01-26-2017 08:03 AM - edited 02-21-2020 09:08 PM
I've been chasing this around for a week. The last firewall I configured was a PIX a hundred years ago and needless to
: Saved
:
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
!
ASA Version 9.1(6)
!
hostname owgasa
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool OfficeVPN 10.10.4.200-10.10.4.225 mask 255.255.252.0
!
interface Ethernet0/0
description CC Internet
speed 100
duplex full
nameif CC_Internet
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description BKP network
speed 100
duplex full
nameif BKP
security-level 100
ip address 192.168.1.4 255.255.255.0
!
interface Ethernet0/2
description Office network
nameif Office
security-level 100
ip address 10.10.3.254 255.255.252.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
!
boot system disk0:/asa916-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup CC_Internet
dns server-group DefaultDNS
name-server 8.8.4.4
name-server 8.8.8.8
domain-name xxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Office_Network
subnet 10.10.0.0 255.255.252.0
object network BKP_Network
subnet 192.168.1.0 255.255.255.0
object network MobiServ-Inside
host 10.10.2.9
object network Public_IP_Address_xxx
host x.x.x.x
description Used as termination point for inbound access from outside
object network obj-10.10.2.35
host 10.10.2.35
object network obj-10.10.2.112
host 10.10.2.112
object network obj-10.10.2.102
host 10.10.2.102
object network obj-10.10.2.11
host 10.10.2.11
object network obj-10.10.2.195
host 10.10.2.195
object network obj-10.10.2.245
host 10.10.2.245
object network obj-10.10.2.176
host 10.10.2.176
object network obj-10.10.0.199
host 10.10.0.199
object network obj-10.10.2.104
host 10.10.2.104
object network obj-10.10.0.3
host 10.10.0.3
object network obj-10.10.2.144
host 10.10.2.144
object network obj-10.10.2.204
host 10.10.2.204
object network obj-10.10.2.23
host 10.10.2.23
object network obj-10.10.2.212
host 10.10.2.212
object network obj-10.10.2.114
host 10.10.2.114
object network obj-10.10.2.9
host 10.10.2.9
object service MobiServ_ports
service tcp source range 10610 10620
object network NCR_Remote_Net
subnet 192.168.185.0 255.255.255.0
object service Mobiserv_https
service tcp source eq https
object network obj-10.10.3.0
subnet 10.10.3.0 255.255.255.0
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_24
subnet 172.16.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.0.0_24
subnet 10.10.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.0.0_22
subnet 10.10.0.0 255.255.252.0
object network NETWORK_OBJ_10.10.1.240_28
subnet 10.10.1.240 255.255.255.240
object network NETWORK_OBJ_10.10.1.240_29
subnet 10.10.1.240 255.255.255.248
object network NETWORK_OBJ_10.10.1.224_27
subnet 10.10.1.224 255.255.255.224
object network obj-AnyConnectPool
range 10.10.4.200 10.10.4.225
description Nat statement for AnyConnect Split-Tunnel
object-group service IBM_iAccess tcp
description Ports to allow iAccess software communications
port-object eq 2001
port-object eq 2010
port-object eq 3000
port-object eq 397
port-object range 445 447
port-object eq 448
port-object eq 449
port-object eq 5010
port-object eq 5544
port-object eq 5555
port-object eq 5566
port-object eq 5577
port-object range 8470 8476
port-object eq 8480
port-object eq 942
port-object range 9470 9476
port-object eq 9480
port-object eq 992
port-object eq exec
port-object eq netbios-ssn
port-object eq telnet
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SecCam tcp
description Security Cameras for Corp Stores
port-object eq 6800
port-object eq 7100
port-object eq 6801
object-group service RDP tcp
description Remote Desktop Protocol
port-object range 3380 3389
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object tcp destination eq imap4
service-object icmp
service-object tcp destination range 8288 8289
service-object tcp destination range 9901 9903
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq domain
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object icmp
service-object tcp destination eq 465
service-object tcp destination eq 587
service-object tcp destination eq 993
service-object tcp destination eq 6800
service-object tcp destination eq 7100
service-object tcp destination eq 6801
service-object tcp destination eq 9901
service-object tcp destination eq 36617
service-object tcp destination eq 47460
service-object tcp destination eq 8100
service-object tcp destination eq 2083
service-object tcp destination eq telnet
object-group network DM_INLINE_NETWORK_1
network-object object Office_Network
network-object object BKP_Network
object-group service DM_INLINE_UDP_1 udp
port-object eq 443
port-object eq www
object-group service DM_INLINE_UDP_2 udp
port-object eq 443
port-object eq www
object-group service DM_INLINE_UDP_3 udp
port-object eq 443
port-object eq www
object-group service BKPPAY tcp
port-object range 8288 8289
port-object range 9901 9903
object-group service SSL tcp
description SSL Ports
port-object eq 465
port-object eq 587
port-object eq 993
object-group network NCR_Network
network-object 172.16.0.0 255.255.255.0
object-group service CPS tcp
port-object eq 36617
port-object eq 47460
object-group service IDT tcp
port-object eq 8100
object-group service GoDaddy tcp
description Management port
port-object eq 2083
object-group service PrintNetEnt tcp-udp
description Ports for PrintNet Enterprise
port-object eq 1030
port-object eq 135
port-object eq 389
port-object eq domain
access-list inside_access_in remark Limits access from BKP Network to Office network except for protocols in preceeding rule
access-list inside_access_in extended deny ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.252.0
access-list inside_access_in remark Default allowed protocols from BKP network to Internet
access-list inside_access_in remark Default allowed protocols from inside network to Internet
access-list inside_access_in remark Enables use of Google QUIC protocol
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_UDP_3
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.1.0 255.255.255.0 any
access-list inside_access_in remark Deny any other traffic
access-list inside_access_in extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in remark Deny any other traffic
access-list inside2_access_in remark No access from Office Network to BKP
access-list inside2_access_in extended deny ip 10.10.0.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list inside2_access_in remark Default allowed protocols from Office network to Internet
access-list inside2_access_in remark Default allowed protocols from BKP network to Internet
access-list inside2_access_in extended permit object-group DM_INLINE_SERVICE_2 10.10.0.0 255.255.252.0 any log disable
access-list inside2_access_in remark Enable use of Google QUIC protocol
access-list inside2_access_in extended permit udp 10.10.0.0 255.255.252.0 any object-group DM_INLINE_UDP_2
access-list inside2_access_in extended permit udp 10.10.0.0 255.255.252.0 any eq ntp
access-list inside2_access_in extended permit tcp 10.10.0.0 255.255.252.0 any object-group IBM_iAccess
access-list inside2_access_in remark Deny all other traffic
access-list inside2_access_in extended deny ip 10.10.0.0 255.255.252.0 any
access-list inside2_access_in remark Default allowed protocols from BKP network to Internet
access-list inside2_access_in remark Deny all other traffic
access-list CC_Internet_access_in remark Enables inbound Google QUIC protocol
access-list CC_Internet_access_in extended permit udp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_UDP_1
access-list CC_Internet_access_in remark MobiServ access
access-list CC_Internet_access_in extended permit tcp any object MobiServ-Inside eq https
access-list CC_Internet_access_in remark MobiServ access
access-list CC_Internet_access_in extended permit tcp any object MobiServ-Inside range 10610 10620
access-list CC_Internet_access_in remark MobiServ access
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.114 eq 21591
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.212 eq 21590
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.23 eq 21589
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.204 eq 21588
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.144 eq 21587
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.0.3 eq 23389
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.104 eq 19182
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.0.199 eq 18172
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.176 eq 3384
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.245 eq 3378
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.195 eq 3379
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.11 eq 3380
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.102 eq 3385
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.112 eq 3388
access-list CC_Internet_access_in remark Remote desktop access
access-list CC_Internet_access_in extended permit tcp any object obj-10.10.2.35 eq 1587
access-list CC_Internet_access_in extended permit tcp any object obj-AnyConnectPool object-group IBM_iAccess inactive
access-list CC_Internet_access_in remark Denys all inbound connections from the Internet
access-list CC_Internet_access_in extended deny ip any any
access-list CC_Internet_cryptomap extended permit ip object Office_Network 172.16.0.0 255.255.255.0
access-list NCRVPN extended permit ip 10.10.0.0 255.255.252.0 172.16.0.0 255.255.255.0
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list split-tunnel remark Local Office Network
access-list split-tunnel standard permit 10.10.0.0 255.255.252.0
pager lines 50
logging enable
logging asdm informational
logging from-address xxx@xxxxx.com
logging recipient-address xxx@xxxxx.com level alerts
logging host Office 10.10.0.199 17/1514
logging class auth trap informational
mtu CC_Internet 1500
mtu BKP 1500
mtu Office 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (BKP,CC_Internet) source dynamic BKP_Network interface description Dynamic NAT (PAT) for general outside access
nat (Office,CC_Internet) source static Office_Network Office_Network destination static obj-AnyConnectPool obj-AnyConnectPool
nat (Office,CC_Internet) source static MobiServ-Inside Public_IP_Address_xxx service MobiServ_ports MobiServ_ports description PAT settings for Mobiserv ports
nat (Office,CC_Internet) source static obj-AnyConnectPool interface inactive description PAT settings for AnyConnect
nat (Office,CC_Internet) source static MobiServ-Inside Public_IP_Address_188 service Mobiserv_https Mobiserv_https description PAT settings for Mobiserv ports
nat (Office,CC_Internet) source static Office_Network Office_Network destination static NETWORK_OBJ_172.16.0.0_24 NETWORK_OBJ_172.16.0.0_24 no-proxy-arp route-lookup
nat (Office,CC_Internet) source dynamic any interface description Dynamic NAT (PAT) for general outside access
nat (Office,CC_Internet) source static NETWORK_OBJ_10.10.0.0_22 NETWORK_OBJ_10.10.0.0_22 destination static NETWORK_OBJ_10.10.1.240_28 NETWORK_OBJ_10.10.1.240_28 no-proxy-arp route-lookup inactive
nat (Office,CC_Internet) source static Office_Network Office_Network destination static NETWORK_OBJ_10.10.1.240_28 NETWORK_OBJ_10.10.1.240_28 no-proxy-arp route-lookup inactive
nat (Office,CC_Internet) source static Office_Network Office_Network destination static NETWORK_OBJ_10.10.1.240_29 NETWORK_OBJ_10.10.1.240_29 no-proxy-arp route-lookup inactive
nat (Office,CC_Internet) source static NETWORK_OBJ_10.10.0.0_22 NETWORK_OBJ_10.10.0.0_22 destination static NETWORK_OBJ_10.10.1.224_27 NETWORK_OBJ_10.10.1.224_27 no-proxy-arp route-lookup inactive
!
object network obj-10.10.2.35
nat (Office,CC_Internet) static x.x.x.x service tcp 1587 1587
object network obj-10.10.2.112
nat (Office,CC_Internet) static x.x.x.x service tcp 3388 3388
object network obj-10.10.2.102
nat (Office,CC_Internet) static x.x.x.x service tcp 3385 3385
object network obj-10.10.2.11
nat (Office,CC_Internet) static x.x.x.x service tcp 3380 3380
object network obj-10.10.2.195
nat (Office,CC_Internet) static x.x.x.x service tcp 3379 3379
object network obj-10.10.2.245
nat (Office,CC_Internet) static x.x.x.x service tcp 3378 3378
object network obj-10.10.2.176
nat (Office,CC_Internet) static x.x.x.x service tcp 3384 3384
object network obj-10.10.0.199
nat (Office,CC_Internet) static x.x.x.x service tcp 18172 18172
object network obj-10.10.2.104
nat (Office,CC_Internet) static x.x.x.x service tcp 19182 19182
object network obj-10.10.0.3
nat (Office,CC_Internet) static x.x.x.x service tcp 23389 23389
object network obj-10.10.2.144
nat (Office,CC_Internet) static x.x.x.x service tcp 21587 21587
object network obj-10.10.2.204
nat (Office,CC_Internet) static x.x.x.x service tcp 21588 21588
object network obj-10.10.2.23
nat (Office,CC_Internet) static x.x.x.x service tcp 21589 21589
object network obj-10.10.2.212
nat (Office,CC_Internet) static x.x.x.x service tcp 21590 21590
object network obj-10.10.2.114
nat (Office,CC_Internet) static x.x.x.x service tcp 21591 21591
object network obj-10.10.2.9
nat (Office,CC_Internet) static x.x.x.x service tcp 10620 10620
access-group CC_Internet_access_in in interface CC_Internet
access-group inside_access_in in interface BKP
access-group inside2_access_in in interface Office
route CC_Internet 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 8
http server enable
http 10.10.0.0 255.255.252.0 Office
http 172.16.1.0 255.255.255.0 management
http 10.10.4.0 255.255.252.0 Office
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map CC_Internet_map 1 match address CC_Internet_cryptomap
crypto map CC_Internet_map 1 set peer x.x.x.x
crypto map CC_Internet_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map CC_Internet_map interface CC_Internet
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable CC_Internet
crypto ikev1 enable CC_Internet
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.252.0 Office
telnet 172.16.0.0 255.255.255.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh x.x.x.x 255.255.255.0 CC_Internet
ssh x.x.x.x 255.255.255.255 CC_Internet
ssh 10.10.0.0 255.255.252.0 Office
ssh 0.0.0.0 0.0.0.0 Office
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Office
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 131.107.13.100 source CC_Internet
webvpn
enable CC_Internet
anyconnect image disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.4.4 8.8.8.8
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
default-domain value xxx.xxx.com
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 8.8.4.4 10.10.2.7
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value xxx.xxxxxx.com
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username xxxxxxxxxx password xxxxxxxxxxxxxxxx encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool OfficeVPN
default-group-policy GroupPolicy_AnyConnect
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key xxxxxxx
ikev2 remote-authentication pre-shared-key xxxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool OfficeVPN
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxx
: end
01-28-2017 05:40 AM
I'm not seeing the below command in your config:
# sysopt connection permit-vpn
When you add this command, your outside VPN network will have the same security level as 100. This will work.
Otherwise, you have to add the ACL entry on the VPN-configured interface to allow "any to your office network".
Check.
Thanks,
Mani
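Added here as an illustration of the point in the answer above; this is not code from the thread or from Cisco. It is a small Python audit that reads a running-config, finds the ACL bound to the interface where the crypto map and WebVPN are enabled, and reports whether traffic from the AnyConnect pool to the split-tunnel network would be dropped by that ACL (which is what the closing deny ip any any in CC_Internet_access_in does when sysopt connection permit-vpn is absent) or would bypass the ACL because the sysopt is present. The config excerpt is a constructed subset of the one posted, the function and key names are my own, and network object-groups are deliberately not expanded.

```python
import ipaddress

# Constructed excerpt modelled on the thread's running-config; only the lines the
# audit needs are reproduced, and the public x.x.x.x addresses are left out.
SAMPLE_CONFIG = """\
ip local pool OfficeVPN 10.10.4.200-10.10.4.225 mask 255.255.252.0
object network Office_Network
 subnet 10.10.0.0 255.255.252.0
object network MobiServ-Inside
 host 10.10.2.9
access-list CC_Internet_access_in extended permit tcp any object MobiServ-Inside eq https
access-list CC_Internet_access_in extended deny ip any any
access-list split-tunnel standard permit 10.10.0.0 255.255.252.0
access-group CC_Internet_access_in in interface CC_Internet
crypto map CC_Internet_map interface CC_Internet
webvpn
 enable CC_Internet
"""

ANY = [ipaddress.ip_network("0.0.0.0/0")]


def _nets(addr, mask):
    return [ipaddress.ip_network(f"{addr}/{mask}")]


def _range(lo, hi):
    return list(ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi)))


def _parse_objects(lines):
    """Resolve 'object network' blocks (subnet/host/range) to lists of networks."""
    objects, current = {}, None
    for ln in lines:
        t = ln.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            current = t[2]
            objects.setdefault(current, [])
        elif current and t[0] == "subnet":
            objects[current] += _nets(t[1], t[2])
        elif current and t[0] == "host":
            objects[current] += _nets(t[1], "32")
        elif current and t[0] == "range":
            objects[current] += _range(t[1], t[2])
        elif t[0] in ("object", "object-group", "access-list", "nat", "interface"):
            current = None  # left the object block
    return objects


def _parse_addr(t, i, objects):
    """Return (networks, next index); networks is None for an unexpanded group."""
    if t[i] in ("any", "any4"):
        return ANY, i + 1
    if t[i] == "host":
        return _nets(t[i + 1], "32"), i + 2
    if t[i] == "object":
        return objects.get(t[i + 1]), i + 2
    if t[i] == "object-group":
        return None, i + 2  # network object-groups are not expanded in this example
    return _nets(t[i], t[i + 1]), i + 2


def _parse_acl(lines, name, objects):
    """Yield (action, protocol, src_nets, dst_nets, line) for each extended ACE."""
    for ln in lines:
        t = ln.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        action, i = t[3], 4
        if t[i] == "object-group":  # service group sitting in the protocol position
            proto, i = "group:" + t[i + 1], i + 2
        else:
            proto, i = t[i], i + 1
        src, i = _parse_addr(t, i, objects)
        dst, i = _parse_addr(t, i, objects)
        yield action, proto, src, dst, ln.strip()


def _covers(outer, inner):
    """True when every network in `inner` lies inside some network in `outer`."""
    return bool(outer) and bool(inner) and all(any(n.subnet_of(o) for o in outer) for n in inner)


def audit_vpn_ingress(config_text):
    """Decide whether traffic from the AnyConnect pool to the split-tunnel network
    passes the ACL on the VPN-terminating interface, or bypasses it via sysopt."""
    lines = config_text.splitlines()
    objects = _parse_objects(lines)
    pool = pool_subnet = target = None
    bound, vpn_if = {}, set()
    for ln in lines:
        t = ln.split()
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pool = _range(lo, hi)
            pool_subnet = ipaddress.ip_network(f"{lo}/{t[6]}", strict=False)
        elif t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"]:
            target = _nets(t[4], t[5])  # split-tunnel network = what clients must reach
        elif t[:1] == ["access-group"] and "interface" in t:
            bound[t[t.index("interface") + 1]] = t[1]
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            vpn_if.add(t[4])
        elif len(t) == 2 and t[0] == "enable":  # 'enable <if>' under webvpn
            vpn_if.add(t[1])
    iface = sorted(vpn_if)[0] if vpn_if else None
    acl = bound.get(iface)
    report = {
        "sysopt_permit_vpn": any(ln.strip() == "sysopt connection permit-vpn" for ln in lines),
        "vpn_interface": iface, "acl": acl, "verdict": None, "decided_by": None, "partial": [],
        # Tighter remediation than "any": an ACE scoped to the pool's containing subnet.
        "suggested_ace": (f"access-list {acl} extended permit ip {pool_subnet.network_address} "
                          f"{pool_subnet.netmask} {target[0].network_address} {target[0].netmask}"
                          if acl and pool_subnet and target else None),
    }
    if report["sysopt_permit_vpn"]:
        report["verdict"], report["decided_by"] = "permit", "sysopt connection permit-vpn"
        return report
    if not acl:
        report["verdict"], report["decided_by"] = "deny", "no ACL bound; security levels decide"
        return report
    for action, proto, src, dst, text in _parse_acl(lines, acl, objects):
        if not (_covers(src, pool) and _covers(dst, target)):
            continue
        if proto == "ip":  # covers all traffic between the two, so this ACE decides
            report["verdict"], report["decided_by"] = action, text
            return report
        if action == "permit":
            report["partial"].append(text)  # only some ports/protocols get through
    report["verdict"], report["decided_by"] = "deny", "implicit deny at end of ACL"
    return report


if __name__ == "__main__":
    print(audit_vpn_ingress(SAMPLE_CONFIG))
```

Run against the excerpt, the audit reports the verdict "deny", decided by the explicit deny ip any any, and proposes an ACE limited to the pool's /22 rather than any; adding that ACE ahead of the deny, or adding sysopt connection permit-vpn, flips the verdict to "permit". ACEs whose source or destination is an unexpanded object-group are skipped, so a real audit should expand those before trusting a "deny" result.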