05-16-2019 12:34 PM
I initially set up an AnyConnect VPN to go to a single internal subnet, and that is working. However, we are adding several more subnets, and I cannot access any of them across the AnyConnect VPN. All of the subnets terminate directly on the ASA that hosts AnyConnect. But I can't figure out how to add the additional networks to the Interesting Traffic. Can anyone help?
05-16-2019 12:38 PM
05-16-2019 01:00 PM
You need to define the secure network in the group-policy. See the following guide:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html#s2
05-16-2019 03:04 PM
I think this has the relevant information. I have added the subnets to the SSLVPN-SplitTunnel ACL, which is where the TestNetwork that is working is located. But I can't access Inside, DMZNetwork, or WebNetwork over the SSLVPN.
ASA Version 9.8(4)
ip local pool VPN-POOL 192.168.105.5-192.168.105.250 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.111.1 255.255.255.0 standby 192.168.111.254
!
interface GigabitEthernet0/2
nameif web
security-level 50
ip address 192.168.224.1 255.255.255.0 standby 192.168.224.254
!
interface GigabitEthernet0/3
nameif DMZ
security-level 50
ip address 192.168.222.1 255.255.255.0 standby 192.168.222.254
!
interface GigabitEthernet0/4
nameif pci
security-level 100
ip address 192.168.190.1 255.255.255.0 standby 192.168.190.254
!
interface GigabitEthernet0/5
nameif test
security-level 100
ip address 192.168.195.1 255.255.255.0 standby 192.168.195.254
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/8
description LAN/STATE Failover Interface
!
!
ftp mode passive
clock timezone EST -4
dns domain-lookup Outside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.111.2
name-server 4.2.2.2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
-
access-list SSLVPN-SplitTunnel remark TestNetwork - SplitTunnel
access-list SSLVPN-SplitTunnel standard permit 192.168.195.0 255.255.255.0
access-list SSLVPN-SplitTunnel remark SplitTunnel- Inside
access-list SSLVPN-SplitTunnel standard permit 192.168.111.0 255.255.255.0
access-list SSLVPN-SplitTunnel remark DMZNetwork-SplitTunnel
access-list SSLVPN-SplitTunnel standard permit 192.168.222.0 255.255.255.0
access-list SSLVPN-SplitTunnel remark WebNetwork-SplitTunnel
access-list SSLVPN-SplitTunnel standard permit 192.168.224.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_2
pager lines 23
logging enable
logging standby
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu web 1500
mtu DMZ 1500
mtu pci 1500
mtu test 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface fover GigabitEthernet0/8
failover link fover GigabitEthernet0/8
failover interface ip fover 192.168.191.1 255.255.255.240 standby 192.168.191.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (test,Outside) source static any any destination static SSLVPN-Network SSLVPN-Network no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static SSLVPN-Network SSLVPN-Network no-proxy-arp route-lookup
nat (DMZ,Outside) source static any any destination static SSLVPN-Network SSLVPN-Network no-proxy-arp route-lookup
nat (web,Outside) source static any any destination static SSLVPN-Network SSLVPN-Network no-proxy-arp route-lookup
nat (pci,Outside) source static any any destination static SSLVPN-Network SSLVPN-Network no-proxy-arp route-lookup
!
object network TestNetwork-NAT
nat (any,Outside) dynamic interface
object network PCI-Network-NAT
nat (any,Outside) dynamic interface
object network DMZ-Network-NAT
nat (any,Outside) dynamic interface
object network Internal-Network-NAT
nat (any,Outside) dynamic interface
object network Web-Network-NAT
nat (any,Outside) dynamic interface
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group web_access_in in interface web
access-group DMZ_access_in in interface DMZ
access-group pci_access_in in interface pci
access-group test_access_in in interface test
access-group management_access_in in interface management
route Outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable 8443
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer *.*.*.*
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 2 match address Outside_cryptomap_1
crypto map Outside_map 2 set peer *.*.*.*
crypto map Outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 3 match address Outside_cryptomap_2
crypto map Outside_map 3 set peer *.*.*.*
crypto map Outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=*****
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=****
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
fqdn *****
subject-name CN=*******
keypair vpn.key
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
fqdn *****
subject-name CN=*****
keypair vpnkey.key
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
fqdn *****
subject-name CN *****
keypair newkey.key
crl configure
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint6
keypair newkey.key
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca
*****
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate
*****
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate
*****
quit
crypto ca certificate chain ASDM_TrustPoint5
certificate ca *****
quit
crypto ca certificate chain ASDM_TrustPoint6
certificate
*****
quit
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 1800
crypto ikev1 policy 3
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
crypto ikev1 policy 4
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28000
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.111.2
ntp server 129.6.15.28
ssl trust-point ASDM_TrustPoint6 Outside
ssl trust-point ASDM_TrustPoint6 Inside
ssl trust-point ASDM_TrustPoint6 web
ssl trust-point ASDM_TrustPoint6 DMZ
ssl trust-point ASDM_TrustPoint6 pci
ssl trust-point ASDM_TrustPoint6 test
ssl trust-point ASDM_TrustPoint6 management
webvpn
enable Outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-macos-4.7.02036-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.111.2
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-network-list value SSLVPN-SplitTunnel
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
wins-server none
dns-server value 192.168.111.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSLVPN-SplitTunnel
default-domain none
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username ***** password *****
username ***** attributes
service-type remote-access
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool VPN-POOL
default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_2.2.2.2
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy GroupPolicy_2.2.2.2
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
: end
05-16-2019 03:25 PM
05-16-2019 04:05 PM
Added back into the config:
object network SSLVPN-Network
subnet 192.168.105.0 255.255.255.0
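As an added check that is not from the thread or from Cisco: a small Python audit over the parts of an ASA running-config that AnyConnect split tunnelling depends on. For each subnet in the split-tunnel ACL it confirms the subnet is hosted on an interface, that the interface has an identity NAT exemption towards Outside, and that the object the exemption references (SSLVPN-Network, which the first dump above does not define) exists and covers the VPN pool. The config excerpt is constructed from the thread's values, with the DMZ exemption deliberately left out so that finding shows up as well; the function names and finding text are this example's own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's config: the object that the NAT
# exemptions reference is absent (as in the first dump), and the DMZ has no
# exemption at all, so both kinds of finding appear.
CONFIG_AS_POSTED = """\
ip local pool VPN-POOL 192.168.105.5-192.168.105.250 mask 255.255.255.0
interface GigabitEthernet0/1
 nameif Inside
 ip address 192.168.111.1 255.255.255.0 standby 192.168.111.254
interface GigabitEthernet0/3
 nameif DMZ
 ip address 192.168.222.1 255.255.255.0 standby 192.168.222.254
access-list SSLVPN-SplitTunnel standard permit 192.168.111.0 255.255.255.0
access-list SSLVPN-SplitTunnel standard permit 192.168.222.0 255.255.255.0
nat (Inside,Outside) source static any any destination static SSLVPN-Network SSLVPN-Network no-proxy-arp route-lookup
group-policy GroupPolicy_SSLVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN-SplitTunnel
"""
# The two lines the poster added back in the follow-up.
OBJECT_FIX = "object network SSLVPN-Network\n subnet 192.168.105.0 255.255.255.0\n"

NAT_EXEMPT = re.compile(r"nat \(([^,]+),([^)]+)\) source static any any "
                        r"destination static (\S+) (\S+)")


def parse_config(text):
    """Collect the ASA config pieces that AnyConnect split tunnelling depends on."""
    cfg = {"pools": {}, "interfaces": {}, "acls": {}, "nat": [], "objects": {}, "policies": {}}
    section = None  # indented block we are inside: [kind, name]
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "interface":
            section = ["interface", None]
        elif p[:2] == ["object", "network"]:
            section = ["object", p[2]]
        elif p[0] == "group-policy" and p[-1] == "attributes":
            section = ["policy", p[1]]
            cfg["policies"].setdefault(p[1], {})
        elif p[:3] == ["ip", "local", "pool"]:  # first pool address + mask -> pool network
            cfg["pools"][p[3]] = ipaddress.ip_network(f"{p[4].split('-')[0]}/{p[6]}", strict=False)
        elif p[0] == "access-list" and p[2:4] == ["standard", "permit"]:
            cfg["acls"].setdefault(p[1], []).append(ipaddress.ip_network(f"{p[4]}/{p[5]}"))
        elif (m := NAT_EXEMPT.match(raw.strip())) and m.group(3) == m.group(4):
            # identity NAT: the destination object is translated to itself
            cfg["nat"].append((m.group(1), m.group(2), m.group(3)))
        elif section and section[0] == "interface":
            if p[0] == "nameif":
                section[1] = p[1]
            elif p[:2] == ["ip", "address"] and section[1]:
                cfg["interfaces"][section[1]] = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
        elif section and section[0] == "object" and p[0] == "subnet":
            cfg["objects"][section[1]] = ipaddress.ip_network(f"{p[1]}/{p[2]}")
        elif section and section[0] == "policy" and p[0].startswith("split-tunnel"):
            cfg["policies"][section[1]][p[0]] = p[-1]
    return cfg


def audit_split_tunnel(text, policy, pool, outside="Outside"):
    """One finding per reason a split-tunnelled subnet may be unreachable: no hosting
    interface, no identity NAT exemption towards the VPN interface, or an exemption
    object that is undefined or does not cover the client address pool."""
    cfg = parse_config(text)
    gp = cfg["policies"].get(policy, {})
    findings = []
    if gp.get("split-tunnel-policy") != "tunnelspecified":
        findings.append(f"{policy}: split-tunnel-policy is not tunnelspecified")
    acl = cfg["acls"].get(gp.get("split-tunnel-network-list"), [])
    if not acl:
        return findings + [f"{policy}: split-tunnel-network-list missing or empty"]
    pool_net = cfg["pools"][pool]
    for subnet in acl:
        ifc = next((n for n, net in cfg["interfaces"].items() if subnet.subnet_of(net)), None)
        if ifc is None:
            findings.append(f"{subnet}: not hosted on any ASA interface")
            continue
        exempt = [obj for src, dst, obj in cfg["nat"] if (src, dst) == (ifc, outside)]
        if not exempt:
            findings.append(f"{subnet}: no NAT exemption ({ifc},{outside}) for the VPN pool")
        for obj in exempt:
            if obj not in cfg["objects"]:
                findings.append(f"{subnet}: NAT exemption references undefined object {obj}")
            elif not pool_net.subnet_of(cfg["objects"][obj]):
                findings.append(f"{subnet}: object {obj} does not cover pool {pool_net}")
    return findings


if __name__ == "__main__":
    for label, text in (("as first posted", CONFIG_AS_POSTED),
                        ("object added back", CONFIG_AS_POSTED + OBJECT_FIX)):
        print(label, audit_split_tunnel(text, "GroupPolicy_SSLVPN", "VPN-POOL") or ["ok"])
```

Running it against a full `show running-config` works the same way, since lines the parser does not recognise are skipped.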
05-17-2019 12:55 AM