02-20-2013 05:56 AM
Is it possible to have different crypto maps on different interfaces? We have 2 ISPs. I am not looking to do failover just have each of our 2 branch offices connect on separate interfaces.
5510 with Sec+ E0/0 10Mb, E0/3 10Mb
Each branch has 5505 with 10Mb
currently both branches have working tunnels to e0/3 on the 5510
Anyone have a link to setting this up? I seem to only find info on setting it up for failover. Thought I would ask before editing and posting my ASA configs.
I can post the configs if needed.
02-20-2013 01:03 PM
Yes, you can.
But you will have to use a static route for the other VPN, because all your traffic is going out via your default route to your first ISP.
*** Do Rate Helpful Posts ***
02-21-2013 08:26 AM
I was able to get the tunnel up by adding the route, tunnel-group, and new crypto map on 2nd interface. I was not able to connect to anything at the branch from the main ASA5510. I was able to connect as normal from the branch office to the main office over the new tunnel.
In the Main Office config "crypto map backup_map 30" was "crypto map outside_map 30"
Main Office ASA5510
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name xxx.local
names
name 1.1.1.107 Sonoma description OLD MAIL SERVER
name 10.10.2.6 DAYTONA-INT
name 10.10.2.62 SEBRING-INT
name 10.10.2.4 AUTHENTICA-INT
name 10.10.2.11 MIDOHIO-INT
name 10.10.2.15 PMEUPDATE-INT
name 10.10.2.25 FILETRANSFER-INT
name 10.10.2.22 FTP-INT
name 10.10.2.1 HOMESTEAD-INT
name 1.1.1.102 DAYTONA-EXT-OUT description CAS Server
name 1.1.1.109 FILETRANSFER-EXT-OUT description Secure File Transfer
name 1.1.1.105 FTP-EXT-OUT description FTPS
name 1.1.1.103 AUTHENTICA-EXT-OUT description Secure PDF
name 1.1.1.106 OSCODA-EXT-OUT description SQL Testing
name 1.1.1.104 ALEXSYS123-EXT-OUT description MidOhio
name 1.1.1.108 PMEUPDATE-EXT-OUT description NC Update server
name 1.1.1.110 CRASHPLAN-EXT-OUT description CrashPlan backup server
name 3.3.3.17 CV-WC
name 12.218.107.2 KINCEY-NC
name 10.10.2.34 CRASHPLAN-INT
name 2.2.2.196 DAYTONA-EXT-BAK
name 2.2.2.197 OneXPortal1-EXT-OUT description External IP for OneXPortal/NH-VM
name 10.10.2.41 OneXPortal1-INT description Internal IP for OneXPortal/NH-VM
!
interface Ethernet0/0
nameif backup
security-level 1
ip address 2.2.2.194 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.9.1.1 255.255.0.0
!
interface Ethernet0/2
shutdown
nameif test
security-level 10
ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 1.1.1.98 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 172.17.0.199 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server HOMESTEAD-INT
domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SQLTEST udp
description SQLTEST for VES
port-object eq 1434
object-group service SQLTEST_TCP tcp
description SQLTEST For VES
port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service crashplan-4282 tcp
port-object eq 4282
object-group service OneXPortal tcp
description Open ports for OneXPortal
port-object eq 5222
port-object eq 8444
access-list nonat extended permit ip any 10.9.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.9.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list nonat extended permit ip host 1.1.1.98 10.100.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip any 10.20.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list nonat extended permit ip 10.21.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.9.11.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip host 2.2.2.194 10.100.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any host OneXPortal1-EXT-OUT object-group OneXPortal
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www
access-list outside_access_in extended permit icmp host 10.100.0.1 any inactive
access-list outside_access_in extended permit icmp any any inactive
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.20.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.100.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.9.0.0 255.255.0.0
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https
access-list outside_access_in_1 remark FTPS
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive
access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host CRASHPLAN-EXT-OUT object-group crashplan-4282
access-list outside_access_in_1 extended deny icmp any any
access-list outside_access_in_1 extended permit icmp host 10.100.0.1 any inactive
access-list inside_access_out remark ******
access-list inside_access_out extended permit ip any any log
access-list CV-WC_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list CV-WC_CRYPTO extended permit ip 10.9.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.9.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.12.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list tcp-BYPASS extended permit tcp host 172.16.10.2 any
mtu backup 1500
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool IPSECVPN2 10.10.11.76-10.10.11.100
ip local pool SSL-VPN 10.9.11.1-10.9.11.100 mask 255.255.0.0
ip local pool IPSECVPN 10.10.11.25-10.10.11.75
ip local pool SSL-VPN-BU 10.9.11.101-10.9.11.200 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (backup) 1 2.2.2.195
global (outside) 1 1.1.1.99 netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.0.0
nat (inside) 1 10.11.0.0 255.255.0.0
nat (inside) 1 10.12.0.0 255.255.0.0
static (inside,outside) DAYTONA-EXT-OUT DAYTONA-INT netmask 255.255.255.255
static (inside,outside) AUTHENTICA-EXT-OUT AUTHENTICA-INT netmask 255.255.255.255
static (inside,outside) ALEXSYS123-EXT-OUT MIDOHIO-INT netmask 255.255.255.255
static (inside,outside) PMEUPDATE-EXT-OUT PMEUPDATE-INT netmask 255.255.255.255
static (inside,outside) FILETRANSFER-EXT-OUT FILETRANSFER-INT netmask 255.255.255.255
static (inside,outside) FTP-EXT-OUT FTP-INT netmask 255.255.255.255
static (inside,backup) OneXPortal1-EXT-OUT OneXPortal1-INT netmask 255.255.255.255
static (inside,backup) DAYTONA-EXT-BAK DAYTONA-INT netmask 255.255.255.255
static (inside,outside) CRASHPLAN-EXT-OUT CRASHPLAN-INT netmask 255.255.255.255
access-group outside_access_in in interface backup
access-group inside_access_out in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.97 1
route backup 0.0.0.0 0.0.0.0 2.2.2.193 254
route inside 10.8.0.0 255.255.0.0 10.10.1.1 1
route inside 10.10.0.0 255.255.0.0 10.10.1.1 1
route inside 10.11.0.0 255.255.0.0 10.10.1.1 1
route inside 10.12.0.0 255.255.0.0 10.10.1.1 1
route backup 3.3.3.15 255.255.255.255 2.2.2.193 1
route backup 3.3.3.17 255.255.255.255 2.2.2.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
http-proxy enable
aaa-server PMERADIUS protocol radius
aaa-server PMERADIUS (inside) host HOMESTEAD-INT
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
http 172.17.0.0 255.255.255.0 management
http redirect backup 80
http redirect outside 80
crypto ipsec transform-set PM1 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set 50 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df backup
crypto ipsec df-bit clear-df outside
crypto dynamic-map dyn1 1 set pfs group1
crypto dynamic-map dyn1 1 set transform-set PM1
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map cryptomap1 1 ipsec-isakmp dynamic dyn1
crypto map outside_map 20 match address KINCEY_CRYPTO
crypto map outside_map 20 set peer KINCEY-NC
crypto map outside_map 20 set transform-set PM1
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map backup_map 30 match address CV-WC_CRYPTO
crypto map backup_map 30 set peer 3.3.3.17
crypto map backup_map 30 set transform-set PM1
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface backup
crypto ca trustpoint vpn.xxx.com
enrollment terminal
fqdn vpn.xxx.com
subject-name CN=vpn.xxx.com, O=xxx, C=US, St=xx, L=xx
keypair vpn.xxx.com
crl configure
crypto ca certificate chain vpn.xxx.com
certificate 041200616c79f4
quit
crypto isakmp identity address
crypto isakmp enable backup
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 33
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server HOMESTEAD-INT source inside prefer
ssl trust-point vpn.xxx.com outside
ssl trust-point vpn.xxx.com backup
ssl trust-point vpn.xxx.com test
webvpn
enable backup
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 4
svc image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
svc profiles AllowRemoteUsers disk0:/AnyConnectProfile20121003.xml
svc enable
internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.10.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain none
group-policy DfltGrpPolicy attributes
dns-server value 10.10.2.1 10.10.2.62
vpn-idle-timeout 600
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value xxx.local
webvpn
url-list value Book1
svc profiles value AllowRemoteUsers
svc ask enable default webvpn timeout 10
group-policy AnyConnect internal
group-policy AnyConnect attributes
vpn-tunnel-protocol webvpn
webvpn
svc ask enable default webvpn timeout 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (backup) SSL-VPN-BU
address-pool (outside) SSL-VPN
address-pool SSL-VPN
authentication-server-group PMERADIUS
tunnel-group pm_ipsec type remote-access
tunnel-group pm_ipsec general-attributes
address-pool IPSECVPN2
tunnel-group pm_ipsec ipsec-attributes
pre-shared-key *****
tunnel-group xxx type remote-access
tunnel-group xxx general-attributes
address-pool IPSECVPN
tunnel-group xxx ipsec-attributes
pre-shared-key *****
tunnel-group 207.148.209.20 type ipsec-l2l
tunnel-group 207.148.209.20 ipsec-attributes
pre-shared-key *****
tunnel-group 3.3.3.17 type ipsec-l2l
tunnel-group 3.3.3.17 ipsec-attributes
pre-shared-key *****
tunnel-group 12.218.107.2 type ipsec-l2l
tunnel-group 12.218.107.2 ipsec-attributes
pre-shared-key *****
!
class-map tcp-BYPASS
match access-list tcp-BYPASS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp
inspect ip-options
class class-default
!
service-policy global_policy global
smtp-server 10.10.2.6
prompt hostname context
Cryptochecksum:fd773e12ead6414bd14e10cd3b7324f0
: end
Branch office
hostname CV-WC
domain-name xxx.local
names
name 10.10.0.0 NH-LAN
name 10.10.2.1 HOMESTEAD
name 2.2.2.194 NH
!
interface Ethernet0/0
description CV-WC *WAN* (Physical Interface)
switchport access vlan 2
!
interface Ethernet0/1
description CV-WC *LAN* (Physical Interface)
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description CV-WC *LAN* Interface
nameif inside
security-level 100
ip address 10.100.0.1 255.255.0.0
!
interface Vlan2
description CV-WC *WAN* Interface
nameif outside
security-level 0
ip address 3.3.3.17 255.255.255.0
!
ftp mode passive
clock timezone MST -5
clock summer-time MST recurring
dns server-group DefaultDNS
domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_out_outside extended permit ip any any
access-list outside_in_inside extended permit icmp any any
access-list CV-Split-Tunnel standard permit 10.100.0.0 255.255.0.0
access-list CV-Split-Tunnel standard permit NH-LAN 255.255.0.0
access-list CV-Split-Tunnel standard permit 10.20.0.0 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip any 10.100.0.0 255.255.0.0
access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list WKSMITH_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool GENERAL-WC-SSL 10.100.0.101-10.100.0.120 mask 255.255.0.0
ip local pool CV-WC-VPNPOOL 10.100.0.10-10.100.0.60 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND
nat (inside) 1 10.100.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_out_outside in interface inside
access-group outside_in_inside in interface outside
route outside 0.0.0.0 0.0.0.0 3.3.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PMERADIUS protocol radius
aaa-server PMERADIUS (inside) host HOMESTEAD
key *****
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.100.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 50 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set RTPSET esp-aes esp-sha-hmac
crypto ipsec transform-set PM1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address WKSMITH_CRYPTO
crypto map outside_map 20 set peer 2.2.2.194
crypto map outside_map 20 set transform-set PM1
crypto map outside_map interface outside
crypto ca trustpoint vpn3.xxx.com
enrollment terminal
fqdn vpn3.xxx.com
subject-name CN=vpn3.xxx.com,OU=xxx,O=xxx,C=US,St=xxx,L=xxx
crl configure
crypto ca certificate chain vpn3.xxx.com
certificate ca 0301
quit
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 1.1.1.96 255.255.255.224 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 204.235.61.9 source outside
ssl trust-point vpn3.xxx.com outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 2
svc enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 600
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy CV-WC-SSL internal
group-policy CV-WC-SSL attributes
dns-server value 10.10.2.1
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CV-Split-Tunnel
default-domain value xxx.local
webvpn
url-list none
svc ask enable
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool CV-WC-VPNPOOL
authentication-server-group PMERADIUS
authentication-server-group (inside) PMERADIUS
default-group-policy CV-WC-SSL
tunnel-group CV-WC-SSL type remote-access
tunnel-group CV-WC-SSL general-attributes
address-pool CV-WC-VPNPOOL
authentication-server-group PMERADIUS
default-group-policy CV-WC-SSL
tunnel-group 1.1.1.98 type ipsec-l2l
tunnel-group 1.1.1.98 ipsec-attributes
pre-shared-key *****
tunnel-group 2.2.2.194 type ipsec-l2l
tunnel-group 2.2.2.194 ipsec-attributes
pre-shared-key *****
!
!
!
policy-map global_policy
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:df6da93d6f25a586d11ad59c600cf72c
: end
Main Office ASA5510
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name xxx.local
names
name 1.1.1.107 Sonoma description OLD MAIL SERVER
name 10.10.2.6 DAYTONA-INT
name 10.10.2.62 SEBRING-INT
name 10.10.2.4 AUTHENTICA-INT
name 10.10.2.11 MIDOHIO-INT
name 10.10.2.15 PMEUPDATE-INT
name 10.10.2.25 FILETRANSFER-INT
name 10.10.2.22 FTP-INT
name 10.10.2.1 HOMESTEAD-INT
name 1.1.1.102 DAYTONA-EXT-OUT description CAS Server
name 1.1.1.109 FILETRANSFER-EXT-OUT description Secure File Transfer
name 1.1.1.105 FTP-EXT-OUT description FTPS
name 1.1.1.103 AUTHENTICA-EXT-OUT description Secure PDF
name 1.1.1.106 OSCODA-EXT-OUT description SQL Testing
name 1.1.1.104 ALEXSYS123-EXT-OUT description MidOhio
name 1.1.1.108 PMEUPDATE-EXT-OUT description NC Update server
name 1.1.1.110 CRASHPLAN-EXT-OUT description CrashPlan backup server
name 3.3.3.17 CV-WC
name 12.218.107.2 KINCEY-NC
name 10.10.2.34 CRASHPLAN-INT
name 2.2.2.196 DAYTONA-EXT-BAK
name 2.2.2.197 OneXPortal1-EXT-OUT description External IP for OneXPortal/NH-VM
name 10.10.2.41 OneXPortal1-INT description Internal IP for OneXPortal/NH-VM
!
interface Ethernet0/0
nameif backup
security-level 1
ip address 2.2.2.194 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.9.1.1 255.255.0.0
!
interface Ethernet0/2
shutdown
nameif test
security-level 10
ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 1.1.1.98 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 172.17.0.199 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server HOMESTEAD-INT
domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SQLTEST udp
description SQLTEST for VES
port-object eq 1434
object-group service SQLTEST_TCP tcp
description SQLTEST For VES
port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service crashplan-4282 tcp
port-object eq 4282
object-group service OneXPortal tcp
description Open ports for OneXPortal
port-object eq 5222
port-object eq 8444
access-list nonat extended permit ip any 10.9.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.9.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list nonat extended permit ip host 1.1.1.98 10.100.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip any 10.20.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list nonat extended permit ip 10.21.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.9.11.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip host 2.2.2.194 10.100.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any host OneXPortal1-EXT-OUT object-group OneXPortal
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www
access-list outside_access_in extended permit icmp host 10.100.0.1 any inactive
access-list outside_access_in extended permit icmp any any inactive
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.20.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.100.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.9.0.0 255.255.0.0
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https
access-list outside_access_in_1 remark FTPS
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive
access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host CRASHPLAN-EXT-OUT object-group crashplan-4282
access-list outside_access_in_1 extended deny icmp any any
access-list outside_access_in_1 extended permit icmp host 10.100.0.1 any inactive
access-list inside_access_out remark ******
access-list inside_access_out extended permit ip any any log
access-list CV-WC_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list CV-WC_CRYPTO extended permit ip 10.9.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.9.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.12.0.0 255.255.0.0 10.22.0.0 255.255.0.0
access-list tcp-BYPASS extended permit tcp host 172.16.10.2 any
mtu backup 1500
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool IPSECVPN2 10.10.11.76-10.10.11.100
ip local pool SSL-VPN 10.9.11.1-10.9.11.100 mask 255.255.0.0
ip local pool IPSECVPN 10.10.11.25-10.10.11.75
ip local pool SSL-VPN-BU 10.9.11.101-10.9.11.200 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (backup) 1 2.2.2.195
global (outside) 1 1.1.1.99 netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.0.0
nat (inside) 1 10.11.0.0 255.255.0.0
nat (inside) 1 10.12.0.0 255.255.0.0
static (inside,outside) DAYTONA-EXT-OUT DAYTONA-INT netmask 255.255.255.255
static (inside,outside) AUTHENTICA-EXT-OUT AUTHENTICA-INT netmask 255.255.255.255
static (inside,outside) ALEXSYS123-EXT-OUT MIDOHIO-INT netmask 255.255.255.255
static (inside,outside) PMEUPDATE-EXT-OUT PMEUPDATE-INT netmask 255.255.255.255
static (inside,outside) FILETRANSFER-EXT-OUT FILETRANSFER-INT netmask 255.255.255.255
static (inside,outside) FTP-EXT-OUT FTP-INT netmask 255.255.255.255
static (inside,backup) OneXPortal1-EXT-OUT OneXPortal1-INT netmask 255.255.255.255
static (inside,backup) DAYTONA-EXT-BAK DAYTONA-INT netmask 255.255.255.255
static (inside,outside) CRASHPLAN-EXT-OUT CRASHPLAN-INT netmask 255.255.255.255
access-group outside_access_in in interface backup
access-group inside_access_out in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.97 1
route backup 0.0.0.0 0.0.0.0 2.2.2.193 254
route inside 10.8.0.0 255.255.0.0 10.10.1.1 1
route inside 10.10.0.0 255.255.0.0 10.10.1.1 1
route inside 10.11.0.0 255.255.0.0 10.10.1.1 1
route inside 10.12.0.0 255.255.0.0 10.10.1.1 1
route backup 3.3.3.15 255.255.255.255 2.2.2.193 1
route backup 3.3.3.17 255.255.255.255 2.2.2.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
http-proxy enable
aaa-server PMERADIUS protocol radius
aaa-server PMERADIUS (inside) host HOMESTEAD-INT
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
http 172.17.0.0 255.255.255.0 management
http redirect backup 80
http redirect outside 80
crypto ipsec transform-set PM1 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set 50 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df backup
crypto ipsec df-bit clear-df outside
crypto dynamic-map dyn1 1 set pfs group1
crypto dynamic-map dyn1 1 set transform-set PM1
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map cryptomap1 1 ipsec-isakmp dynamic dyn1
crypto map outside_map 20 match address KINCEY_CRYPTO
crypto map outside_map 20 set peer KINCEY-NC
crypto map outside_map 20 set transform-set PM1
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map backup_map 30 match address CV-WC_CRYPTO
crypto map backup_map 30 set peer 3.3.3.17
crypto map backup_map 30 set transform-set PM1
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface backup
crypto ca trustpoint vpn.xxx.com
enrollment terminal
fqdn vpn.xxx.com
subject-name CN=vpn.xxx.com, O=xxx, C=US, St=xx, L=xx
keypair vpn.xxx.com
crl configure
crypto ca certificate chain vpn.xxx.com
certificate 041200616c79f4
quit
crypto isakmp identity address
crypto isakmp enable backup
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 33
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server HOMESTEAD-INT source inside prefer
ssl trust-point vpn.xxx.com outside
ssl trust-point vpn.xxx.com backup
ssl trust-point vpn.xxx.com test
webvpn
enable backup
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 4
svc image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
svc profiles AllowRemoteUsers disk0:/AnyConnectProfile20121003.xml
svc enable
internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.10.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain none
group-policy DfltGrpPolicy attributes
dns-server value 10.10.2.1 10.10.2.62
vpn-idle-timeout 600
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value xxx.local
webvpn
url-list value Book1
svc profiles value AllowRemoteUsers
svc ask enable default webvpn timeout 10
group-policy AnyConnect internal
group-policy AnyConnect attributes
vpn-tunnel-protocol webvpn
webvpn
svc ask enable default webvpn timeout 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (backup) SSL-VPN-BU
address-pool (outside) SSL-VPN
address-pool SSL-VPN
authentication-server-group PMERADIUS
tunnel-group pm_ipsec type remote-access
tunnel-group pm_ipsec general-attributes
address-pool IPSECVPN2
tunnel-group pm_ipsec ipsec-attributes
pre-shared-key *****
tunnel-group xxx type remote-access
tunnel-group xxx general-attributes
address-pool IPSECVPN
tunnel-group xxx ipsec-attributes
pre-shared-key *****
tunnel-group 207.148.209.20 type ipsec-l2l
tunnel-group 207.148.209.20 ipsec-attributes
pre-shared-key *****
tunnel-group 3.3.3.17 type ipsec-l2l
tunnel-group 3.3.3.17 ipsec-attributes
pre-shared-key *****
tunnel-group 12.218.107.2 type ipsec-l2l
tunnel-group 12.218.107.2 ipsec-attributes
pre-shared-key *****
!
class-map tcp-BYPASS
match access-list tcp-BYPASS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp
inspect ip-options
class class-default
!
service-policy global_policy global
smtp-server 10.10.2.6
prompt hostname context
Cryptochecksum:fd773e12ead6414bd14e10cd3b7324f0
: end
***************************************************************
***************************************************************
Branch office
hostname CV-WC
domain-name xxx.local
names
name 10.10.0.0 NH-LAN
name 10.10.2.1 HOMESTEAD
name 2.2.2.194 NH
!
interface Ethernet0/0
description CV-WC *WAN* (Physical Interface)
switchport access vlan 2
!
interface Ethernet0/1
description CV-WC *LAN* (Physical Interface)
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description CV-WC *LAN* Interface
nameif inside
security-level 100
ip address 10.100.0.1 255.255.0.0
!
interface Vlan2
description CV-WC *WAN* Interface
nameif outside
security-level 0
ip address 3.3.3.17 255.255.255.0
!
ftp mode passive
clock timezone MST -5
clock summer-time MST recurring
dns server-group DefaultDNS
domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_out_outside extended permit ip any any
access-list outside_in_inside extended permit icmp any any
access-list CV-Split-Tunnel standard permit 10.100.0.0 255.255.0.0
access-list CV-Split-Tunnel standard permit NH-LAN 255.255.0.0
access-list CV-Split-Tunnel standard permit 10.20.0.0 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip any 10.100.0.0 255.255.0.0
access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list WKSMITH_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool GENERAL-WC-SSL 10.100.0.101-10.100.0.120 mask 255.255.0.0
ip local pool CV-WC-VPNPOOL 10.100.0.10-10.100.0.60 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND
nat (inside) 1 10.100.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_out_outside in interface inside
access-group outside_in_inside in interface outside
route outside 0.0.0.0 0.0.0.0 3.3.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PMERADIUS protocol radius
aaa-server PMERADIUS (inside) host HOMESTEAD
key *****
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.100.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 50 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set RTPSET esp-aes esp-sha-hmac
crypto ipsec transform-set PM1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address WKSMITH_CRYPTO
crypto map outside_map 20 set peer 2.2.2.194
crypto map outside_map 20 set transform-set PM1
crypto map outside_map interface outside
crypto ca trustpoint vpn3.xxx.com
enrollment terminal
fqdn vpn3.xxx.com
subject-name CN=vpn3.xxx.com,OU=xxx,O=xxx,C=US,St=xxx,L=xxx
crl configure
crypto ca certificate chain vpn3.xxx.com
certificate ca 0301
quit
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 1.1.1.96 255.255.255.224 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 204.235.61.9 source outside
ssl trust-point vpn3.xxx.com outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 2
svc enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 600
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy CV-WC-SSL internal
group-policy CV-WC-SSL attributes
dns-server value 10.10.2.1
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CV-Split-Tunnel
default-domain value xxx.local
webvpn
url-list none
svc ask enable
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool CV-WC-VPNPOOL
authentication-server-group PMERADIUS
authentication-server-group (inside) PMERADIUS
default-group-policy CV-WC-SSL
tunnel-group CV-WC-SSL type remote-access
tunnel-group CV-WC-SSL general-attributes
address-pool CV-WC-VPNPOOL
authentication-server-group PMERADIUS
default-group-policy CV-WC-SSL
tunnel-group 1.1.1.98 type ipsec-l2l
tunnel-group 1.1.1.98 ipsec-attributes
pre-shared-key *****
tunnel-group 2.2.2.194 type ipsec-l2l
tunnel-group 2.2.2.194 ipsec-attributes
pre-shared-key *****
!
!
!
policy-map global_policy
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:df6da93d6f25a586d11ad59c600cf72c
: end
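The point the thread turns on is that a crypto map bound to the second ISP interface only works if the peer's traffic actually leaves through that interface, which on ASA 8.2 means a static route for the peer out the `backup` interface, plus a matching `ipsec-l2l` tunnel-group. The following audit script is an added example, not code from the original post or from Cisco; it parses a constructed excerpt modelled on the main-office config above (same interface names and peer addresses) and reports any peer whose egress interface, by longest-prefix-then-metric lookup, differs from the interface its crypto map is bound to. It assumes peers are written as literal IPs (the `name` aliases in the real config are not resolved).

```python
import ipaddress

# Constructed excerpt modelled on the two-ISP ASA 8.2 config posted above
# (same addresses and names as the post); not the complete configuration.
SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 1.1.1.97 1
route backup 0.0.0.0 0.0.0.0 2.2.2.193 254
route backup 3.3.3.17 255.255.255.255 2.2.2.193 1
crypto map outside_map 20 set peer 12.218.107.2
crypto map outside_map interface outside
crypto map backup_map 30 set peer 3.3.3.17
crypto map backup_map interface backup
tunnel-group 3.3.3.17 type ipsec-l2l
tunnel-group 12.218.107.2 type ipsec-l2l
"""

def parse(config):
    """Collect routes, crypto-map peers/bindings and L2L tunnel-groups (peers as literal IPs; 'name' aliases not resolved)."""
    routes, peers, bindings, tgroups = [], {}, {}, set()
    for fields in (line.split() for line in config.splitlines()):
        if fields[:1] == ["route"]:
            net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
            metric = int(fields[5]) if len(fields) > 5 else 1
            routes.append((fields[1], net, metric))
        elif fields[:2] == ["crypto", "map"] and fields[3:4] == ["interface"]:
            bindings[fields[2]] = fields[4]
        elif fields[:2] == ["crypto", "map"] and fields[4:6] == ["set", "peer"]:
            peers.setdefault(fields[2], []).append(fields[6])
        elif fields[:1] == ["tunnel-group"] and fields[2:4] == ["type", "ipsec-l2l"]:
            tgroups.add(fields[1])
    return routes, peers, bindings, tgroups

def egress_interface(routes, ip):
    """Longest prefix wins, then lowest metric: the interface the ASA would send the peer's traffic out."""
    addr = ipaddress.ip_address(ip)
    best = max(((n.prefixlen, -m, i) for i, n, m in routes if addr in n), default=None)
    return best[2] if best else None

def audit(config):
    """Return a list of findings; empty means every bound crypto map can reach its peers as configured."""
    routes, peers, bindings, tgroups = parse(config)
    findings = []
    for cmap, iface in bindings.items():
        for peer in peers.get(cmap, []):
            egress = egress_interface(routes, peer)
            if egress != iface:
                findings.append(f"peer {peer} in {cmap} (bound to {iface}) routes via {egress}")
            if peer not in tgroups:
                findings.append(f"peer {peer} has no ipsec-l2l tunnel-group")
    return findings
```

Removing the host route for 3.3.3.17 from the sample makes the audit report that the peer would be sent out `outside` while its crypto map is bound to `backup`, which is exactly the mismatch the replies in this thread warn about.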