ASA IPSec VPN client fails to connect to the DMZ

Stevan44
Level 1

Hello,

I have a IPSec VPN setup on my ASA which allows the client to reach the inside. I've added a DMZ and I would like to allow VPN access to it as well. I have made the configurations to allow access but it's not working. Can some please let me know when I have screwed up at? Thank you in advance!

 

 

32 Replies

Hi MHM,

Sorry for the delay.

I'm using the Cisco IPSec client, which is terminated on an ASA. From what I can see, this is the issue:

I have one ASA that is configured for the IPSec VPN Cisco client. The VPN allows access to the inside network, but trying to get it to my DMZ is a problem. My VPN address pool is defined as 124.140.1.x/24. My DMZ1 is defined as 192.168.44.x/24. After connecting to my VPN client, I can ping anything on the inside network, but I get the following when trying to ping a DMZ device:

(screenshot: Stevan44_1-1706721717442.png)

Anti-spoofing is on and I would like to keep it that way. It seems that traffic is going one way and leaving another. The ASA does not support that kind of asymmetrical traffic.

My NAT rule is (dmz1) to (outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For VPN to access DMZ1 translate_hits = 16, untranslate_hits = 16

I believe that this is right. Access to my Inside is working; I can talk to 124.140.1. 124.140.1 can't talk to DMZ1. Packet tracer may not run correctly because the traffic is VPN-encrypted.

How do I get the traffic to the right interface?

Here is the configuration:

ip local pool IPSEC-VPN-Pool 124.140.1.1-124.140.1.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
description Outside
speed 1000
duplex full
mac-address 0019.0724.64f7
nameif outside
security-level 0
ddns update DYNU
dhcp client update dns
ip address dhcp setroute
!
interface GigabitEthernet1/0
description Inside
speed 1000
duplex full
nameif inside
security-level 100
ip address Firewall 255.255.255.0
!
interface GigabitEthernet1/1.100
description DMZ1 for Duke Network
vlan 100
nameif dmz1
security-level 50
ip address 192.168.44.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DukeLAN
subnet 144.244.244.0 255.255.255.0
description Inside Network
object-group network DM_INLINE_NETWORK_1
network-object object DukeLAN
network-object object DMZ1-Network
object-group service DM_INLINE_SERVICE_4
service-object icmp timestamp-reply
service-object icmp unreachable
service-object tcp destination eq ssh
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
network-object object DMZ1-Network
network-object object DukeLAN
access-list 102 extended permit ip object DukeLAN object Obj-Remote-IPSEC-VPN
access-list limit-torrent extended permit ip any4 object DellMedia_Upstairs
access-list Split_Tunnel remark Duke Network
access-list Split_Tunnel standard permit 144.244.244.0 255.255.255.0
access-list Split_Tunnel remark VPN
access-list Split_Tunnel standard permit 124.140.1.0 255.255.255.0
access-list Split_Tunnel remark Duke DMZ
access-list Split_Tunnel standard permit 192.168.44.0 255.255.255.0
access-list 101 extended permit ip object DukeLAN object Obj-Remote-IPSEC-VPN
access-list Dmz1_Access_In remark DMZ can get access to Internet
access-list Dmz1_Access_In remark Anything in DMZ can get access to Internet
access-list Dmz1_Access_In remark Block DMZ to any where
access-list Dmz1_Access_In extended deny ip any any
access-list outside_cryptomap_1.1_1 extended deny object-group VPN_Ports interface inside interface outside
access-list outside_cryptomap_1.1_2 extended permit ip object Obj-Remote-IPSEC-VPN object-group DM_INLINE_NETWORK_2
access-list outside_cryptomap_65535.65535_1 extended permit ip object DukeLAN any inactive
access-list outside_cryptomap_65535.65535_2 extended deny ip object DukeLAN any inactive
access-list outside_cryptomap_65535.65535 extended permit object-group DM_INLINE_PROTOCOL_1 object DukeLAN any object-group TCP-UDP2049
access-list inside_cryptomap_65535.65535 extended permit ip object DukeLAN object Obj-Remote-IPSEC-VPN
access-list dmz1_cryptomap_65535.65535 extended permit ip object DMZ1-Network object Obj-Remote-IPSEC-VPN
access-list inside_cryptomap_65535.65535_1 extended permit ip object DukeLAN object Obj-Remote-IPSEC-VPN
access-list outside_cryptomap_10.10 extended permit ip object Obj-Remote-IPSEC-VPN object-group DM_INLINE_NETWORK_1
access-list IPSecVPN_Policy remark Allow VPN users Internet and ICMP
access-list IPSecVPN_Policy extended permit object-group DM_INLINE_SERVICE_3 object Obj-Remote-IPSEC-VPN any
no pager
nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For VPN to access DMZ1
nat (dmz1,outside) source static MarksPlex interface service 32400_in 32400_out description For Outside Access to Plex
nat (inside,dmz1) source static DMZ1-Network interface service 37777 37777 description To allow traffic to flow from a lower security level (DMZ). So it can reach DukeDVR in a higher security (Inside)
nat (outside,inside) source static any any destination static DukeDVR DukeDVR service 37777 37777 description For Outside access to DVR
nat (inside,outside) source dynamic DukeLAN interface description Allow Inside Access to the Outside
nat (inside,outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup description For Inside VPN Split tunnel
!
object network DukeLAN
nat (inside,outside) dynamic interface dns
object network obj_any
nat (inside,outside) dynamic interface
!
nat (dmz1,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Dmz1_Access_In in interface dmz1
group-policy "No Access" attributes
vpn-simultaneous-logins 0
vpn-filter value inside_access_in
vpn-tunnel-protocol ikev1
address-pools value IPSEC-VPN-Pool
group-policy DfltGrpPolicy attributes
dns-server value 4.2.2.2 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2 ssl-client
ipsec-udp enable
split-tunnel-policy excludespecified
split-tunnel-network-list value Split_Tunnel
default-domain value Duke.com
address-pools value IPSEC-VPN-Pool
webvpn
anyconnect dpd-interval client none
anyconnect dpd-interval gateway none
hidden-shares visible
group-policy IPSEC-Remote-VPN internal
group-policy IPSEC-Remote-VPN attributes
banner value Welcome to Duke Network. For offical use only!
dns-server value 4.2.2.2 8.8.8.8
vpn-simultaneous-logins 2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-SPLIT-TUNNEL
default-domain value Duke.com
client-access-rule none

ip local pool IPSEC-VPN-Pool 124.140.1.1-124.140.1.254 mask 255.255.255.0
!
interface GigabitEthernet1/0
description Inside
speed 1000
duplex full
nameif inside
security-level 100
ip address Firewall 255.255.255.0
!
interface GigabitEthernet1/1.100
description DMZ1 for Duke Network
vlan 100
nameif dmz1
security-level 50
ip address 192.168.44.1 255.255.255.0
!
access-list Split_Tunnel remark Duke Network
access-list Split_Tunnel standard permit 144.244.244.0 255.255.255.0 <<- if this is the Inside subnet then it is correct
access-list Split_Tunnel remark VPN
access-list Split_Tunnel standard permit 124.140.1.0 255.255.255.0 <<- this is the client subnet; no need to add it to the split tunnel
access-list Split_Tunnel remark Duke DMZ
access-list Split_Tunnel standard permit 192.168.44.0 255.255.255.0 <<- this is the DMZ subnet, so it is correct

nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For VPN to access DMZ1 <<- NO-NAT for DMZ subnet
nat (inside,outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup description For Inside VPN Split tunnel <<- NO-NAT for INside Subnet 

split-tunnel-network-list value Split_Tunnel 


NOW
I see many crypto ACLs like
access-list outside_cryptomap_1.1_2 extended permit ip object Obj-Remote-IPSEC-VPN object-group DM_INLINE_NETWORK_2
I don't know what you use them for; you made it clear that you use IPSec RA, not site-to-site, so there is no need for these crypto ACLs.
Also, there is no tunnel-group?

This example will help you with more info:
https://www.petenetlive.com/KB/Article/0000070

Check above 
thanks 
MHM

 

"access-list Dmz1_Access_In remark Block DMZ to any where
access-list Dmz1_Access_In extended deny ip any any" <- this is also not clear: why apply an ACL with deny any any?

MHM

I used https://www.petenetlive.com/KB/Article/0000070 a long time ago when creating the IPSec VPN. But it does not cover adding another network, such as the DMZ, so that the VPN client can get to it. As for access-list Dmz1_Access_In extended deny ip any any, I added that to block DMZ traffic to anywhere. I can see that this may be an issue; I will disable it. Thanks for the help and for pointing it out!

access-list Split_Tunnel remark Duke Network
access-list Split_Tunnel standard permit 144.244.244.0 255.255.255.0 <<- if this is the Inside subnet then it is correct (This is correct, please see the config that I sent)
access-list Split_Tunnel remark VPN
access-list Split_Tunnel standard permit 124.140.1.0 255.255.255.0 <<- this is the client subnet; no need to add it to the split tunnel (Removed access-list Split_Tunnel standard permit 124.140.1.0 255.255.255.0)
access-list Split_Tunnel remark Duke DMZ
access-list Split_Tunnel standard permit 192.168.44.0 255.255.255.0 <<- this is the DMZ subnet, so it is correct

nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For VPN to access DMZ1 <<- NO-NAT for DMZ subnet (This is correct.)
nat (inside,outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup description For Inside VPN Split tunnel <<- NO-NAT for Inside subnet (This is correct.)

split-tunnel-network-list value Split_Tunnel (I don't know what this means??)

I see many crypto ACLs like
access-list outside_cryptomap_1.1_2 extended permit ip object Obj-Remote-IPSEC-VPN object-group DM_INLINE_NETWORK_2
I don't know what you use them for; you made it clear that you use IPSec RA, not site-to-site, so there is no need for these crypto ACLs. Also, there is no tunnel-group?

To allow VPN to talk with Inside and DMZ.

object-group network DM_INLINE_NETWORK_2
network-object object DMZ1-Network
network-object object DukeLAN

I've made the changes that you have suggested, but no joy.

 packet-tracer input outside icmp 124.140.1.1 0 0 192.168.44.4 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x279122c0, priority=1, domain=permit, deny=false
hits=333861103, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.44.0 255.255.255.0 dmz1

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For VPN to access DMZ1
Additional Information:
NAT divert to egress interface dmz1
Untranslate 192.168.44.4/0 to 192.168.44.4/0

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 124.140.1.1 255.255.255.255 outside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object Obj-Remote-IPSEC-VPN 192.168.44.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x278ceab8, priority=13, domain=permit, deny=false
hits=6, user_data=0x2175f500, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=124.140.1.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.44.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
description Netflow_export_class
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x27154898, priority=7, domain=conn-set, deny=false
hits=37277, user_data=0x2800ca98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For VPN to access DMZ1
Additional Information:
Static translate 124.140.1.1/0 to 124.140.1.1/0
Forward Flow based lookup yields rule:
in id=0x27837e90, priority=6, domain=nat, deny=false
hits=73, user_data=0x261bb478, cs_id=0x0, flags=0x0, protocol=0
src ip/id=124.140.1.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.44.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=dmz1

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x24efb688, priority=0, domain=nat-per-session, deny=true
hits=1284149, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2790f158, priority=0, domain=inspect-ip-options, deny=true
hits=1470505, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 10
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x277f12e8, priority=79, domain=punt, deny=true
hits=7, user_data=0x24d93d60, cs_id=0x0, flags=0x0, protocol=0
src ip/id=124.140.1.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 11
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description Netflow_export_class
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x27130928, priority=70, domain=inspect-icmp, deny=false
hits=17530, user_data=0x263086d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x27702370, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=7, user_data=0x1d324, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=124.140.1.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
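Added example (not from the thread, and not Cisco's tooling): a small Python parser for the packet-tracer output above that reports which phase dropped the packet, the stated drop reason, and which NAT rules the forward flow matched. The SAMPLE input is a constructed, abridged copy of that trace.

```python
"""Parse ASA 'packet-tracer ... detailed' output (added example, not from the thread).
SAMPLE is a constructed, abridged copy of the trace posted above."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
Phase: 7
Type: NAT
Result: ALLOW
Config:
nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup
Additional Information:
Static translate 124.140.1.1/0 to 124.140.1.1/0
input_ifc=outside, output_ifc=dmz1

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
input_ifc=outside, output_ifc=any

Result:
output-interface: dmz1
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split the trace into Phase records plus the trailing 'Result:' summary."""
    phases, summary, cur, section = [], {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Phase":                  # "Phase: N" opens a new phase
            cur = Phase(int(val))
            phases.append(cur)
            section = None
        elif line == "Result:":             # bare "Result:" opens the summary block
            cur, section = None, "summary"
        elif section == "summary":
            summary[key] = val              # e.g. Drop-reason, output-interface
        elif cur is None:
            continue                        # text before the first phase
        elif key in ("Type", "Subtype", "Result"):
            setattr(cur, key.lower(), val)
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            getattr(cur, section).append(line)
    return phases, summary

def find_drop(text: str) -> Tuple[Optional[Phase], str]:
    # First phase whose Result is DROP, plus the summary's Drop-reason (if any).
    phases, summary = parse_packet_tracer(text)
    dropped = next((p for p in phases if p.result == "DROP"), None)
    return dropped, summary.get("Drop-reason", "")

def nat_rules_hit(text: str) -> List[str]:
    # NAT rules the forward flow matched; compare with the reverse direction when
    # the ASA logs "Asymmetric NAT rules matched" (syslog 305013).
    phases, _ = parse_packet_tracer(text)
    return [c for p in phases if p.type in ("NAT", "UN-NAT")
            for c in p.config if c.startswith("nat ")]
```

Run it against a full trace captured from the ASA to get the dropping phase and the NAT rule list in one place instead of scrolling through every phase.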

packet-tracer input outside icmp 124.140.1.1 8 0 192.168.44.4 detailed <<- the IP you use in packet-tracer must not be in use by any active client, so select another IP and share the output of packet-tracer
Sorry for the late reply, but I am busy.
Waiting for your reply.
thanks
MHM

I will test this out after I finish testing some changes that I made. I don't think that packet tracer will work with another VPN IP. I connected to the VPN and tried to ping a DMZ device; it failed.

First, use icmp code 8 0, not 0 0.

Second, run packet tracer twice to bring the tunnels up.

MHM

Stevan44
Level 1

Now I'm getting:

(screenshot: nat error.png)

Stevan44
Level 1

Thanks, I've made some changes and it looks like it's getting better. It's dropping due to an ACL, but I can't figure it out. Time to step away.

(screenshot: Screenshot .png)

Does anyone know the best way to resolve this issue:

5 Jan 27 2024 12:28:54 305013 124.140.1.1 192.168.44.2 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:124.140.1.1 dst dmz1:192.168.44.2 (type 8, code 0) denied due to NAT reverse path failure

I have one ASA that is configured for the IPSec VPN Cisco client. The VPN allows access to the inside network, but trying to get it to my DMZ is a problem. My VPN address pool is defined as 124.140.1.x/24. My DMZ1 is defined as 192.168.44.x/24. After connecting to my VPN client, I can ping anything on the inside network, but I get the following when trying to ping a DMZ device:

(screenshot: 1.png)

I do have anti-spoofing on and I would like to keep it that way. It seems that traffic is going one way and leaving another. The ASA does not support that kind of asymmetrical traffic.

My NAT rule is (dmz1) to (outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For VPN to access DMZ1 translate_hits = 16, untranslate_hits = 16

I believe that this is right. Can someone please tell me how to configure the ASA so that I can access my Inside (working) and DMZ1.

Steve

 

Here's the config (identical to the configuration posted above).