Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1803
Views
0
Helpful
4
Replies

Site 2 Site VPN running but no traffic to the remote network

Go to solution
mentiq-support
Level 1
Level 1

‎02-06-2018 06:45 AM - edited ‎03-12-2019 05:00 AM

Hey there,

 

first lets have a view over my Configuration:

 

Cisco ASA 5506-X

 

2 WAN Interfaces:

16Mbit - Metric 1 - Security Level 0

100Mbit - Metric 2 - Security Level 0

 

Phsyical Interfaces:

DMZ - Security Level 0

 

VLAN Interfaces:

VLAN50 - Sitting on the DMZ Interface - Security Level 50

 

I have created a Site 2 Site VPN with the ASDM Tool and the Tunnel is up and running.

 

I have now 2 Problems:

1. Pings are coming to my Cisco ASA from the remote-Network but the Remote-Network won't get the answer of the Ping, altough i see those Pings in the Real-TimeLog Viewer which means the other side 

 

 

 

2. Doing a Ping from the Cisco ASA or a Host in the VLAN50 to a Host in the Remote-Network doesn't work:

vpn# ping <Remote-IP>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <Remote-IP>, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

 

Where should i start with the Search?

I would have assumed that atleast the Cisco ASA should be successfull in pinging a Host at the other Site but if that won't work my Hosts won't be better in that right?

 

And since the VPN-Tunnel isn't an Interface i can't do a NAT-Rule which sends the Traffic to the Remote-Network over the VPN...

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
willwetherman
Spotlight
Spotlight
In response to mentiq-support

‎02-07-2018 04:22 AM

Hi,

 

I have checked through your config and you are missing the following:

 

nat (VLAN50-,100Mbit) source static VLAN50 VLAN50 destination static -local -local no-proxy-arp route-lookup

 

route 100Mbit 10.106.0.0 255.255.0.0 212.144.124.225 1
route 100Mbit 212.68.101.163 255.255.255.255 212.144.124.225 1

 

I can see that the source network 172.16.50.0/24 is attached to local interface VLAN50- so this interface needs to be referenced in the NAT exempt rule and not VLAN10

 

Also you will need to add static routes for both the VPN peer gateway and remote client network as they are located out of the 100Mbit interface and not the 16Mbit interface which has the active static route.

 

I hope that this helps

 

Will

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎02-06-2018 08:22 PM

Hi

Can you share your config please?

You should look at your crypto acl to tell which traffic is gonna pass through the tunnel, the nat exemption and acls if no sysopt permit vpn configured.
These are the very first steps.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
mentiq-support
Level 1
Level 1
In response to Francesco Molino

‎02-07-2018 01:17 AM - edited ‎02-07-2018 01:54 AM

Hi Francesco,

 

thank you very much for responding to my Thread :)

 

:Last Edit:

Ok so doing a traceroute from the Cisco asa shows me, that the Traffic is going out on the 16Mbit Interface instead of going trough the tunnel... :(

vpn# traceroute 10.106.2.237

Type escape sequence to abort.
Tracing the route to 10.106.2.237

1 213.23.178.17 1 msec 1 msec 1 msec
2 *
188.111.226.253 !A !A

 

I'm feeling more comfortable with the ASDM for configuring but i do know how to run atleast the show commands trough putty - if you need more than those 2 outputs please tell me which commands i should run.

 

"You should look at your crypto acl to tell which traffic is gonna pass through the tunnel, the nat exemption and acls if no sysopt permit vpn configured."

 

In the Site-To-Site Filter for my VPN i selected the VLAN50_access_in and created 2 Rules which allows VLAN 50 to communicate with the Remote-VPN-Network and vice-versa. Traffic is "ip".

 

When i enable the NAT-Excemption for this Site-to-site VPN i get the following command shown:

Spoiler
      nat (VLAN10,100Mbit) 15 source static NETWORK_OBJ_172.16.50.0_24 NETWORK_OBJ_172.16.50.0_24 destination static Remote-VPN-local Remote-VPN-local no-proxy-arp route-lookup

Remote-VPN-local is the Remote-Network from the other side.

 

I have a PBR set up for VLAN10 to go trough the 100Mbit as a default gateway so i don't know why this VLAN10 gets mentioned when doing the NAT-Excempt.

 

Does it make more sense if i replace VLAN10 with VLAN50? I could just enter the command manually.

 

I don't think i have sysopt permit vpn configured and i can't just enter it trough the putty session. 

 

But using this command i will pretty much allow all VPN-Users (Anyconnect and Site-to-site) to reach all Interfaces/Networks on the ASA right?

 

 

I'm gonna put everything under spoilers so that it will be easier to read.

 

 

show crypto ipsec sa 

Spoiler
vpn# show crypto ipsec sa
interface: 100Mbit
Crypto map tag: 100Mbit_map, seq num: 1, local addr: 212.144.124.226

access-list 100Mbit_cryptomap_2 extended permit ip 172.16.50.0 255.255.255.0 10.106.0.0 255.255.0.0
local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.106.0.0/255.255.0.0/0/0)
current_peer: 212.68.101.163


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 212.144.124.226/0, remote crypto endpt.: 212.68.101.163/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 76C8B8F6
current inbound spi : C69BF7D6

inbound esp sas:
spi: 0xC69BF7D6 (3332110294)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 3727360, crypto-map: 100Mbit_map
sa timing: remaining key lifetime (kB/sec): (4374000/2740)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x76C8B8F6 (1992866038)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 3727360, crypto-map: 100Mbit_map
sa timing: remaining key lifetime (kB/sec): (4374000/2740)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

show running-config

Spoiler
vpn# show running-config
: Saved

:
: Serial Number: JAD2050053K
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)
!
hostname vpn
domain-name .com
enable password
names
ip local pool VPN-IP-Pool 192.168.43.200-192.168.43.240 mask 255.255.252.0
ip local pool VPN-IP-Pool-2 172.16.15.1-172.16.15.50 mask 255.255.255.0
ip local pool Shrew-IP-Pool 172.16.16.1-172.16.16.50 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif 100Mbit
security-level 0
ip address 212.144.124.226 255.255.255.248
!
interface GigabitEthernet1/2
description LAN
nameif 16MBit
security-level 0
ip address 213.23.178.18 255.255.255.248
!
interface GigabitEthernet1/3
description LAN
nameif inside-lan
security-level 100
ip address 192.168.40.1 255.255.252.0
dhcprelay server 192.168.40.101
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
nameif WLAN
security-level 0
no ip address
!
interface GigabitEthernet1/7.21
description -Gueste-Wlan
vlan 21
nameif VLAN21
security-level 100
ip address 172.16.21.1 255.255.255.0
policy-route route-map Gaeste-WLAN
!
interface GigabitEthernet1/8
nameif DMZ
security-level 0
no ip address
!
interface GigabitEthernet1/8.10
description -Mgmt
vlan 10
nameif VLAN10
security-level 100
ip address 172.16.10.1 255.255.255.0
policy-route route-map PBR
!
interface GigabitEthernet1/8.11
vlan 11
nameif VLAN11
security-level 100
ip address 172.16.11.1 255.255.255.0
!
interface GigabitEthernet1/8.50
description Test-VLAN für Kunden
vlan 50
nameif VLAN50-
security-level 50
ip address 172.16.50.1 255.255.255.0
!
interface GigabitEthernet1/8.99
vlan 99
nameif VLAN99-DMZ#1
security-level 100
ip address 172.16.99.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
!
time-range Abends
periodic daily 19:00 to 23:59
periodic daily 0:00 to 6:59
!
boot system disk0:/asa971-lfbff-k8.SPA
ftp mode passive
dns domain-lookup 100Mbit
dns domain-lookup 16MBit
dns domain-lookup inside-lan
dns server-group DefaultDNS
name-server 192.168.40.90 inside-lan
name-server 192.168.40.100 inside-lan
domain-name .com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 212.144.124.226
host 212.144.124.226
object network
range 192.168.40.0 192.168.43.255
object network 213.23.178.17
host 213.23.178.17
object network cust4655-1.in.mailcontrol.com
host 85.115.62.190
object network cust4655-2.in.mailcontrol.com
host 85.115.54.190
object network 16Mbit
host 213.23.178.18
object network mekur
host 192.168.40.101
object service smtp
service tcp source eq smtp
object service TelefonanlageBooster
service tcp source eq 8802
object service ftp-data
service tcp source eq ftp-data
object service ftp-control
service tcp source eq ftp
object service https_nat
service tcp source eq https
object service rdp_nat
service tcp source eq 3389
object network www-ext
host 212.144.124.226
object network www-int
host 192.168.40.101
object network OWA
host 192.168.40.101
object network owa
object network Internet-internal
subnet 192.168.40.0 255.255.252.0
object network RDP-Merkur
host 192.168.40.101
object service ssh
service tcp source eq ssh
object service OWA-HTTPS
service tcp source eq https
object network OWA-SERVER
host 192.168.40.101
object network TK-Anlage
host 192.168.40.103
object network FTP-Server
host 192.168.40.110
object network tickets..com-private
host 192.168.40.106
object network NETWORK_OBJ_192.168.43.192_26
subnet 192.168.43.192 255.255.255.192
object network NETWORK_OBJ_192.168.40.0_22
subnet 192.168.40.0 255.255.252.0
object network sonicwall
host 10.0.1.2
object service sonicwall-vpn
service tcp source eq 500
object network VLAN50
subnet 172.16.50.0 255.255.255.0
object network VLAN10NW
subnet 172.16.10.0 255.255.255.0
object network INSIDENW
subnet 192.168.40.0 255.255.252.0
object service vCenter-Appliance-Mgmt
service tcp destination eq 5480
object service UPNP
service udp destination eq 1900
object network VPN_Pool-2
subnet 172.16.15.0 255.255.255.0
object network VPN_Pool
subnet 192.168.40.0 255.255.252.0
object network VPN-PAT-NAT
range 172.16.15.1 172.16.15.250
object network NETWORK_OBJ_172.16.15.0_26
subnet 172.16.15.0 255.255.255.192
object network omd..com
host 172.16.10.60
description Monitoring-Server
object service ipv6tunnel
service 41
description ipv6tunnel
object service 33445
service udp source eq 33445
description Germans Programm
object network obj-192.168.40.106
host 19.168.40.106
object network tickets..com-public
host 213.23.178.19
object network VSHAPENW
subnet 10.0.0.0 255.0.0.0
object network storgrid-private
host 192.168.40.237
object network storgrid-public
host 212.144.124.227
object network Network_OBJ_172.16.16.0_24
subnet 172.16.16.0 255.255.255.0
object service udp500
service udp source eq isakmp destination eq isakmp
object service Active-Directory-Auth
service tcp destination eq 135
object service vSphere-Syslog-Collector-Server
service udp destination eq syslog
object service vcenter-heartbeat-udp
service udp destination eq 902
object service vcenter-heartbeat-tcp
service tcp destination eq 902
object service web-service-http
service tcp destination eq 8080
object service soap-web-services
service tcp destination eq 8090
object service internal-service-diagnostics-sdk
service tcp destination eq 8085
object service internal-service-diagnostics-sdk-tunneling
service tcp destination eq 8089
object service vcsa-sso-token-service
service tcp destination eq 7444
object service https-vcsa
service tcp destination eq 8443
object service vcenter-inventory-service-http
service tcp destination eq 10080
object service svcenter-inventory-service-http
service tcp destination eq 10443
object service vcenter-inventory-service-database
service tcp destination eq 10109
object service vsphere-profile-driven-storage-service-http
service tcp destination eq 21000
object service vsphere-profile-driven-storage-service-https
service tcp destination eq 21100
object service vsphere-syslog-collector-server-ssl
service tcp destination eq 1514
object service network-coredump-server
service udp destination eq 6500
object service auto-deploy-service
service tcp destination eq 6501
object service network-coredump-server-tcp
service tcp destination eq 6500
object service auto-deploy-mgmt
service tcp destination eq 6502
object service vsphere-web-client-http
service tcp destination eq 9090
object service vsphere-web-client-https
service tcp destination eq 9443
object service vcsa-web-user-interface-https
service tcp destination eq 5480
object service vcsa-web-user-interface-cim-service
service tcp destination eq 5489
object service vcenter-server-storage-monitoring-server-http
service tcp destination eq 22000
object service vcenter-server-storage-monitoring-server-https
service tcp destination eq 22100
object service log-browser
service tcp destination eq 12443
object service vcenter-sso-ldap
service tcp destination eq 12443
object service vcenter-sso-directory-services-ldap
service tcp destination eq 11711
object service vcenter-sso-directory-services-ldaps
service tcp destination eq 11712
object service storage-policy-server-http
service tcp destination eq 8190
object service storage-policy-server-https
service tcp destination eq 8191
object service html5-remote-console-for-virtual-machines
service tcp destination eq 7331
object service html5-remote-console-for-virtual-machines-https
service tcp destination eq 7343
object service vSphere-Konsole-MKS
service tcp destination eq 902
object service vSphere-Konsole
service tcp destination eq 903
object service RDP
service tcp source eq 3389
object network VLAN10
subnet 172.16.10.0 255.255.255.0
object service kerberos-sec
service tcp source range 1 65535 destination eq 88
object service kerberos-sec-r
service tcp source eq 88
object service ldap
service tcp destination eq ldap
object service netapp_kerberos
service tcp destination eq 464
object network 212.144.124.228
host 212.144.124.228
object network Neptun
host 192.168.40.98
object network Mars
host 192.168.40.99
object service portmapper
service tcp destination eq sunrpc
object service nfs-data-tcp
service tcp destination eq nfs
object service nfs-data-udp
service udp destination eq nfs
object service portmapper-udp
service udp destination eq sunrpc
object service nfs-mountd-dd
service tcp destination eq 2052
object network 172.16.10.199
host 172.16.10.199
object service 5001
service tcp destination eq 5001
object network owncloud-private
host 172.16.10.79
object service owncloud-4444
service tcp destination eq 4444
object network filecloud..com-public
host 212.144.124.228
object network VLAN21
subnet 172.16.21.0 255.255.255.0
object network VLAN21-WLAN-Guests
range 172.16.10.200 172.16.10.250
object network 172.16.99.0
subnet 172.16.99.0 255.255.255.0
object network public-229
host 212.144.124.229
object network 172.16.99.254
host 172.16.99.254
object service IKE
service udp source eq isakmp
object service NAT-Traversal
service udp source eq 4500
object network 172.16.10.204
host 172.16.10.204
object service 4444
service tcp destination eq 4444
object service any-tcp
service tcp source range 1 65535 destination range 1 65535
description any-regel
object network VLAN50-
subnet 172.16.50.0 255.255.255.0
object network -local
subnet 10.106.0.0 255.255.0.0
description Lokales Netz bei hinter dem VPN
object network NETWORK_OBJ_172.16.50.0_24
subnet 172.16.50.0 255.255.255.0
object-group network mailcontrol
network-object object cust4655-1.in.mailcontrol.com
network-object object cust4655-2.in.mailcontrol.com
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object icmp6
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object icmp
protocol-object icmp6
object-group service vmware-vcsa-services
description Alle Dienste die für die Kommunikation mit der vCenter Appliance
service-object object auto-deploy-mgmt
service-object object auto-deploy-service
service-object object html5-remote-console-for-virtual-machines
service-object object html5-remote-console-for-virtual-machines-https
service-object object https-vcsa
service-object object internal-service-diagnostics-sdk
service-object object internal-service-diagnostics-sdk-tunneling
service-object object log-browser
service-object object network-coredump-server-tcp
service-object object soap-web-services
service-object object ssh
service-object object storage-policy-server-http
service-object object storage-policy-server-https
service-object object svcenter-inventory-service-http
service-object tcp destination eq www
service-object tcp destination eq https
service-object object vSphere-Syslog-Collector-Server
service-object object vcenter-heartbeat-tcp
service-object object vcenter-heartbeat-udp
service-object object vcenter-inventory-service-database
service-object object vcenter-inventory-service-http
service-object object vcenter-server-storage-monitoring-server-http
service-object object vcenter-server-storage-monitoring-server-https
service-object object vcenter-sso-directory-services-ldap
service-object object vcenter-sso-directory-services-ldaps
service-object object vcsa-sso-token-service
service-object object vcsa-web-user-interface-cim-service
service-object object vcsa-web-user-interface-https
service-object object vsphere-profile-driven-storage-service-http
service-object object vsphere-profile-driven-storage-service-https
service-object object vsphere-syslog-collector-server-ssl
service-object object vsphere-web-client-http
service-object object vsphere-web-client-https
service-object object web-service-http
service-object object vSphere-Konsole
service-object object vSphere-Konsole-MKS
service-object object netapp_kerberos
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service ol-ubuntu
description ssh
service-object tcp-udp destination range 27015 27030
service-object tcp destination eq ssh
service-object object 5001
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object Mars
network-object object Neptun
network-object object mekur
object-group network DM_INLINE_NETWORK_2
network-object object Mars
network-object object Neptun
network-object object mekur
object-group network DM_INLINE_NETWORK_3
network-object object Mars
network-object object Neptun
network-object object mekur
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object icmp
protocol-object icmp6
object-group service owncloud-public tcp
description 4444
port-object eq 4444
object-group service Avamar-Client tcp
port-object eq 27000
port-object eq 28001
port-object eq 28002
port-object eq 29000
port-object eq 30001
port-object eq 30002
port-object eq 30003
port-object eq 3008
port-object eq 8105
port-object eq 8109
port-object eq 8181
port-object eq 8444
port-object eq 2051
port-object eq 2052
port-object eq nfs
port-object eq sunrpc
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.40.154
network-object host 192.168.42.143
object-group network DM_INLINE_NETWORK_5
network-object host 192.168.40.154
network-object host 192.168.42.143
access-list OUTSIDE-IN remark Standard Regel um Traffic nach auen zu erlauben
access-list OUTSIDE-IN extended permit ip any any
access-list OUTSIDE-IN remark Traffic der nicht erlaubt ist, wird geloggt
access-list OUTSIDE-IN extended deny ip any any log
access-list 16MBit_access_in extended permit tcp any host 192.168.40.103 eq 8802 log debugging
access-list 16MBit_access_in extended permit tcp any host 192.168.40.106 eq https
access-list 16MBit_access_in extended permit object OWA-HTTPS any4 object tickets..com-private
access-list 16MBit_access_in extended permit tcp host 85.115.54.190 object-group DM_INLINE_NETWORK_1 eq smtp
access-list 16MBit_access_in extended permit tcp host 85.115.62.190 object-group DM_INLINE_NETWORK_2 eq smtp
access-list 16MBit_access_in extended permit tcp object tickets..com-public object tickets..com-private eq https
access-list 16MBit_access_in extended permit tcp any object FTP-Server eq ftp-data
access-list 16MBit_access_in extended permit tcp any object FTP-Server eq ftp
access-list 16MBit_access_in remark Standard Regel um Traffic nach auen zu erlauben
access-list 16MBit_access_in extended permit tcp any object-group DM_INLINE_NETWORK_3 eq https log debugging
access-list 16MBit_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any log
access-list 16MBit_access_in extended permit object ipv6tunnel any any
access-list 16MBit_access_in extended deny ip any any log
access-list 100Mbit_access_in extended permit tcp any4 object 172.16.10.204 eq https
access-list 100Mbit_access_in extended permit object 4444 any4 object 172.16.10.204
access-list 100Mbit_access_in extended permit tcp any4 object owncloud-private eq https
access-list 100Mbit_access_in extended permit tcp any host 172.16.10.79 eq https inactive
access-list 100Mbit_access_in extended permit tcp host 66.133.109.36 host 172.16.10.79 eq https
access-list 100Mbit_access_in extended permit tcp any object FTP-Server eq ftp-data inactive
access-list 100Mbit_access_in extended permit tcp any object FTP-Server eq ftp inactive
access-list 100Mbit_access_in extended permit object TelefonanlageBooster any object TK-Anlage inactive
access-list 100Mbit_access_in remark Standard Regel um Traffic nach auen zu erlauben
access-list 100Mbit_access_in extended permit object smtp object-group mailcontrol object OWA-SERVER inactive
access-list 100Mbit_access_in extended permit tcp any object OWA-SERVER eq https inactive
access-list 100Mbit_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list 100Mbit_access_in extended deny ip any any log
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 8101
access-list split-acl- standard permit 192.168.40.0 255.255.252.0
access-list split-acl- standard permit 172.16.15.0 255.255.255.0
access-list split-acl- standard permit 172.16.10.0 255.255.255.0
access-list VLAN10_access_in extended permit tcp host 172.16.10.221 object-group DM_INLINE_NETWORK_4 object-group Avamar-Client
access-list VLAN10_access_in extended permit tcp host 172.16.10.221 host 192.168.42.143 object-group Avamar-Client
access-list VLAN10_access_in extended permit tcp host 172.16.10.79 192.168.40.0 255.255.252.0 eq https
access-list VLAN10_access_in extended permit tcp host 172.16.10.79 192.168.40.0 255.255.252.0 eq 10065
access-list VLAN10_access_in extended permit tcp host 172.16.10.79 192.168.40.0 255.255.252.0 eq ldap
access-list VLAN10_access_in extended permit tcp host 172.16.10.79 192.168.40.0 255.255.252.0 eq smtp
access-list VLAN10_access_in extended permit tcp host 172.16.10.79 192.168.40.0 255.255.252.0 range 47820 47880
access-list VLAN10_access_in extended permit udp host 172.16.10.79 192.168.40.0 255.255.252.0 eq 88
access-list VLAN10_access_in extended permit udp host 172.16.10.79 192.168.40.0 255.255.252.0 eq ntp
access-list VLAN10_access_in extended permit udp host 172.16.10.79 192.168.40.0 255.255.252.0 eq 389
access-list VLAN10_access_in extended permit tcp any any eq ssh
access-list VLAN10_access_in extended permit ip host 172.16.10.98 any
access-list VLAN10_access_in extended permit object-group TCPUDP host 172.16.10.44 any eq 6556
access-list VLAN10_access_in extended permit tcp host 172.16.10.200 any eq 28080
access-list VLAN10_access_in extended permit tcp host 172.16.10.200 any eq 18080
access-list VLAN10_access_in extended permit object 5001 object 172.16.10.199 any
access-list VLAN10_access_in extended permit ip object 172.16.10.199 any
access-list VLAN10_access_in extended permit object-group TCPUDP host 172.16.10.105 any eq 10001
access-list VLAN10_access_in extended permit udp any any eq snmp
access-list VLAN10_access_in extended permit tcp any any eq 14444
access-list VLAN10_access_in extended permit udp any any eq 88 inactive
access-list VLAN10_access_in extended permit tcp any any eq 8088
access-list VLAN10_access_in extended permit tcp any any eq 8082
access-list VLAN10_access_in extended permit tcp any any eq 445
access-list VLAN10_access_in extended permit tcp any any eq netbios-ssn
access-list VLAN10_access_in extended permit udp any any eq netbios-ns
access-list VLAN10_access_in extended permit udp any4 eq ntp any4 eq ntp
access-list VLAN10_access_in extended permit object-group vmware-vcsa-services any any
access-list VLAN10_access_in extended permit icmp any any log
access-list VLAN10_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list VLAN10_access_in extended permit tcp any any eq ftp
access-list VLAN10_access_in extended permit tcp any any eq https
access-list VLAN10_access_in extended permit object netapp_kerberos any any
access-list VLAN10_access_in extended permit tcp any any eq www
access-list VLAN10_access_in extended permit object RDP any any
access-list VLAN10_access_in extended permit object kerberos-sec any any
access-list VLAN10_access_in extended permit object ldap any any
access-list VLAN10_access_in extended permit object Active-Directory-Auth any any
access-list VLAN10_access_in extended deny ip any any log
access-list inside-lan extended permit icmp any any time-exceeded
access-list inside-lan extended permit icmp any any
access-list inbount extended permit icmp any any unreachable
access-list VLAN10 extended permit icmp any any time-exceeded
access-list VLAN10 extended permit icmp any any unreachable
access-list VLAN10 extended permit icmp any any
access-list local_lan_access standard permit host 0.0.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.40.0 255.255.252.0
access-list vshape_access_in extended permit tcp any any range 1 65535
access-list vshape_access_in extended permit udp any any range 1 65535
access-list vshape_access_in extended deny ip any any log
access-list inside-lan_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 host 172.16.10.221 object-group Avamar-Client
access-list inside-lan_access_in extended permit tcp 172.16.21.0 255.255.255.0 host 192.168.41.166 eq https
access-list inside-lan_access_in extended permit object-group TCPUDP 172.16.21.0 255.255.255.0 host 192.168.41.166 eq 8843
access-list inside-lan_access_in extended permit tcp host 172.16.10.79 any eq https
access-list inside-lan_access_in extended permit tcp host 172.16.10.79 any eq ldap
access-list inside-lan_access_in extended permit tcp host 172.16.10.79 any eq smtp
access-list inside-lan_access_in extended permit object-group TCPUDP host 172.16.10.44 any eq 6556
access-list inside-lan_access_in extended permit ip 172.16.10.0 255.255.255.0 192.168.40.0 255.255.252.0
access-list inside-lan_access_in extended permit object-group DM_INLINE_PROTOCOL_3 192.168.40.0 255.255.252.0 any
access-list inside-lan_access_in extended permit tcp any any eq 8108
access-list inside-lan_access_in extended permit object-group vmware-vcsa-services any any
access-list inside-lan_access_in extended permit object 5001 any any
access-list inside-lan_access_in extended permit tcp any any eq telnet
access-list inside-lan_access_in extended permit tcp any any eq 8082
access-list inside-lan_access_in extended permit tcp any any eq ftp
access-list inside-lan_access_in extended permit ip any any
access-list inside-lan_access_in extended permit object kerberos-sec any any
access-list inside-lan_access_in extended permit object ldap any any
access-list inside-lan_access_in extended permit object netapp_kerberos any any
access-list inside-lan_access_in extended permit object Active-Directory-Auth any any
access-list inside-lan_access_in extended permit udp any any eq netbios-ns
access-list inside-lan_access_in extended permit tcp any any eq nfs log disable
access-list inside-lan_access_in extended permit object portmapper any any
access-list inside-lan_access_in extended permit object nfs-mountd-dd any any
access-list inside-lan_access_in extended permit tcp any any eq 5001
access-list inside-lan_access_in extended deny object any-tcp interface VLAN50- interface inside-lan
access-list VLAN10-ACL extended permit ip 172.16.10.0 255.255.255.0 any
access-list VLAN10-ACL extended permit udp 172.16.10.0 255.255.255.0 any
access-list VLAN10-ACL extended permit tcp 172.16.10.0 255.255.255.0 any
access-list -Guest-WLAN_access_in extended permit tcp any any eq https
access-list -Guest-WLAN_access_in extended permit tcp any any eq www
access-list -Guest-WLAN_access_in extended permit tcp any any eq domain
access-list -Guest-WLAN_access_in extended permit ip any any
access-list -Guest-WLAN_access_in extended permit udp any any eq bootps
access-list -Guest-WLAN_access_in extended permit udp any any eq bootpc
access-list -Guest-WLAN_access_in extended permit icmp any any
access-list -Guest-WLAN_access_in extended permit object ssh any any
access-list -Guest-WLAN_access_in extended permit object IKE any any
access-list -Guest-WLAN_access_in extended permit object NAT-Traversal any any
access-list -Guest-WLAN_access_in extended permit tcp any any eq pop3
access-list -Guest-WLAN_access_in extended permit tcp any any eq imap4
access-list Guest-WLAN standard permit 172.16.21.0 255.255.255.0
access-list VLAN21-ACL extended permit object-group TCPUDP 172.16.21.0 255.255.255.0 any
access-list VLAN21-ACL extended permit udp 172.16.21.0 255.255.255.0 any
access-list VLAN21-ACL extended permit ip 172.16.21.0 255.255.255.0 any
access-list VLAN50- extended permit ip 172.16.50.0 255.255.255.0 any
access-list VLAN50-_access_in extended permit ip 172.16.50.0 255.255.255.0 any log debugging
access-list VLAN50-_access_in extended deny ip any any log debugging
access-list 100Mbit_cryptomap_2 extended permit ip 172.16.50.0 255.255.255.0 object -local
no pager
logging enable
logging asdm informational
logging from-address cisco-asa@.com
logging recipient-address oliver.lis@.com level warnings
mtu 100Mbit 1500
mtu 16MBit 1500
mtu inside-lan 1500
mtu WLAN 1500
mtu VLAN21 1500
mtu DMZ 1500
mtu VLAN10 1500
mtu VLAN11 1500
mtu VLAN50- 1500
mtu VLAN99-DMZ#1 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-771.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside-lan,100Mbit) source static NETWORK_OBJ_192.168.40.0_22 NETWORK_OBJ_192.168.40.0_22 destination static NETWORK_OBJ_172.16.15.0_26 NETWORK_OBJ_172.16.15.0_26 no-proxy-arp route-lookup
nat (inside-lan,16MBit) source static NETWORK_OBJ_192.168.40.0_22 NETWORK_OBJ_192.168.40.0_22 destination static Network_OBJ_172.16.16.0_24 Network_OBJ_172.16.16.0_24 no-proxy-arp route-lookup
nat (inside-lan,16MBit) source static NETWORK_OBJ_192.168.40.0_22 NETWORK_OBJ_192.168.40.0_22 destination static NETWORK_OBJ_172.16.15.0_26 NETWORK_OBJ_172.16.15.0_26 no-proxy-arp route-lookup
nat (inside-lan,16MBit) source static FTP-Server interface service ftp-control ftp-control
nat (inside-lan,16MBit) source static FTP-Server interface service ftp-data ftp-data
nat (inside-lan,16MBit) source static TK-Anlage interface service TelefonanlageBooster TelefonanlageBooster
nat (inside-lan,16MBit) source static Neptun interface service smtp smtp
nat (inside-lan,16MBit) source static Neptun interface service OWA-HTTPS OWA-HTTPS
nat (inside-lan,16MBit) source static Mars interface service smtp smtp
nat (inside-lan,16MBit) source static Mars interface service OWA-HTTPS OWA-HTTPS
nat (inside-lan,16MBit) source static OWA-SERVER interface service smtp smtp inactive
nat (inside-lan,16MBit) source static OWA-SERVER interface service OWA-HTTPS OWA-HTTPS inactive
nat (inside-lan,100Mbit) source static NETWORK_OBJ_192.168.40.0_22 NETWORK_OBJ_192.168.40.0_22 destination static NETWORK_OBJ_192.168.43.192_26 NETWORK_OBJ_192.168.43.192_26 no-proxy-arp route-lookup
nat (inside-lan,VLAN10) source static INSIDENW INSIDENW destination static VLAN10NW VLAN10NW
!
object network Internet-internal
nat (inside-lan,100Mbit) dynamic interface
object network tickets..com-private
nat (inside-lan,16MBit) static tickets..com-public
object network VPN-PAT-NAT
nat (100Mbit,100Mbit) dynamic interface
object network VLAN10
nat (VLAN10,100Mbit) dynamic interface
object network owncloud-private
nat (VLAN10,100Mbit) static filecloud..com-public
object network VLAN21
nat (VLAN21,100Mbit) dynamic interface
object network 172.16.99.0
nat (VLAN99-DMZ#1,100Mbit) dynamic interface
object network 172.16.10.204
nat (VLAN10,100Mbit) static public-229
object network VLAN50-
nat (VLAN50-,100Mbit) dynamic interface
!
nat (VLAN10,16MBit) after-auto source dynamic VLAN10NW interface inactive
nat (inside-lan,16MBit) after-auto source dynamic Internet-internal interface
access-group 100Mbit_access_in in interface 100Mbit
access-group 16MBit_access_in in interface 16MBit
access-group inside-lan_access_in in interface inside-lan
access-group -Guest-WLAN_access_in in interface VLAN21
access-group VLAN10_access_in in interface VLAN10
access-group VLAN50-_access_in in interface VLAN50-
!
route-map Gaeste-WLAN permit 9
match ip address VLAN21-ACL
set ip next-hop 212.144.124.225

!
route-map PBR permit 10
match ip address VLAN10-ACL
set ip next-hop 212.144.124.225

!
route 16MBit 0.0.0.0 0.0.0.0 213.23.178.17 1
route 100Mbit 0.0.0.0 0.0.0.0 212.144.124.225 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server -LDAP protocol ldap
aaa-server -LDAP (inside-lan) host 192.168.40.100
ldap-base-dn DC=,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ciscoasa,OU=admins,OU=User,OU=.COM,DC=,DC=com
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.40.0 255.255.252.0 inside-lan
http 172.16.15.0 255.255.255.0 100Mbit
http 172.16.15.0 255.255.255.0 inside-lan
snmp-server host-group inside-lan poll community *****
snmp-server location og
snmp-server contact ol kd
snmp-server community *****
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map 100Mbit_map 1 match address 100Mbit_cryptomap_2
crypto map 100Mbit_map 1 set pfs
crypto map 100Mbit_map 1 set connection-type answer-only
crypto map 100Mbit_map 1 set peer 212.68.101.163
crypto map 100Mbit_map 1 set ikev1 phase1-mode aggressive
crypto map 100Mbit_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map 100Mbit_map 1 set ikev2 ipsec-proposal AES256
crypto map 100Mbit_map 1 set ikev2 pre-shared-key *****
crypto map 100Mbit_map 1 set reverse-route
crypto map 100Mbit_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map 100Mbit_map interface 100Mbit
crypto map 16MBit_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map 16MBit_map interface 16MBit
crypto ca trustpoint selfsigned
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
email support@.com
subject-name CN=vpn..com
ip-address 212.144.124.226
keypair vpn..com
crl configure
crypto ca trustpoint vpn..com
enrollment terminal
email
subject-name CN=vpn
keypair vpn..com
crl configure
crypto ca trustpoint Thawte-Intermediate
enrollment terminal
crl configure
crypto ca trustpoint Thawte-Intermediate1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain selfsigned
certificate 657dbf58

quit
crypto ca certificate chain ASDM_TrustPoint0
certificate ca 600197b746a7eab4b49ad64b2ff790fb

quit
crypto ca certificate chain vpn..com
certificate 56ef3e67be8252d8a4bbc56c97bfede1

quit
crypto ca certificate chain Thawte-Intermediate
certificate ca 7610128a17b682bb3a1f9d1a9a35c092

quit
crypto ca certificate chain Thawte-Intermediate1
certificate ca 3e23345aed2c0a517b26ded4801d10aa

quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 3600
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable 100Mbit client-services port 443
crypto ikev2 remote-access trustpoint vpn..com
crypto ikev1 enable 100Mbit
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 10
ssh stricthostkeycheck
ssh 192.168.40.0 255.255.252.0 inside-lan
ssh 172.16.15.0 255.255.255.0 inside-lan
ssh timeout 10
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside-lan

dhcpd auto_config 100Mbit
!
dhcpd address 172.16.21.200-172.16.21.250 VLAN21
dhcpd dns 8.8.8.8 interface VLAN21
dhcpd enable VLAN21
!
dhcpd address 172.16.10.200-172.16.10.250 VLAN10
dhcpd dns 8.8.8.8 interface VLAN10
dhcpd enable VLAN10
!
dhcpd address 172.16.50.200-172.16.50.210 VLAN50-
dhcpd dns 172.16.50.1 interface VLAN50-
dhcpd wins 172.16.50.1 interface VLAN50-
dhcpd enable VLAN50-
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point vpn..com 100Mbit
ssl trust-point vpn..com 16MBit
ssl trust-point vpn..com inside-lan
ssl trust-point vpn..com DMZ
ssl trust-point vpn..com VLAN10
ssl trust-point vpn..com VLAN50-
webvpn
enable 100Mbit
enable 16MBit
anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 2
anyconnect profiles -100Mbit_client_profile disk0:/-100Mbit_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.40.100 192.168.40.150
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value .com
group-policy CB-GP internal
group-policy CB-GP attributes
dns-server value 192.168.40.100 192.168.40.90
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl-
default-domain value .com
split-dns value .com
split-tunnel-all-dns disable
backup-servers 213.23.178.18
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_-100Mbit internal
group-policy GroupPolicy_-100Mbit attributes
wins-server none
dns-server value 192.168.40.100 192.168.40.90
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl-
default-domain value .com
split-dns value .com
split-tunnel-all-dns disable
webvpn
anyconnect profiles value -100Mbit_client_profile type user
group-policy GroupPolicy_212.68.101.163 internal
group-policy GroupPolicy_212.68.101.163 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
username admin password encrypted privilege 15
username password pbkdf2 privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-IP-Pool-2
authentication-server-group -LDAP
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
tunnel-group -100Mbit type remote-access
tunnel-group -100Mbit general-attributes
address-pool VPN-IP-Pool-2
authentication-server-group -LDAP
default-group-policy GroupPolicy_-100Mbit
tunnel-group -100Mbit webvpn-attributes
group-alias -100Mbit enable
tunnel-group CB type remote-access
tunnel-group CB general-attributes
address-pool VPN-IP-Pool-2
authentication-server-group -LDAP
default-group-policy CB-GP
tunnel-group CB ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
tunnel-group 212.68.101.163 type ipsec-l2l
tunnel-group 212.68.101.163 general-attributes
default-group-policy GroupPolicy_212.68.101.163
tunnel-group 212.68.101.163 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class class-default
set connection decrement-ttl
user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.40.101
prompt hostname context
service call-home
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:bef99d49d1ebaffe83e99ebf10c5be45
: end
vpn#

 

0 Helpful

Go to solution
willwetherman
Spotlight
Spotlight
In response to mentiq-support

‎02-07-2018 04:22 AM

Hi,

 

I have checked through your config and you are missing the following:

 

nat (VLAN50-,100Mbit) source static VLAN50 VLAN50 destination static -local -local no-proxy-arp route-lookup

 

route 100Mbit 10.106.0.0 255.255.0.0 212.144.124.225 1
route 100Mbit 212.68.101.163 255.255.255.255 212.144.124.225 1

 

I can see that the source network 172.16.50.0/24 is attached to local interface VLAN50- so this interface needs to be referenced in the NAT exempt rule and not VLAN10

 

Also you will need to add static routes for both the VPN peer gateway and remote client network as they are located out of the 100Mbit interface and not the 16Mbit interface which has the active static route.

 

I hope that this helps

 

Will

0 Helpful

Go to solution
mentiq-support
Level 1
Level 1
In response to willwetherman

‎02-07-2018 05:47 AM

Many thx for this solution!

Too bad that the Site-To-Site Wizard doesn't create those Rules automatically (I've been working with sophos gateways before which are way easier to configure) but now i can connect to the other side which helps me a lot!

0 Helpful
Customers Also Viewed These Support Documents