MSTSC Issue between PIX

sanjeevmahadani
Level 1

Hi,

I am facing an MSTSC (RDP) issue over IPsec configured between PIX Version 7.2(4)7 and PIX Version 6.3(3).

When I add the commands below on host GOIP-FW-AIRTEL, it pings my server destination 192.168.0.4 behind host hhc01 with 0 drops, but I am unable to open an MSTSC session from my PC. I am behind host GOIP-FW-AIRTEL.

And when I remove the same commands from host GOIP-FW-AIRTEL, I get 5-8% ping loss but am able to open MSTSC (RDP); because of the ping drops, though, it does not stay up for long and the remote session breaks.

access-list outside_80_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0

crypto map outside_map 80 match address outside_80_cryptomap

Please help to resolve this issue; the configurations are below.

-------------------------------------------------------------------------------------

PIX Configuration Site A

PIX Version 7.2(4)7

GOIP-FW-AIRTEL# sh run

: Saved

:

PIX Version 7.2(4)7

!

hostname GOIP-FW-AIRTEL

domain-name goipglobal.local

enable password ezaMyFFEuoF0dAEd encrypted

passwd bLZBoSxKBrkXAdim encrypted

names

dns-guard

!

interface Ethernet0

nameif outside

security-level 0

ip address 182.71.161.170 255.255.255.248

!

interface Ethernet1

nameif inside

security-level 100

ip address 172.16.0.2 255.255.0.0

!

interface Ethernet2

shutdown

nameif intf2

security-level 4

no ip address

!

interface Ethernet3

shutdown

nameif intf3

security-level 6

no ip address

!

interface Ethernet4

shutdown

nameif intf4

security-level 8

no ip address

!

interface Ethernet5

shutdown

nameif intf5

security-level 10

no ip address

!

ftp mode passive

clock timezone IST 5 30

dns server-group DefaultDNS

domain-name goipglobal.local

object-group network hoshan_collocation

network-object 132.11.1.0 255.255.255.0

network-object 132.12.1.0 255.255.255.0

network-object 132.14.1.0 255.255.255.0

network-object 132.15.1.0 255.255.255.0

network-object 132.2.1.0 255.255.255.0

network-object 132.20.1.0 255.255.255.0

network-object 132.21.1.0 255.255.255.0

network-object 132.22.1.0 255.255.255.0

network-object 132.23.1.0 255.255.255.0

network-object 132.3.1.0 255.255.255.0

network-object 132.30.1.0 255.255.255.0

network-object 132.31.1.0 255.255.255.0

network-object 132.32.1.0 255.255.255.0

network-object 132.4.1.0 255.255.255.0

network-object 132.6.1.0 255.255.255.0

network-object 132.7.1.0 255.255.255.0

network-object 132.8.1.0 255.255.255.0

network-object 132.81.1.0 255.255.255.0

network-object 132.9.1.0 255.255.255.0

network-object 192.168.200.0 255.255.255.252

network-object 132.25.1.0 255.255.255.0

network-object 10.130.10.0 255.255.255.0

network-object 10.130.11.0 255.255.255.0

network-object 10.130.12.0 255.255.255.0

network-object 10.130.13.0 255.255.255.0

network-object 10.130.14.0 255.255.255.0

network-object 10.130.15.0 255.255.255.0

network-object 10.130.16.0 255.255.255.0

network-object 10.130.2.0 255.255.255.0

network-object 10.130.20.0 255.255.255.0

network-object 10.130.21.0 255.255.255.0

network-object 10.130.22.0 255.255.255.0

network-object 10.130.23.0 255.255.255.0

network-object 10.130.24.0 255.255.255.0

network-object 10.130.25.0 255.255.255.0

network-object 10.130.26.0 255.255.255.0

network-object 10.130.27.0 255.255.255.0

network-object 10.130.3.0 255.255.255.0

network-object 10.130.30.0 255.255.255.0

network-object 10.130.31.0 255.255.255.0

network-object 10.130.32.0 255.255.255.0

network-object 10.130.33.0 255.255.255.0

network-object 10.130.34.0 255.255.255.0

network-object 10.130.35.0 255.255.255.0

network-object 10.130.4.0 255.255.255.0

network-object 10.130.40.0 255.255.255.0

network-object 10.130.7.0 255.255.255.0

network-object 10.130.71.0 255.255.255.0

network-object 132.24.1.0 255.255.255.0

object-group network Hoshan_Dubai

network-object 192.168.1.0 255.255.255.0

network-object 192.168.15.0 255.255.255.0

network-object 192.168.16.0 255.255.255.0

network-object 192.168.2.0 255.255.255.0

network-object 192.168.20.0 255.255.255.0

network-object 192.168.200.0 255.255.255.252

network-object 192.168.21.0 255.255.255.0

network-object 192.168.25.0 255.255.255.0

network-object 192.168.3.0 255.255.255.0

network-object 192.168.30.0 255.255.255.0

network-object 192.168.35.0 255.255.255.0

network-object 192.168.36.0 255.255.255.0

network-object 192.168.38.0 255.255.255.0

network-object 192.168.41.0 255.255.255.0

network-object 192.168.42.0 255.255.255.0

network-object 192.168.5.0 255.255.255.0

network-object 192.168.50.0 255.255.255.0

network-object 192.168.6.0 255.255.255.0

network-object 192.168.46.0 255.255.255.0

network-object 192.168.48.0 255.255.255.0

network-object 10.131.1.0 255.255.255.0

network-object 10.131.10.0 255.255.255.0

network-object 10.131.11.0 255.255.255.0

network-object 10.131.20.0 255.255.255.0

network-object 10.131.30.0 255.255.255.0

network-object 10.131.100.0 255.255.255.0

network-object 10.132.1.0 255.255.255.0

network-object 10.132.10.0 255.255.255.0

network-object 10.132.11.0 255.255.255.0

network-object 10.132.12.0 255.255.255.0

network-object 10.132.13.0 255.255.255.0

network-object 10.133.1.0 255.255.255.0

network-object 10.133.20.0 255.255.255.0

network-object 10.134.1.0 255.255.255.0

network-object 10.134.10.0 255.255.255.0

network-object 10.135.1.0 255.255.255.0

network-object 10.135.10.0 255.255.255.0

network-object 10.136.1.0 255.255.255.0

network-object 10.140.1.0 255.255.255.0

network-object 10.140.10.0 255.255.255.0

network-object 10.140.11.0 255.255.255.0

network-object 10.140.12.0 255.255.255.0

network-object 10.141.1.0 255.255.255.0

network-object 10.142.1.0 255.255.255.0

network-object 10.150.1.0 255.255.255.0

network-object 10.150.20.0 255.255.255.0

network-object 10.151.1.0 255.255.255.0

network-object 10.152.1.0 255.255.255.0

network-object 10.153.1.0 255.255.255.0

network-object 10.160.1.0 255.255.255.0

network-object 192.168.43.0 255.255.255.0

object-group network mmg1

network-object 132.101.1.0 255.255.255.0

object-group network mmg2

network-object 10.50.52.0 255.255.255.0

network-object 10.50.54.0 255.255.255.0

network-object 10.50.55.0 255.255.255.0

network-object 10.50.56.0 255.255.255.0

network-object 10.50.57.0 255.255.255.0

network-object 10.50.58.0 255.255.255.0

network-object 10.50.80.0 255.255.255.0

network-object 10.50.101.0 255.255.255.0

network-object 10.50.102.0 255.255.255.0

network-object 10.50.103.0 255.255.255.0

network-object 10.50.105.0 255.255.255.0

network-object 10.50.106.0 255.255.255.0

network-object 10.50.107.0 255.255.255.0

network-object 10.50.111.0 255.255.255.0

network-object 10.50.112.0 255.255.255.0

network-object 10.50.115.0 255.255.255.0

network-object 10.50.117.0 255.255.255.0

network-object 10.50.119.0 255.255.255.0

network-object 10.50.120.0 255.255.255.0

network-object 10.50.121.0 255.255.255.0

network-object 10.50.67.0 255.255.255.0

network-object 10.50.72.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip 172.16.0.0 255.255.0.0 object-group hoshan_collocation

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 object-group hoshan_collocation

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 198.73.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 132.1.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 object-group Hoshan_Dubai

access-list inside_nat0_outbound extended permit ip any 10.10.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.130.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 object-group mmg1

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 object-group mmg2

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.130.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.235.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.2.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.252

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.4.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.6.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.8.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.81.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.11.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.7.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.22.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.21.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.20.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.3.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.12.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.9.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.31.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.30.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.23.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.32.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.14.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.15.1.0 255.255.255.0

access-list unikom_vpn_collocation extended permit ip 172.16.0.0 255.255.0.0 132.25.1.0 255.255.255.0

access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply

access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded

access-list OUTSIDE_IN_ACL extended permit ip any host 182.71.161.172

access-list OUTSIDE_IN_ACL extended permit ip any host 182.71.161.171

access-list OUTSIDE_IN_ACL extended permit ip any host 182.71.161.173

access-list OUTSIDE_IN_ACL extended permit ip any host 182.71.161.174

access-list OUTSIDE_IN_ACL extended deny ip host 68.88.124.70 any

access-list outside_40_cryptomap extended permit ip 172.16.0.0 255.255.0.0 198.73.0.0 255.255.0.0

access-list outside_120_cryptomap extended permit ip 172.16.0.0 255.255.0.0 132.1.1.0 255.255.255.0

access-list outside_120_cryptomap extended permit ip 172.16.0.0 255.255.0.0 10.130.0.0 255.255.255.0

access-list outside_120_cryptomap extended permit ip 172.16.0.0 255.255.0.0 10.130.1.0 255.255.255.0

access-list outside_120_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0

access-list asdm_cap_selector_inside extended permit ip host 172.16.0.1 host 132.1.1.7

access-list asdm_cap_selector_inside extended permit ip host 132.1.1.7 host 172.16.0.1

access-list asdm_cap_selector_inside extended permit ip host 172.16.0.1 host 192.168.0.2

access-list asdm_cap_selector_inside extended permit ip host 192.168.0.2 host 172.16.0.1

access-list asdm_cap_selector_inside extended permit ip host 172.16.0.7 host 192.168.0.78

access-list asdm_cap_selector_inside extended permit ip host 192.168.0.78 host 172.16.0.7

access-list outside_100_cryptomap extended permit ip 172.16.0.0 255.255.0.0 object-group Hoshan_Dubai

access-list block extended deny tcp any 69.171.0.0 255.255.0.0

access-list block extended permit udp any any

access-list block extended permit tcp any any

access-list block extended permit icmp any any

access-list block extended deny ip any 69.171.0.0 255.255.0.0

access-list remote-access_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0

access-list outside_cryptomap_3 extended permit ip any 10.10.1.0 255.255.255.0

access-list outside_101_cryptomap extended permit ip 172.16.0.0 255.255.0.0 object-group mmg1

access-list outside_102_cryptomap extended permit ip 172.16.0.0 255.255.255.0 object-group mmg2

access-list outside_125_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.235.0 255.255.255.0

access-list outside_80_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging trap informational

logging asdm informational

logging device-id hostname

logging host inside 172.16.0.124

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip local pool remote-ip 10.10.1.1-10.10.1.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-521.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 182.71.161.172 172.16.0.6 netmask 255.255.255.255

static (inside,outside) 182.71.161.174 172.16.0.7 netmask 255.255.255.255

static (inside,outside) 182.71.161.173 172.16.0.152 netmask 255.255.255.255

static (inside,outside) 182.71.161.171 172.16.0.5 netmask 255.255.255.255

no threat-detection statistics tcp-intercept

access-group OUTSIDE_IN_ACL in interface outside

route outside 0.0.0.0 0.0.0.0 182.71.161.169 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

snmp-server host inside 172.16.0.124 poll community goip-pix

snmp-server host inside 172.16.0.27 community goip-pix

snmp-server host inside 172.16.1.248 community goip-pix

snmp-server location NOIDA FF

snmp-server contact Network Admin

snmp-server community goip-pix

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps ipsec start stop

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA

crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 120 set security-association lifetime kilobytes 4608000

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set peer 88.85.251.2

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 20 set security-association lifetime seconds 28800

crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 40 match address outside_40_cryptomap

crypto map outside_map 40 set peer 213.230.22.7

crypto map outside_map 40 set transform-set ESP-DES-MD5

crypto map outside_map 40 set security-association lifetime seconds 28800

crypto map outside_map 40 set security-association lifetime kilobytes 4608000

crypto map outside_map 80 match address outside_80_cryptomap

crypto map outside_map 80 set peer 212.12.168.230

crypto map outside_map 80 set transform-set ESP-DES-MD5

crypto map outside_map 80 set security-association lifetime seconds 86400

crypto map outside_map 80 set security-association lifetime kilobytes 4608000

crypto map outside_map 100 match address outside_100_cryptomap

crypto map outside_map 100 set pfs

crypto map outside_map 100 set peer 213.132.44.195

crypto map outside_map 100 set transform-set ESP-DES-MD5

crypto map outside_map 100 set security-association lifetime seconds 28800

crypto map outside_map 100 set security-association lifetime kilobytes 4608000

crypto map outside_map 120 match address outside_120_cryptomap

crypto map outside_map 120 set peer 88.85.255.1

crypto map outside_map 120 set transform-set ESP-DES-MD5

crypto map outside_map 120 set security-association lifetime seconds 28800

crypto map outside_map 120 set security-association lifetime kilobytes 4608000

crypto map outside_map 121 match address outside_101_cryptomap

crypto map outside_map 121 set peer 109.83.215.180

crypto map outside_map 121 set transform-set ESP-DES-MD5

crypto map outside_map 121 set security-association lifetime seconds 28800

crypto map outside_map 121 set security-association lifetime kilobytes 4608000

crypto map outside_map 122 match address outside_102_cryptomap

crypto map outside_map 122 set peer 46.235.94.66

crypto map outside_map 122 set transform-set ESP-DES-MD5

crypto map outside_map 122 set security-association lifetime seconds 28800

crypto map outside_map 122 set security-association lifetime kilobytes 4608000

crypto map outside_map 125 match address outside_125_cryptomap

crypto map outside_map 125 set peer 109.83.215.196 88.85.251.6

crypto map outside_map 125 set transform-set ESP-DES-MD5

crypto map outside_map 125 set security-association lifetime seconds 28800

crypto map outside_map 125 set security-association lifetime kilobytes 4608000

crypto map outside_map 125 set phase1-mode aggressive

crypto map outside_map 140 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

crypto isakmp policy 70

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal  20

crypto isakmp ipsec-over-tcp port 10000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

ssh version 1

console timeout 0

ntp server 195.43.74.123 source outside prefer

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem enable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

nac disable

nac-sq-period 300

nac-reval-period 36000

nac-default-acl none

address-pools none

smartcard-removal-disconnect enable

client-firewall none

client-access-rule none

group-policy remote-access internal

group-policy remote-access attributes

dns-server value 192.168.1.11 4.2.2.2

vpn-tunnel-protocol IPSec

username praful password TEzhJ7QU1N69uu44 encrypted privilege 15

username sandeep password 3RPLe5XLRun5d2eR encrypted privilege 7

tunnel-group 88.85.251.2 type ipsec-l2l

tunnel-group 88.85.251.2 ipsec-attributes

pre-shared-key *

tunnel-group 213.230.22.7 type ipsec-l2l

tunnel-group 213.230.22.7 ipsec-attributes

pre-shared-key *

tunnel-group 88.85.255.1 type ipsec-l2l

tunnel-group 88.85.255.1 ipsec-attributes

pre-shared-key *

tunnel-group 212.12.168.230 type ipsec-l2l

tunnel-group 212.12.168.230 ipsec-attributes

pre-shared-key *

tunnel-group 213.132.44.195 type ipsec-l2l

tunnel-group 213.132.44.195 ipsec-attributes

pre-shared-key *

tunnel-group remote-access type ipsec-ra

tunnel-group remote-access general-attributes

address-pool remote-ip

default-group-policy remote-access

tunnel-group remote-access ipsec-attributes

pre-shared-key *

tunnel-group 109.83.215.180 type ipsec-l2l

tunnel-group 109.83.215.180 ipsec-attributes

pre-shared-key *

tunnel-group 46.235.94.66 type ipsec-l2l

tunnel-group 46.235.94.66 ipsec-attributes

pre-shared-key *

tunnel-group 109.83.215.196 type ipsec-l2l

tunnel-group 109.83.215.196 ipsec-attributes

pre-shared-key *

tunnel-group 88.85.251.6 type ipsec-l2l

tunnel-group 88.85.251.6 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect http

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:cb8a70fdc98fcf15b1bc5730093067de

: end

PIX Configuration Site B

============

hhc01#  sh run

: Saved

:

PIX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

enable password 3klwy9AiK8FJOaNE encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname hhc01

domain-name hoshanco.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl-vpn permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list acl-vpn permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list acl-vpn permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list acl-vpn permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list acl-vpn permit ip 192.168.0.0 255.255.255.0 132.0.0.0 255.0.0.0

access-list acl-vpn permit ip 192.168.0.0 255.255.255.0 10.250.0.0 255.255.255.0

access-list acl-vpn permit ip 192.168.0.0 255.255.255.0 10.130.0.0 255.255.255.0

access-list split permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list acl-inside permit ip any any

access-list fahad permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_in permit icmp any any

access-list outside_in permit ip any any

access-list outside_in permit ip 10.250.0.0 255.255.255.0 any

access-list outside_in permit ip 10.130.0.0 255.255.255.0 any

access-list inside permit ip 192.168.0.0 255.255.255.0 any

access-list inside permit tcp any any eq smtp

access-list inside permit tcp any any eq pop3

access-list inside permit tcp any any eq imap4

access-list inside permit ip any any

access-list nonat permit ip 192.168.0.0 255.255.255.0 132.0.0.0 255.0.0.0

access-list HOSH permit ip host 192.168.0.62 any

access-list HOSH permit ip host 192.168.0.63 any

access-list HOSH permit ip host 192.168.0.188 any

access-list HOSH permit ip host 192.168.0.23 any

access-list HOSH permit ip host 192.168.0.37 any

access-list HOSH permit ip host 192.168.0.38 any

access-list HOSH permit ip host 192.168.0.41 any

access-list HOSH permit ip host 192.168.0.65 any

access-list HOSH permit ip host 192.168.0.56 any

access-list HOSH permit ip host 192.168.0.64 any

access-list HOSH permit ip host 192.168.0.132 any

access-list HOSH permit ip host 192.168.0.138 any

access-list HOSH permit ip host 192.168.0.50 any

access-list HOSH permit ip host 192.168.0.126 any

access-list HOSH permit ip host 192.168.0.139 any

access-list HOSH permit ip host 192.168.0.167 any

access-list HOSH permit ip host 192.168.0.247 any

access-list HOSH permit ip host 192.168.0.30 any

access-list HOSH permit ip host 192.168.0.151 any

access-list HOSH permit ip host 192.168.0.207 any

access-list HOSH permit ip host 192.168.0.59 any

access-list HOSH permit ip host 192.168.0.58 any

access-list HOSH permit ip host 192.168.0.173 any

access-list HOSH permit ip host 192.168.0.157 any

access-list HOSH permit ip host 192.168.0.127 any

access-list HOSH permit ip host 192.168.0.159 any

access-list unikom_vpn permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list unikom_nonat permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

pager lines 24

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 212.12.168.230 255.255.255.240

ip address inside 192.168.0.1 255.255.255.0

no ip address intf2

ip audit info action alarm

ip audit attack action alarm

ip local pool hoshanpool 192.168.1.175-192.168.1.189

ip local pool vpnpool1 192.168.1.31-192.168.1.40

pdm history enable

arp timeout 14400

global (outside) 1 212.12.168.232

nat (inside) 0 access-list acl-vpn

nat (inside) 1 access-list HOSH 0 0

static (inside,outside) 212.12.168.237 192.168.0.43 netmask 255.255.255.255 0 0

static (inside,outside) 212.12.168.238 192.168.0.9 netmask 255.255.255.255 0 0

static (inside,outside) 212.12.168.229 192.168.0.6 netmask 255.255.255.255 0 0

static (inside,outside) 212.12.168.231 192.168.0.39 netmask 255.255.255.255 0 0

static (inside,outside) 212.12.168.239 192.168.0.5 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 212.12.168.225 1

route outside 10.205.29.0 255.255.255.0 212.12.168.225 1

route outside 132.0.0.0 255.0.0.0 212.12.168.225 1

route inside 132.1.1.0 255.255.255.0 192.168.0.2 1

route outside 192.168.50.0 255.255.255.0 212.12.168.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 182.71.161.170 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

sysopt ipsec pl-compatible

crypto ipsec transform-set hoshan esp-des esp-md5-hmac

crypto ipsec transform-set fahad esp-des esp-md5-hmac

crypto ipsec transform-set unikom_set esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto dynamic-map hoshan-dyna-map 20 set transform-set hoshan

crypto dynamic-map hoshan-dyna-map 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto map hoshan-rmt-map 10 ipsec-isakmp

crypto map hoshan-rmt-map 10 match address fahad

crypto map hoshan-rmt-map 10 set peer 87.200.189.122

crypto map hoshan-rmt-map 10 set transform-set fahad

crypto map hoshan-rmt-map 10 set security-association lifetime seconds 28800 kilobytes 4608000

crypto map hoshan-rmt-map 20 ipsec-isakmp dynamic hoshan-dyna-map

crypto map hoshan-rmt-map 30 ipsec-isakmp

crypto map hoshan-rmt-map 30 set peer 124.30.19.74

crypto map hoshan-rmt-map 30 set transform-set unikom_set

crypto map hoshan-rmt-map 30 set security-association lifetime seconds 28800 kilobytes 4608000

crypto map hoshan-rmt-map 35 ipsec-isakmp

crypto map hoshan-rmt-map 35 match address unikom_vpn

crypto map hoshan-rmt-map 35 set peer 182.71.161.170

crypto map hoshan-rmt-map 35 set transform-set unikom_set

crypto map hoshan-rmt-map 35 set security-association lifetime seconds 86400 kilobytes 50000

crypto map hoshan-rmt-map interface outside

isakmp enable outside

isakmp key ******** address 87.200.189.122 netmask 255.255.255.255

isakmp key ******** address 124.30.19.74 netmask 255.255.255.255

isakmp key ******** address 182.71.161.170 netmask 255.255.255.255

isakmp identity address

isakmp keepalive 20 40

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 28800

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 25 authentication pre-share

isakmp policy 25 encryption des

isakmp policy 25 hash md5

isakmp policy 25 group 1

isakmp policy 25 lifetime 86400

vpngroup hoshan-users address-pool vpnpool1

vpngroup hoshan-users split-tunnel split

vpngroup hoshan-users idle-time 600

vpngroup hoshan-users password ********

vpngroup hoshanholdingvpn address-pool hoshanpool

vpngroup hoshanholdingvpn dns-server 192.168.0.4 192.168.0.3

vpngroup hoshanholdingvpn wins-server 192.168.0.4 192.168.0.3

vpngroup hoshanholdingvpn split-tunnel split

vpngroup hoshanholdingvpn idle-time 1800

vpngroup hoshanholdingvpn password ********

telnet 212.12.160.0 255.255.224.0 outside

telnet 192.168.0.188 255.255.255.255 inside

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 5

ssh 212.12.160.0 255.255.240.0 outside

ssh 182.71.161.170 255.255.255.255 outside

ssh timeout 5

console timeout 0

vpdn group 1 client configuration address local hoshanpool

terminal width 80

Cryptochecksum:68a814140e97d95c47e342f4581d319d

: end

hhc01#

Reg

Sanjeev
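Before taking captures, the three things a practitioner would verify on a pair like this can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the crypto ACL, crypto map and nat 0 lines copied from the two configurations above (a constructed sample; object-group entries are left out because the checks do not need them) and reports (1) crypto map sequences on one firewall whose ACLs both match a flow but point at different peers, since the lower sequence number wins and the other peer never sees that traffic, (2) crypto ACL entries that the far side does not mirror, and (3) whether the applied nat 0 ACL covers the tunnelled flow. The function and variable names are my own.

```python
"""Sanity checks for a PIX/ASA site-to-site IPsec pair (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the lines relevant to the 172.16.0.0/16 <-> 192.168.0.0/24 tunnel,
# copied from the two configurations posted above (object-group entries left out).
SITE_A_CONFIG = """
access-list outside_80_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside_120_cryptomap extended permit ip 172.16.0.0 255.255.0.0 132.1.1.0 255.255.255.0
access-list outside_120_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set peer 212.12.168.230
crypto map outside_map 120 match address outside_120_cryptomap
crypto map outside_map 120 set peer 88.85.255.1
"""
SITE_B_CONFIG = """
access-list acl-vpn permit ip 192.168.0.0 255.255.255.0 132.0.0.0 255.0.0.0
access-list unikom_vpn permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list unikom_nonat permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list acl-vpn
crypto map hoshan-rmt-map 35 match address unikom_vpn
crypto map hoshan-rmt-map 35 set peer 182.71.161.170
"""

ADDR = r"(host \S+|any|\S+ \S+)"                      # 'host A', 'any' or 'A MASK'
ACL_RE = re.compile(rf"^access-list (\S+) (?:extended )?permit ip {ADDR} {ADDR}$")
MATCH_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map \S+ (\d+) set peer (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def to_network(token):
    """Turn an ACL address token into an ip_network (dotted masks are accepted)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_config(text):
    """Return {'acls': name -> [(src, dst)], 'crypto': seq -> {'acl', 'peer'}, 'nat0': acl name}."""
    cfg = {"acls": defaultdict(list), "crypto": defaultdict(dict), "nat0": None}
    for line in text.strip().splitlines():
        line = line.strip()
        if "object-group" in line:      # group expansion is not needed for these checks
            continue
        if m := ACL_RE.match(line):
            cfg["acls"][m.group(1)].append((to_network(m.group(2)), to_network(m.group(3))))
        elif m := MATCH_RE.match(line):
            cfg["crypto"][int(m.group(1))]["acl"] = m.group(2)
        elif m := PEER_RE.match(line):
            cfg["crypto"][int(m.group(1))]["peer"] = m.group(2)
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
    return cfg


def find_overlapping_entries(cfg):
    """(lower_seq, higher_seq, src, dst) for crypto map entries with different peers whose
    ACLs both match a flow; the lower sequence wins, so the higher peer never sees it."""
    hits, seqs = [], sorted(cfg["crypto"])
    for i, lo in enumerate(seqs):
        for hi in seqs[i + 1:]:
            e1, e2 = cfg["crypto"][lo], cfg["crypto"][hi]
            if e1.get("peer") == e2.get("peer"):
                continue
            for s1, d1 in cfg["acls"].get(e1.get("acl"), []):
                for s2, d2 in cfg["acls"].get(e2.get("acl"), []):
                    if s1.overlaps(s2) and d1.overlaps(d2):
                        hits.append((lo, hi, str(s1), str(d1)))
    return hits


def unmirrored_flows(local, local_seq, remote):
    """Flows in local's crypto ACL for local_seq that no crypto ACL on remote mirrors
    (remote needs dst->src, otherwise the phase 2 proxy IDs will not agree)."""
    local_acl = local["acls"].get(local["crypto"][local_seq]["acl"], [])
    remote_flows = [f for e in remote["crypto"].values() for f in remote["acls"].get(e.get("acl"), [])]
    return [(str(s), str(d)) for s, d in local_acl if (d, s) not in remote_flows]


def nat0_covers(cfg, src, dst):
    """True when the applied nat 0 ACL exempts src->dst from translation."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in cfg["acls"].get(cfg["nat0"], []))


def check_pair(text_a, seq_a, text_b, seq_b, flow_a):
    """Run all three checks for one tunnel; flow_a is (src, dst) as seen from site A."""
    a, b = parse_config(text_a), parse_config(text_b)
    src, dst = flow_a
    return {
        "overlaps_a": find_overlapping_entries(a),
        "overlaps_b": find_overlapping_entries(b),
        "unmirrored_a": unmirrored_flows(a, seq_a, b),
        "unmirrored_b": unmirrored_flows(b, seq_b, a),
        "nat0_a": nat0_covers(a, src, dst),
        "nat0_b": nat0_covers(b, dst, src),
    }


if __name__ == "__main__":
    findings = check_pair(SITE_A_CONFIG, 80, SITE_B_CONFIG, 35, ("172.16.0.0/16", "192.168.0.0/24"))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On the posted lines the checker reports two things: on GOIP-FW-AIRTEL both sequence 80 (peer 212.12.168.230) and sequence 120 (peer 88.85.255.1) match 172.16.0.0/16 to 192.168.0.0/24, so whichever entry is lower takes that flow; and hhc01 applies nat 0 to acl-vpn, which has no 172.16.0.0/16 entry, while unikom_nonat is defined but not applied. The two crypto ACLs mirror each other, so that part is consistent.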

2 Replies

This is the relevant configuration:

PIX:

crypto map hoshan-rmt-map 35 ipsec-isakmp

crypto map hoshan-rmt-map 35 match address unikom_vpn

crypto map hoshan-rmt-map 35 set peer x.x.161.170

crypto map hoshan-rmt-map 35 set transform-set unikom_set

crypto map hoshan-rmt-map 35 set security-association lifetime seconds 86400 kilobytes 50000

!

access-list unikom_vpn permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

!

access-list unikom_nonat permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

!

***********************************

ASA:

crypto map outside_map 80 match address outside_80_cryptomap

crypto map outside_map 80 set peer x.x.168.230

crypto map outside_map 80 set transform-set ESP-DES-MD5

crypto map outside_map 80 set security-association lifetime seconds 86400

crypto map outside_map 80 set security-association lifetime kilobytes 4608000

!

access-list outside_80_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0

!

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0

!

Please do the following:

On the PIX:

access-list inside-cap permit tcp 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list inside-cap permit tcp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0

capture inside-cap interface inside access-list inside-cap

capture drop type asp-drop all

Then try to RDP from 172.16.0.0/16 and do a "show capture inside-cap" and "show capture drop | inc 192.168.0.4"

Let me know.

Portu.

Please rate any helpful posts ;-)

Ok Let's check .

Reg

Sanjeev
