Deny TCP (no connection) - ACK

diego.martin
Level 1

Hi all,

I can't receive mails from some customers, asa 5505 log get the message: "ASA_Outside|Deny TCP (no connection) from X.X.X.X/35702 to ASA_Outside/25 flags ACK  on interface outside".

Anybody can help me?

Thanks in advance.


5 Replies

Anu M Chacko
Cisco Employee

Hi Diego,

Could you check the idle timeout values for connection? Please provide the "sh run" from your firewall.

Regards,

Anu

Hi,

: Saved
:
ASA Version 7.2(2)
!
hostname fw01
domain-name domaincontrol.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 10.234.1.4 INT-AD1 description AD / RADIUS
name 10.254.0.1 R881G_Outside description Router 881 - Int Inside
name 10.254.0.2 ASA_Outside description ASA - Int Outside
name 10.234.0.1 ASA_Inside description ASA - Int Inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address ASA_Inside 255.255.248.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ASA_Outside 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 11.0.0.254 255.0.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner login Domain Control
no ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server INT-AD1
 domain-name domaincontrol.local
same-security-traffic permit inter-interface
access-list VPN-splitTunnelAcl standard permit 10.234.0.0 255.255.0.0
access-list VPN-splitTunnelAcl standard permit 10.254.0.0 255.255.255.0
access-list outside extended permit tcp any interface outside eq ftp
access-list outside extended permit tcp any interface outside eq ftp-data
access-list outside extended permit tcp any interface outside eq www
access-list outside extended permit tcp any interface outside eq 4434
access-list outside extended permit icmp any any echo-reply inactive
access-list outside extended permit ah any any
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq isakmp
access-list outside extended permit udp any any eq 4500
access-list outside extended permit tcp any interface outside eq smtp
access-list outside extended permit tcp any interface outside eq https
access-list outside extended permit tcp any eq 3101 interface outside eq 3101
access-list inside_nat0_outbound extended permit ip 10.234.0.0 255.255.248.0 192.168.200.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.234.0.0 255.255.248.0 11.0.0.0 255.0.0.0
pager lines 24
logging enable
logging asdm debugging
logging class vpn asdm debugging
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN-POOL 192.168.200.1-192.168.200.20 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.234.0.0 255.255.248.0
static (inside,outside) tcp interface ftp 10.234.1.17 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 10.234.1.17 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface www 10.234.1.6 www netmask 255.255.255.255
static (inside,outside) tcp interface 4434 10.234.1.6 4434 netmask 255.255.255.255
static (inside,outside) tcp interface https 10.234.1.6 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.234.1.6 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3101 10.234.1.6 3101 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 R881G_Outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV host INT-AD1
 key Jj3Gyxk@p8MBbtp8TNRXo0mdH3^BgASVyi4w4LNCLGyM8YfROV!MUvfdIEIbDe8I
 authentication-port 1812
 accounting-port 1813
 radius-common-pw Jj3Gyxk@p8MBbtp8TNRXo0mdH3^BgASVyi4w4LNCLGyM8YfROV!MUvfdIEIbDe8I
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 10.234.1.4
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry file-access file-entry file-browsing mapi
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value DOMAIN
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy VPN-DOMAIN internal
group-policy VPN-DOMAIN attributes
 dns-server value 10.234.1.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-splitTunnelAcl
 default-domain value domain.local
username administrador password LxjqnCD0ffjLzeVB encrypted privilege 15
username vpndomain password 2RA3lIqXEXs6fU.B encrypted privilege 0
username vpndomain attributes
 vpn-group-policy DfltGrpPolicy
username securegate password Pb7YMWNJ2A2.rdcF encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable 4443
http 10.234.0.0 255.255.248.0 inside
snmp-server location Terrassa
snmp-server contact Domain
snmp-server community SnmpDomain
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS-SRV
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server INT-AD1 master timeout 2 retry 2
tunnel-group VPN-DOMAIN type ipsec-ra
tunnel-group VPN-DOMAIN general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-SRV LOCAL
 default-group-policy VPN-DOMAIN
tunnel-group VPN-DOMAIN ipsec-attributes
 pre-shared-key *
telnet 10.234.0.0 255.255.248.0 inside
telnet timeout 5
ssh 10.234.0.0 255.255.248.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.254.0.50-10.254.0.150 outside
dhcpd dns 10.254.0.4 interface outside
dhcpd option 3 ip 10.254.0.4 interface outside
dhcpd enable outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
  inspect dns
  inspect ipsec-pass-thru
  inspect icmp
  inspect icmp error
  inspect http
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
ntp server INT-AD1 source inside
webvpn
 port 4433
 enable outside
 customization DfltCustomization
  title text WebVPN Domain Control
  username-prompt text USUARIO :
  password-prompt text PASSWORD :
  group-prompt text DOMINIO::
  clear-button text Cancel.lar
  login-title text Login Intranet Domain Control
  login-message text Introducir usuario y password de dominio
  logout-message text Sesion cerrada
  logo file disk0:/LogoDomainControl.png
 url-list DOMAIN "Produccion" cifs://10.234.1.2/d03-produc 5
 url-list DOMAIN "Formacion" cifs://10.234.1.2/d05-forma 6
 url-list DOMAIN "It" cifs://10.234.1.2/d06-it 7
 url-list DOMAIN "Administracion" cifs://10.234.1.2/d01-admi 8
 url-list DOMAIN "Comercial" cifs://10.234.1.2/d02-comer 9
 url-list DOMAIN "wftp" cifs://10.234.1.2/r05-wftp 10
prompt hostname context
Cryptochecksum:445883abdec27b227c0eaad967e75250
: end

Thank you.

Could you just try removing the inspect esmtp and try again, to see if there are any drops?

policy-map global_policy
 class inspection_default
  no inspect esmtp

Just check if it works without it.

Thanks,

Varun

Thanks,
Varun Rao

Thank you, it worked!

What is the reason? SMTP doesn't work with ESMTP?

Hey, that's great. There are certain commands that the mail servers and clients push which are not recognized by the esmtp inspection, due to which it drops the connection. Kindly go through this doc:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/i2.html#wp1742723

Thanks,

Varun

Thanks,
Varun Rao
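To tell an inspection-side drop from an ACL block in the ASA log, here is an added example (not from this thread or from Cisco) that parses 106015 "Deny TCP (no connection)" lines like the one in the question and groups them by destination port and TCP flags. The regex, the sample lines and the two categories are my assumptions; a SYN with no connection never got past the ACL, while ACK-only segments on an allowed port mean the ASA once had a connection entry and no longer does (an inspection drop, an idle timeout or an asymmetric path).

```python
import re
from collections import Counter

# Regex for ASA syslog 106015, "Deny TCP (no connection) ...", in the shape
# quoted in the question. The pattern is my assumption from that one line.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

# Constructed sample log (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/35702 to ASA_Outside/25 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/35702 to ASA_Outside/25 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/41200 to ASA_Outside/25 flags PSH ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.33/5533 to ASA_Outside/443 flags SYN  on interface outside
%ASA-6-106001: Inbound TCP connection denied from 192.0.2.34/5534 to ASA_Outside/23 flags SYN  on interface outside
"""

def parse_denies(text):
    """Return one dict per 106015 line; other message types are ignored."""
    entries = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["flags"] = e["flags"].split()
            entries.append(e)
    return entries

def classify(entry):
    """A SYN with no connection means setup never got past the ACL.
    An ACK/PSH without SYN means the ASA once had a connection entry for this
    flow and no longer does: an inspection-engine drop (as with esmtp here),
    an idle timeout, or an asymmetric path are the usual causes."""
    if "SYN" in entry["flags"]:
        return "no-connection-setup"
    if "ACK" in entry["flags"]:
        return "stale-connection"
    return "other"

def summarize(text):
    """Count (destination port, category) pairs so a single service that is
    shedding established connections, like port 25 here, stands out."""
    return Counter((e["dport"], classify(e)) for e in parse_denies(text))
```

Run `summarize()` over the real syslog export: a port whose denies are almost all "stale-connection" is the one whose inspection or timeout settings deserve a look before any ACL change.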