01-18-2013 03:23 AM
I have a site-to-site vpn connection to a remote client site that can be accessed from the servers in the following access list
access-list MATCHJLS extended permit ip 78.129.xxx.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
object-group network DM_INLINE_NETWORK_1
network-object host 172.19.60.52
network-object host 172.19.60.53
network-object host 172.19.60.68
network-object host 172.19.60.69
network-object host 172.19.60.84
network-object host 172.19.60.85
network-object host 172.19.60.86
I would also like 10.1.1.0/24 and 10.255.255.0/24 to access the remote site, but the admin on site says that NAT
should be used with the existing access and they won't add the additional rules due to a possible IP conflict.
I'm not sure how to do this. Any advice would be much appreciated.
01-19-2013 01:08 PM
OK.
1. First try to upgrade; it might solve the problem.
2. If the upgrade does not fix it, please send me back the results of both tests:
packet-tracer input inside icmp 10.1.1.10 8 0 172.19.60.52 det
packet-tracer input inside icmp 10.255.255.10 8 0 172.19.60.52 det
And some more details:
sh asp table classify crypto
sh asp table vpn-context detail
sh asp drop
But first test newer version of software.
--
Michal
01-22-2013 06:14 AM
Router is now running asa825-33-k8.bin. No change, unfortunately. I ran the commands as requested -
Result of the command: "packet-tracer input inside icmp 10.1.1.10 8 0 172.19.60.52 det"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab87b088, priority=1, domain=permit, deny=false
hits=5873, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow in interface Inside
access-list allow extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8da840, priority=12, domain=permit, deny=false
hits=358, user_data=0xa8acab80, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab87da98, priority=0, domain=inspect-ip-options, deny=true
hits=475, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab87d710, priority=66, domain=inspect-icmp-error, deny=false
hits=19, user_data=0xab87d5f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 11 access-list policy-nat
match ip Inside 10.1.1.0 255.255.255.0 Outside host 172.19.60.52
dynamic translation to pool 11 (78.129.151.105)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.1.1.10/0 to 78.129.151.105/31664 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xab8ae3f0, priority=2, domain=nat, deny=false
hits=1, user_data=0xab8ae330, cs_id=0x0, flags=0x0, protocol=0
src ip=10.1.1.0, mask=255.255.255.0, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 11 access-list policy-nat
match ip Inside 10.1.1.0 255.255.255.0 Outside host 172.19.60.52
dynamic translation to pool 11 (78.129.151.105)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8ae520, priority=2, domain=host, deny=false
hits=162, user_data=0xab8ae330, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.1.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xabf64438, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Result of the command: "packet-tracer input inside icmp 10.255.255.10 8 0 172.19.60.52 det"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group allow in interface Inside
access-list allow extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8da840, priority=12, domain=permit, deny=false
hits=359, user_data=0xa8acab80, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab87da98, priority=0, domain=inspect-ip-options, deny=true
hits=476, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab87d710, priority=66, domain=inspect-icmp-error, deny=false
hits=20, user_data=0xab87d5f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 10 access-list policy-nat-two
match ip Inside 10.255.255.0 255.255.255.0 Outside host 172.19.60.52
dynamic translation to pool 10 (78.129.151.106)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 10.255.255.10/0 to 78.129.151.106/25111 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xab8cd310, priority=2, domain=nat, deny=false
hits=1, user_data=0xab8cd250, cs_id=0x0, flags=0x0, protocol=0
src ip=10.255.255.0, mask=255.255.255.0, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 10 access-list policy-nat-two
match ip Inside 10.255.255.0 255.255.255.0 Outside host 172.19.60.52
dynamic translation to pool 10 (78.129.151.106)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8cd668, priority=2, domain=host, deny=false
hits=2, user_data=0xab8cd250, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.255.255.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xabf64438, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Result of the command: "sh asp table classify crypto"
Interface Inside:
Interface Outside:
in id=0xa7aae2d8, priority=70, domain=decrypt, deny=false
hits=2, user_data=0x5124, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip=212.118.128.233, mask=255.255.255.255, port=51829
dst ip=87.117.213.66, mask=255.255.255.255, port=1576, dscp=0x0
in id=0xac447cc0, priority=70, domain=decrypt, deny=false
hits=1, user_data=0x89bc, cs_id=0x0, reverse, flags=0x0, protocol=17
src ip=37.19.98.120, mask=255.255.255.255, port=49259
dst ip=87.117.213.66, mask=255.255.255.255, port=4500, dscp=0x0
in id=0xac4583c0, priority=70, domain=decrypt, deny=false
hits=1, user_data=0xd014, cs_id=0x0, reverse, flags=0x0, protocol=17
src ip=46.242.71.196, mask=255.255.255.255, port=52470
dst ip=87.117.213.66, mask=255.255.255.255, port=4500, dscp=0x0
in id=0xac45a348, priority=70, domain=decrypt, deny=false
hits=3, user_data=0x11a2c, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip=212.118.128.233, mask=255.255.255.255, port=37242
dst ip=87.117.213.66, mask=255.255.255.255, port=50445, dscp=0x0
in id=0xa7aae010, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=2, user_data=0x5124, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=212.118.157.213, mask=255.255.255.255, port=0
dst ip=78.129.151.26, mask=255.255.255.255, port=0, dscp=0x0
in id=0xac447c28, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=41, user_data=0x89bc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.255.255.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
in id=0xac458328, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=33, user_data=0xd014, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.255.255.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
in id=0xac45a2b0, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x11a2c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=212.118.157.205, mask=255.255.255.255, port=0
dst ip=78.129.151.26, mask=255.255.255.255, port=0, dscp=0x0
in id=0xac19c1c8, priority=12, domain=ipsec-natt, deny=false
hits=4, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=17
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=87.117.213.66, mask=255.255.255.255, port=4500, dscp=0x0
in id=0xab79fd58, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=98, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
in id=0xac19cc28, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=::/0, port=0
dst ip=::/0, port=0
out id=0xab83e660, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=255.255.255.255, port=0, dscp=0x0
out id=0xabf64438, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
out id=0xabf64730, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.53, mask=255.255.255.255, port=0, dscp=0x0
out id=0xabf64a28, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.68, mask=255.255.255.255, port=0, dscp=0x0
out id=0xabf64d20, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.69, mask=255.255.255.255, port=0, dscp=0x0
out id=0xabf65018, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.84, mask=255.255.255.255, port=0, dscp=0x0
out id=0xabf65310, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.85, mask=255.255.255.255, port=0, dscp=0x0
out id=0xabf65608, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.128, port=0
dst ip=172.19.60.86, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17bd80, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab895290, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17c0e0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab895290, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.224, port=0
dst ip=10.180.9.121, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17c3d8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab895290, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.224, port=0
dst ip=10.180.9.120, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17c6d0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab895290, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.224, port=0
dst ip=10.180.9.221, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17c9c8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17cd28, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.203, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17d020, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.204, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac4598d8, priority=70, domain=encrypt, deny=false
hits=1, user_data=0xf16c, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.205, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17d318, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.205, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17d610, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.206, mask=255.255.255.255, port=0, dscp=0x0
out id=0xab761f90, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.207, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac1830b0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.208, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac183368, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.209, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac183620, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.210, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac183918, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.211, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac183c10, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.212, mask=255.255.255.255, port=0, dscp=0x0
out id=0xa7aad538, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x2944, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.213, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac183f08, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.213, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac184378, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.214, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac184670, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.215, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac184928, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.216, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac184be0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.217, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac184ed8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.218, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac1851d0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.190, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac1854c8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.191, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac1857c0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.192, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac185ab8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.193, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac185f28, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.194, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac186220, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.195, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac186518, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.196, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac186810, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.197, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac186b08, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.198, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac186e00, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.199, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac1870f8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.200, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac1873f0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.201, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17bb78, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0
src ip=78.129.151.26, mask=255.255.255.255, port=0
dst ip=212.118.157.202, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac187908, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83dc88, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac187c68, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83dc88, reverse, flags=0x0, protocol=0
src ip=78.129.151.9, mask=255.255.255.255, port=0
dst ip=172.16.135.184, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac187f60, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83dc88, reverse, flags=0x0, protocol=0
src ip=78.129.151.24, mask=255.255.255.248, port=0
dst ip=172.16.158.11, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac188258, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83dc88, reverse, flags=0x0, protocol=0
src ip=78.129.151.24, mask=255.255.255.248, port=0
dst ip=172.17.167.10, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac188550, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83dc88, reverse, flags=0x0, protocol=0
src ip=78.129.151.24, mask=255.255.255.248, port=0
dst ip=172.16.157.164, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac188848, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83dc88, reverse, flags=0x0, protocol=0
src ip=78.129.151.24, mask=255.255.255.248, port=0
dst ip=172.16.134.86, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac188b40, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83df68, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac188ea0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83df68, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.224, port=0
dst ip=10.180.9.121, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac17d908, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83df68, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.224, port=0
dst ip=10.180.9.120, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac1893b8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xab83df68, reverse, flags=0x0, protocol=0
src ip=78.129.151.0, mask=255.255.255.224, port=0
dst ip=10.180.9.221, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac446e30, priority=70, domain=encrypt, deny=false
hits=41, user_data=0x653c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.255.255.1, mask=255.255.255.255, port=0, dscp=0x0
out id=0xac457e38, priority=70, domain=encrypt, deny=false
hits=33, user_data=0xadf4, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.255.255.2, mask=255.255.255.255, port=0, dscp=0x0
Interface identity:
Last clearing of hits counters: Never
Result of the command: "sh asp table vpn-context detail"
VPN CTX = 0x00011A2C
Peer IP = 212.118.157.205
Pointer = 0xAC454BC8
State = UP
Flags = DECR+ESP
SA = 0x00049A8B
SPI = 0x7A910DC5
Group = 2
Pkts = 111
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
VPN CTX = 0x0000F16C
Peer IP = 212.118.157.205
Pointer = 0xAC457680
State = UP
Flags = ENCR+ESP
SA = 0x00060027
SPI = 0xDD8B333E
Group = 1
Pkts = 96
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
VPN CTX = 0x0000D014
Peer IP = 10.255.255.2
Pointer = 0xAC4581E0
State = UP
Flags = DECR+ESP+NATT
SA = 0x00038005
SPI = 0x43273945
Group = 2
Pkts = 1233
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
VPN CTX = 0x0000ADF4
Peer IP = 10.255.255.2
Pointer = 0xAC457D30
State = UP
Flags = ENCR+ESP+NATT
SA = 0x0004385B
SPI = 0xD3038491
Group = 2
Pkts = 1064
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
VPN CTX = 0x000089BC
Peer IP = 10.255.255.1
Pointer = 0xAC447AE0
State = UP
Flags = DECR+ESP+NATT
SA = 0x0002866F
SPI = 0x3DBAA97B
Group = 0
Pkts = 272
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
VPN CTX = 0x0000653C
Peer IP = 10.255.255.1
Pointer = 0xAC464190
State = UP
Flags = ENCR+ESP+NATT
SA = 0x00033F7D
SPI = 0xEBB09BAE
Group = 0
Pkts = 333
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
VPN CTX = 0x00005124
Peer IP = 212.118.157.213
Pointer = 0xA7AADEC8
State = UP
Flags = DECR+ESP
SA = 0x0000BC13
SPI = 0x75CA2806
Group = 2
Pkts = 1602
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
VPN CTX = 0x00002944
Peer IP = 212.118.157.213
Pointer = 0xA7AAD430
State = UP
Flags = ENCR+ESP
SA = 0x0002154F
SPI = 0x990EF331
Group = 1
Pkts = 1573
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter =
Result of the command: "sh asp drop"
Frame drop:
Flow is denied by configured rule (acl-drop) 611
NAT-T keepalive message (natt-keepalive) 15
First TCP packet not SYN (tcp-not-syn) 82
TCP failed 3 way handshake (tcp-3whs-failed) 25
TCP RST/FIN out of order (tcp-rstfin-ooo) 3
Slowpath security checks failed (sp-security-failed) 45
Expired flow (flow-expired) 1
Interface is down (interface-down) 2
Dropped pending packets in a closed socket (np-socket-closed) 33
Last clearing: Never
Flow drop:
Need to start IKE negotiation (need-ike) 8
Inspection failure (inspect-fail) 14
SSL bad record detected (ssl-bad-record-detect) 1
SSL received close alert (ssl-received-close-alert) 1
Last clearing: Never
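The two packet-tracer runs above both pass the NAT phase and are then dropped at the VPN encrypt phase. An added example (not part of this thread, and not Cisco tooling) of how to triage such output mechanically: the script below parses a `packet-tracer ... detail` listing into phases, reports the first phase whose Result is DROP together with the Drop-reason, extracts the dynamic NAT translation and the `domain=encrypt` rule, and checks whether the post-NAT source and the packet's destination fall inside that rule's src/dst masks. The sample input is a condensed excerpt of the first trace posted above (phases 6 and 8 only). The function names (`parse_phases`, `triage`) and the `Phase` dataclass are this example's own; only the Python standard library is used.

```python
"""Triage helper for Cisco ASA `packet-tracer ... detail` output.

Added example, not from the forum thread. It answers two questions a
practitioner asks first when a flow dies at the VPN phase:
  1. Which phase dropped it, and what was the drop reason?
  2. After NAT, do the source and destination still match the crypto
     (domain=encrypt) rule the trace selected?
"""
import ipaddress
import re
from dataclasses import dataclass

# Condensed excerpt of the first packet-tracer run posted in the thread
# (phases 6 and 8 plus the summary); the other phases are omitted.
SAMPLE_TRACE = """\
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 11 access-list policy-nat
  match ip Inside 10.1.1.0 255.255.255.0 Outside host 172.19.60.52
    dynamic translation to pool 11 (78.129.151.105)
Additional Information:
Dynamic translate 10.1.1.10/0 to 78.129.151.105/31664 using netmask 255.255.255.255
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0xabf64438, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0
        src ip=78.129.151.0, mask=255.255.255.128, port=0
        dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0
Result:
input-interface: Inside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    ptype: str
    subtype: str
    result: str
    body: str


PHASE_RE = re.compile(r"^Phase: (\d+)[ \t]*$", re.M)
SUMMARY_RE = re.compile(r"^Result:[ \t]*$", re.M)          # bare "Result:" starts the summary
NAT_RE = re.compile(r"Dynamic translate ([\d.]+)/\d+ to ([\d.]+)/\d+")
RULE_RE = re.compile(r"src ip=([\d.]+), mask=([\d.]+).*?dst ip=([\d.]+), mask=([\d.]+)", re.S)


def _field(chunk: str, name: str) -> str:
    """Return the value of a 'Name: value' line inside one phase chunk."""
    m = re.search(rf"^{name}:[ \t]*(.*)$", chunk, re.M)
    return m.group(1).strip() if m else ""


def parse_phases(text: str) -> list:
    """Split the trace into Phase records; the trailing summary block is excluded."""
    summary = SUMMARY_RE.search(text)
    body = text[: summary.start()] if summary else text
    heads = list(PHASE_RE.finditer(body))
    phases = []
    for i, h in enumerate(heads):
        stop = heads[i + 1].start() if i + 1 < len(heads) else len(body)
        chunk = body[h.end():stop]
        phases.append(Phase(int(h.group(1)), _field(chunk, "Type"),
                            _field(chunk, "Subtype"), _field(chunk, "Result"), chunk))
    return phases


def drop_reason(text: str):
    m = re.search(r"^Drop-reason: (.*)$", text, re.M)
    return m.group(1).strip() if m else None


def triage(text: str, dst_ip: str) -> dict:
    """Locate the drop and test the post-NAT 5-tuple against the encrypt rule."""
    phases = parse_phases(text)
    report = {"drop_phase": None, "drop_reason": drop_reason(text), "translated_src": None,
              "src_in_crypto_acl": None, "dst_in_crypto_acl": None}
    drop = next((p for p in phases if p.result == "DROP"), None)
    if drop is None:
        return report
    report["drop_phase"] = f"{drop.ptype}/{drop.subtype}".rstrip("/")
    nat = next((NAT_RE.search(p.body) for p in phases if p.ptype == "NAT" and NAT_RE.search(p.body)), None)
    rule = next((RULE_RE.search(p.body) for p in phases
                 if p.ptype == "VPN" and "domain=encrypt" in p.body and RULE_RE.search(p.body)), None)
    if nat:
        report["translated_src"] = nat.group(2)
    if nat and rule:
        src_net = ipaddress.ip_network(f"{rule.group(1)}/{rule.group(2)}", strict=False)
        dst_net = ipaddress.ip_network(f"{rule.group(3)}/{rule.group(4)}", strict=False)
        report["src_in_crypto_acl"] = ipaddress.ip_address(nat.group(2)) in src_net
        report["dst_in_crypto_acl"] = ipaddress.ip_address(dst_ip) in dst_net
    return report


if __name__ == "__main__":
    for k, v in triage(SAMPLE_TRACE, "172.19.60.52").items():
        print(f"{k}: {v}")
```

On the excerpt above the report shows the drop at VPN/encrypt with translated source 78.129.151.105, and both containment checks come back True: the post-NAT source lies inside 78.129.151.0/25 and the destination matches the /32, so the drop is not explained by the translated addresses falling outside the selected crypto rule. That narrows the next step to the other items Michal asked for (the crypto classify table and the vpn-context detail) rather than the NAT configuration.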
01-20-2013 07:34 AM
Hi Graham,
Please remove the two dynamic NATs and the associated global (Outside) lines below.
global (Outside) 11 78.129.151.105
global (Outside) 10 78.129.151.106
Try the below static nats.
static (inside,outside) 78.129.151.105 access-list policy-nat
static (outside,outside) 78.129.151.106 access-list policy-nat-two
Let me know how it is coming along.
thanks
Rizwan Rafeek
01-28-2013 02:02 AM
Still no luck unfortunately. Any further suggestions?
01-28-2013 06:07 AM
Please tell me how much DRAM is installed on your ASA.
01-28-2013 06:12 AM
1024 MB
01-28-2013 06:26 AM
Please post your current running config.
thanks
01-28-2013 06:38 AM
Thanks for your help. Here you go:
: Saved
:
ASA Version 8.2(5)33
!
hostname vpn
domain-name msiuk.com
enable password Pp6RUfdBBNbecnUU encrypted
passwd ucU7iJY/nXKMNlZ/ encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 87.117.213.66 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 78.129.151.1 255.255.255.128
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa825-33-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name msisk.com
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq 8080
port-object eq www
port-object eq https
object-group service Http81 tcp
port-object eq 81
object-group service DM_INLINE_TCP_3 tcp
port-object eq 81
port-object eq www
port-object eq smtp
object-group network DM_INLINE_NETWORK_1
network-object host 172.19.60.52
network-object host 172.19.60.53
network-object host 172.19.60.68
network-object host 172.19.60.69
network-object host 172.19.60.84
network-object host 172.19.60.85
network-object host 172.19.60.86
access-list basic extended permit icmp any any echo-reply
access-list basic extended permit icmp any any time-exceeded
access-list basic extended permit tcp any host 78.129.151.24 eq 8731
access-list basic extended permit tcp any host 78.129.151.24 eq www
access-list basic extended permit tcp any host 78.129.151.20 object-group DM_INLINE_TCP_3
access-list basic extended permit tcp any host 78.129.151.28 eq www
access-list basic extended permit tcp any host 78.129.151.32 eq www
access-list basic extended permit tcp any host 78.129.151.18 eq https inactive
access-list basic extended permit tcp any host 78.129.151.23 eq www
access-list basic extended permit tcp any host 78.129.151.2 eq https
access-list basic extended permit tcp any host 78.129.151.14 eq https
access-list basic extended permit tcp any host 78.129.151.24
access-list basic extended permit tcp host 94.128.5.2 78.129.151.0 255.255.255.128 object-group DM_INLINE_TCP_1
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list SPLITTUN standard permit 78.129.151.0 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
access-list allow extended permit ip any any
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.203
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.204
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.205
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.206
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.207
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.208
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.209
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.210
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.211
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.212
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.213
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.214
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.215
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.216
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.217
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.218
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.190
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.191
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.192
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.193
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.194
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.195
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.196
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.197
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.198
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.199
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.200
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.201
access-list MATCHSTC extended permit ip host 78.129.151.26 host 212.118.157.202
access-list STCNAT extended permit ip any 212.118.157.0 255.255.255.0
access-list policy-nat extended permit ip 10.1.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list MATCHKW extended permit ip 78.129.151.0 255.255.255.224 host 10.180.9.121
access-list MATCHKW extended permit ip 78.129.151.0 255.255.255.224 host 10.180.9.120
access-list MATCHKW extended permit ip 78.129.151.0 255.255.255.224 host 10.180.9.221
access-list Huawei extended permit ip host 78.129.151.9 host 172.16.135.184
access-list Huawei extended permit ip 78.129.151.24 255.255.255.248 host 172.16.158.11
access-list Huawei extended permit ip 78.129.151.24 255.255.255.248 host 172.17.167.10
access-list Huawei extended permit ip 78.129.151.24 255.255.255.248 host 172.16.157.164
access-list Huawei extended permit ip 78.129.151.24 255.255.255.248 host 172.16.134.86
access-list MATCHJLS extended permit ip 78.129.151.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
access-list policy-nat-two extended permit ip 10.255.255.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
ip local pool LOCPOOL 10.255.255.1-10.255.255.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (Outside) 11 78.129.151.105
global (Outside) 10 78.129.151.106
nat (Outside) 10 access-list policy-nat-two
nat (Inside) 0 access-list NONAT
nat (Inside) 11 access-list policy-nat
nat (Inside) 10 access-list policy-nat-two
nat (Inside) 1 10.1.1.0 255.255.255.0
nat (Inside) 1 10.2.2.0 255.255.255.0
access-group basic in interface Outside
access-group allow out interface Outside
access-group allow in interface Inside
access-group allow out interface Inside
route Outside 0.0.0.0 0.0.0.0 87.117.213.65 1
route Inside 10.1.1.0 255.255.255.0 78.129.151.2 1
route Inside 10.2.2.0 255.255.255.0 78.129.151.2 1
route Inside 10.33.67.0 255.255.255.0 78.129.151.26 1
route Inside 172.20.78.0 255.255.255.0 78.129.151.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set VPN3DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
crypto ipsec transform-set kwset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set jlstransformset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNOMAP 10 set transform-set VPN3DES
crypto map VPNPEER 1 match address MATCHJLS
crypto map VPNPEER 1 set peer 94.128.15.86
crypto map VPNPEER 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 10 match address MATCHKW
crypto map VPNPEER 10 set peer 94.128.5.2
crypto map VPNPEER 10 set transform-set jlstransformset
crypto map VPNPEER 10 set nat-t-disable
crypto map VPNPEER 30 match address MATCHSTC
crypto map VPNPEER 30 set peer 212.118.128.233
crypto map VPNPEER 30 set transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 30 set reverse-route
crypto map VPNPEER 40 match address Huawei
crypto map VPNPEER 40 set peer 94.128.3.130
crypto map VPNPEER 40 set transform-set kwset
crypto map VPNPEER 50 match address MATCHKW
crypto map VPNPEER 50 set pfs
crypto map VPNPEER 50 set peer 94.128.5.2
crypto map VPNPEER 50 set transform-set kwset ESP-DES-MD5 ESP-3DES-SHA ESP-DES-SHA
crypto map VPNPEER 50 set nat-t-disable
crypto map VPNPEER 100 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface Outside
crypto isakmp enable Outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp nat-traversal 3600
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-filter value MATCHKW
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CLIENTGROUP internal
group-policy CLIENTGROUP attributes
dns-server value 10.1.1.10 10.1.1.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLITTUN
default-domain value msiuk.local
username admin password 9RG9xAvyOSnJRd.Q encrypted privilege 15
tunnel-group msi type remote-access
tunnel-group msi general-attributes
address-pool LOCPOOL
default-group-policy CLIENTGROUP
tunnel-group msi ipsec-attributes
pre-shared-key *****
tunnel-group msi ppp-attributes
authentication ms-chap-v2
tunnel-group 212.118.128.233 type ipsec-l2l
tunnel-group 212.118.128.233 ipsec-attributes
pre-shared-key *****
tunnel-group 94.128.5.2 type ipsec-l2l
tunnel-group 94.128.5.2 ipsec-attributes
pre-shared-key *****
tunnel-group 94.128.3.130 type ipsec-l2l
tunnel-group 94.128.3.130 ipsec-attributes
pre-shared-key *****
tunnel-group 94.128.15.86 type ipsec-l2l
tunnel-group 94.128.15.86 ipsec-attributes
pre-shared-key *****
!
class-map ftpdefault
match default-inspection-traffic
class-map inspection-default
!
!
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f516a297ee0a2cfd9f966a4ea148c283
: end
asdm image disk0:/asdm-625-53.bin
no asdm history enable
01-28-2013 07:49 AM
Please remove these lines.
global (Outside) 11 78.129.151.105
global (Outside) 10 78.129.151.106
nat (Inside) 11 access-list policy-nat
nat (Inside) 10 access-list policy-nat-two
Apply these.
crypto dynamic-map DYNOMAP 10 set reverse-route
access-list SPLITTUN standard permit ip object-group DM_INLINE_NETWORK_1
static (inside,outside) 78.129.151.105 access-list policy-nat
static (outside,outside) 78.129.151.106 access-list policy-nat-two
I assume your active group-policy is "CLIENTGROUP", if not please advise.
thanks
Rizwan Rafeek
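The fix proposed in the reply above relies on the order in which this ASA handles an outbound packet: policy NAT rewrites the source address first, and only the translated address is then compared with the crypto map's match ACL (MATCHJLS, which permits 78.129.151.0/25 to the hosts in DM_INLINE_NETWORK_1). The following is an added model of that ordering written for this thread; it is not the poster's configuration, Cisco code, or packet-tracer itself. Addresses and ACL contents come from the thread; the assumption is that NAT precedes the crypto ACL check, so a 10.1.1.x source can only be selected for the tunnel once it has been translated to 78.129.151.105 (or 78.129.151.106 for the 10.255.255.0/24 client pool).

```python
"""Model of policy NAT followed by crypto-map ACL selection on the ASA in this thread.

Added illustration only (not the poster's config or Cisco code). It assumes
the outbound order: policy NAT first, then the crypto map match ACL is
evaluated against the translated source address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# object-group DM_INLINE_NETWORK_1 from the thread: the remote hosts behind the peer.
DM_INLINE_NETWORK_1 = tuple(Net(f"172.19.60.{h}/32") for h in (52, 53, 68, 69, 84, 85, 86))


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry; dsts is a tuple of networks (object-group)."""
    src: Net
    dsts: Tuple[Net, ...]

    def matches(self, src: Addr, dst: Addr) -> bool:
        return src in self.src and any(dst in d for d in self.dsts)


# crypto map VPNPEER 1 match address MATCHJLS (78.129.151.0 255.255.255.128 -> remote hosts)
MATCHJLS: List[Ace] = [Ace(Net("78.129.151.0/25"), DM_INLINE_NETWORK_1)]

# Static policy NAT from the reply, modelled as (match ACL, translated source):
#   static (inside,outside)  78.129.151.105 access-list policy-nat
#   static (outside,outside) 78.129.151.106 access-list policy-nat-two
POLICY_NAT: List[Tuple[Ace, Addr]] = [
    (Ace(Net("10.1.1.0/24"), DM_INLINE_NETWORK_1), Addr("78.129.151.105")),
    (Ace(Net("10.255.255.0/24"), DM_INLINE_NETWORK_1), Addr("78.129.151.106")),
]


def translate(src: Addr, dst: Addr, rules: List[Tuple[Ace, Addr]]) -> Addr:
    """Return the post-NAT source: first matching policy NAT rule wins, else unchanged."""
    for ace, mapped in rules:
        if ace.matches(src, dst):
            return mapped
    return src


def classify_outbound(src: str, dst: str, nat_rules: List[Tuple[Ace, Addr]],
                      crypto_acl: List[Ace]) -> Tuple[str, bool]:
    """Return (translated source, selected for the IPsec tunnel?).

    The crypto ACL is evaluated against the translated address, which is why
    10.1.1.0/24 never matches MATCHJLS unless policy NAT maps it into
    78.129.151.0/25 first.
    """
    s, d = Addr(src), Addr(dst)
    xlated = translate(s, d, nat_rules)
    encrypt = any(ace.matches(xlated, d) for ace in crypto_acl)
    return str(xlated), encrypt


if __name__ == "__main__":
    # Constructed test flows based on the packet-tracer commands used in the thread.
    for flow in (("10.1.1.10", "172.19.60.52"), ("10.255.255.10", "172.19.60.52")):
        print(flow, "without policy NAT:", classify_outbound(*flow, [], MATCHJLS))
        print(flow, "with policy NAT:   ", classify_outbound(*flow, POLICY_NAT, MATCHJLS))
```

Running it shows the two outcomes side by side: without a policy NAT rule the source stays 10.1.1.10 and falls outside MATCHJLS, so the packet is never handed to the crypto map; with the static policy NAT in place the same flow leaves as 78.129.151.105 and is selected for VPNPEER 1. A destination not in DM_INLINE_NETWORK_1 is left untouched by the policy NAT ACLs and likewise never matches the crypto ACL.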