXT(8080-8081)
service tcp source range 1 65535 destination range 8080 8081
description HTTP Extended on ports 8080-8081.
object service HTTP-EXT(8100)
service tcp source range 1 65535 destination eq 8100
description HTTP Extended on port 8100.
object service HTTP-EXT(8200)
service tcp source range 1 65535 destination eq 8200
description HTTP Extended on port 8200.
object service HTTP-EXT(8888)
service tcp source range 1 65535 destination eq 8888
description HTTP Extended on port 8888.
object service HTTP-EXT(9080)
service tcp source range 1 65535 destination eq 9080
description HTTP Extended on port 9080.
object service ntp
service tcp source range 1 65535 destination eq 123
description TCP NTP on port 123.
object network Pl-EXT
host 7.1.1.2
description OPl box.
object service Pl-Admin
service tcp source range 1 65535 destination eq 8443
description Pl Admin portal
object network FW-EXT
host 1.3.3.7
description External/Public interface IP address of firewall.
object network Rs-EXT
host 7.1.1.8
description Rs web portal External/Public IP.
object network DWDM-EXT
host 2.1.2.1
description DWDM.
object network HM_VPN-EXT
host 6.2.9.7
description HAM Man.
object network SIM_MGMT
host 2.1.1.1
description SIM Man.
object network TS_MGMT
host 2.1.1.4
description TS Man.
object network TS_MGMT
host 2.1.2.2
description TS Man.
object service VPN-TCP(1723)
service tcp source range 1 65535 destination eq pptp
description For PPTP control path.
object service VPN-UDP(4500)
service udp source range 1 65535 destination eq 4500
description For L2TP(IKEv1) and IKEv2.
object service VPN-TCP(443)
service tcp source range 1 65535 destination eq https
description For SSTP control and data path.
object service VPN-UDP(500)
service udp source range 1 65535 destination eq isakmp
description For L2TP(IKEv1) and IKEv2.
object network RCM
host 6.1.8.2
description RCM
object network RCM_Y
host 6.1.8.9
description RCM Y
object network r.r.r.c163
host 2.1.2.63
description RCV IP.
object network r.r.r.c227
host 2.1.2.27
description RCV IP.
object network v.t.c-EXT
host 2.5.1.2
description RTICR
object service VPN-TCP(10000)
service tcp source range 1 65535 destination eq 10000
description For TCP VPN over port 1000.
object service BGP-JY
service tcp source range 1 65535 destination eq 21174
description BPG
object network KooL
host 192.168.100.100
description KooL
object network FW_Test
host 1.3.3.7
description Testing other External IP
object network AO_10-30-133-0-LAN
range 10.30.133.0 10.30.133.229
description OLS 10.30.133.0/24
object network AC_10-30-136-0-LAN
subnet 10.30.136.0 255.255.255.0
description CLS 10.30.136.0/24
object network NETWORK_OBJ_192.168.238.0_27
subnet 192.168.238.0 255.255.255.224
object-group network All_Private_Interfaces
description All private interfaces
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
network-object 10.10.100.16 255.255.255.240
network-object 10.10.100.64 255.255.255.252
network-object 192.168.102.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service cb.ca
description All ports required for cb.ca connections.
service-object object c.b.ca1
service-object object c.b.ca2
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq snmp
object-group service FTP
description All FTP ports (20 + 21)
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group service HTTP-EXT
description HTTP Extended port ranges.
service-object object HTTP-EXT(7001)
service-object object HTTP-EXT(8000-8001)
service-object object HTTP-EXT(8080-8081)
service-object object HTTP-EXT(8100)
service-object object HTTP-EXT(8200)
service-object object HTTP-EXT(8888)
service-object object HTTP-EXT(9080)
object-group service ICMP_Any
description ICMP: Any Type, Any Code
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object icmp
object-group service NTP
description TCP and UPD NTP protocol
service-object object ntp
service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_3
group-object FTP
group-object HTTP-EXT
group-object ICMP_Any
group-object NTP
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object ip
object-group service DM_INLINE_SERVICE_4
group-object NTP
service-object tcp destination eq daytime
object-group network SWINDS
description Both Internal IP addresses (192 + 10)
network-object object SWINDS-INT
network-object object SWINDS(192.x.x.x)-INT
object-group service IM_Types
description All messenger type applications
service-object object MSN
service-object object YMSG
service-object tcp-udp destination eq talk
service-object tcp destination eq aol
service-object tcp destination eq irc
object-group service SNMP
description Both poll and trap ports.
service-object udp destination eq snmp
service-object udp destination eq snmptrap
object-group service DM_INLINE_SERVICE_2
group-object FTP
service-object object MS-RDC
service-object object Pl-Admin
group-object SNMP
object-group network DM_INLINE_NETWORK_1
network-object object FW-EXT
network-object object Rs-EXT
object-group network AMV
description connections for legacy AM
network-object object DWDM-EXT
network-object object HAM_MGMT
network-object object SIM_MGMT
network-object object TS_MGMT
network-object object TS_MGMT
object-group service IKEv2_L2TP
description IKEv2 and L2TP VPN configurations
service-object esp
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
object-group service PPTP
description PPTP VPN configuration
service-object gre
service-object object VPN-TCP(1723)
object-group service SSTP
description SSTP VPN configuration
service-object object VPN-TCP(443)
object-group network RvIPs
description Rv IP addresses
network-object object RCM
network-object object RCM_Y
network-object object r.r.r.c163
network-object object r.r.r.c227
network-object object v.t.c-EXT
object-group service Rvs
description Rv configuration.
service-object object VPN-TCP(10000)
service-object object VPN-UDP(500)
object-group service DM_INLINE_SERVICE_5
service-object object BGP-JY
service-object tcp destination eq bgp
object-group network Local_Private_Subnets
description OandCl DATA
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
access-list Public/Internet_access_out remark Block all IM traffic out.
access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
access-list Public/Internet_access_out remark Allow access to BMC portal
access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
access-list Public/Internet_access_out remark Allow basic services out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow WhoIS traffic out.
access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
access-list Public/Internet_access_out remark Allow Network Time protocols out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
access-list Public/Internet_access_out remark Allow BPG traffic out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow Kool server out.
access-list Public/Internet_access_out extended permit ip object KooL any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging mail notifications
logging from-address thisemail@address.local
logging recipient-address sendhere@address.com level errors
mtu Public_Internet 1500
mtu Private_CDATA 1500
mtu Private_ODATA 1500
mtu Private_OVOICE 1500
mtu Private_CVOICE 1500
mtu Private_CeDATA 1500
mtu Private_CeVOICE 1500
mtu management 1500
ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
ip verify reverse-path interface Public_Internet
ip verify reverse-path interface Private_CDATA
ip verify reverse-path interface Private_ODATA
ip verify reverse-path interface Private_OVOICE
ip verify reverse-path interface Private_CVOICE
ip verify reverse-path interface Private_CeDATA
ip verify reverse-path interface Private_CeVOICE
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Public_Internet
no asdm history enable
arp timeout 14400
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
access-group Public/Internet_access_out out interface Public_Internet
route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (Private_ODATA) host 10.30.133.21
timeout 5
nt-auth-domain-controller Cool_Transformer_Name
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.69.0 255.255.255.0 management
snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
snmp-server location OT
snmp-server contact theseguys@address.com
snmp-server community Some_*s_here
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
sysopt noproxyarp Public_Internet
sysopt noproxyarp Private_CDATA
sysopt noproxyarp Private_ODATA
sysopt noproxyarp Private_OVOICE
sysopt noproxyarp Private_CVOICE
sysopt noproxyarp Private_CeDATA
sysopt noproxyarp Private_CeVOICE
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Public_Internet_map interface Public_Internet
crypto ikev1 enable Public_Internet
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 10.30.133.0 255.255.255.0 Private_ODATA
ssh 192.168.69.0 255.255.255.0 management
ssh timeout 2
ssh version 2
console timeout 5
dhcprelay server 10.30.133.13 Private_ODATA
dhcprelay enable Private_CDATA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.30.133.13 prefer
ntp server 132.246.11.227
ntp server 10.30.133.21
webvpn
group-policy AO-VPN_Tunnel internal
group-policy AO-VPN_Tunnel attributes
dns-server value 10.30.133.21 10.30.133.13
vpn-tunnel-protocol ikev1
default-domain value ao.local
username helpme password Some_X's_here encrypted privilege 1
username helpme attributes
service-type nas-prompt
tunnel-group AO-VPN_Tunnel type remote-access
tunnel-group AO-VPN_Tunnel general-attributes
address-pool AO-VPN_Pool
authentication-server-group AD
default-group-policy AO-VPN_Tunnel
tunnel-group AO-VPN_Tunnel ipsec-attributes
ikev1 pre-shared-key Some_*s_here
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
class class-default
  user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.200.25
prompt hostname context
no call-home reporting anonymous

------------------------------------------------------------------------------------------------------------------

Thanks,

Jeff.                  

6 Replies

Hello Jeff,

Pretty long config. Can you try the following and see whether the PC can access the internet after connecting to the VPN?

nat (Public_Internet,Public_Internet) dynamic interface

Let me know the results, then we will troubleshoot further.

Harish.

Yup, it is a looooong read. When I try to enter that command into the CLI I get an error stating, "ERROR: % Invalid input detected at '^' marker."  The ^ marker is pointing under the start of the word "dynamic".

Jeff.

Try the following:

object-group network VPNPOOL

network-object 192.168.238.0  255.255.255.224

// The command below allows VPN devices to reach the inside network

nat (Public_Internet,Private_ODATA) source static VPNPOOL VPNPOOL

// The command below allows VPN devices to access the internet

nat (Public_Internet,Public_Internet) source dynamic VPNPOOL interface

Let me know how this goes.

Harish.
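Added example (an editor's illustration, not code from anyone in the thread): the NAT that the two replies above are working toward, written out for ASA 8.4 using the interface names, address pool and inside subnet from the first posted config. The object names VPN_POOL and INSIDE_ODATA and the client address in the packet-tracer lines are assumptions. It also handles two points the posted config leaves out: the NAT exemption has to be ordered ahead of the existing `source dynamic ... interface` PAT rules (twice-NAT section 1 is matched top-down, and the dynamic PAT rule matches any destination, so LAN replies to the pool would otherwise be translated to the outside address), and the outbound ACL applied to Public_Internet has to permit the pool, because hairpinned full-tunnel client traffic leaves through that interface and is subject to that ACL.

```cisco
! Added example for ASA 8.4: full-tunnel remote-access NAT (no split tunneling).
! Interface names, pool and LAN subnet come from the first posted config;
! VPN_POOL and INSIDE_ODATA are assumed object names.
object network VPN_POOL
 subnet 192.168.238.0 255.255.255.224
 description Remote-access pool (matches ip local pool AO-VPN_Pool)
object network INSIDE_ODATA
 subnet 10.30.133.0 255.255.255.0
 description Private_ODATA LAN
!
! Decrypted client traffic enters and leaves Public_Internet, which is
! only allowed when intra-interface traffic is permitted (already present).
same-security-traffic permit intra-interface
!
! 1. NAT exemption (identity twice NAT) between the LAN and the pool.
!    "1" forces this to line 1 of section 1 so it is matched before the
!    dynamic PAT rules; without it, LAN -> pool replies hit the PAT first.
nat (Private_ODATA,Public_Internet) 1 source static INSIDE_ODATA INSIDE_ODATA destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! 2. Hairpin PAT so clients reach the internet through the firewall:
!    pool -> any, in and out Public_Internet, translated to the outside IP.
nat (Public_Internet,Public_Internet) source dynamic VPN_POOL interface
!
! 3. The existing LAN dynamic PAT stays below the exemption.
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
!
! 4. The posted config applies an ACL in the OUT direction on Public_Internet.
!    sysopt connection permit-vpn only bypasses the inbound check on the
!    tunnel interface, so hairpinned client traffic egressing Public_Internet
!    is still filtered and the pool is not in Local_Private_Subnets.
access-list Public/Internet_access_out remark Allow full-tunnel VPN clients out.
access-list Public/Internet_access_out extended permit ip object VPN_POOL any
!
! Verification after a client connects (192.168.238.5 is an assumed client IP):
!   show nat detail
!   packet-tracer input Public_Internet tcp 192.168.238.5 12345 10.30.133.21 53
!   packet-tracer input Public_Internet tcp 192.168.238.5 12345 8.8.8.8 443
! Both traces should end in ALLOW, the first with the identity NAT rule
! listed in the NAT phase and the second with the hairpin PAT rule.
```

A dedicated pool, as above, is deliberately kept. If the pool is instead carved out of an inside subnet (the approach described in the follow-up post, 10.30.133.200-230), the ASA has to answer ARP for those client addresses on Private_ODATA so LAN hosts can reach them, and `sysopt noproxyarp Private_ODATA` in the posted config turns exactly that off; the range object `AO_10-30-133-0-LAN` (10.30.133.0-229) in the first config would also still overlap such a pool, so the exemption would have to sit ahead of it in any case.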

I tried those commands, but this started getting messy, and so I looked at the current config and it was not the same as what I originally posted. Looks like some changes were implemented but not saved, so the config that I posted was slightly different. Thank you for all your suggestions. Here is the new config, confirmed as the current running and saved config. Same situation as before, though. I can connect using the Cisco VPN client but can only ping myself and can't get out to the Internet or access anything internal. If someone can take a look, it would be greatly appreciated. The main difference is that the VPN pool has been set as a subset of the 10.30.133.0 network instead of using a separate subnet (the VPN pool is 10.30.133.200 - 10.30.133.230).

----------------------------------------------------------------------------------------------------------------

ASA Version 8.4(2)
!
hostname FIREWALL_NAME
enable password Some_X's_here encrypted
passwd Some_X's_here encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/0.22
description Public Internet space via VLAN 22
vlan 22
nameif Public_Internet
security-level 0
ip address 1.3.3.7 255.255.255.248
!
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/1.42
description Private LAN space via VLAN 42
shutdown
vlan 42
nameif Private_CDATA
security-level 100
ip address 10.30.136.1 255.255.255.0
!
interface Ethernet0/1.69
description Private LAN space via VLAN 69
vlan 69
nameif Private_ODATA
security-level 100
ip address 10.30.133.1 255.255.255.0
!
interface Ethernet0/1.95
description Private LAN space via VLAN 95
shutdown
vlan 95
nameif Private_OVOICE
security-level 100
ip address 192.168.102.254 255.255.255.0
!
interface Ethernet0/1.96
description Private LAN space via VLAN 96
shutdown
vlan 96
nameif Private_CVOICE
security-level 100
ip address 192.168.91.254 255.255.255.0
!
interface Ethernet0/1.3610
description Private LAN subnet via VLAN 3610
shutdown
vlan 3610
nameif Private_CeDATA
security-level 100
ip address 10.10.100.18 255.255.255.240
!
interface Ethernet0/1.3611
description Private LAN space via VLAN 3611
shutdown
vlan 3611
nameif Private_CeVOICE
security-level 100
ip address 10.10.100.66 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.69.1 255.255.255.0
management-only
!
banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner exec
banner exec                                    ,
banner exec                                  .';
banner exec                              .-'` .'
banner exec                            ,`.-'-.`\
banner exec                           ; /     '-'
banner exec                           | \       ,-,
banner exec                           \  '-.__   )_`'._                      \|/
banner exec                            '.     ```      ``'--._[]--------------*
banner exec                           .-' ,                   `'-.           /|\
banner exec                            '-'`-._           ((   o   )
banner exec                                   `'--....(`- ,__..--'
banner exec                                            '-'`
banner exec
banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CD_3610-GW
host 10.10.100.17
description First hop to 3610
object network CV_3611-GW
host 10.10.100.65
description First hop to 3611
object network GW_22-EXT
host 1.3.3.6
description First hop to 22
object network Ts-LAN
host 192.168.100.4
description TS
object service MS-RDC
service tcp source range 1024 65535 destination eq 3389
description Microsoft Remote Desktop Connection
object network HDC-LAN
subnet 192.168.200.0 255.255.255.0
description DC LAN subnet
object network HAM-LAN
subnet 192.168.110.0 255.255.255.0
description HAM LAN subnet
object service MSN
service tcp source range 1 65535 destination eq 1863
description MSN Messenger
object network BCCs
host 2.1.8.1
description BCCs server access
object network ODLW-EXT
host 7.1.1.5
description OTTDl
object network SWINDS-INT
host 10.30.133.67
description SWINDS server
object network SWINDS(192.x.x.x)-INT
host 192.168.100.67
description SWINDS server
object service YMSG
service tcp source range 1 65535 destination eq 5050
description Yahoo Messenger
object service c.b.ca1
service tcp source range 1 65535 destination eq citrix-ica
description Connections to the bc portal.
object service c.b.ca2
service tcp source range 1 65535 destination eq 2598
description Connections to the bc portal.
object service HTTP-EXT(7001)
service tcp source range 1 65535 destination eq 7001
description HTTP Extended on port 7001.
object service HTTP-EXT(8000-8001)
service tcp source range 1 65535 destination range 8000 8001
description HTTP Extended on ports 8000-8001.
object service HTTP-EXT(8080-8081)
service tcp source range 1 65535 destination range 8080 8081
description HTTP Extended on ports 8080-8081.
object service HTTP-EXT(8100)
service tcp source range 1 65535 destination eq 8100
description HTTP Extended on port 8100.
object service HTTP-EXT(8200)
service tcp source range 1 65535 destination eq 8200
description HTTP Extended on port 8200.
object service HTTP-EXT(8888)
service tcp source range 1 65535 destination eq 8888
description HTTP Extended on port 8888.
object service HTTP-EXT(9080)
service tcp source range 1 65535 destination eq 9080
description HTTP Extended on port 9080.
object service ntp
service tcp source range 1 65535 destination eq 123
description TCP NTP on port 123.
object network Pl-EXT
host 7.1.1.2
description OPl box.
object service Pl-Admin
service tcp source range 1 65535 destination eq 8443
description Pl Admin portal
object network FW-EXT
host 1.3.3.7
description External/Public interface IP address of firewall.
object network Rs-EXT
host 7.1.1.8
description Rs web portal External/Public IP.
object network DWDM-EXT
host 2.1.2.1
description DWDM.
object network HM_VPN-EXT
host 6.2.9.7
description HAM Man.
object network SIM_MGMT
host 2.1.1.1
description SIM Man.
object network TS_MGMT
host 2.1.1.4
description TS Man.
object network TS_MGMT
host 2.1.2.2
description TS Man.
object service VPN-TCP(1723)
service tcp source range 1 65535 destination eq pptp
description For PPTP control path.
object service VPN-UDP(4500)
service udp source range 1 65535 destination eq 4500
description For L2TP(IKEv1) and IKEv2.
object service VPN-TCP(443)
service tcp source range 1 65535 destination eq https
description For SSTP control and data path.
object service VPN-UDP(500)
service udp source range 1 65535 destination eq isakmp
description For L2TP(IKEv1) and IKEv2.
object network RCM
host 6.1.8.2
description RCM
object network RCM_Y
host 6.1.8.9
description RCM Y
object network r.r.r.c163
host 2.1.2.63
description RCV IP.
object network r.r.r.c227

host 2.1.2.27

description RCV IP.

object network v.t.c-EXT

host 2.5.1.2

description RTICR

object service VPN-TCP(10000)

service tcp source range 1 65535 destination eq 10000

description For TCP VPN over port 1000.

object service BGP-JY

service tcp source range 1 65535 destination eq 21174

description BPG

object network KooL

host 192.168.100.100

description KooL

object network FW_Test

host 1.3.3.7

description Testing other External IP

object network AO_10-30-133-0-LAN

subnet 10.30.133.0 255.255.255.0

description OLS 10.30.133.0/24

object network AC_10-30-136-0-LAN

subnet 10.30.136.0 255.255.255.0

description CLS 10.30.136.0/24

object-group network All_Private_Interfaces

description All private interfaces

network-object 10.30.133.0 255.255.255.0

network-object 10.30.136.0 255.255.255.0

network-object 10.10.100.16 255.255.255.240

network-object 10.10.100.64 255.255.255.252

network-object 192.168.102.0 255.255.255.0

network-object 192.168.91.0 255.255.255.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service cb.ca

description All ports required for cb.ca connections.

service-object object c.b.ca1

service-object object c.b.ca2

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq https

service-object udp destination eq snmp

object-group service FTP

description All FTP ports (20 + 21)

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

object-group service HTTP-EXT

description HTTP Extended port ranges.

service-object object HTTP-EXT(7001)

service-object object HTTP-EXT(8000-8001)

service-object object HTTP-EXT(8080-8081)

service-object object HTTP-EXT(8100)

service-object object HTTP-EXT(8200)

service-object object HTTP-EXT(8888)

service-object object HTTP-EXT(9080)

object-group service ICMP_Any

description ICMP: Any Type, Any Code

service-object icmp alternate-address

service-object icmp conversion-error

service-object icmp echo

service-object icmp echo-reply

service-object icmp information-reply

service-object icmp information-request

service-object icmp mask-reply

service-object icmp mask-request

service-object icmp mobile-redirect

service-object icmp parameter-problem

service-object icmp redirect

service-object icmp router-advertisement

service-object icmp router-solicitation

service-object icmp source-quench

service-object icmp time-exceeded

service-object icmp timestamp-reply

service-object icmp timestamp-request

service-object icmp traceroute

service-object icmp unreachable

service-object icmp6 echo

service-object icmp6 echo-reply

service-object icmp6 membership-query

service-object icmp6 membership-reduction

service-object icmp6 membership-report

service-object icmp6 neighbor-advertisement

service-object icmp6 neighbor-redirect

service-object icmp6 neighbor-solicitation

service-object icmp6 packet-too-big

service-object icmp6 parameter-problem

service-object icmp6 router-advertisement

service-object icmp6 router-renumbering

service-object icmp6 router-solicitation

service-object icmp6 time-exceeded

service-object icmp6 unreachable

service-object icmp

object-group service NTP

description TCP and UPD NTP protocol

service-object object ntp

service-object udp destination eq ntp

object-group service DM_INLINE_SERVICE_3

group-object FTP

group-object HTTP-EXT

group-object ICMP_Any

group-object NTP

service-object tcp-udp destination eq domain

service-object tcp-udp destination eq www

service-object tcp destination eq https

service-object tcp destination eq ssh

service-object ip

object-group service DM_INLINE_SERVICE_4

group-object NTP

service-object tcp destination eq daytime

object-group network SWINDS

description Both Internal IP addresses (192 + 10)

network-object object SWINDS-INT

network-object object SWINDS(192.x.x.x)-INT

object-group service IM_Types

description All messenger type applications

service-object object MSN

service-object object YMSG

service-object tcp-udp destination eq talk

service-object tcp destination eq aol

service-object tcp destination eq irc

object-group service SNMP

description Both poll and trap ports.

service-object udp destination eq snmp

service-object udp destination eq snmptrap

object-group service DM_INLINE_SERVICE_2

group-object FTP

service-object object MS-RDC

service-object object Pl-Admin

group-object SNMP

object-group network DM_INLINE_NETWORK_1

network-object object FW-EXT

network-object object Rs-EXT

object-group network AMV

description connections for legacy AM

network-object object DWDM-EXT

network-object object HAM_MGMT

network-object object SIM_MGMT

network-object object TS_MGMT

network-object object TS_MGMT

object-group service IKEv2_L2TP

description IKEv2 and L2TP VPN configurations

service-object esp

service-object object VPN-UDP(4500)

service-object object VPN-UDP(500)

object-group service PPTP

description PPTP VPN configuration

service-object gre

service-object object VPN-TCP(1723)

object-group service SSTP

description SSTP VPN configuration

service-object object VPN-TCP(443)

object-group network RvIPs

description Rv IP addresses

network-object object RCM

network-object object RCM_Y

network-object object r.r.r.c163

network-object object r.r.r.c227

network-object object v.t.c-EXT

object-group service Rvs

description Rv configuration.

service-object object VPN-TCP(10000)

service-object object VPN-UDP(500)

object-group service DM_INLINE_SERVICE_5

service-object object BGP-JY

service-object tcp destination eq bgp

object-group network Local_Private_Subnets

description OandCl DATA

network-object 10.30.133.0 255.255.255.0

network-object 10.30.136.0 255.255.255.0

object-group service IPSec

description IPSec traffic

service-object object VPN-UDP(4500)

service-object object VPN-UDP(500)

access-list Public/Internet_access_out remark Block all IM traffic out.

access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any

access-list Public/Internet_access_out remark Access from SWINDS to DLM portal

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT

access-list Public/Internet_access_out remark Allow access to BMC portal

access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs

access-list Public/Internet_access_out remark Allow basic services out.

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any

access-list Public/Internet_access_out remark Allow WhoIS traffic out.

access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois

access-list Public/Internet_access_out remark Allow Network Time protocols out.

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any

access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.

access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT

access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT

access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.

access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1

access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.

access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV

access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.

access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs

access-list Public/Internet_access_out remark Allow BPG traffic out.

access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any

access-list Public/Internet_access_out remark Allow Kool server out.

access-list Public/Internet_access_out extended permit ip object KooL any

pager lines 24

logging enable

logging history informational

logging asdm informational

logging mail notifications

logging from-address thisemail@address.local

logging recipient-address sendhere@address.com level errors

mtu Public_Internet 1500

mtu Private_CDATA 1500

mtu Private_ODATA 1500

mtu Private_OVOICE 1500

mtu Private_CVOICE 1500

mtu Private_CeDATA 1500

mtu Private_CeVOICE 1500

mtu management 1500

ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224

ip verify reverse-path interface Public_Internet

ip verify reverse-path interface Private_CDATA

ip verify reverse-path interface Private_ODATA

ip verify reverse-path interface Private_OVOICE

ip verify reverse-path interface Private_CVOICE

ip verify reverse-path interface Private_CeDATA

ip verify reverse-path interface Private_CeVOICE

ip verify reverse-path interface management

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Public_Internet

no asdm history enable

arp timeout 14400

nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface

nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface

nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup

access-group Public/Internet_access_out out interface Public_Internet

route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1

route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1

route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1

route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1

route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1

route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1

route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1

route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1

route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.11.29 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1

route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1

route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1

route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1

route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1

route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1

route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1

route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1

route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1

route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1

route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1

route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1

route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1

route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1

route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1

route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server AD protocol nt

aaa-server AD (Private_ODATA) host 10.30.133.21

timeout 5

nt-auth-domain-controller Cool_Transformer_Name

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.69.0 255.255.255.0 management

snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c

snmp-server location OT

snmp-server contact theseguys@address.com

snmp-server community Some_*s_here

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps memory-threshold

snmp-server enable traps interface-threshold

snmp-server enable traps remote-access session-threshold-exceeded

snmp-server enable traps connection-limit-reached

snmp-server enable traps cpu threshold rising

snmp-server enable traps ikev2 start stop

snmp-server enable traps nat packet-discard

sysopt noproxyarp Public_Internet

sysopt noproxyarp Private_CDATA

sysopt noproxyarp Private_ODATA

sysopt noproxyarp Private_OVOICE

sysopt noproxyarp Private_CVOICE

sysopt noproxyarp Private_CeDATA

sysopt noproxyarp Private_CeVOICE

sysopt noproxyarp management

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Public_Internet_map interface Public_Internet

crypto ikev1 enable Public_Internet

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

client-update enable

telnet timeout 5

ssh 10.30.133.0 255.255.255.0 Private_ODATA

ssh 192.168.69.0 255.255.255.0 management

ssh timeout 2

ssh version 2

console timeout 5

dhcprelay server 10.30.133.13 Private_ODATA

dhcprelay enable Private_CDATA

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.30.133.13 prefer

ntp server 132.246.11.227

ntp server 10.30.133.21

webvpn

group-policy AO-VPN_Tunnel internal

group-policy AO-VPN_Tunnel attributes

dns-server value 10.30.133.21 10.30.133.13

vpn-tunnel-protocol ikev1

default-domain value ao.local

username helpme password Some_X's_here encrypted privilege 1

username helpme attributes

service-type nas-prompt

tunnel-group AO-VPN_Tunnel type remote-access

tunnel-group AO-VPN_Tunnel general-attributes

address-pool AO-VPN_Pool

authentication-server-group AD

default-group-policy AO-VPN_Tunnel

tunnel-group AO-VPN_Tunnel ipsec-attributes

ikev1 pre-shared-key Some_*s_here

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny 

inspect sunrpc

inspect xdmcp

inspect sip 

inspect netbios

inspect tftp

inspect ip-options

class class-default

user-statistics accounting

!

service-policy global_policy global

smtp-server 192.168.200.25

prompt hostname context

no call-home reporting anonymous

----------------------------------------------------------------------------------------------------------------

Thanks in advance,

Jeff.

Hello Jeff,

Please try the following:

nat (Public_internet,Public_internet) 2 source dynamic NETWORK_OBJ_192.168.238.0_27 interface

Also, with the configuration you have, you should be able to access only the subnet behind the Private_ODATA interface, that is 10.30.133.0 255.255.255.0.


Any other question? Sure. Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Just tried that and I got an error returned:

"ERROR: NETWORK_OBJ_192.168.238.0_27 doesn't match an existing object or object-group"

Cheers,

Jeff.
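The error Jeff reports is the root of the problem: the posted configuration contains a manual NAT rule that references NETWORK_OBJ_192.168.238.0_27, but no such object is defined anywhere in it, so both the existing exemption rule and the hairpin rule Julio suggested fail. The following is an added worked example, not commands posted by Jeff or Julio, of the complete set of changes a full-tunnel (no split-tunnel) IKEv1 remote-access setup needs on ASA 8.4(2) with this configuration. The object name is taken from the posted NAT rule; the NAT line numbers, the subnet-scoped exemptions in place of the any/any rule, and the addition of the pool to Local_Private_Subnets are this editor's recommendations and not something the thread states.

```cisco
! Added example for ASA 8.4(2): give AO-VPN_Tunnel full-tunnel clients access to the LAN and the Internet.
! Not from the thread. Object name taken from the posted NAT rule; everything else is the editor's suggestion.

! 1. Define the pool object that the posted NAT rule references but never defines.
!    Its absence is what produces
!    "ERROR: NETWORK_OBJ_192.168.238.0_27 doesn't match an existing object or object-group".
object network NETWORK_OBJ_192.168.238.0_27
 subnet 192.168.238.0 255.255.255.224
 description Address space of ip local pool AO-VPN_Pool (192.168.238.2-192.168.238.30)

! 2. Identity NAT (NAT exemption) between the LAN subnets and the VPN pool.
!    Inserted at lines 1 and 2 so they are evaluated before the dynamic PAT rules,
!    which would otherwise translate LAN-initiated traffic toward VPN clients.
!    Scoped to the real subnets instead of the ASDM-style "any any".
nat (Private_ODATA,Public_Internet) 1 source static AO_10-30-133-0-LAN AO_10-30-133-0-LAN destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
nat (Private_CDATA,Public_Internet) 2 source static AC_10-30-136-0-LAN AC_10-30-136-0-LAN destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
! Optional: with the scoped rules in place, drop the any/any exemption from the posted config.
no nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup

! 3. Hairpin PAT: without split tunnelling, client Internet traffic arrives decrypted on
!    Public_Internet and has to leave Public_Internet again, translated to the interface address.
!    "same-security-traffic permit intra-interface" (already present) is what allows the U-turn.
nat (Public_Internet,Public_Internet) source dynamic NETWORK_OBJ_192.168.238.0_27 interface

! 4. Interface ACLs match real (pre-NAT) addresses, and Public/Internet_access_out permits only
!    Local_Private_Subnets and KooL, so hairpinned client traffic would be dropped on egress.
!    Adding the pool to the group gives VPN clients exactly the LAN egress policy, including
!    the IM deny, instead of a separate and wider permit.
object-group network Local_Private_Subnets
 network-object object NETWORK_OBJ_192.168.238.0_27

! 5. Verify.
show vpn-sessiondb remote
show nat detail
show xlate
show crypto ipsec sa
```

In `show nat detail`, the translate_hits/untranslate_hits counters on the exemption and hairpin rules should increment as a connected client browses; in `show crypto ipsec sa`, if "pkts decaps" grows while "pkts encaps" stays at zero, packets are arriving from the client but replies are not being returned into the tunnel, which points at NAT or routing rather than at IKE. Two further observations an editor can make from the posted configuration alone: object-group AMV references HAM_MGMT, which is never defined (the similarly named object is HM_VPN-EXT), and TS_MGMT is defined twice, so the second definition (host 2.1.2.2) replaces the first (host 2.1.1.4) and the group lists the surviving object twice. On the egress policy, DM_INLINE_SERVICE_3 contains `service-object ip`, so the "basic services" rule already permits all IP from Local_Private_Subnets to any, and the IM deny above it is the only effective restriction. Finally, SYSTEM_DEFAULT_CRYPTO_MAP offers DES and MD5 transform sets and `set pfs group1`; trimming the list to the AES/SHA sets and using at least group 2 for PFS costs nothing with the clients this tunnel-group is meant for.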
