VPN tunnel between ASA5510 and Pix router allows all traffic.

ozguycisco
Level 1

Hi gurus,

We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).

The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a weird problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our Data center.

I was surprised that I could RDP into the server, as well as telnet any other port exposed on this server from the client site. Now as I write this I realize that I did not check whether any of our other data center servers can be reached via the tunnel...

Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether I need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.

I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults I would have to override using that method.

Thanks in advance for any advice or information you can provide.

5 Replies

Jennifer Halim
Cisco Employee

VPN configuration on Check Point is slightly different to ASA/PIX. With Check Point, you would specify the VPN Domain and you can also configure ports to specify the VPN domain.

However, with Cisco devices, typically you would configure network/subnet as the domain that you would like to encrypt.

To block/allow further on a port-specific basis, please configure those in the firewall section.

In your case, you can either configure it at the client's end (PIX) on the inbound interface of the LAN interface, or alternatively, you can configure it on the outbound direction of your server farm interface at the server (ASA) end.

e.g.:

1) permit outbound to the specific ports from client towards the server end.

2) deny outbound from client network towards server network

3) permit any towards the server network

Thanks for your response Jennifer.

I placed an any:any:allservices:deny after the allow entries in the cryptomap, and it seems to work.

access-list wan0_2_cryptomap extended permit tcp 192.168.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_11 log 
access-list wan0_2_cryptomap extended permit udp 192.168.8.0 255.255.255.0 host xxxxx_int object-group SQL_Server_UDP
access-list wan0_2_cryptomap extended permit tcp 192.168.8.0 255.255.255.0 host SFTPserver_int eq ssh
access-list wan0_2_cryptomap extended deny object-group TCPUDP any any object-group All_services

In the GUI it shows a line number within the cryptogroup, but looking at the config I don't see any, so I was not sure which order the rules would be processed. Either way this does seem to work now.

I just need to remember to put in such a deny rule in the future, for other VPN tunnels I create.

Is this what you were recommending Jennifer?

Thanks again,

Alan

No, not quite right...

There are 2 different ACLs: one is applied to the crypto map, i.e. it determines the interesting traffic to be sent across the VPN tunnel, and normally it should just be from the local subnet to the destination subnet.

The second ACL that I was referring to is your Firewall access-list that gets applied to the interfaces.

If you can share your current configuration, maybe it is easier for me to show you what exactly needs to be configured.

Here is the config.

The VPN tunnel rules are in wan0_1_cryptomap:

access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_client3_int object-group SQL_Server
access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_SFTPserver_int eq ssh
access-list wan0_1_cryptomap extended permit udp host 111.22.33.444 host SITE_client3_int object-group SQL_Server_UDP
access-list wan0_1_cryptomap extended deny tcp any any object-group All_services

111.22.33.444 is the IP at the client site we are allowing certain access to.

SITE_client3_int is the internal IP of SQL Server at our data center.

SITE_SFTPserver_int is the internal IP of SFTP Server at our data center.

I'm sorry if this is too much info. I've redacted a ton (and changed/munged external IPs, encrypted passwords, etc.), but tried to keep more rather than less so you have more information:

: Saved
:
ASA Version 8.0(2)
!
hostname pfafw01
domain-name xxxxx.com
enable password asdfbewlrgblkjgb encrypted
names
name 192.168.84.80 catalyst_int
name 192.168.85.0 wlan0_network description Wireless LAN on Cisco AiroNet
name 192.168.84.112 SITE_client2_int
name 192.168.84.111 SITE_client1_int
name 192.168.84.119 SITE_template
name 222.3.444.123 SITE_client3_ext
name 192.168.84.113 SITE_client3_int
name 222.3.444.117 SITE_client2_ext
name client1_FW
name 222.3.444.115 SITE_client1_ext
name 222.3.444.120 SITE_SFTPserver_ext
name 192.168.84.118 SITE_SFTPserver_int
!
interface Ethernet0/0
description Internal 83 Network
nameif Internal
security-level 100
ip address 192.168.83.1 255.255.255.0
!
interface Ethernet0/1
description DMZ Interface
nameif DMZ0
security-level 50
ip address 192.168.84.1 255.255.255.0
!
interface Ethernet0/2
description Wireless LAN 85 network
nameif wlan0
security-level 75
ip address 192.168.85.1 255.255.255.0
!
interface Ethernet0/3
description Internet
duplex full
nameif wan0
security-level 0
ip address 222.3.444.55 255.255.255.224
!
interface Management0/0
description ADSM Interface LAN 192.168.1.X
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd wertqeertyuyert64ert74 encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Internal
dns domain-lookup wlan0
dns domain-lookup wan0
dns server-group DMZ_DNS
name-server openfiler01_dns_dmz
dns server-group DefaultDNS
name-server 4.2.2.1
name-server 4.2.2.2
domain-name comp.com
dns server-group openfiler01
name-server xo_dns_2
name-server 4.2.2.1
name-server xo_dns_1
domain-name comp.com
dns-group openfiler01
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service All_services tcp-udp
description All services
port-object range 1 65535
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_7
network-object 0.0.0.0 0.0.0.0
group-object catalyst_access
object-group network DM_INLINE_NETWORK_8
network-object host xo_dns_2
network-object host xo_dns_1
object-group network consultant_vpn
description consultant 88.X Network
network-object Consultants_VPN_IP_Range 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object host SITE_client1_int
network-object host SITE_client2_int
network-object host SITE_client3_int
network-object host SITE_SFTPserver_int
object-group service SQL_Server tcp
port-object range 1433 1435
object-group network DM_INLINE_NETWORK_2
network-object host SITE_client1_int
network-object host SITE_client2_int
network-object host SITE_client3_int
network-object host SITE_SFTPserver_int
network-object host SITE_template
object-group network DM_INLINE_NETWORK_3
network-object host SITE_client1_int
network-object host SITE_SFTPserver_int
object-group network DM_INLINE_NETWORK_6
network-object host SITE_client1_int
network-object host SITE_SFTPserver_int
object-group network DM_INLINE_NETWORK_9
network-object 192.168.8.0 255.255.255.0
network-object host 111.22.33.444
object-group service SQL_Server_UDP udp
port-object eq 1434
object-group service DM_INLINE_TCP_11 tcp
group-object SQL_Server
port-object eq ssh
access-list wan0_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_20 any object-group All_services
access-list wan0_access_in extended permit object-group DM_INLINE_PROTOCOL_1 wlan0_network 255.255.255.0 any log warnings
access-list wan0_access_in extended permit object-group TCPUDP any wlan0_network 255.255.255.0
access-list wan0_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable
access-list wan0_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host catalyst_ext eq www log
access-list wan0_access_in extended permit tcp any object-group DM_INLINE_NETWORK_5 eq https log warnings
access-list wan0_access_in extended permit tcp any host rapidReport_dev_ext object-group DM_INLINE_TCP_2 log disable
access-list wan0_access_in extended permit tcp object-group DM_INLINE_NETWORK_29 object-group DM_INLINE_NETWORK_26 object-group All_services
access-list company_splitTunnelAcl standard permit 192.168.83.0 255.255.255.0
access-list company_splitTunnelAcl standard permit 192.168.84.0 255.255.255.0
access-list management_nat0_outbound extended permit ip any 192.168.86.2 255.255.255.254
access-list administrators_splitTunnelAcl standard permit any
access-list nonat extended permit ip 192.168.83.0 255.255.255.0 vpn_network 255.255.255.0
access-list nonat extended permit ip 192.168.83.0 255.255.255.0 192.168.84.0 255.255.255.0
access-list nonat extended permit ip 192.168.83.0 255.255.255.0 Consultants_VPN_IP_Range 255.255.255.0
access-list nonat extended permit ip 192.168.83.0 255.255.255.0 wlan0_network 255.255.255.0
access-list nonat extended permit ip object-group DM_INLINE_NETWORK_3 192.168.8.0 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 vpn_network 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 vpn 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 Consultants_VPN_IP_Range 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 wlan0_network 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip host SITE_client3_int host 111.22.33.444
access-list DMZ0_nat0_outbound extended permit ip host SITE_SFTPserver_int object-group DM_INLINE_NETWORK_9
access-list DMZ0_nat0_outbound extended permit ip host SITE_client1_int 192.168.8.0 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 host SITE_client1_int
access-list Internal_access_in extended permit icmp 192.168.83.0 255.255.255.0 any
access-list Internal_access_in extended permit ip any any log disable
access-list Internal_access_in extended permit ip wlan0_network 255.255.255.0 host svnmail_int
access-list Internal_access_in remark Allow consultants VPN access to any .83 device for agile dev.
access-list Internal_access_in extended permit tcp wlan0_network 255.255.255.0 host svnmail_int object-group svn
access-list Internal_access_in extended permit tcp object-group DM_INLINE_NETWORK_24 any object-group DM_INLINE_TCP_3
access-list company_development_splitTunnelAcl standard permit 192.168.84.0 255.255.255.0
access-list DMZ_in extended permit icmp any any
access-list DMZ_in extended permit tcp any any eq https
access-list DMZ_in extended permit tcp any any eq www log disable
access-list DMZ_in extended permit tcp object-group DM_INLINE_NETWORK_12 any object-group DM_INLINE_TCP_10 log warnings
access-list DMZ_in extended permit tcp object-group DM_INLINE_NETWORK_2 any object-group All_services
access-list DMZ_in extended permit tcp object-group DM_INLINE_NETWORK_25 any object-group All_services
access-list capin extended permit icmp any any
access-list company_customer_splitTunnelAcl standard permit 192.168.84.0 255.255.255.0
access-list consultants_splitTunnelAcl standard permit 192.168.83.0 255.255.255.0
access-list DMZ0_nat0_outbound_1 extended permit ip 192.168.84.0 255.255.255.0 wlan0_network 255.255.255.0
access-list wlan0_nat0_outbound extended permit ip wlan0_network 255.255.255.0 192.168.84.0 255.255.255.0
access-list wlan0_nat0_outbound extended permit ip wlan0_network 255.255.255.0 333.4.555.66 255.255.255.224
access-list wlan0_nat0_outbound extended permit ip wlan0_network 255.255.255.0 192.168.83.0 255.255.255.0
access-list wan0_nat0_outbound_1 extended permit ip 222.3.444.55 255.255.255.224 wlan0_network 255.255.255.0
access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_client3_int object-group SQL_Server
access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_SFTPserver_int eq ssh
access-list wan0_1_cryptomap extended permit udp host 111.22.33.444 host SITE_client3_int object-group SQL_Server_UDP
access-list wan0_1_cryptomap extended deny tcp any any object-group All_services
access-list wan0_2_cryptomap extended permit tcp 192.168.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_11 log
access-list wan0_2_cryptomap extended permit udp 192.168.8.0 255.255.255.0 host SITE_client1_int object-group SQL_Server_UDP
access-list wan0_2_cryptomap extended deny object-group TCPUDP any any object-group All_services
pager lines 24
logging enable
logging buffer-size 16384
logging monitor informational
logging buffered warnings
logging asdm warnings
logging mail errors
logging recipient-address achoyna@comp.com level errors
logging class auth mail errors
mtu Internal 1500
mtu DMZ0 1500
mtu wlan0 1500
mtu wan0 1500
mtu management 1500
ip local pool IPSec_IP_DMZ_Pool 192.168.87.2-192.168.87.252 mask 255.255.255.0
ip local pool management 192.168.1.2-192.168.1.10 mask 255.255.255.0
ip local pool IPSec_IP_Pool 192.168.86.2-192.168.86.252 mask 255.255.255.0
ip local pool consultants 192.168.88.2-192.168.88.12 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internal
asdm image disk0:/asdm-603.bin
no asdm history enable
arp wan0 secure.comp.biz_ext 001d.7066.7f61 alias
arp wan0 www.comp.com_dev_ext 001d.7066.7f61 alias
arp wan0 www.comp.com_proxy_ext 001d.7066.7f61 alias
arp wan0 collab.comp.com_ext 001d.7066.7f61 alias
arp timeout 14400
global (wan0) 1 interface
nat (Internal) 0 access-list nonat
nat (Internal) 1 0.0.0.0 0.0.0.0
nat (DMZ0) 0 access-list DMZ0_nat0_outbound
nat (DMZ0) 0 access-list DMZ0_nat0_outbound_1 outside
nat (DMZ0) 1 0.0.0.0 0.0.0.0
nat (wlan0) 0 access-list wlan0_nat0_outbound
nat (wlan0) 1 0.0.0.0 0.0.0.0
nat (wan0) 0 access-list wan0_nat0_outbound_1 outside
nat (wan0) 1 vpn 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
static (wan0,Internal) udp interface domain Openfiler domain netmask 255.255.255.255
static (wan0,DMZ0) udp interface domain openfiler01_dns_dmz domain netmask 255.255.255.255
static (Internal,DMZ0) 192.168.83.0 192.168.83.0 netmask 255.255.255.0
access-group Internal_access_in in interface Internal
access-group DMZ_in in interface DMZ0
access-group wlan0_access_in in interface wlan0
access-group wan0_access_in in interface wan0
route wan0 0.0.0.0 0.0.0.0 444.5.666.77 1
route Internal 192.168.83.0 255.255.255.0 192.168.83.1 1
route DMZ0 192.168.84.0 255.255.255.0 192.168.84.1 1
route wlan0 wlan0_network 255.255.255.0 192.168.85.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authentication secure-http-client
aaa authorization exec authentication-server
http server enable
http 192.168.1.0 255.255.255.0 management
http vpn_network 255.255.255.0 wan0
http vpn_network 255.255.255.0 Internal
http 192.168.83.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-AES-256-SHA ESP-DES-SHA ESP-DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
crypto map wan0_map 1 match address wan0_1_cryptomap
crypto map wan0_map 1 set pfs
crypto map wan0_map 1 set peer 111.22.33.444
crypto map wan0_map 1 set transform-set ESP-AES-256-MD5
crypto map wan0_map 2 match address wan0_2_cryptomap
crypto map wan0_map 2 set pfs
crypto map wan0_map 2 set peer 55.666.77.888
crypto map wan0_map 2 set transform-set ESP-AES-256-MD5
crypto map wan0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan0_map interface wan0
crypto map wlan0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wlan0_map interface wlan0
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn pfafw01.comp.com
email support@comp.com
subject-name CN=compinder Develpment,OU=compinder,O=compinder,C=US,St=IL,L=Philly
keypair pfafw01.comp.key
no client-types
crl configure
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn pfafw01
subject-name CN=pfafw01
serial-number
no client-types
proxy-ldc-issuer
crl configure
crypto ca server
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate map company_Cet_SSL_map 20
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
    578e18e7 e995ca3b e4094e8f 125e7aa7 ac698318 71cee009 23ae2608 31223333
    f396f0ea 29e8f987 d882395e e2cd1f88 225777c4 cd
  quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 31
    ba3fcdf6 fae75665 aed957c1 cd91e4de 5dc24efb 319f37aa 43e4a325 3905cab4
    a7eb6cc6 275f9318 76166470 8985cf6e b2d61b9a b2fcbd7b 46
  quit
crypto isakmp identity address
crypto isakmp enable wlan0
crypto isakmp enable wan0
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 120
telnet 192.168.83.45 255.255.255.255 Internal
telnet timeout 5
ssh scopy enable
ssh 192.168.83.0 255.255.255.0 Internal
ssh 192.168.0.0 255.255.0.0 Internal
ssh vpn_network 255.255.255.0 wan0
ssh timeout 20
ssh version 2
console timeout 0
management-access Internal
dhcpd dns Openfiler xo_dns_2
dhcpd lease 1200
dhcpd domain comp.com
dhcpd option 6 ip Openfiler Openfiler
!
dhcpd address 192.168.83.100-192.168.83.171 Internal
dhcpd dns Openfiler interface Internal
dhcpd domain comp.com interface Internal
dhcpd update dns both interface Internal
dhcpd option 5 ip Openfiler openfiler01_dns_dmz interface Internal
dhcpd option 3 ip 192.168.83.1 interface Internal
dhcpd option 4 ip Openfiler interface Internal
dhcpd enable Internal
!
dhcpd address 192.168.85.2-192.168.85.240 wlan0
dhcpd dns Openfiler interface wlan0
dhcpd wins 192.168.83.77 interface wlan0
dhcpd update dns both interface wlan0
dhcpd option 3 ip 192.168.85.1 interface wlan0
dhcpd option 6 ip openfiler01_dns_dmz interface wlan0
dhcpd option 4 ip Openfiler interface wlan0
dhcpd enable wlan0
!
vpn load-balancing
interface lbpublic DMZ0
interface lbprivate DMZ0
priority-queue wan0
threat-detection basic-threat
threat-detection statistics
!
class-map wan0-class
description RTP VOIP
match rtp 10000 10000
!
!
policy-map wan0-policy-voip
description RTP VOIP
class wan0-class
  priority
policy-map type inspect sip Secure_SIP
description sip policy for securing traffic flow
parameters
  max-forwards-validation action drop log
  state-checking action drop-connection log
  software-version action mask log
  strict-header-validation action drop log
  no traffic-non-sip
  uri-non-sip action mask log
  rtp-conformance enforce-payloadtype
!
service-policy wan0-policy-voip interface wan0
ntp server 64.247.17.254 source wan0 prefer
ntp server 64.34.180.101 source wan0
ntp server 64.202.112.75 source wan0
ntp server 69.93.111.178 source wan0
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point ASDM_TrustPoint1
ssl certificate-authentication interface wan0 port 443
ssl certificate-authentication interface wlan0 port 443
webvpn
enable Internal
enable DMZ0
enable wlan0
enable wan0
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc image disk0:/sslclient-win-1.1.4.176-anyconnect.pkg 2
svc image disk0:/sslclient-win-1.1.4.176.pkg 3
svc enable
tunnel-group-list enable
internal-password enable
certificate-group-map company_Cet_SSL_map 20 compinder
group-policy company_development internal
group-policy company_development attributes
dns-server value 192.168.84.77 192.168.84.250
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelall
default-domain value comp.com
group-policy compinder internal
group-policy compinder attributes
dns-server none
vpn-idle-timeout 120
vpn-session-timeout 600
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value company_splitTunnelAcl
default-domain value comp.com
webvpn
  url-list value PFA_AnyConnect_Bookmark
  svc ask enable
group-policy company_customer internal
group-policy company_customer attributes
wins-server value 192.168.84.77
dns-server value 192.168.84.77 192.168.84.250
vpn-tunnel-protocol IPSec svc webvpn
default-domain value comp.com
webvpn
  svc keep-installer none
group-policy company_split_tunnel internal
group-policy company_split_tunnel attributes
dns-server none
vpn-idle-timeout 120
vpn-session-timeout 600
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value company_splitTunnelAcl
default-domain value comp.com
webvpn
  url-list value PFA_AnyConnect_Bookmark
  svc ask enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy client1 internal
group-policy client1 attributes
vpn-tunnel-protocol IPSec
group-policy consultants internal
group-policy consultants attributes
dns-server none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value consultants_splitTunnelAcl
group-policy client3 internal
group-policy client3 attributes
vpn-tunnel-protocol IPSec
username fffremote password erthetyhetyjry encrypted privilege 15
username cisco password rthertheth encrypted privilege 15
username fffadmin password dfgggeg encrypted privilege 15
username fffadmin attributes
service-type admin
memberof compinder
vpn-group-policy consultants
group-lock value consultants
service-type remote-access
memberof consultants
tunnel-group DefaultRAGroup webvpn-attributes
group-alias customer disable
group-alias comp.com disable
tunnel-group compinder type remote-access
tunnel-group compinder general-attributes
address-pool (wan0) IPSec_IP_Pool
address-pool IPSec_IP_Pool
authentication-server-group (wan0) LOCAL
authentication-server-group (wlan0) LOCAL
authorization-server-group LOCAL
default-group-policy compinder
password-management
tunnel-group compinder webvpn-attributes
group-alias staff.comp.com enable
tunnel-group compinder ipsec-attributes
pre-shared-key *
tunnel-group company_customer type remote-access
tunnel-group company_customer general-attributes
address-pool IPSec_IP_DMZ_Pool
authentication-server-group (DMZ0) LOCAL
authorization-server-group LOCAL
default-group-policy company_development
tunnel-group company_customer webvpn-attributes
group-alias customer.comp.com enable
tunnel-group company_customer ipsec-attributes
pre-shared-key *
tunnel-group company_anyconnect type remote-access
tunnel-group company_anyconnect general-attributes
address-pool IPSec_IP_Pool
tunnel-group consultants type remote-access
tunnel-group consultants general-attributes
address-pool consultants
default-group-policy consultants
tunnel-group consultants ipsec-attributes
pre-shared-key *
tunnel-group company_split_tunnel type remote-access
tunnel-group company_split_tunnel general-attributes
address-pool (wan0) IPSec_IP_Pool
address-pool IPSec_IP_Pool
authentication-server-group (wan0) LOCAL
authentication-server-group (wlan0) LOCAL
default-group-policy company_split_tunnel
password-management
tunnel-group company_split_tunnel ipsec-attributes
pre-shared-key *
tunnel-group 111.22.33.444 type ipsec-l2l
tunnel-group 111.22.33.444 ipsec-attributes
pre-shared-key *
tunnel-group 55.666.77.888 type ipsec-l2l
tunnel-group 55.666.77.888 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:f4fghhtjryukiooop9e0b
: end
asdm image disk0:/asdm-603.bin
asdm location SITE_client1_int 255.255.255.255 Internal
asdm location SITE_client2_int 255.255.255.255 Internal
asdm location SITE_client3_int 255.255.255.255 Internal
asdm location client1_FW 255.255.255.255 Internal
asdm location SITE_SFTPserver_int 255.255.255.255 Internal
asdm location SITE_SFTPserver_ext 255.255.255.255 Internal
no asdm history enable

Hi Alan,

You could alternatively create an access list that permits only the traffic you specify and blocks all else from the remote LAN, and apply it to traffic exiting the DMZ0 interface

e.g.

access-list DMZ0_Outbound extended permit tcp host 111.22.33.44 host W.X.Y.Z eq ..  permits the tcp traffic you want
access-list DMZ0_Outbound extended deny ip host 111.22.33.44 any ... denies the remote site any further access
access-list DMZ0_Outbound extended permit ip any any ... permits existing traffic entering the DMZ0 (as it does now)

then apply this access list to the DMZ0 interface but in the OUTBOUND direction

access-group DMZ0_Outbound out interface DMZ0

Regards, Tony
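Putting Jennifer's two-ACL point and Tony's outbound ACL together as one added config fragment (not from the thread, from Cisco, or from Alan's config): it reuses the object names from the posted config, DMZ0_out is a name chosen here, and it assumes the ASA default sysopt connection permit-vpn is in effect and that the PIX end mirrors the crypto ACL entries.

```cisco
! Added example, not from the thread. Object names are Alan's; DMZ0_out is new.
!
! 1) Crypto-map ACLs define interesting traffic only: local host as source,
!    peer side as destination, protocol "ip", no ports and no deny lines.
!    The PIX must carry the mirror image of each entry.
no access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_client3_int object-group SQL_Server
no access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_SFTPserver_int eq ssh
no access-list wan0_1_cryptomap extended permit udp host 111.22.33.444 host SITE_client3_int object-group SQL_Server_UDP
no access-list wan0_1_cryptomap extended deny tcp any any object-group All_services
access-list wan0_1_cryptomap extended permit ip host SITE_client3_int host 111.22.33.444
access-list wan0_1_cryptomap extended permit ip host SITE_SFTPserver_int host 111.22.33.444
no access-list wan0_2_cryptomap extended permit tcp 192.168.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_11 log
no access-list wan0_2_cryptomap extended permit udp 192.168.8.0 255.255.255.0 host SITE_client1_int object-group SQL_Server_UDP
no access-list wan0_2_cryptomap extended deny object-group TCPUDP any any object-group All_services
access-list wan0_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_6 192.168.8.0 255.255.255.0
! "crypto map wan0_map 1/2 match address ..." already points at these ACL
! names, and DMZ0_nat0_outbound already exempts these host pairs from NAT.
!
! 2) Port filtering lives on the interface ACL, applied "out" on DMZ0: that
!    is traffic leaving the ASA towards the DMZ hosts, which is where the
!    decrypted tunnel traffic goes. With the default sysopt connection
!    permit-vpn, decrypted traffic bypasses the inbound ACL on wan0, so
!    wan0_access_in never sees it; the outbound ACL on DMZ0 does.
access-list DMZ0_out extended permit tcp host 111.22.33.444 host SITE_client3_int object-group SQL_Server
access-list DMZ0_out extended permit udp host 111.22.33.444 host SITE_client3_int object-group SQL_Server_UDP
access-list DMZ0_out extended permit tcp host 111.22.33.444 host SITE_SFTPserver_int eq ssh
! Explicit, logged deny for the first peer: the RDP and telnet attempts from
! the top of the thread now show up as drops in the syslog/ASDM log.
access-list DMZ0_out extended deny ip host 111.22.33.444 any log
! Same pattern for the second tunnel (192.168.8.0/24).
access-list DMZ0_out extended permit tcp 192.168.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_11
access-list DMZ0_out extended permit udp 192.168.8.0 255.255.255.0 host SITE_client1_int object-group SQL_Server_UDP
access-list DMZ0_out extended deny ip 192.168.8.0 255.255.255.0 any log
! Everything else leaving towards DMZ0 keeps working exactly as today.
access-list DMZ0_out extended permit ip any any
access-group DMZ0_out out interface DMZ0
!
! 3) Tear down the existing IPsec SAs so the new proxy identities are
!    negotiated, then verify.
clear crypto ipsec sa peer 111.22.33.444
clear crypto ipsec sa peer 55.666.77.888
! show crypto ipsec sa peer 111.22.33.444  -> local/remote ident should be the
!                                            host pair with proto/port 0/0
! show access-list DMZ0_out                -> hit counts on the deny lines
```

Applying DMZ0_out also affects the other traffic that exits DMZ0 (Internal and remote-access users reaching the DMZ), which is why the trailing permit ip any any is kept.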