Solved: switching ISP on ASA

David Hunt · ‎12-07-2011

Hello Friends...

I am attempting to switch my ISP over to a new \ faster ISP. The line has been run and I have new public IP's I need to configure on my ASA. The firewall config is shown below...

What I am attempting to do is to configure an unused interface on my ASA. In my case it is Ethernet0/3 and have that be my primary connection to the internet. and then keep exisitng connection to the intenet (Ethernet0/0) configured and either shutdown or just have a higher default route metric. Then, my thought process would be...

1 - add a new public IP to ethernet 0/3 (50.x.x.92) with a security-level of 0

2 - add default route with metric 1 (route newIsp 0.0.0.0 0.0.0.0 50.x.x.93 1) to point to the ISP router. (50.x.x.93)

2b - change existing default route metric to 2 ( route outside 0.0.0.0 0.0.0.0 66.x.x.67 2)

3 - change the global NAT (global (NewISP) 1 50.x.x.91 netmask 255.255.255.255)

4 - Test

5 - once i can confirm internet connectivity, change via DNS the IP of my public servers (mail, etc...)

6 - reconfigure NAT's to new public IP's...

I have made it as far as step 3... and my test fails (internet connectivity)... even though packet trace is fine....

any thoughts? What appears to be happening is that DNS will not resolve??? Thank you in advance...

SA Version 8.2(4)
!
hostname XXXX
domain-name XXXX.org
enable password wZJefsykk8VmlkFg encrypted
passwd wZJefsykk8VmlkFg encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 66.x.x.70 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.11.144.253 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 10
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
nameif NewISP
security-level 0
ip address 50.X.X.92 255.255.255.240

!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
!
time-range Always
!
boot system disk0:/disk0asa727-k8.bin
boot system disk0:/asa824-k8.bin
boot system disk0:/asa824-k8,bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name xxxx.org
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq 2534
port-object eq 2533
port-object range 2701 2750
port-object eq https
object-group network DM_INLINE_NETWORK_4
network-object host 66.x.x.77
network-object host 66.x.x.78
object-group network DM_INLINE_NETWORK_5
network-object host 60.x.x.77
network-object host 66.x.x.78
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list 120 extended permit ip 10.11.144.0 255.255.255.0 10.11.145.0 255.255.255.0
access-list 130 extended permit ip 10.11.144.0 255.255.255.0 10.11.146.0 255.255.255.0
access-list 140 extended permit ip 10.11.144.0 255.255.255.0 10.11.147.0 255.255.255.0
access-list 150 extended permit ip 10.11.144.0 255.255.255.0 10.11.148.0 255.255.255.0
access-list 160 extended permit ip 10.11.144.0 255.255.255.0 10.11.149.0 255.255.255.0
access-list 170 extended permit ip 10.11.144.0 255.255.255.0 10.11.150.0 255.255.255.0
access-list 180 extended permit ip 10.11.144.0 255.255.255.0 10.11.151.0 255.255.255.0
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.11.144.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip any 10.11.0.0 255.255.0.0
access-list nonat extended permit ip any 172.16.10.0 255.255.255.0
access-list outside_acl extended permit tcp any host 66.x.x.73 object-group DM_INLINE_TCP_0
access-list outside_acl extended permit icmp any any time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.77 eq www time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.78 object-group DM_INLINE_TCP_1 time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_5 eq smtp time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_4 eq pop3 time-range Always
access-list dmz_acl extended permit udp 10.1.1.0 255.255.255.0 host 10.11.144.3 eq domain time-range Always
access-list dmz_acl extended permit ip 10.1.1.0 255.255.255.0 host 10.11.144.3 time-range Always
access-list dmz_acl extended permit tcp any any
access-list XXXVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list XXXVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool XXXVPN_IP_POOL 172.16.10.1-172.16.10.10
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400

global (newIsp) 1 50.x.x.91 netmask 255.255.255.255

global (outside) 1 66.x.x.71 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 10.11.144.0 255.255.255.0
nat (inside) 1 10.11.145.0 255.255.255.0
nat (inside) 1 10.11.146.0 255.255.255.0
nat (inside) 1 10.11.147.0 255.255.255.0
nat (inside) 1 10.11.148.0 255.255.255.0
nat (inside) 1 10.11.149.0 255.255.255.0
nat (inside) 1 10.11.150.0 255.255.255.0
nat (inside) 1 10.11.151.0 255.255.255.0
static (inside,outside) 66.x.x.72 10.11.144.8 netmask 255.255.255.255
static (inside,outside) 66.x.x.78 10.11.144.12 netmask 255.255.255.255
static (inside,outside) 66.x.x.77 10.11.144.2 netmask 255.255.255.255
static (inside,outside) 66.x.x.85 10.11.144.25 netmask 255.255.255.255
static (inside,outside) 66.x.x.73 10.11.144.7 netmask 255.255.255.255
access-group outside_acl in interface outside
access-group inside_access_in in interface inside
access-group dmz_acl in interface dmz
route NewISP 0.0.0.0 0.0.0.0 50.x.x.93 1

route outside 0.0.0.0 0.0.0.0 66.x.x.67 2
route inside 10.11.145.0 255.255.255.0 10.11.144.254 1
route inside 10.11.146.0 255.255.255.0 10.11.144.254 1
route inside 10.11.147.0 255.255.255.0 10.11.144.254 1
route inside 10.11.148.0 255.255.255.0 10.11.144.254 1
route inside 10.11.149.0 255.255.255.0 10.11.144.254 1
route inside 10.11.150.0 255.255.255.0 10.11.144.254 1
route inside 10.11.151.0 255.255.255.0 10.11.144.254 1
route inside 192.168.100.0 255.255.255.0 10.11.144.254 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server DOMAIN protocol nt
aaa-server DOMAIN (inside) host 10.11.144.3
nt-auth-domain-controller XXXdc1
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
url-server (inside) vendor websense host 10.11.144.9 timeout 30 protocol TCP version 1 connections 50
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication secure-http-client
filter url except 10.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url except 0.0.0.0 0.0.0.0 10.1.1.3 255.255.255.255
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.144.0 255.255.255.0 inside
http 10.11.0.0 255.255.0.0 inside
http 0.0.0.0 255.255.255.255 outside
snmp-server location Weber
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 20 esp-des esp-md5-hmac
crypto ipsec transform-set 30 esp-des esp-md5-hmac
crypto ipsec transform-set 50 esp-des esp-md5-hmac
crypto ipsec transform-set 60 esp-des esp-md5-hmac
crypto ipsec transform-set 70 esp-des esp-md5-hmac
crypto ipsec transform-set ENCRYPT esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OUTSIDEMAP 10 set transform-set ENCRYPT
crypto dynamic-map OUTSIDEMAP 30 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map VPN 20 match address 120
crypto map VPN 20 set peer 206.166.36.122
crypto map VPN 20 set transform-set 20
crypto map VPN 30 set peer 206.166.36.154
crypto map VPN 30 set transform-set 30
crypto map VPN 50 set peer 206.166.36.146
crypto map VPN 50 set transform-set 50
crypto map VPN 60 set peer 206.166.36.150
crypto map VPN 60 set transform-set 60
crypto map VPN 70 set peer 206.166.36.126
crypto map VPN 70 set transform-set 70
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpnspd.XXX.org
subject-name CN=sslvpnspd
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 50d23f4d
    308201e9 30820152 a0030201 02020450 d23f4d30 0d06092a 864886f7 0d010105
    05003039 31123010 06035504 03130973 736c7670 6e737064 31233021 06092a86
    4886f70d 01090216 1473736c 76706e73 70642e73 6b6f6b69 652e6f72 67301e17
    0d313130 31323631 37323930 355a170d 32313031 32333137 32393035 5a303931
    12301006 03550403 13097373 6c76706e 73706431 23302106 092a8648 86f70d01
    09021614 73736c76 706e7370 642e736b 6f6b6965 2e6f7267 30819f30 0d06092a
    864886f7 0d010101 05000381 8d003081 89028181 00b7ec4e 59cbac48 0887a91f
    6a093ce6 96b98eff 5276cb30 5d7831a3 d1fec4ae a6ecdd56 d64e3140 b3acb7b0
    a6c77aa5 732e5e28 6dae291f f0af8af9 d0b8d245 8351879b e2d7d36a 8890ee3a
    6c873537 98a30ca1 9ec5efae 5866656b 278573f0 be1990d7 0f9dfc67 dbc8d63d
    33bce9af b786a396 d695be7a 12dcecdc 61b54119 31020301 0001300d 06092a86
    4886f70d 01010505 00038181 001de265 7c0d1343 b15718e6 9e7fd220 12f17499
    d72a723b bd5841a8 d4d30ef3 dab4e858 f078089b 0602b3da 76dad4b7 9eb47466
    44914b5a f30f11f9 7ad3f2f5 9cdc027b db32f06a 9f548a68 6a0ca0a6 623833ee
    d4b2f7f2 75602be6 927d3b3e 1def6021 1bd71e18 c9e2a4fe cc7bc65d 6c7b608a
    cfdbd3d7 421a40c6 b7472323 d8
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
telnet 10.11.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.11.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
url-block url-mempool 1500
url-block url-size 4
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2001-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 10.11.144.3 10.11.144.8
dns-server value 10.11.144.3 10.11.144.8
vpn-tunnel-protocol IPSec
backup-servers clear-client-config
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
group-policy SPDVPN internal
group-policy SPDVPN attributes
wins-server value 10.11.144.3 10.11.144.8
dns-server value 10.11.144.3 10.11.144.8
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPDVPN_splitTunnelAcl
default-domain value xxx.org
username xxx password sE2H9HubIXI75SNz encrypted privilege 15
username xxx attributes
vpn-group-policy SPDVPN
username admin password 6YI.p7lD7uzHZBBs encrypted privilege 15
tunnel-group SPDVPN type remote-access
tunnel-group SPDVPN general-attributes
authentication-server-group DOMAIN
default-group-policy SPDVPN
dhcp-server 10.11.144.3
tunnel-group SPDVPN webvpn-attributes
group-alias SPD enable
tunnel-group SPDVPN ipsec-attributes
pre-shared-key *****
tunnel-group 206.x.x.126 type ipsec-l2l
tunnel-group 206.x.x.126 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect mgcp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:de6cc013b7f352d3ae23801e154d8a3b
: end

Julio Carvajal · ‎12-08-2011

Hello David,

Sounds like an ARP issue, can you clear the arp on the ASA.

- clear arp

Then try to do a show ARP on the ASA and let us know if you can see the default-gateway of the ASA (modem,dsl)

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-08-2011

Hello David,

Great to hear that know you have connectivity to the internet.

Is the DNS behind the inside interface, so basically you cannot perform a nslookup from any host behind the firewall right?

Please let me know if this is the case because if the DNS server is not resolving the domain names we will create a capture on the inside and outside interface.

Regards,

Please rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-08-2011

Hello David,

Ok lets say the Ip address of the DNS is 192.168.1.3 and its translated on the outside to 1.1.1.1

access-list capin permit udp host 192.168.1.3 any eq 53

access-list capin permit udp any eq 53 host 192.168.1.3

capture capin access-list capin interface inside

access-list capout permit udp any eq 53 host 1.1.1.1

access-list capout permit udp host 1.1.1.1 any eq 53

capture capout access-list capout interface outside

Please provide the show cap of both captures:

Please rate helpful posts.

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

mvsheik123 · ‎12-07-2011

Your got everything is perfect order :-). For your previous ISP, you can use IP SLA feature to act as backup for internet.

As far as internet access with new ISP..

Can you try with 'global (NewISP) 1 interface' and see if that works?

Thx

MS

David Hunt · ‎12-08-2011

Still does not work... I tried something different this time... I tried to simplify this as much as possable,,, All I am trying to do this time is to switch IP addess on the outside interface to that of the new IP provided by the new ISP...

I made the IP address change on the interface...I made the default route change... and the global NAT change... I must be missing something becasue it still does not work.

Below are two configs.... the first config is the config that is not working.... in bold are the changes that I made... following that is the working config... I am absolutely stumped.... please help...

NOT Working Config

:

ASA Version 8.2(4)

!

hostname XXXX

domain-name XXXX.org

enable password wZJefsykk8VmlkFg encrypted

passwd wZJefsykk8VmlkFg encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 50.x.x.92 255.255.255.240

!

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.11.144.253 255.255.255.0

!

interface Ethernet0/2

speed 100

duplex full

nameif dmz

security-level 10

ip address 10.1.1.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

time-range Always

!

boot system disk0:/disk0asa727-k8.bin

boot system disk0:/asa824-k8.bin

boot system disk0:/asa824-k8,bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name xxx.org

object-group service DM_INLINE_TCP_0 tcp

port-object eq www

port-object eq 2534

port-object eq 2533

port-object range 2701 2750

port-object eq https

object-group network DM_INLINE_NETWORK_4

network-object host 66.x.x.77

network-object host 66.x.x.78

object-group network DM_INLINE_NETWORK_5

network-object host 66.x.x.77

network-object host 66.x.x.78

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

access-list 120 extended permit ip 10.11.144.0 255.255.255.0 10.11.145.0 255.255.255.0

access-list 130 extended permit ip 10.11.144.0 255.255.255.0 10.11.146.0 255.255.255.0

access-list 140 extended permit ip 10.11.144.0 255.255.255.0 10.11.147.0 255.255.255.0

access-list 150 extended permit ip 10.11.144.0 255.255.255.0 10.11.148.0 255.255.255.0

access-list 160 extended permit ip 10.11.144.0 255.255.255.0 10.11.149.0 255.255.255.0

access-list 170 extended permit ip 10.11.144.0 255.255.255.0 10.11.150.0 255.255.255.0

access-list 180 extended permit ip 10.11.144.0 255.255.255.0 10.11.151.0 255.255.255.0

access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.1.1.0 255.255.255.0

access-list nonat extended permit ip 10.11.144.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list nonat extended permit ip any 10.11.0.0 255.255.0.0

access-list nonat extended permit ip any 172.16.10.0 255.255.255.0

access-list outside_acl extended permit tcp any host 66.x.x.73 object-group DM_INLINE_TCP_0

access-list outside_acl extended permit icmp any any time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.77 eq www time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.78 object-group DM_INLINE_TCP_1 time-range Always

access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_5 eq smtp time-range Always

access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_4 eq pop3 time-range Always

access-list dmz_acl extended permit udp 10.1.1.0 255.255.255.0 host 10.11.144.3 eq domain time-range Always

access-list dmz_acl extended permit ip 10.1.1.0 255.255.255.0 host 10.11.144.3 time-range Always

access-list dmz_acl extended permit tcp any any

access-list SPDVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

access-list SPDVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm warnings

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

ip local pool SPDVPN_IP_POOL 172.16.10.1-172.16.10.10

ip verify reverse-path interface inside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

asdm history enable

arp timeout 14400

global (outside) 1 50.77.178.91 netmask 255.255.255.255

nat (inside) 0 access-list nonat

nat (inside) 1 10.11.144.0 255.255.255.0

nat (inside) 1 10.11.145.0 255.255.255.0

nat (inside) 1 10.11.146.0 255.255.255.0

nat (inside) 1 10.11.147.0 255.255.255.0

nat (inside) 1 10.11.148.0 255.255.255.0

nat (inside) 1 10.11.149.0 255.255.255.0

nat (inside) 1 10.11.150.0 255.255.255.0

nat (inside) 1 10.11.151.0 255.255.255.0

nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,outside) 66.99.50.72 10.11.144.8 netmask 255.255.255.255

static (inside,outside) 66.99.50.78 10.11.144.12 netmask 255.255.255.255

static (inside,outside) 66.99.50.77 10.11.144.2 netmask 255.255.255.255

static (inside,outside) 66.99.50.85 10.11.144.25 netmask 255.255.255.255

static (inside,outside) 66.99.50.73 10.11.144.7 netmask 255.255.255.255

access-group outside_acl in interface outside

access-group inside_access_in in interface inside

access-group dmz_acl in interface dmz

route outside 0.0.0.0 0.0.0.0 50.x.x.93 1

route inside 10.11.145.0 255.255.255.0 10.11.144.254 1

route inside 10.11.146.0 255.255.255.0 10.11.144.254 1

route inside 10.11.147.0 255.255.255.0 10.11.144.254 1

route inside 10.11.148.0 255.255.255.0 10.11.144.254 1

route inside 10.11.149.0 255.255.255.0 10.11.144.254 1

route inside 10.11.150.0 255.255.255.0 10.11.144.254 1

route inside 10.11.151.0 255.255.255.0 10.11.144.254 1

route inside 192.168.100.0 255.255.255.0 10.11.144.254 1

timeout xlate 1:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server DOMAIN protocol nt

aaa-server DOMAIN (inside) host 10.11.144.3

nt-auth-domain-controller XXXdc1

nac-policy DfltGrpPolicy-nac-framework-create nac-framework

reval-period 36000

sq-period 300

url-server (inside) vendor websense host 10.11.144.9 timeout 30 protocol TCP version 1 connections 50

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication secure-http-client

filter url except 10.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 allow

filter url except 0.0.0.0 0.0.0.0 10.1.1.3 255.255.255.255

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.11.144.0 255.255.255.0 inside

http 10.11.0.0 255.255.0.0 inside

http 0.0.0.0 255.255.255.255 outside

snmp-server location Weber

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set 20 esp-des esp-md5-hmac

crypto ipsec transform-set 30 esp-des esp-md5-hmac

crypto ipsec transform-set 50 esp-des esp-md5-hmac

crypto ipsec transform-set 60 esp-des esp-md5-hmac

crypto ipsec transform-set 70 esp-des esp-md5-hmac

crypto ipsec transform-set ENCRYPT esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map OUTSIDEMAP 10 set transform-set ENCRYPT

crypto dynamic-map OUTSIDEMAP 30 set transform-set ESP-3DES-SHA

crypto dynamic-map Outside_dyn_map 10 set reverse-route

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map VPN 20 match address 120

crypto map VPN 20 set peer 206.166.36.122

crypto map VPN 20 set transform-set 20

crypto map VPN 30 set peer 206.166.36.154

crypto map VPN 30 set transform-set 30

crypto map VPN 50 set peer 206.166.36.146

crypto map VPN 50 set transform-set 50

crypto map VPN 60 set peer 206.166.36.150

crypto map VPN 60 set transform-set 60

crypto map VPN 70 set peer 206.166.36.126

crypto map VPN 70 set transform-set 70

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn sslvpnspd.skokie.org

subject-name CN=sslvpnspd

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 50d23f4d

308201e9 30820152 a0030201 02020450 d23f4d30 0d06092a 864886f7 0d010105

05003039 31123010 06035504 03130973 736c7670 6e737064 31233021 06092a86

4886f70d 01090216 1473736c 76706e73 70642e73 6b6f6b69 652e6f72 67301e17

0d313130 31323631 37323930 355a170d 32313031 32333137 32393035 5a303931

12301006 03550403 13097373 6c76706e 73706431 23302106 092a8648 86f70d01

09021614 73736c76 706e7370 642e736b 6f6b6965 2e6f7267 30819f30 0d06092a

864886f7 0d010101 05000381 8d003081 89028181 00b7ec4e 59cbac48 0887a91f

6a093ce6 96b98eff 5276cb30 5d7831a3 d1fec4ae a6ecdd56 d64e3140 b3acb7b0

a6c77aa5 732e5e28 6dae291f f0af8af9 d0b8d245 8351879b e2d7d36a 8890ee3a

6c873537 98a30ca1 9ec5efae 5866656b 278573f0 be1990d7 0f9dfc67 dbc8d63d

33bce9af b786a396 d695be7a 12dcecdc 61b54119 31020301 0001300d 06092a86

4886f70d 01010505 00038181 001de265 7c0d1343 b15718e6 9e7fd220 12f17499

d72a723b bd5841a8 d4d30ef3 dab4e858 f078089b 0602b3da 76dad4b7 9eb47466

44914b5a f30f11f9 7ad3f2f5 9cdc027b db32f06a 9f548a68 6a0ca0a6 623833ee

d4b2f7f2 75602be6 927d3b3e 1def6021 1bd71e18 c9e2a4fe cc7bc65d 6c7b608a

cfdbd3d7 421a40c6 b7472323 d8

quit

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

telnet 10.11.0.0 255.255.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 10.11.0.0 255.255.0.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

url-block url-mempool 1500

url-block url-size 4

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.2001-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

wins-server value 10.11.144.3 10.11.144.8

dns-server value 10.11.144.3 10.11.144.8

vpn-tunnel-protocol IPSec

backup-servers clear-client-config

nac-settings value DfltGrpPolicy-nac-framework-create

webvpn

svc keepalive none

svc dpd-interval client none

svc dpd-interval gateway none

svc compression deflate

customization value DfltCustomization

group-policy SPDVPN internal

group-policy SPDVPN attributes

wins-server value 10.11.144.3 10.11.144.8

dns-server value 10.11.144.3 10.11.144.8

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPDVPN_splitTunnelAcl

default-domain value XXX.org

username tpanocha password sE2H9HubIXI75SNz encrypted privilege 15

username tpanocha attributes

vpn-group-policy SPDVPN

username admin password 6YI.p7lD7uzHZBBs encrypted privilege 15

tunnel-group SPDVPN type remote-access

tunnel-group SPDVPN general-attributes

authentication-server-group DOMAIN

default-group-policy SPDVPN

dhcp-server 10.11.144.3

tunnel-group SPDVPN webvpn-attributes

group-alias SPD enable

tunnel-group SPDVPN ipsec-attributes

pre-shared-key *****

tunnel-group 206.166.36.126 type ipsec-l2l

tunnel-group 206.166.36.126 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect http

inspect mgcp

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:4eea62ac33fd47fef2fb739d4ec2b684

: end

Working Config

:

ASA Version 8.2(4)

!

hostname XXXX

domain-name XXX.org

enable password wZJefsykk8VmlkFg encrypted

passwd wZJefsykk8VmlkFg encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 66.x.x.70 255.255.255.224

!

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.11.144.253 255.255.255.0

!

interface Ethernet0/2

speed 100

duplex full

nameif dmz

security-level 10

ip address 10.1.1.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

time-range Always

!

boot system disk0:/disk0asa727-k8.bin

boot system disk0:/asa824-k8.bin

boot system disk0:/asa824-k8,bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name xxxx.org

object-group service DM_INLINE_TCP_0 tcp

port-object eq www

port-object eq 2534

port-object eq 2533

port-object range 2701 2750

port-object eq https

object-group network DM_INLINE_NETWORK_4

network-object host 66.x.x.77

network-object host 66.x.x.78

object-group network DM_INLINE_NETWORK_5

network-object host 60.x.x.77