Site to Site IPSec NAT reverse path failure

it
Level 1

I am getting the following error on my ASA 5505:

Feb 14 2013 | 10:17:14 | 305013 | 10.2.0.82 | 389 | Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.1.0.141/14830 dst inside:10.2.0.82/389 denied due to NAT reverse path failure

It shows that my LDAP traffic is not crossing properly.

I know that this means my NAT policies are set up incorrectly. I am looking for some opinions on how to best set up the NAT for the VPN traffic, with 10.1.0.0/22 being the main site (ASA 5510) and 10.2.0.0/22 being the remote site. The errors are showing up on the remote site (ASA 5505).

Here is a look at my config on the ASA 5505. The output of show nat is listed at the end.

ASA Version 8.2(2)

interface Vlan10

description Internet facing interface

nameif outside

security-level 0

ip address dhcp

!

interface Vlan20

description Internal Network facing interface

nameif inside

security-level 100

ip address 10.2.0.1 255.255.252.0

!

interface Vlan30

description For the DMZ


no forward interface Vlan20

nameif dmz

security-level 25

no ip address

!

interface Ethernet0/0

description outside interface

switchport access vlan 10

!

interface Ethernet0/1

description inside interface

switchport access vlan 20

!

interface Ethernet0/2

description dmz interface

switchport access vlan 30

shutdown

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

domain-name kensington.org

object-group network DM_INLINE_NETWORK_1

network-object 10.1.0.0 255.255.252.0

network-object 172.16.2.0 255.255.255.0

access-list match-icmp-acl remark Match all ICMP traffic

access-list match-icmp-acl extended permit icmp any any inactive

access-list match-client-udp-acl remark Match all Client based UDP traffic

access-list match-client-udp-acl extended permit udp any any inactive

access-list match-client-tcp-acl remark Match all Client based TCP traffic

access-list match-client-tcp-acl extended permit tcp any any inactive

access-list inside_access_in remark Allow anything

access-list inside_access_in extended permit ip 10.2.0.0 255.255.252.0 any

access-list inside_access_in remark Clean up rule for logging

access-list inside_access_in extended deny ip any any


access-list outside_access_in remark Clean up rule for logging

access-list outside_access_in extended deny ip any any inactive

access-list outside_access_in extended permit ip host 10.2.0.1 any inactive

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 object-group DM_INLINE_NETWORK_1

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.8.0.0 255.255.255.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.100.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 any

access-list outside_cryptomap extended permit ip host *Remote Site Public IP* host *Main Site Public IP*

access-list jrsvpn-splittun-acl standard permit 10.1.0.0 255.255.252.0

access-list jrsvpn-splittun-acl standard permit 10.7.0.0 255.255.255.0

access-list jrsvpn-splittun-acl standard permit 10.2.0.0 255.255.252.0

access-list jrsvpn-splittun-acl standard permit 10.8.0.0 255.255.255.0

access-list jrsvpn-splittun-acl standard permit 172.16.0.0 255.255.252.0

pager lines 24

logging enable

logging timestamp

logging buffer-size 65535

logging asdm-buffer-size 512

logging monitor debugging

logging buffered debugging

logging trap notifications

logging asdm notifications

logging queue 2048


mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface dmz

ip audit name attack attack action alarm

ip audit name info info action alarm

ip audit interface outside info

ip audit interface outside attack

ip audit interface inside info

ip audit interface inside attack

ip audit interface dmz info

ip audit interface dmz attack

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 10.2.0.0 255.255.252.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 *ISP Gateway* 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

And here is the show nat output:

Orion-FW1# show nat

NAT policies on Interface inside:

  match ip inside 10.2.0.0 255.255.252.0 outside any

    dynamic translation to pool 10 (166.150.232.106 [Interface PAT])

    translate_hits = 105177, untranslate_hits = 11034

  match ip inside 10.2.0.0 255.255.252.0 inside any

    dynamic translation to pool 10 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip inside 10.2.0.0 255.255.252.0 dmz any

    dynamic translation to pool 10 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip inside 10.2.0.0 255.255.252.0 _internal_loopback any

    dynamic translation to pool 10 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Any help would be greatly appreciated!                            
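Added example, not part of the original post: before touching the NAT rules it helps to see exactly which flows the ASA is rejecting. The script below pulls the %ASA-5-305013 "NAT reverse path failure" messages out of syslog text and tallies them per flow. The sample log lines are constructed to match the messages quoted in this thread (the 302013 line is filler showing that unrelated messages are ignored); 198.51.100.7 and 203.0.113.10 are documentation addresses, not addresses from the thread.

```python
"""Added example: tally ASA %ASA-5-305013 NAT reverse path failure denials
per flow so the affected src/dst pairs can be read off before the NAT
configuration is changed. Sample input is constructed."""
import re
from collections import Counter

# Constructed sample in the syslog form the ASA emits (ASDM shows the same
# fields as columns). Addresses follow the thread; 198.51.100.7 and
# 203.0.113.10 are documentation-range placeholders.
SAMPLE_LOG = """\
Feb 14 2013 10:17:14: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.1.0.141/14830 dst inside:10.2.0.82/389 denied due to NAT reverse path failure
Feb 14 2013 10:17:15: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.1.0.141/14831 dst inside:10.2.0.82/389 denied due to NAT reverse path failure
Feb 15 2013 08:29:36: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.2.0.1 dst inside:10.2.0.82 (type 3, code 4) denied due to NAT reverse path failure
Feb 14 2013 10:17:20: %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.2.0.90/51000 (203.0.113.10/51000)
"""

# Ports are optional (ICMP has none); ICMP denials carry a (type, code) pair.
RPF_DENIAL = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? "
    r"denied due to NAT reverse path failure"
)


def parse_rpf_denials(log_text):
    """Return one dict of named fields per 305013 line; other lines are skipped."""
    return [m.groupdict() for m in map(RPF_DENIAL.search, log_text.splitlines()) if m]


def tally_flows(records):
    """Count denials per (proto, src_if, src_ip, dst_if, dst_ip, dst_port).
    Source ports are left out so retries of the same connection collapse."""
    return Counter(
        (r["proto"], r["src_if"], r["src_ip"], r["dst_if"], r["dst_ip"], r["dst_port"])
        for r in records
    )


def summarize(log_text):
    """Human-readable lines, most frequent flow first. The message means the
    reverse flow (dst -> src) matched a different NAT rule than the forward
    flow, so the hint names the reverse flow to look up in 'show nat'."""
    lines = []
    flows = tally_flows(parse_rpf_denials(log_text)).most_common()
    for (proto, src_if, src_ip, dst_if, dst_ip, dst_port), n in flows:
        dst = f"{dst_ip}/{dst_port}" if dst_port else dst_ip
        hint = f"  <- look up reverse flow {dst_ip} -> {src_ip} in show nat"
        lines.append(f"{n:4d}x {proto} {src_if}:{src_ip} -> {dst_if}:{dst}{hint}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Feed it the buffered log (for example the output of show logging saved to a file) and the top line is the flow to fix first; in the thread's case that is the main-site LDAP client reaching the remote-site domain controller on port 389.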

21 Replies

Jouni Forss
VIP Alumni

Hi,

I can't see any NAT0 configuration in the above configuration.

If you are planning on initiating connections from each site to the other then NAT0 would be the best and most typical choice.

In your case if you configure NAT0 for the above situation it would look like this

access-list INSIDE-NAT0 permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

nat (inside) 0 access-list INSIDE-NAT0

Naturally your other sites ASA would have the mirror version of this.

- Jouni

Thank you so much! That worked perfectly. I had to get rid of my existing Dynamic NAT policy that I was using for all web traffic, so as of right now I can't get out to the internet. I can remote into the Domain Controller, and when I try to ping www.google.com I get the following error:

4 | Feb 14 2013 | 12:36:37 | 400014 | 10.2.0.82 | 74.125.225.5

IDS:2004 ICMP echo request from 10.2.0.82 to 74.125.225.5 on interface inside

I realize that this may require me to post another question. Please let me know if I should do so and what section you think I should post it in.

My traffic from my inside network to external is being stopped by IDS. I assume I need another rule to properly NAT all internet traffic. Or is this where a split tunnel would come in use, and I would separate all internet and VPN traffic that way? What would be best practice?

Here is an updated look at my config. I did notice that "nat (inside) 0 access-list INSIDE-NAT0" did not show up in the config. I went to configure terminal and pasted "nat (inside) 0 access-list INSIDE-NAT0"; is that an effective way to set that configuration?

clock summer-time EDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

domain-name kensington.org

object-group network DM_INLINE_NETWORK_1

network-object 10.1.0.0 255.255.252.0

network-object 172.16.2.0 255.255.255.0

access-list match-icmp-acl remark Match all ICMP traffic

access-list match-icmp-acl extended permit icmp any any inactive

access-list match-client-udp-acl remark Match all Client based UDP traffic

access-list match-client-udp-acl extended permit udp any any inactive

access-list match-client-tcp-acl remark Match all Client based TCP traffic

access-list match-client-tcp-acl extended permit tcp any any inactive

access-list inside_access_in remark Allow anything

access-list inside_access_in extended permit ip 10.2.0.0 255.255.252.0 any

access-list inside_access_in remark Clean up rule for logging

access-list inside_access_in extended deny ip any any

access-list outside_access_in remark Clean up rule for logging

access-list outside_access_in extended deny ip any any inactive

access-list outside_access_in extended permit ip host 10.2.0.1 any inactive

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 object-group DM_INLINE_NETWORK_1

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.8.0.0 255.255.255.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.100.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 any

access-list outside_cryptomap extended permit ip host *Remote Site Public IP* host *Main Site Public IP*

access-list jrsvpn-splittun-acl standard permit 10.1.0.0 255.255.252.0

access-list jrsvpn-splittun-acl standard permit 10.7.0.0 255.255.255.0

access-list jrsvpn-splittun-acl standard permit 10.2.0.0 255.255.252.0

access-list jrsvpn-splittun-acl standard permit 10.8.0.0 255.255.255.0

access-list jrsvpn-splittun-acl standard permit 172.16.0.0 255.255.252.0

access-list inside_nat0 extended permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

pager lines 24

logging enable

logging timestamp

logging buffer-size 65535

logging asdm-buffer-size 512

logging monitor debugging

logging buffered debugging

logging trap notifications

logging asdm notifications

logging queue 2048

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface dmz

ip audit name attack attack action alarm

ip audit name info info action alarm

ip audit interface outside info

ip audit interface outside attack

ip audit interface inside info

ip audit interface inside attack

ip audit interface dmz info

ip audit interface dmz attack

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

asdm history enable

arp timeout 14400

global (outside) 10 interface

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

Message was edited by: Mike Kraut

Hi,

It seems also that your "cryptomap" ACL (that defines what traffic is tunneled to the L2L VPN) is configured with the destination address "any". This will mean that ANY connection initiated from the local LAN network will be forwarded to the L2L VPN connection and therefore to the other site. This includes all traffic that is heading to the Internet.

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 object-group DM_INLINE_NETWORK_1

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.8.0.0 255.255.255.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.100.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 any

On the above ACL the last line (the one with destination "any") is what makes all traffic get forwarded to the L2L VPN.

So is this something you need to have in place or could the users use the local Internet connection? Or are you specifically forwarding all traffic to the other site so they go through some sort of filtering?

If you were to remove the bolded line from the cryptomap ACL then you would need these configurations to both enable L2L VPN traffic and Internet traffic through the local Internet connection of the ASA

access-list INSIDE-NAT0 permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

nat (inside) 0 access-list INSIDE-NAT0

global (outside) 10 interface

nat (inside) 10 10.2.0.0 255.255.252.0

The most common setup with L2L VPN connections (that I run into) is to forward ONLY traffic between the local and remote site LAN/DMZ networks. Internet traffic is very, very rarely forwarded to the other site.

If you have found the information helpful, please rate the answers. Also, if some answer answers your question, can you mark the question as answered?

Naturally ask more if I missed something or there is something else that needs looking into.

- Jouni
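Added example, not part of the thread and not Cisco code: a small Python model of the two points Jouni makes above, the NAT exemption from the first reply and the crypto ACL "any" line from this one. It evaluates a flow against a crypto-map ACL, a nat 0 exemption ACL and a dynamic interface PAT rule using the one piece of ASA 8.2 ordering this thread depends on (a nat 0 exemption wins over dynamic NAT) and compares the three states the remote ASA went through: the original config, the config with dynamic NAT removed, and the config Jouni proposes. The public address 203.0.113.10 and the Internet host 198.51.100.7 are constructed placeholders. The crypto ACL is evaluated against the inside address, the way an admin reads the ACL; the model does not reproduce the ASA's full packet-processing order.

```python
"""Added example: model how an ASA 8.2 classifies a flow against a crypto
ACL, a nat 0 exemption and a dynamic PAT rule, to show why inbound VPN
connections hit 305013 without NAT0 and why a crypto ACL line with
destination "any" pulls Internet traffic into the tunnel."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def in_net(ip: str, net: str) -> bool:
    """ACL-style match: "any" matches everything, otherwise CIDR containment."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class Ace:
    """One permit line of an extended ACL (src and dst as CIDR or "any")."""
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return in_net(src, self.src) and in_net(dst, self.dst)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First-match evaluation; the ACLs in this thread contain only permits."""
    return any(ace.matches(src, dst) for ace in acl)


@dataclass
class RemoteAsa:
    outside_ip: str                                  # address used for interface PAT
    dynamic_nat: Optional[str]                       # nat (inside) 10 <network>, or None
    crypto_acl: List[Ace] = field(default_factory=list)  # crypto map match address
    nat0_acl: List[Ace] = field(default_factory=list)    # nat (inside) 0 access-list

    def translated_source(self, src: str, dst: str) -> str:
        """Source address after NAT for an inside -> outside flow.
        nat 0 exemption is checked first; dynamic NAT PATs to the interface."""
        if acl_permits(self.nat0_acl, src, dst):
            return src
        if self.dynamic_nat and in_net(src, self.dynamic_nat):
            return self.outside_ip
        return src

    def outbound(self, src: str, dst: str) -> Tuple[bool, str]:
        """(is_tunneled, source_seen_by_peer) for an inside-initiated flow."""
        return acl_permits(self.crypto_acl, src, dst), self.translated_source(src, dst)

    def inbound_allowed(self, outside_src: str, inside_dst: str) -> bool:
        """Connection initiated from outside (e.g. the main site) to an inside
        host. The forward flow addresses the real inside IP, so the reverse
        flow must not be translated; if it would be, the NAT rules for the two
        directions are asymmetric and the ASA denies it (305013)."""
        return self.translated_source(inside_dst, outside_src) == inside_dst


LAN, MAIN, PUBLIC_IP = "10.2.0.0/22", "10.1.0.0/22", "203.0.113.10"  # constructed public IP

# Original config: dynamic PAT only, crypto ACL ends with "permit ip 10.2.0.0/22 any".
BEFORE = RemoteAsa(PUBLIC_IP, LAN, crypto_acl=[Ace(LAN, MAIN), Ace(LAN, "any")])
# After adding NAT0 but dropping dynamic NAT: VPN works, Internet traffic is tunneled untranslated.
MIDDLE = RemoteAsa(PUBLIC_IP, None, crypto_acl=[Ace(LAN, MAIN), Ace(LAN, "any")],
                   nat0_acl=[Ace(LAN, MAIN)])
# Jouni's proposal: NAT0 for LAN<->MAIN, dynamic PAT for the rest, no "any" crypto line.
AFTER = RemoteAsa(PUBLIC_IP, LAN, crypto_acl=[Ace(LAN, MAIN)], nat0_acl=[Ace(LAN, MAIN)])


def report(asa: RemoteAsa) -> dict:
    """Three flows from the thread: main-site LDAP client -> remote DC,
    remote LAN -> main site, remote LAN -> an Internet host (constructed)."""
    return {
        "ldap_from_main_site": asa.inbound_allowed("10.1.0.141", "10.2.0.82"),
        "lan_to_main_site": asa.outbound("10.2.0.82", "10.1.0.85"),
        "lan_to_internet": asa.outbound("10.2.0.82", "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, asa in (("before", BEFORE), ("middle", MIDDLE), ("after", AFTER)):
        print(name, report(asa))
```

In the "before" state the inbound LDAP connection is denied and everything, Internet included, is tunneled with a PAT'd source; in the "middle" state the VPN works but Internet traffic still goes into the tunnel with its private source address, which is the state the OP reported after removing dynamic NAT; in the "after" state only LAN-to-main-site traffic is exempt and tunneled, and Internet traffic is PAT'd out of the local interface.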

Hey Jouni,

Thanks again for all the help. The problem is I am actually back to the problem I was trying to solve in the first place (which was not listed in my original post). After making the changes you suggested I do have internet traffic flowing again; however, now I am having connection issues to servers on the remote site. For example, RDP sessions will prompt for a password but just result in a black screen. My Active Directory sites won't sync over the VPN, etc. These are the errors I get in my ASA's log.

5 | Feb 15 2013 | 08:29:36 | 305013 | 10.2.0.82
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.2.0.1 dst inside:10.2.0.82 (type 3, code 4) denied due to NAT reverse path failure

4 | Feb 15 2013 | 08:30:05 | 400011 | 10.2.0.1 | 10.2.0.82
IDS:2001 ICMP unreachable from 10.2.0.1 to 10.2.0.82 on interface outside

Now obviously all my 10.1.0.0/22 traffic is being NAT'd and showing up as 10.2.0.1.

I assume that the ASA thinks traffic is being spoofed and is blocking outside traffic since it is coming as 10.2.0.1 (the inside network address)

How can we maintain the VPN traffic as 10.1.0.0/22? A NAT exemption? Or am I not even on the right track with that thought?

Thanks for helping me learn, as I am inexperienced in this area.

Hi,

I think the easiest way for me to approach this problem at this point would be to look through both sites configurations. After this I could confirm with you how the L2L VPN setup should be and finally try to provide the configurations needed to correct the situation.

If I suggest something now and I don't see the big picture (the whole configuration), we might again end up in a situation where something doesn't work.

- Jouni

ASA Version 8.2(2)

!

hostname Orion-FW1

domain-name

names

name *Remote Site Public IP Gateway* outside-network description outside-network

!

interface Vlan10

description Internet facing interface

nameif outside

security-level 0

ip address dhcp

!

interface Vlan20

description Internal Network facing interface

nameif inside

security-level 100

ip address 10.2.0.1 255.255.252.0

!

interface Vlan30

description For the DMZ


no forward interface Vlan20

nameif dmz

security-level 25

no ip address

!

interface Ethernet0/0

description outside interface

switchport access vlan 10

!

interface Ethernet0/1

description inside interface

switchport access vlan 20

!

interface Ethernet0/2

description dmz interface

switchport access vlan 30

shutdown

!

interface Ethernet0/3

description Unassigned interface

switchport access vlan 999

shutdown

!

interface Ethernet0/4


description Unassigned interface

switchport access vlan 999

shutdown

!

interface Ethernet0/5

description Unassigned interface

switchport access vlan 999

shutdown

!

interface Ethernet0/6

description Unassigned interface

switchport access vlan 999

shutdown

!

interface Ethernet0/7

description Wireless Access Point

switchport access vlan 20

!

banner motd  ____________________________________________________________________________

banner motd |                                                                            |

banner motd | Use of this Network is restricted to authorized users.  User activity is   |

banner motd | Monitored and recorded by system personnel.  Anyone using the Network      |

banner motd | expressly consents to such monitoring and recording.  BE ADVISED, if       |

banner motd | possible criminal activity is detected, system records, along with certain |


banner motd | personal information, may be provided to law enforcement officials.        |

banner motd |____________________________________________________________________________|

banner motd

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

domain-name kensington.org

object-group network DM_INLINE_NETWORK_1

network-object 10.1.0.0 255.255.252.0

network-object 172.16.2.0 255.255.255.0

access-list match-icmp-acl remark Match all ICMP traffic

access-list match-icmp-acl extended permit icmp any any inactive

access-list match-client-udp-acl remark Match all Client based UDP traffic

access-list match-client-udp-acl extended permit udp any any inactive

access-list match-client-tcp-acl remark Match all Client based TCP traffic

access-list match-client-tcp-acl extended permit tcp any any inactive

access-list inside_access_in remark Allow anything

access-list inside_access_in extended permit ip 10.2.0.0 255.255.252.0 any

access-list inside_access_in remark Clean up rule for logging

access-list inside_access_in extended deny ip any any

access-list outside_access_in remark Clean up rule for logging

access-list outside_access_in extended deny ip any any inactive

access-list outside_access_in extended permit ip host 10.2.0.1 any inactive

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 object-group DM_INLINE_NETWORK_1

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.8.0.0 255.255.255.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.100.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip host *Remote Site Public IP* host *Main Site Public IP*

access-list INSIDE-NAT0 extended permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

access-list jrsvpn-splittun-acl standard permit 10.1.0.0 255.255.252.0

access-list jrsvpn-splittun-acl standard permit 10.7.0.0 255.255.255.0

access-list jrsvpn-splittun-acl standard permit 10.2.0.0 255.255.252.0

access-list jrsvpn-splittun-acl standard permit 10.8.0.0 255.255.255.0

access-list jrsvpn-splittun-acl standard permit 172.16.0.0 255.255.252.0

pager lines 24

logging enable

logging timestamp

logging buffer-size 65535

logging asdm-buffer-size 512

logging monitor debugging

logging buffered debugging

logging trap notifications

logging asdm notifications

logging queue 2048

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface dmz

ip audit name attack attack action alarm

ip audit name info info action alarm

ip audit interface outside info

ip audit interface outside attack

ip audit interface inside info

ip audit interface inside attack

ip audit interface dmz info

ip audit interface dmz attack

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list INSIDE-NAT0

nat (inside) 10 10.2.0.0 255.255.252.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 *.*.*.105 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http *.*.*.192 255.255.255.224 outside

http 10.1.0.0 255.255.252.0 inside

http 0.0.0.0 0.0.0.0 inside

snmp-server location

snmp-server contact IT

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

sysopt connection preserve-vpn-flows

service resetinbound interface inside

service resetinbound interface dmz

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map2 1 match address outside_cryptomap

crypto map outside_map2 1 set pfs group5

crypto map outside_map2 1 set peer *Main Site Public IP*

crypto map outside_map2 1 set transform-set ESP-AES-256-SHA

crypto map outside_map2 interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp disconnect-notify

telnet timeout 5

ssh timeout 15

ssh version 2

console timeout 15

management-access inside

dhcp-client client-id interface outside

dhcpd dns 10.2.0.85 10.1.0.82

dhcpd lease 86400

dhcpd domain kensington.org

!

dhcpd address 10.2.0.100-10.2.0.200 inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 128.10.252.9

ntp server 10.1.0.85 source inside prefer

ntp server 128.10.252.10

ssl trust-point orion-FW1-outside outside

ssl trust-point orion-FW1-inside inside

webvpn

group-policy jrsvpn internal

group-policy jrsvpn attributes

vpn-tunnel-protocol IPSec

group-policy Site_to_Site_Policy internal

group-policy Site_to_Site_Policy attributes

vpn-idle-timeout 60

vpn-tunnel-protocol IPSec svc

tunnel-group *Main Site Public IP* type ipsec-l2l

tunnel-group *Main Site Public IP* general-attributes

default-group-policy Site_to_Site_Policy

tunnel-group *Main Site Public IP* ipsec-attributes

pre-shared-key *****

!

class-map match-client-udp-cm

description Classify Client based UDP traffic

match access-list match-client-udp-acl

class-map match-icmp-cm

description Classify ICMP Traffic

match access-list match-icmp-acl

class-map inspection_default

match default-inspection-traffic

class-map match-client-tcp-cm

description Classify Client based TCP traffic

match access-list match-client-tcp-acl

class-map type regex match-any match-im-cm

match regex _default_aim-messenger

match regex _default_yahoo-messenger

match regex _default_GoToMyPC-tunnel

match regex _default_gator

match regex _default_firethru-tunnel_2

match regex _default_firethru-tunnel_1

match regex _default_msn-messenger

match regex _default_x-kazaa-network

match regex _default_GoToMyPC-tunnel_2

match regex _default_icy-metadata

match regex _default_gnu-http-tunnel_uri

match regex _default_httport-tunnel

match regex _default_windows-media-player-tunnel

match regex _default_gnu-http-tunnel_arg

match regex _default_http-tunnel

match regex _default_shoutcast-tunneling-protocol

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map inside_policy

class match-client-udp-cm

  set connection per-client-max 100

class match-client-tcp-cm

  set connection per-client-max 100 per-client-embryonic-max 50

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect http

  inspect icmp

  inspect icmp error

  inspect ipsec-pass-thru

  inspect pptp

  inspect snmp

  inspect ip-options

class match-icmp-cm

  police input 180000 1000

policy-map type inspect im log-im-pm

parameters

match service chat conference file-transfer games voice-chat webcam

  log

match protocol msn-im yahoo-im

  log

match version regex class match-im-cm

  log

!

service-policy global_policy global

service-policy inside_policy interface inside

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

: end

Orion-FW1# show nat

NAT policies on Interface inside:

  match ip inside 10.2.0.0 255.255.252.0 outside 10.1.0.0 255.255.252.0

    NAT exempt

    translate_hits = 34959, untranslate_hits = 8718

  match ip inside 10.2.0.0 255.255.252.0 inside 10.1.0.0 255.255.252.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip inside 10.2.0.0 255.255.252.0 dmz 10.1.0.0 255.255.252.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip inside 10.2.0.0 255.255.252.0 _internal_loopback 10.1.0.0 255.255.252.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip inside 10.2.0.0 255.255.252.0 outside any

    dynamic translation to pool 10 (*Remote Site Public IP* [Interface PAT])

    translate_hits = 19144, untranslate_hits = 3170

  match ip inside 10.2.0.0 255.255.252.0 inside any

    dynamic translation to pool 10 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip inside 10.2.0.0 255.255.252.0 dmz any

    dynamic translation to pool 10 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip inside 10.2.0.0 255.255.252.0 _internal_loopback any

    dynamic translation to pool 10 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Main Site Config

ASA Version 8.4(2)

!

hostname Troy-FW1

domain-name Kensington.org

no names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address *Main Site Public IP* 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.1.0.1 255.255.248.0

!

interface Ethernet0/2

nameif perimeter

security-level 50


ip address 172.16.1.1 255.255.255.240

!

interface Ethernet0/3

nameif tmgdmz

security-level 25

ip address 172.16.2.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

!

time-range All-services

periodic Saturday 16:30 to 19:30

periodic Sunday 8:00 to 14:00

periodic Wednesday 17:30 to 21:45

!

time-range Business-hours

periodic weekdays 7:00 to 18:00

!

time-range Saturday-service

periodic Saturday 16:30 to 19:30


!

time-range Sunday-services

periodic Sunday 8:00 to 14:00

!

time-range Wednesday-service

periodic Wednesday 17:30 to 21:45

!

banner exec conf t

boot system disk0:/asa842-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns domain-lookup perimeter

dns domain-lookup tmgdmz

dns domain-lookup management

dns server-group DefaultDNS

domain-name Kensington.org

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 object obj-10.100.0.0

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.1.0 255.255.255.240

access-list inside_nat0_outbound remark Exempt traffic from Troy facility to Warehouse

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 10.7.0.0 255.255.255.0

access-list inside_nat0_outbound remark Exempt traffic from Troy facility to TMGDMZ

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.2.0 255.255.255.0

access-list inside_nat0_outbound remark Exempt traffic from Troy facility to Orlando

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 10.8.0.0 255.255.255.0

access-list inside_nat0_outbound remark Exempt Traffic from Main facility to Remote Site Orion

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 10.2.0.0 255.255.252.0

access-list kccvpn_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0

access-list inside_out remark Pandora

access-list inside_out extended permit object-group Web_Services 10.1.0.0 255.255.252.0 object ExchangeOA inactive

access-list inside_out extended deny ip any object-group DM_INLINE_NETWORK_1 inactive

access-list inside_out extended permit ip object-group DM_INLINE_NETWORK_8 object TMG-OWAListener

access-list inside_out remark Patch Desktop to streambox

access-list inside_out extended permit tcp host 10.1.0.206 object obj-172.16.1.7 eq 4899

access-list inside_out extended deny ip any object-group Blackberry-Internet-Service

access-list inside_out remark Deny FTP during service times so as not to disturb streaming feed.

access-list inside_out extended permit tcp host 10.1.0.54 object Troy-TMG eq 3389

access-list inside_out extended deny tcp any any object-group DM_INLINE_TCP_19 time-range All-services inactive

access-list inside_out remark block SSH

access-list inside_out remark added 11/16/08

access-list inside_out extended deny tcp any any eq ssh

access-list inside_out extended permit object-group TCPUDP any host *.*.*.208 eq www

access-list inside_out extended permit tcp host 10.1.0.140 any eq smtp

access-list inside_out extended permit tcp host 10.1.0.141 any eq smtp

access-list inside_out extended permit tcp host 10.1.0.142 any eq smtp

access-list inside_out extended permit tcp host 10.1.0.58 any eq smtp

access-list inside_out remark Greg to send email

access-list inside_out extended permit tcp host 10.1.0.202 any object-group DM_INLINE_TCP_10

access-list inside_out remark Greg to send email

access-list inside_out extended permit tcp host 10.1.0.203 any object-group DM_INLINE_TCP_32

access-list inside_out extended deny ip any 172.16.1.0 255.255.255.240

access-list inside_out extended permit object-group Web_Services object-group DM_INLINE_NETWORK_7 object Troy-TMG inactive

access-list inside_out extended permit tcp object-group DM_INLINE_NETWORK_9 object TMG-LyncListener object-group LyncPublish

access-list inside_out remark Block outbound SMTP from any other sources.

access-list inside_out extended deny tcp any any object-group DM_INLINE_TCP_7

access-list inside_out remark Block battle.net traffic

access-list inside_out extended deny object-group TCPUDP any any eq 6112

access-list inside_out extended permit icmp any any

access-list inside_out remark Block Secure POP3 (SSL-POP)

access-list inside_out remark Block POP3;

access-list inside_out extended deny tcp any any object-group DM_INLINE_TCP_54

access-list inside_out remark Block Secure IMAP (IMAP4-SSL)

access-list inside_out remark Block IMAP4 over SSL

access-list inside_out remark Block IMAP4

access-list inside_out remark Changed to Permit 9/21/12 by MK - Testing to see if network can

access-list inside_out remark handle the added traffic

access-list inside_out remark and for the convience of Mac users such as Tyler.

access-list inside_out extended permit tcp any any object-group DM_INLINE_TCP_56

access-list inside_out remark Allow DNS queries from DNS Servers (Domain Controllers)

access-list inside_out remark DNS Queries -> UDP

access-list inside_out remark DNS Zone Transfers -> TCP

access-list inside_out extended permit object-group TCPUDP object-group DomainControllers any eq domain

access-list inside_out remark Block DNS queries from all other sources

access-list inside_out remark DNS Queries -> UDP

access-list inside_out remark DNS Zone Transfers -> TCP

access-list inside_out extended deny object-group TCPUDP any any eq domain

access-list inside_out remark Allow time sync from Troy-DC2 to tick.usno.navy.mil

access-list inside_out extended permit udp object-group DomainControllers object-group External-Time-Sources eq ntp

access-list inside_out remark Block time sync from any other sources

access-list inside_out extended deny udp any any object-group DM_INLINE_UDP_2

access-list inside_out remark allow troy-scom and troy-email2 access to Microsoft Update site

access-list inside_out extended permit ip object-group DM_INLINE_NETWORK_2 object-group Windows-Update

access-list inside_out remark block all other machines from getting to Microsoft Update site

access-list inside_out extended deny ip any object-group Windows-Update inactive

access-list inside_out extended permit object-group DM_INLINE_SERVICE_8 any object Troy-Lionserver

access-list inside_out extended deny ip any 172.16.2.0 255.255.255.0 inactive

access-list inside_out extended permit ip any any

access-list inside_out extended permit ip 10.8.0.0 255.255.255.0 any inactive

access-list perimeter_access_in extended permit object-group DM_INLINE_SERVICE_1 object obj-172.16.1.7 any

access-list perimeter_access_in extended permit object-group DM_INLINE_SERVICE_5 object Outside-LyncEdge any

access-list perimeter_access_in extended permit ip object DirectAccess any

access-list perimeter_access_in extended permit ip object Outside-LyncEdge any inactive

access-list perimeter_access_in remark video encoder

access-list perimeter_access_in extended permit udp object Streambox any eq 1770 time-range All-services inactive

access-list perimeter_access_in extended deny ip any 10.1.0.0 255.255.252.0

access-list perimeter_access_in remark From Lync to world

access-list perimeter_access_in remark www.microsoft.com

access-list perimeter_access_in remark www.update.microsoft.com

access-list perimeter_access_in remark www.update.microsoft.com

access-list perimeter_access_in remark whole subnet

access-list perimeter_access_in remark whole subnet

access-list perimeter_access_in remark whole subnet

access-list perimeter_access_in remark whole subnet

access-list perimeter_access_in remark whole subnet

access-list perimeter_access_in remark whole subnet

access-list perimeter_access_in remark whole subnet

access-list perimeter_access_in remark whole subnet

access-list outside-10-whse-fw1-cm extended permit ip 10.1.0.0 255.255.252.0 10.7.0.0 255.255.255.0

access-list outside-10-whse-fw1-cm extended permit ip any 10.7.0.0 255.255.255.0

access-list outside-10-whse-fw1-cm extended permit ip host *Main Site Public IP* host *.57

access-list jrsvpn-splittun-acl standard permit 10.1.0.0 255.255.252.0

access-list jrsvpn-splittun-acl standard permit 172.16.0.0 255.255.252.0

access-list jrsvpn-splittun-acl standard permit 10.7.0.0 255.255.255.0

access-list jrsvpn-splittun-acl standard permit 10.8.0.0 255.255.255.0

access-list jrsvpn-splittun-acl standard permit 10.2.0.0 255.255.252.0

access-list tmgdmz_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 object obj-10.100.0.0

access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_11 10.8.0.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip host *Main Site Public IP* host *.146

access-list outside_nat0_outbound remark Exempt VPN traffic to remote sites

access-list outside_nat0_outbound extended permit ip object obj-10.100.0.0 10.7.0.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip 10.7.0.0 255.255.255.0 object obj-10.100.0.0

access-list outside_nat0_outbound extended permit ip object obj-10.100.0.0 10.8.0.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip 10.8.0.0 255.255.255.0 object obj-10.100.0.0

access-list outside_nat0_outbound remark Exempt VPN Traffic to remote sites

access-list outside_nat0_outbound extended permit ip object obj-10.100.0.0 10.2.0.0 255.255.252.0

access-list outside_nat0_outbound extended permit ip 10.2.0.0 255.255.252.0 object obj-10.100.0.0

access-list outside-1-orion-fw1-cm extended permit ip 10.1.0.0 255.255.252.0 10.2.0.0 255.255.252.0

access-list outside-1-orion-fw1-cm extended permit ip any 10.2.0.0 255.255.252.0

access-list outside-1-orion-fw1-cm extended permit ip host *Main Site Public IP* host *.254 inactive

access-list outside-1-orion-fw1-cm extended permit ip host *Main Site Public IP* host *Remote Site Public IP*

access-list outside-1-orion-fw1-cm extended permit ip object obj-10.100.0.0 10.2.0.0 255.255.252.0

access-list INTERNET extended permit tcp any object troy-wordpress eq www

access-list INTERNET extended permit tcp any object EMSClient object-group DM_INLINE_TCP_35

access-list INTERNET extended permit tcp any object VirtualEMS object-group DM_INLINE_TCP_34

access-list INTERNET extended permit tcp any object Troy-LiveService object-group DM_INLINE_TCP_33

access-list INTERNET extended permit tcp any object Troy-GiftCards object-group DM_INLINE_TCP_0

access-list INTERNET extended permit tcp any object Troy-VideoFTP eq www

access-list INTERNET extended permit udp any object WirelessController object-group CiscoWirelessController

access-list INTERNET extended permit object-group DM_INLINE_SERVICE_7 any object Troy-Lionserver

access-list INTERNET extended permit tcp any object Troy-Lync2 eq sip inactive

access-list INTERNET extended permit object-group Web_Services host *Main Site Public IP* 10.1.0.0 255.255.248.0 inactive

access-list INTERNET remark Block Torrents

access-list INTERNET extended deny object-group TCPUDP any any object-group Torrents

access-list INTERNET extended permit udp any object Troy-Lync2 object-group SIPTrunkMedia inactive

access-list INTERNET extended permit icmp any any time-exceeded

access-list INTERNET extended permit icmp any any unreachable

access-list INTERNET extended permit gre any any

access-list INTERNET extended deny object-group TCPUDP object-group Blackberry-Internet-Service any

access-list INTERNET extended permit tcp any host 10.1.0.72 object-group DM_INLINE_TCP_36

access-list INTERNET extended permit tcp any host 10.1.0.88 object-group DM_INLINE_TCP_5

access-list INTERNET extended permit icmp any any

access-list INTERNET extended permit tcp any object obj-172.16.1.7 object-group DM_INLINE_TCP_31

access-list INTERNET extended permit object-group WorldCast_Services any object obj-172.16.1.7

access-list INTERNET extended permit object-group DM_INLINE_SERVICE_3 any object Streambox time-range All-services inactive

access-list INTERNET extended permit tcp any host 10.1.0.54 eq https

access-list INTERNET extended permit object-group DM_INLINE_SERVICE_9 any object ExchangeOA

access-list INTERNET extended permit tcp object-group Internet-To-Arena object Troy-TMG

access-list INTERNET extended permit object-group Web_Services any object Troy-TMG

access-list INTERNET extended permit object-group Web_Services any object TMG-OWAListener

access-list INTERNET extended permit tcp any object ExchangeOA eq smtp inactive

access-list INTERNET extended permit tcp any object DirectAccess eq https

access-list INTERNET extended permit tcp any object TMG-LyncListener object-group DM_INLINE_TCP_2

access-list INTERNET extended permit tcp object-group AppRiver object ExchangeOA eq smtp

access-list INTERNET extended permit object-group DM_INLINE_SERVICE_4 any object Lifesize

access-list INTERNET extended deny ip any object Lifesize

access-list INTERNET extended permit object-group DM_INLINE_SERVICE_6 any object Outside-LyncEdge

access-list INTERNET extended permit object-group DM_INLINE_SERVICE_0 any host 10.1.0.104

access-list INTERNET extended permit tcp object-group DM_INLINE_NETWORK_13 object Troy-Lync2 eq sip

access-list INTERNET extended permit tcp object-group DM_INLINE_NETWORK_12 object Troy-Lync1 eq sip

access-list INTERNET extended permit udp object-group DM_INLINE_NETWORK_3 object Troy-Lync2 object-group SIPTrunkMedia

access-list INTERNET extended permit udp object-group DM_INLINE_NETWORK_4 object Troy-Lync1 object-group SIPTrunkMedia

access-list tmgdmz_access_in extended permit udp object Troy-TMG object-group TMG-Inside-System-Access eq domain

access-list tmgdmz_access_in extended permit udp object TMG-OWAListener object-group TMG-Inside-System-Access eq domain

access-list tmgdmz_access_in extended permit udp object ExchangeOA object-group TMG-Inside-System-Access eq domain

access-list tmgdmz_access_in extended permit object-group Arena-Services object Troy-TMG object-group Arena

access-list tmgdmz_access_in extended permit object-group Arena-Services object Troy-TMG object-group DM_INLINE_NETWORK_5

access-list tmgdmz_access_in extended permit object-group Arena-Services object Troy-TMG host 10.1.0.127 inactive

access-list tmgdmz_access_in extended permit object-group Arena-Services object TMG-OWAListener object-group DM_INLINE_NETWORK_6

access-list tmgdmz_access_in extended permit tcp object TMG-OWAListener host 10.1.0.138 eq smtp inactive

access-list tmgdmz_access_in extended permit tcp object Troy-TMG object-group DM_INLINE_NETWORK_10 object-group LyncPublish

access-list tmgdmz_access_in extended permit tcp object ExchangeOA host 10.1.0.121 object-group LyncPublish inactive

access-list tmgdmz_access_in extended permit ip object Troy-TMG object-group Arena inactive

access-list tmgdmz_access_in extended permit tcp object Troy-TMG object Troy-Email1 eq smtp inactive

access-list tmgdmz_access_in extended permit ip object Troy-TMG object obj-10.100.0.0 inactive

access-list tmgdmz_access_in remark Migration, ACE (line 6) expanded: deny ip any object-group Privates

access-list tmgdmz_access_in extended deny ip any 10.1.0.0 255.255.252.0

access-list tmgdmz_access_in extended permit ip object ExchangeOA any inactive

access-list tmgdmz_access_in extended deny ip any 10.0.0.0 255.0.0.0

access-list tmgdmz_access_in extended deny ip any 172.16.2.0 255.255.255.0

access-list tmgdmz_access_in extended permit ip object TMG-OWAListener any inactive

access-list tmgdmz_access_in extended permit ip object Troy-TMG any

access-list tmgdmz_access_in extended deny ip any 172.16.0.0 255.240.0.0

access-list tmgdmz_access_in extended deny ip any 192.168.0.0 255.255.0.0

access-list tmgdmz_access_in remark Migration: End of expansion

access-list tmgdmz_access_in remark Migration: End of expansion

access-list tmgdmz_access_in extended deny ip any any

access-list tmgdmz_access_in extended permit ip object Troy-TMG object Troy-Admin inactive

access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_14 10.2.0.0 255.255.252.0

access-list outside_cryptomap_2 extended permit ip host *Main Site Public IP* host *Remote Site Public IP*

pager lines 24

logging enable

logging timestamp

logging buffer-size 65535

logging asdm-buffer-size 512

logging monitor debugging

logging buffered debugging

logging asdm notifications

logging from-address

logging device-id hostname

mtu outside 1500

mtu inside 1500

mtu perimeter 1500

mtu tmgdmz 1500

mtu management 1500

ip local pool vpnpool 10.100.0.1-10.100.0.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any echo-reply outside

icmp permit any inside

asdm image disk0:/asdm-645-206.bin

asdm history enable

arp timeout 14400

nat (outside,outside) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup

nat (outside,outside) source static obj-10.7.0.0 obj-10.7.0.0 destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp route-lookup

nat (outside,outside) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-10.8.0.0 obj-10.8.0.0 no-proxy-arp route-lookup

nat (outside,outside) source static obj-10.8.0.0 obj-10.8.0.0 destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp route-lookup

nat (outside,outside) source static obj-10.8.0.0 obj-10.8.0.0 destination static TMG-DMZ TMG-DMZ no-proxy-arp route-lookup

nat (outside,outside) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup

nat (outside,outside) source static obj-10.2.0.0 obj-10.2.0.0 destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp route-lookup

nat (inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp

nat (inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static Permiter Permiter no-proxy-arp

nat (inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp

nat (inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static TMG-DMZ TMG-DMZ no-proxy-arp

nat (inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static ExchangeOA ExchangeOA no-proxy-arp

nat (inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.8.0.0 obj-10.8.0.0 no-proxy-arp

nat (inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp

nat (tmgdmz,outside) source static TMG-DMZ TMG-DMZ destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp route-lookup

nat (tmgdmz,outside) source static TMG-DMZ TMG-DMZ destination static obj-10.8.0.0 obj-10.8.0.0 no-proxy-arp route-lookup

nat (tmgdmz,outside) source static ExchangeOA ExchangeOA destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp route-lookup

nat (tmgdmz,tmgdmz) source static TMG-DMZ TMG-DMZ destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp route-lookup

nat (tmgdmz,tmgdmz) source static ExchangeOA ExchangeOA destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp route-lookup

!

object network obj-10.7.0.0

nat (outside,outside) dynamic *.*.*.222

object network obj-10.8.0.0

nat (outside,outside) dynamic *.*.*.222

object network obj-10.2.0.0

nat (outside,outside) dynamic *.*.*.222

object network obj-10.1.0.0

nat (inside,outside) dynamic *.*.*.222

nat (inside,outside) static *.*.*.202

object network VirtualEMS

nat (inside,outside) static *.*.*.205

object network EMSClient

nat (inside,outside) static *.*.*.206

object network troy-wordpress

nat (inside,outside) static *.*.*.200

access-group INTERNET in interface outside

access-group inside_out in interface inside

access-group perimeter_access_in in interface perimeter

access-group tmgdmz_access_in in interface tmgdmz

route outside 0.0.0.0 0.0.0.0 *.*.*.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server partnerauth protocol radius

aaa-server partnerauth (inside) host 10.1.0.76

key *****

radius-common-pw *****

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

http 192.168.1.0 255.255.255.0 management

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection preserve-vpn-flows

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set kcc-trans esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set kcc-trans

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map dyn-map 20 set security-association lifetime seconds 28800

crypto dynamic-map dyn-map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map dyn-map 20 set reverse-route

crypto map outside_map 2 match address outside_cryptomap_1

crypto map outside_map 2 set pfs group5

crypto map outside_map 2 set peer 71.41.213.146

crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA

crypto map outside_map 2 set ikev2 ipsec-proposal AES256

crypto map outside_map 2 set reverse-route

crypto map outside_map 3 match address outside_cryptomap_2

crypto map outside_map 3 set pfs group5

crypto map outside_map 3 set peer *Remote Site Public IP*

crypto map outside_map 3 set ikev1 transform-set ESP-AES-256-SHA

crypto map outside_map 3 set ikev2 ipsec-proposal AES256

crypto map outside_map 3 set reverse-route

crypto map outside_map 10 match address outside-10-whse-fw1-cm

crypto map outside_map 10 set pfs group5

crypto map outside_map 10 set peer 173.10.38.57

crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA

crypto map outside_map 10 set security-association lifetime seconds 28800

crypto map outside_map 10 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity hostname

crypto isakmp disconnect-notify

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 128.10.252.9

ntp server 10.1.0.85 source inside prefer

ntp server 128.10.252.10

ssl trust-point VPN_Trustpoint outside

webvpn

enable outside

csd image disk0:/vpn/csd_3.4.2048.pkg

anyconnect image disk0:/vpn/anyconnect-win-2.4.0202-k9.pkg 1

anyconnect enable

group-policy DfltGrpPolicy attributes

dns-server value 10.1.0.82 10.1.0.85

default-domain value Kensington.org

group-policy kccvpn internal

group-policy kccvpn attributes

banner value WARNING: This system is restricted solely to Kensington Community Church authorized users for legitimate business purpose only.

banner value

banner value Unauthorized access to this computer system is prohibited, and is subject to criminal and civil penalties. Your session will timeout after 23 hours or 10 minutes of idle activity.

wins-server value 10.1.0.85 10.1.0.82

dns-server value 10.1.0.85 10.1.0.82

vpn-idle-timeout 10

vpn-session-timeout 1440

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value kccvpn_splitTunnelAcl

default-domain value Kensington.org

group-policy kccwebvpn internal

group-policy kccwebvpn attributes

banner value WARNING: This system is restricted solely to Kensington Community Church authorized users for legitimate business purpose only.

banner value

banner value Unauthorized access to this computer system is prohibited, and is subject to criminal and civil penalties. Your session will timeout after 23 hours or 10 minutes of idle activity.

wins-server value 10.1.0.82

dns-server value 10.1.0.82

vpn-idle-timeout 10

vpn-session-timeout 1440

vpn-tunnel-protocol l2tp-ipsec ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value kccvpn_splitTunnelAcl

default-domain value kensington.org

split-dns value kensington.org

address-pools none

webvpn

  anyconnect keep-installer installed

  anyconnect dpd-interval client 30

  anyconnect dpd-interval gateway 30

  anyconnect ask none default anyconnect

group-policy jrsvpn internal

group-policy jrsvpn attributes

wins-server value 10.1.0.82

dns-server value 10.1.0.82

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value jrsvpn-splittun-acl

default-domain value Kensington.org

group-policy Site_to_Site_Policy internal

group-policy Site_to_Site_Policy attributes

vpn-idle-timeout 60

vpn-tunnel-protocol ikev1 ikev2

username FWAdmin password edMvlLvBPfZ1XKUf encrypted privilege 15

tunnel-group kccvpn type remote-access

tunnel-group kccvpn general-attributes

address-pool vpnpool

authentication-server-group partnerauth

default-group-policy kccvpn

tunnel-group kccvpn ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group kccwebvpn type remote-access

tunnel-group kccwebvpn general-attributes

address-pool vpnpool

authentication-server-group partnerauth

default-group-policy kccwebvpn

tunnel-group kccwebvpn webvpn-attributes

group-alias "KCC WebVPN" enable

group-url http://*Main Site Public IP* enable

group-url http://vpn.kensingtonchurch.org enable

group-url https://*Main Site Public IP* enable

group-url https://vpn.kensingtonchurch.org enable

tunnel-group *.*.*.57 type ipsec-l2l

tunnel-group *.*.*.57 general-attributes

default-group-policy Site_to_Site_Policy

tunnel-group *.*.*.57 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group jrsvpn type remote-access

tunnel-group jrsvpn general-attributes

address-pool vpnpool

default-group-policy jrsvpn

tunnel-group jrsvpn ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group *.*.*.146 type ipsec-l2l

tunnel-group *.*.*.146 general-attributes

default-group-policy Site_to_Site_Policy

tunnel-group *.*.*.146 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group *Remote Site Public IP* type ipsec-l2l

tunnel-group *Remote Site Public IP* general-attributes

default-group-policy Site_to_Site_Policy

tunnel-group *Remote Site Public IP* ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ils

  inspect icmp

  inspect pptp

  inspect icmp error

  inspect ip-options

class class-default

  user-statistics accounting

!

service-policy global_policy global

smtp-server 10.1.0.59

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

: end

I know it is a lot; I tried to trim it down as best I can. Please feel free to let me know if I can help make sense of it for you. Our main config has 2 other site-to-sites accessing it, as you can tell in the config.

Hi,

I would need to know the contents of the object-group DM_INLINE_NETWORK_14 on the Main Site as it's part of the L2L VPN configurations. Just to be sure.

- Jouni

object-group network DM_INLINE_NETWORK_14

network-object 10.1.0.0 255.255.252.0

network-object 172.16.2.0 255.255.255.0

Hi,

First off a question about the log messages you posted earlier.

  • Which ASA are they from?
  • What (and how) exactly were you testing to generate those log messages/error?

I find it very weird that we are seeing host addresses that are on the same network as the source and destination.

Now regarding the NAT0 rules and the ACLs that define the L2L VPN traffic:

MAIN SITE ACL

access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_14 10.2.0.0 255.255.252.0

access-list outside_cryptomap_2 extended permit ip host *Main Site Public IP* host *Remote Site Public IP*

REMOTE SITE ACL

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 object-group DM_INLINE_NETWORK_1

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.8.0.0 255.255.255.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.100.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip host *Remote Site Public IP* host *Main Site Public IP*

On the MAIN SITE ACL we can see that it's supposed to tunnel the following traffic

  • MAIN SITE networks 10.1.0.0/22 and 172.16.2.0/24 to REMOTE SITE 10.2.0.0/22
  • MAIN SITE public IP and REMOTE SITE public IP  
    • Is this line used to tunnel REMOTE SITE ASA management connections or what?

    • Otherwise it doesn't seem to be needed. At least for traffic between the actual LAN networks on both sites

Because of the above it would seem to me that the REMOTE SITE ACL should/could be made simpler. The ACL could for example only contain the following lines.

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 10.1.0.0 255.255.252.0

access-list outside_cryptomap extended permit ip 10.2.0.0 255.255.252.0 172.16.2.0 255.255.255.0

access-list outside_cryptomap extended permit ip host *Remote Site Public IP* host *Main Site Public IP*

Also, considering I didn't know about the other MAIN SITE network that the REMOTE SITE needed to reach, you would need this addition to the REMOTE SITE NAT0 ACL

access-list INSIDE-NAT0 extended permit ip 10.2.0.0 255.255.252.0 172.16.2.0 255.255.255.0

Now when I look at the NAT0 configurations on the MAIN SITE I'm not quite sure if it has a NAT0 configuration for the network 172.16.2.0/24 when it needs to reach the REMOTE SITE network of 10.2.0.0/22.

Do the following "objects" contain the said networks?

  • TMG-DMZ = 172.16.2.0/24
  • obj-10.2.0.0 = 10.2.0.0/22

Then it would seem to me that you lack the following configuration which would make it possible for the 2 networks to communicate without NAT

nat (tmgdmz,outside) source static TMG-DMZ TMG-DMZ destination static obj-10.2.0.0 obj-10.2.0.0

In addition to the above I should know what networks/hosts aren't able to communicate with each other at the moment?

- Jouni

  • Which ASA are they from? Orion/Remote ASA 5505 .

  I don't get any errors on the Main ASA

  • What (and how) exactly were you testing to generate those log messages/error?

They generate consistently due to LDAP activity, RDP, as well as a lot of other network activity.

I find it very weird that we are seeing host addresses that are on the same network as the source and destination.

I agree. But this only happens when we add the NAT settings, the same ones you suggested, which I have used before.

On the MAIN SITE ACL we can see that its supposed to tunnel the following traffic

  • MAIN SITE networks 10.1.0.0/22 and 172.16.2.0/24 to REMOTE SITE 10.2.0.0/22
  • MAIN SITE public IP and REMOTE SITE public IP  
    • Is this line used to tunnel REMOTE SITE ASA management connections or what?
    • Otherwise it doesn't seem to be needed. At least for traffic between the actual LAN networks on both sites

The only reason I have it tunneled is because that is how it is set up on the other sites. I thought it added security. However, I can see now that it is probably not needed.


We can ignore the 172. network for now. I am not concerned with it. I am only concerned with communication between the 10.1.0.0/22 and 10.2.0.0/22, which are the two networks that are having trouble communicating over the VPN. They are obviously communicating somewhat, but not well; some traffic is being caught by the IDS.

nat (tmgdmz,outside) source static TMG-DMZ TMG-DMZ destination static obj-10.2.0.0 obj-10.2.0.0 

should this be added to Remote ASA or Main?

Also, wouldn't that be a security risk and allow IP spoofing? Generally you don't want any outside traffic appearing the same as the inside IP.

Before we added the Global NAT setting (which I believe is a Dynamic NAT policy) I would see traffic shown as 10.1.0.0 outside to destination 10.2.0.0 inside. Now that we have the dynamic NAT it is translating the 10.1.0.0 to 10.2.0.0. Can we stop that?

Hi,

Regarding the below NAT configuration I presumed that the TMG-DMZ contains the network 172.16.2.0/24.

nat (tmgdmz,outside) source static TMG-DMZ TMG-DMZ destination static obj-10.2.0.0 obj-10.2.0.0 

In that case this would tell the MAIN SITE ASA (where it's configured) to do the following

  • Do the specified NAT between "tmgdmz" and "outside" interface
  • Do the NAT ONLY WHEN the source network is 172.16.2.0/24 and the destination network is 10.2.0.0/22
  • And in that case DON'T NAT the network specified. This is because the same "object" is entered twice. IF you wanted to actually NAT either of the networks there wouldn't be identical objects used on both "source" and "destination" sections
  • I don't see it as being a security risk as it's the configuration format you simply need for L2L VPNs in some cases.

And also some comments related to the Dynamic PAT translation on the REMOTE SITE.

The below configuration

global (outside) 10 interface

nat (inside) 10 10.2.0.0 255.255.252.0

Only does Dynamic PAT from the "inside" to "outside" at the REMOTE SITE. It does nothing to the traffic from the MAIN SITE to REMOTE SITE. The "nat" configuration line defines the source addresses/interface for the Dynamic PAT. The "global" defines the IP address and destination interface used for the Dynamic PAT.

So this should have absolutely no effect on the L2L VPN traffic coming from MAIN SITE to REMOTE SITE.

The NAT0 configuration we added is again a very basic NAT0 meant to make it possible for the 2 LAN networks to communicate without doing any NAT translations.

Some things I noticed earlier in the MAIN SITE ASA were that there were some NAT configurations that used the "any" interface. I usually tend to avoid using "any" in the NAT configurations as it might lead to some unexpected behaviour.

If we now have doubt as to how the traffic is getting NATed when MAIN SITE connects to REMOTE SITE then we can do a "packet-tracer" test on the MAIN SITE ASA. This will tell us which rules are applied to certain connections.

Here are example "packet-tracer" commands you could issue on the ASAs. This should tell us what rules are applied on each site when they try to initiate connection to the other site.

MAIN SITE

packet-tracer input inside tcp 10.1.0.100 1234 10.2.0.100 3389

REMOTE SITE

packet-tracer input inside tcp 10.2.0.100 1234 10.1.0.100 3389

If you could run the above commands on the CLI of the mentioned ASAs and copy/paste the complete output here.

- Jouni

Main Site

Troy-FW1# r   packet-tracer input inside tcp 10.1.0.100 1234 10.2.0.100 3389

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.2.0.0        255.255.252.0   outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_out in interface inside

access-list inside_out extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp

Additional Information:

Static translate 10.1.0.100/1234 to 10.1.0.100/1234

Phase: 6

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 37872288, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Remote Site

Orion-FW1> ena

Password: *************

Orion-FW1# packet-tracer input inside tcp 10.2.0.100 1234 10.1.0.100 3389

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.2.0.0        255.255.252.0   inside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip 10.2.0.0 255.255.252.0 any

access-list inside_access_in remark Clean up rule for logging

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside 10.2.0.0 255.255.252.0 outside 10.1.0.0 255.255.252.0

    NAT exempt

    translate_hits = 48317, untranslate_hits = 11187

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 10 10.2.0.0 255.255.252.0

  match ip inside 10.2.0.0 255.255.252.0 outside any

    dynamic translation to pool 10 (166.150.232.106 [Interface PAT])

    translate_hits = 36321, untranslate_hits = 5945

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 10 10.2.0.0 255.255.252.0

  match ip inside 10.2.0.0 255.255.252.0 outside any

    dynamic translation to pool 10 (166.150.232.106 [Interface PAT])

    translate_hits = 36321, untranslate_hits = 5945

Additional Information:

Phase: 9

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 13

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 6660883, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Those all pass perfectly fine. So the question now is why do the replies from 10.1.0.1 come back as 10.2.0.1 from the outside interface? Can I stop that by adding the following configuration to the main ASA?

nat (tmgdmz,outside) source static TMG-DMZ TMG-DMZ destination static obj-10.2.0.0 obj-10.2.0.0
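Comparing two long packet-tracer dumps by eye is where mismatches like this get missed, so here is an added Python helper (not from the thread, not Cisco's) that splits packet-tracer output into phases and reports which NAT phase a flow hit and whether it translated the addresses; the sample trace is constructed from the remote-site output above, pager residue included.

```python
# Constructed sample in the layout of the remote-site trace above: the two
# NAT phases plus the final verdict, with a pager prompt left in on purpose.
SAMPLE_TRACE = """\
Phase: 6
Type: NAT-EXEMPT
Result: ALLOW
Config:
  match ip inside 10.2.0.0 255.255.252.0 outside 10.1.0.0 255.255.252.0
    NAT exempt
<--- More --->
Phase: 7
Type: NAT
Result: ALLOW
Config:
nat (inside) 10 10.2.0.0 255.255.252.0
  match ip inside 10.2.0.0 255.255.252.0 outside any
    dynamic translation to pool 10 (166.150.232.106 [Interface PAT])
Result:
Action: allow
"""

def parse_trace(text):
    """Return (phases, verdict): phases as {type, result, config} dicts."""
    phases, cur, in_cfg, verdict = [], None, False, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("<--- More"):
            continue                        # blank lines and pager residue
        if line.startswith("Phase:"):
            cur, in_cfg = {"type": "", "result": "", "config": []}, False
            phases.append(cur)
        elif line.startswith("Action:"):
            verdict = line.split(":", 1)[1].strip()
        elif line == "Result:" or cur is None:
            cur = None                      # trailing summary, not a phase
        elif line.startswith("Config:"):
            in_cfg = True
        elif line.split(":")[0] in ("Type", "Subtype", "Result", "Additional Information"):
            in_cfg, key = False, line.split(":", 1)[0].lower()
            if key in cur:                  # keep Type and Result, skip the rest
                cur[key] = line.split(":", 1)[1].strip()
        elif in_cfg:
            cur["config"].append(line)
    return phases, verdict

def nat_decision(phases):
    """First NAT phase hit; dynamic PAT on L2L VPN traffic is the mismatch."""
    for p in phases:
        if p["type"] in ("NAT-EXEMPT", "NAT"):
            dyn = any("dynamic translation" in c for c in p["config"])
            return p["type"], "dynamic-pat" if dyn else "untranslated"
    return None, "no-nat-phase"
```

Run it over the trace from each side: if one side reports "untranslated" (NAT exempt or an identity static rule) and the other "dynamic-pat" for the same pair of hosts, that is the asymmetry the 305013 message complains about.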