VPN Connectivity

Navaz Wattoo
Level 1

Please tell me the VPN of ASA 5510, I need 10 VPNs.

Navaz

11 Replies

The 5510 can handle up to 250 VPNs. You find that information in the data sheet:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Please send me the configuration.

Navaz

ACTIVE# sh running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ACTIVE
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 description Inside to the Core Switches
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description public Server - DMZ
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Ethernet0/3
 description outside to the internet via router
 duplex full
 nameif Outside
 security-level 0
 ip address 125.209.70.90 255.255.255.248 standby 125.209.70.91
!
interface Management0/0
 description LAN/STATE Failover Interface
 management-only
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250
!
ftp mode passive
clock timezone PST 5
dns domain-lookup DMZ
dns domain-lookup Outside
dns server-group DEFAULT-DNS
 name-server 202.142.160.2
 name-server 202.141.224.34
dns server-group DefaultDNS
 domain-name dhalahore.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DMZ-BLOCKED-LAN-NETWORKS
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.30.0 255.255.255.0
 network-object 172.16.40.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list 102 extended permit tcp any any eq www
access-list 102 extended permit tcp any host 125.209.70.90 eq www
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
pager lines 24
logging asdm informational
mtu DMZ 1500
mtu Outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key *****
failover link FAILOVER Management0/0
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (DMZ) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255
access-group DMZ-IN in interface DMZ
access-group 102 in interface Outside
access-group no-nat in interface inside
route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1
route inside 0.0.0.0 0.0.0.0 192.168.11.254 2
route inside 172.16.10.0 255.255.255.0 192.168.11.254 1
route inside 172.16.20.0 255.255.255.0 192.168.11.254 1
route inside 172.16.30.0 255.255.255.0 192.168.11.254 1
route inside 172.16.40.0 255.255.255.0 192.168.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.11.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5

Navaz

Hi,

First off I would suggest providing us with more information when you ask something (even though you later posted the configuration). There is a very high chance that discussions will get completely ignored when the original post doesn't contain much information about the situation.

I would suggest you enable the graphical user interface called ASDM on the ASA and access the ASA using it.

First you should check the Flash memory which ASDM image you have there with command

dir flash:

Choose the highest number file called asdm-xxx.bin and enable it using

asdm image flash:/asdm-xxx.bin

Where naturally the "xxx" means the number in the file name that you see on the Flash memory.

Then enable the management through the use of the "http" command

http inside

Then connect using a browser to the IP address of the "inside" interface

https://192.168.11.249/

And install the ASDM. If you are prompted for authentication use your Enable password to login and don't give a username.

It has a VPN Wizard (in the Wizards menu) with which you can easily insert the needed information and the ASDM will generate the configurations for you.

- Jouni

ACTIVE# dir flash:
Directory of disk0:/
126    -rwx  15390720    23:58:50 May 08 2012  asa825-k8.bin
127    -rwx  16280544    02:19:18 May 09 2012  asdm-645.bin
3      drwx  4096        05:03:38 Jan 01 2003  log
10     drwx  4096        05:04:06 Jan 01 2003  crypto_archive
11     drwx  4096        05:04:08 Jan 01 2003  coredumpinfo
129    -rwx  12105313    02:01:50 May 09 2012  csd_3.5.841-k9.pkg
130    drwx  4096        02:02:00 May 09 2012  sdesktop
131    -rwx  2857568     02:02:14 May 09 2012  anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
132    -rwx  3203909     02:02:34 May 09 2012  anyconnect-win-2.4.1012-k9.pkg
133    -rwx  4832344     02:03:12 May 09 2012  anyconnect-macosx-i386-2.4.1012-k9.pkg
134    -rwx  5209423     02:03:46 May 09 2012  anyconnect-linux-2.4.1012-k9.pkg
135    drwx  4096        08:08:12 May 31 2013  tmp
255320064 bytes total (193347584 bytes free)

And after running the command http 192.168.11.249 255.255.255.0 inside

it gives this error:

WARNING: IP address <192.168.11.249> and netmask <255.255.255.0> inconsistent

Navaz

And how do I install ASDM?

Navaz

Hi,

You will basically have to make sure you have this configured

asdm image flash:/asdm-645.bin

Then you configure for example

http server enable

http 192.168.11.0 255.255.255.0 inside

Then you could try to open your web browser and insert

https://192.168.11.249/

It should get you to the screen where you have the option to install the ASDM software from your ASA to your local computer. Later on you can then use the ASDM to get into your ASA.

- Jouni
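The "inconsistent" warning above comes from giving the http command a host address (192.168.11.249) together with a /24 mask: the ASA expects the network address with the host bits cleared, which is why the corrected form is 192.168.11.0 255.255.255.0. The following Python 3 script is an added example, not code from Jouni, Cisco or the original poster; it reproduces that check off-box and also reviews the management-access and outside-ACL lines from the running-config posted earlier in this thread. The sample configuration embedded in it is constructed from those posted lines; the function names and the finding wording are my own, not ASA output.

```python
import ipaddress
import re

# Constructed sample: the management-access and ACL lines from the posted
# running-config, plus the http command that produced the warning.
SAMPLE_CONFIG = """\
http server enable
http 192.168.11.249 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.11.254 255.255.255.255 inside
ssh timeout 5
access-list 102 extended permit ip any any
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group 102 in interface Outside
access-group DMZ-IN in interface DMZ
"""

# "<proto> <address> <mask> <interface>" management-access lines.
MGMT_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
# ACL entries that permit all IP traffic from anywhere to anywhere.
ACL_ANY_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+any\s+any$")
# Where an ACL is applied.
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def network_for(address: str, mask: str) -> str:
    """Return 'network mask' with the host bits cleared, the form the ASA expects."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return f"{net.network_address} {net.netmask}"


def mask_inconsistent(address: str, mask: str) -> bool:
    """True when the address has bits set outside the mask, i.e. the condition
    behind the ASA's 'IP address <a> and netmask <m> inconsistent' warning."""
    return network_for(address, mask) != f"{address} {mask}"


def audit_management_access(config: str) -> list[str]:
    """Review management-access lines and permit-any ACLs; return findings."""
    findings: list[str] = []
    permit_any_acls: set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            if mask_inconsistent(addr, mask):
                findings.append(
                    f"{line}: host bits set; use "
                    f"'{proto} {network_for(addr, mask)} {iface}'")
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(
                    f"{line}: {proto} management open to every host on {iface}")
            if proto == "telnet":
                findings.append(f"{line}: telnet is cleartext; prefer ssh")
            continue
        m = ACL_ANY_RE.match(line)
        if m:
            permit_any_acls.add(m.group(1))
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m and m.group(1) in permit_any_acls:
            findings.append(f"{line}: ACL {m.group(1)} permits ip any any")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```

Run it as-is to see the findings for the posted lines, or paste a different "show running-config" into SAMPLE_CONFIG. Besides the mask problem, it points out that telnet is permitted from every host on the inside interface and that access-list 102, which permits ip any any, is applied inbound on Outside; both are worth reviewing before exposing the box further for VPN.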

I can ping 192.168.11.249 but can't access it through the browser.

After this command the VPN is still not working.

Navaz

I am still waiting.

Navaz

Hi,

None of these commands were meant to configure VPN connections. They were meant to get the ASDM working so you can easily run the VPN configuration wizard that lets you just fill in the information and the ASDM will generate the needed configuration for you.

Have you inserted the configurations I suggested?

There shouldn't really be many things that could go wrong with regards to accessing the ASA through the browser and then installing ASDM on the computer to manage the ASA.

Here is a link to a document here on the CSC which gives help with troubleshooting the ASDM connectivity

https://supportforums.cisco.com/docs/DOC-15016

- Jouni

Navaz Wattoo
Level 1

Thanks a lot, and I have another issue regarding IPS.

Thanks

Navaz