I need to give VPN clients access to the s2s VPN via this ASA on group MTLONVPN.

Any help appreciated. Thanks


ASA Version 8.2(5)
hostname MTLDRASA01
enable password yWL0OyyyF2vJCKw6 encrypted
passwd EMM5CEA7494udygX encrypted
name MATLONPub1
name MATLONPub2
name MASIN
name MAHKG
name MTDRADC01
interface Ethernet0/0
 description *** Outside Interface ***
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 description *** VMNic2 Production Replica Network ***
 switchport access vlan 39
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 description *** Inside VLAN ***
 nameif inside
 security-level 100
 ip address
interface Vlan2
 description *** Outside VLAN ***
 nameif outside
 security-level 0
 ip address
interface Vlan39
 description *** Production Replica Network ***
 nameif prod_rep
 security-level 100
 no ip address
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup prod_rep
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network MATSCO_HOSTS
 network-object MATLONPub1
 network-object MATLONPub2
 network-object MASIN
 network-object MAHKG
object-group service crmport tcp
 port-object eq 8443
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit icmp object-group MATSCO_HOSTS interface outside echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any parameter-problem
access-list outside_access_in extended permit tcp any host object-group crmport
access-list outside_access_in extended permit tcp any host eq https
access-list outside_access_in extended permit tcp any host eq https
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip any
access-list outside_cryptomap_dyn_20 extended permit ip any
access-list MTLDR_MTLON_S2S_VPN extended permit ip
access-list ProdRepVPN_splitTunnelAcl standard permit
access-list ProdRepVPN_splitTunnelAcl standard permit
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging console critical
logging monitor critical
logging buffered debugging
logging asdm informational
logging device-id string MTLDRASA01
mtu inside 1500
mtu outside 1500
mtu prod_rep 1500
ip local pool MTLDRVPNPool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (outside) 20
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
nat (prod_rep) 20
static (inside,outside) tcp www www netmask
static (inside,outside) tcp 8443 8443 netmask
static (inside,outside) tcp https https netmask
static (inside,outside) tcp https https netmask
static (inside,outside) tcp https MTDRADC01 https netmask
access-group outside_access_in in interface outside
route outside 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD-Auth protocol radius
aaa-server AD-Auth (inside) host MTDRADC01
 key *****
 radius-common-pw *****
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http MATLONPub1 outside
http MATLONPub2 outside
http MASIN outside
http MAHKG outside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address MTLDR_MTLON_S2S_VPN
crypto map outside_map 10 set peer
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 30
ssh inside
ssh MATLONPub1 outside
ssh MATLONPub2 outside
ssh MASIN outside
ssh MAHKG outside
ssh timeout 30
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy ProdRepVPN internal
group-policy ProdRepVPN attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ProdRepVPN_splitTunnelAcl
 default-domain none
group-policy DfltGrpPolicy attributes
 dns-server value
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol webvpn
username mimadmin password ewJkTpoWUl19fINi encrypted privilege 15
username Matsco password ims7VZCZE9SCOS4I encrypted privilege 15
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
tunnel-group ProdRepVPN type remote-access
tunnel-group ProdRepVPN general-attributes
 address-pool MTLDRVPNPool
 default-group-policy ProdRepVPN
tunnel-group ProdRepVPN ipsec-attributes
 pre-shared-key *****
tunnel-group MTLONVPN type remote-access
tunnel-group MTLONVPN general-attributes
 address-pool MTLDRVPNPool
 authentication-server-group AD-Auth LOCAL
 default-group-policy ProdRepVPN
tunnel-group MTLONVPN ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
prompt hostname context
no call-home reporting anonymous
: end
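Added example (not from the original post): the 8.2-style configuration changes that let remote-access clients in the MTLONVPN tunnel-group (which uses group-policy ProdRepVPN and pool MTLDRVPNPool) reach the far side of the MTLDR_MTLON_S2S_VPN tunnel. Client traffic enters and leaves the outside interface, so it needs the existing intra-interface permit, a crypto ACL entry, NAT exemption on the outside interface and a split-tunnel entry. The subnet values and the ACL name outside_nat0_outbound are placeholders and assumptions, since the post redacts all addresses.

```cisco
! Already present in the running config: required so traffic that arrives on
! the outside interface (from a VPN client) may leave via the same interface.
same-security-traffic permit intra-interface

! 1. Make client-pool <-> remote-LAN traffic "interesting" for the L2L tunnel.
!    Values are placeholders; use the MTLDRVPNPool range and the MTLON LAN.
access-list MTLDR_MTLON_S2S_VPN extended permit ip <VPN_POOL_NET> <VPN_POOL_MASK> <MTLON_LAN_NET> <MTLON_LAN_MASK>

! 2. NAT exemption for the hairpinned flow. The existing nat (inside) 0 rule
!    does not apply, because this traffic never touches the inside interface.
!    ACL name outside_nat0_outbound is assumed (not in the original config).
access-list outside_nat0_outbound extended permit ip <VPN_POOL_NET> <VPN_POOL_MASK> <MTLON_LAN_NET> <MTLON_LAN_MASK>
nat (outside) 0 access-list outside_nat0_outbound

! 3. Push the remote LAN into the clients' split-tunnel list. MTLONVPN's
!    default-group-policy is ProdRepVPN, so extend that policy's ACL.
access-list ProdRepVPN_splitTunnelAcl standard permit <MTLON_LAN_NET> <MTLON_LAN_MASK>

! 4. Verify after a client connects and sends traffic toward the remote LAN:
!    the L2L SA should show the pool/remote-LAN proxy identities with
!    non-zero encaps/decaps counters.
show crypto ipsec sa peer <MTLON_PEER_IP>
```

The MTLON end must mirror step 1 (its crypto ACL needs the client pool as the remote identity) and exempt the pool from NAT, otherwise phase 2 for the new proxy pair will not negotiate.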


Dan Lukes

Wrong forum. The Feedback Forum is dedicated to other topics. See description for details.

This thread will be moved to VPN

This discussion has been reposted from Cisco Small Business Support Community to the VPN community.