10-02-2011 08:16 PM
Hi gurus,
We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a weird problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our data center.
I was surprised that I could RDP into the server, as well as telnet to any other port exposed on this server from the client site. Now as I write this I realize that I did not check whether any of our other data center servers can be reached via the tunnel...
Not having set up many VPN tunnels before using ASA (only Checkpoint to Checkpoint before this), I'm wondering whether I need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults I would have to override using that method.
Thanks in advance for any advice or information you can provide.
10-02-2011 08:51 PM
VPN configuration on Check Point is slightly different to ASA/PIX. With Check Point, you would specify the VPN Domain and you can also configure ports to specify the VPN domain.
However, with Cisco devices, typically you would configure network/subnet as the domain that you would like to encrypt.
To block/allow further on port specific, please configure those on the firewall section.
In your case, you can either configure it at the client's end (PIX) on the inbound interface of the LAN interface, or alternatively, you can configure it on the outbound direction of your server farm interface at the server (ASA) end.
eg:
1) permit outbound to the specific ports from client towards the server end.
2) deny outbound from client network towards server network
3) permit any towards the server network
10-04-2011 07:48 PM
Thanks for your response Jennifer.
I placed an any:any:allservices:deny after the allow entries in the cryptomap, and it seems to work.
access-list wan0_2_cryptomap extended permit tcp 192.168.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_11 log
access-list wan0_2_cryptomap extended permit udp 192.168.8.0 255.255.255.0 host xxxxx_int object-group SQL_Server_UDP
access-list wan0_2_cryptomap extended permit tcp 192.168.8.0 255.255.255.0 host SFTPserver_int eq ssh
access-list wan0_2_cryptomap extended deny object-group TCPUDP any any object-group All_services
In the GUI it shows a line number within the cryptogroup, but looking at the config I don't see any, so I was not sure which order the rules would be processed. Either way this does seem to work now.
I just need to remember to put in such a deny rule in the future, for other VPN tunnels I create.
Is this what you were recommending Jennifer?
Thanks again,
Alan
10-05-2011 05:53 AM
No, not quite right...
There are two different ACLs. One is applied to the crypto map, i.e. it determines the interesting traffic to be sent across the VPN tunnel, and normally it should just be from the IP of the local subnet to the destination subnet.
The second ACL that I was referring to is your Firewall access-list that gets applied to the interfaces.
If you can share your current configuration, maybe it is easier for me to show you what exactly needs to be configured.
10-05-2011 10:33 AM
Here is the config.
The VPN tunnel rules are in wan0_1_cryptomap:
access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_client3_int object-group SQL_Server
access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_SFTPserver_int eq ssh
access-list wan0_1_cryptomap extended permit udp host 111.22.33.444 host SITE_client3_int object-group SQL_Server_UDP
access-list wan0_1_cryptomap extended deny tcp any any object-group All_services
111.22.33.444 is the IP at the client site we are allowing certain access to.
SITE_client3_int is the internal IP of SQL Server at our data center.
SITE_SFTPserver_int is the internal IP of SFTP Server at our data center.
I'm sorry if this is too much info. I've redacted a ton (and changed/munged external IPs, encrypted passwords, etc.), but tried to keep more rather than less so you have more information:
: Saved
:
ASA Version 8.0(2)
!
hostname pfafw01
domain-name xxxxx.com
enable password asdfbewlrgblkjgb encrypted
names
name 192.168.84.80 catalyst_int
name 192.168.85.0 wlan0_network description Wireless LAN on Cisco AiroNet
name 192.168.84.112 SITE_client2_int
name 192.168.84.111 SITE_client1_int
name 192.168.84.119 SITE_template
name 222.3.444.123 SITE_client3_ext
name 192.168.84.113 SITE_client3_int
name 222.3.444.117 SITE_client2_ext
name client1_FW
name 222.3.444.115 SITE_client1_ext
name 222.3.444.120 SITE_SFTPserver_ext
name 192.168.84.118 SITE_SFTPserver_int
!
interface Ethernet0/0
description Internal 83 Network
nameif Internal
security-level 100
ip address 192.168.83.1 255.255.255.0
!
interface Ethernet0/1
description DMZ Interface
nameif DMZ0
security-level 50
ip address 192.168.84.1 255.255.255.0
!
interface Ethernet0/2
description Wireless LAN 85 network
nameif wlan0
security-level 75
ip address 192.168.85.1 255.255.255.0
!
interface Ethernet0/3
description Internet
duplex full
nameif wan0
security-level 0
ip address 222.3.444.55 255.255.255.224
!
interface Management0/0
description ADSM Interface LAN 192.168.1.X
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd wertqeertyuyert64ert74 encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Internal
dns domain-lookup wlan0
dns domain-lookup wan0
dns server-group DMZ_DNS
name-server openfiler01_dns_dmz
dns server-group DefaultDNS
name-server 4.2.2.1
name-server 4.2.2.2
domain-name comp.com
dns server-group openfiler01
name-server xo_dns_2
name-server 4.2.2.1
name-server xo_dns_1
domain-name comp.com
dns-group openfiler01
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service All_services tcp-udp
description All services
port-object range 1 65535
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_7
network-object 0.0.0.0 0.0.0.0
group-object catalyst_access
object-group network DM_INLINE_NETWORK_8
network-object host xo_dns_2
network-object host xo_dns_1
object-group network consultant_vpn
description consultant 88.X Network
network-object Consultants_VPN_IP_Range 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object host SITE_client1_int
network-object host SITE_client2_int
network-object host SITE_client3_int
network-object host SITE_SFTPserver_int
object-group service SQL_Server tcp
port-object range 1433 1435
object-group network DM_INLINE_NETWORK_2
network-object host SITE_client1_int
network-object host SITE_client2_int
network-object host SITE_client3_int
network-object host SITE_SFTPserver_int
network-object host SITE_template
object-group network DM_INLINE_NETWORK_3
network-object host SITE_client1_int
network-object host SITE_SFTPserver_int
object-group network DM_INLINE_NETWORK_6
network-object host SITE_client1_int
network-object host SITE_SFTPserver_int
object-group network DM_INLINE_NETWORK_9
network-object 192.168.8.0 255.255.255.0
network-object host 111.22.33.444
object-group service SQL_Server_UDP udp
port-object eq 1434
object-group service DM_INLINE_TCP_11 tcp
group-object SQL_Server
port-object eq ssh
access-list wan0_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_20 any object-group All_services
access-list wan0_access_in extended permit object-group DM_INLINE_PROTOCOL_1 wlan0_network 255.255.255.0 any log warnings
access-list wan0_access_in extended permit object-group TCPUDP any wlan0_network 255.255.255.0
access-list wan0_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_7 log disable
access-list wan0_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host catalyst_ext eq www log
access-list wan0_access_in extended permit tcp any object-group DM_INLINE_NETWORK_5 eq https log warnings
access-list wan0_access_in extended permit tcp any host rapidReport_dev_ext object-group DM_INLINE_TCP_2 log disable
access-list wan0_access_in extended permit tcp object-group DM_INLINE_NETWORK_29 object-group DM_INLINE_NETWORK_26 object-group All_services
access-list company_splitTunnelAcl standard permit 192.168.83.0 255.255.255.0
access-list company_splitTunnelAcl standard permit 192.168.84.0 255.255.255.0
access-list management_nat0_outbound extended permit ip any 192.168.86.2 255.255.255.254
access-list administrators_splitTunnelAcl standard permit any
access-list nonat extended permit ip 192.168.83.0 255.255.255.0 vpn_network 255.255.255.0
access-list nonat extended permit ip 192.168.83.0 255.255.255.0 192.168.84.0 255.255.255.0
access-list nonat extended permit ip 192.168.83.0 255.255.255.0 Consultants_VPN_IP_Range 255.255.255.0
access-list nonat extended permit ip 192.168.83.0 255.255.255.0 wlan0_network 255.255.255.0
access-list nonat extended permit ip object-group DM_INLINE_NETWORK_3 192.168.8.0 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 vpn_network 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 vpn 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 Consultants_VPN_IP_Range 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 wlan0_network 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip host SITE_client3_int host 111.22.33.444
access-list DMZ0_nat0_outbound extended permit ip host SITE_SFTPserver_int object-group DM_INLINE_NETWORK_9
access-list DMZ0_nat0_outbound extended permit ip host SITE_client1_int 192.168.8.0 255.255.255.0
access-list DMZ0_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 host SITE_client1_int
access-list Internal_access_in extended permit icmp 192.168.83.0 255.255.255.0 any
access-list Internal_access_in extended permit ip any any log disable
access-list Internal_access_in extended permit ip wlan0_network 255.255.255.0 host svnmail_int
access-list Internal_access_in remark Allow consultants VPN access to any .83 device for agile dev.
access-list Internal_access_in extended permit tcp wlan0_network 255.255.255.0 host svnmail_int object-group svn
access-list Internal_access_in extended permit tcp object-group DM_INLINE_NETWORK_24 any object-group DM_INLINE_TCP_3
access-list company_development_splitTunnelAcl standard permit 192.168.84.0 255.255.255.0
access-list DMZ_in extended permit icmp any any
access-list DMZ_in extended permit tcp any any eq https
access-list DMZ_in extended permit tcp any any eq www log disable
access-list DMZ_in extended permit tcp object-group DM_INLINE_NETWORK_12 any object-group DM_INLINE_TCP_10 log warnings
access-list DMZ_in extended permit tcp object-group DM_INLINE_NETWORK_2 any object-group All_services
access-list DMZ_in extended permit tcp object-group DM_INLINE_NETWORK_25 any object-group All_services
access-list capin extended permit icmp any any
access-list company_customer_splitTunnelAcl standard permit 192.168.84.0 255.255.255.0
access-list consultants_splitTunnelAcl standard permit 192.168.83.0 255.255.255.0
access-list DMZ0_nat0_outbound_1 extended permit ip 192.168.84.0 255.255.255.0 wlan0_network 255.255.255.0
access-list wlan0_nat0_outbound extended permit ip wlan0_network 255.255.255.0 192.168.84.0 255.255.255.0
access-list wlan0_nat0_outbound extended permit ip wlan0_network 255.255.255.0 333.4.555.66 255.255.255.224
access-list wlan0_nat0_outbound extended permit ip wlan0_network 255.255.255.0 192.168.83.0 255.255.255.0
access-list wan0_nat0_outbound_1 extended permit ip 222.3.444.55 255.255.255.224 wlan0_network 255.255.255.0
access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_client3_int object-group SQL_Server
access-list wan0_1_cryptomap extended permit tcp host 111.22.33.444 host SITE_SFTPserver_int eq ssh
access-list wan0_1_cryptomap extended permit udp host 111.22.33.444 host SITE_client3_int object-group SQL_Server_UDP
access-list wan0_1_cryptomap extended deny tcp any any object-group All_services
access-list wan0_2_cryptomap extended permit tcp 192.168.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_11 log
access-list wan0_2_cryptomap extended permit udp 192.168.8.0 255.255.255.0 host SITE_client1_int object-group SQL_Server_UDP
access-list wan0_2_cryptomap extended deny object-group TCPUDP any any object-group All_services
pager lines 24
logging enable
logging buffer-size 16384
logging monitor informational
logging buffered warnings
logging asdm warnings
logging mail errors
logging recipient-address achoyna@comp.com level errors
logging class auth mail errors
mtu Internal 1500
mtu DMZ0 1500
mtu wlan0 1500
mtu wan0 1500
mtu management 1500
ip local pool IPSec_IP_DMZ_Pool 192.168.87.2-192.168.87.252 mask 255.255.255.0
ip local pool management 192.168.1.2-192.168.1.10 mask 255.255.255.0
ip local pool IPSec_IP_Pool 192.168.86.2-192.168.86.252 mask 255.255.255.0
ip local pool consultants 192.168.88.2-192.168.88.12 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internal
asdm image disk0:/asdm-603.bin
no asdm history enable
arp wan0 secure.comp.biz_ext 001d.7066.7f61 alias
arp wan0 www.comp.com_dev_ext 001d.7066.7f61 alias
arp wan0 www.comp.com_proxy_ext 001d.7066.7f61 alias
arp wan0 collab.comp.com_ext 001d.7066.7f61 alias
arp timeout 14400
global (wan0) 1 interface
nat (Internal) 0 access-list nonat
nat (Internal) 1 0.0.0.0 0.0.0.0
nat (DMZ0) 0 access-list DMZ0_nat0_outbound
nat (DMZ0) 0 access-list DMZ0_nat0_outbound_1 outside
nat (DMZ0) 1 0.0.0.0 0.0.0.0
nat (wlan0) 0 access-list wlan0_nat0_outbound
nat (wlan0) 1 0.0.0.0 0.0.0.0
nat (wan0) 0 access-list wan0_nat0_outbound_1 outside
nat (wan0) 1 vpn 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
static (wan0,Internal) udp interface domain Openfiler domain netmask 255.255.255.255
static (wan0,DMZ0) udp interface domain openfiler01_dns_dmz domain netmask 255.255.255.255
static (Internal,DMZ0) 192.168.83.0 192.168.83.0 netmask 255.255.255.0
access-group Internal_access_in in interface Internal
access-group DMZ_in in interface DMZ0
access-group wlan0_access_in in interface wlan0
access-group wan0_access_in in interface wan0
route wan0 0.0.0.0 0.0.0.0 444.5.666.77 1
route Internal 192.168.83.0 255.255.255.0 192.168.83.1 1
route DMZ0 192.168.84.0 255.255.255.0 192.168.84.1 1
route wlan0 wlan0_network 255.255.255.0 192.168.85.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authentication secure-http-client
aaa authorization exec authentication-server
http server enable
http 192.168.1.0 255.255.255.0 management
http vpn_network 255.255.255.0 wan0
http vpn_network 255.255.255.0 Internal
http 192.168.83.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-AES-256-SHA ESP-DES-SHA ESP-DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
crypto map wan0_map 1 match address wan0_1_cryptomap
crypto map wan0_map 1 set pfs
crypto map wan0_map 1 set peer 111.22.33.444
crypto map wan0_map 1 set transform-set ESP-AES-256-MD5
crypto map wan0_map 2 match address wan0_2_cryptomap
crypto map wan0_map 2 set pfs
crypto map wan0_map 2 set peer 55.666.77.888
crypto map wan0_map 2 set transform-set ESP-AES-256-MD5
crypto map wan0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan0_map interface wan0
crypto map wlan0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wlan0_map interface wlan0
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn pfafw01.comp.com
email support@comp.com
subject-name CN=compinder Develpment,OU=compinder,O=compinder,C=US,St=IL,L=Philly
keypair pfafw01.comp.key
no client-types
crl configure
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn pfafw01
subject-name CN=pfafw01
serial-number
no client-types
proxy-ldc-issuer
crl configure
crypto ca server
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate map company_Cet_SSL_map 20
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
578e18e7 e995ca3b e4094e8f 125e7aa7 ac698318 71cee009 23ae2608 31223333
f396f0ea 29e8f987 d882395e e2cd1f88 225777c4 cd
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 31
ba3fcdf6 fae75665 aed957c1 cd91e4de 5dc24efb 319f37aa 43e4a325 3905cab4
a7eb6cc6 275f9318 76166470 8985cf6e b2d61b9a b2fcbd7b 46
quit
crypto isakmp identity address
crypto isakmp enable wlan0
crypto isakmp enable wan0
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 120
telnet 192.168.83.45 255.255.255.255 Internal
telnet timeout 5
ssh scopy enable
ssh 192.168.83.0 255.255.255.0 Internal
ssh 192.168.0.0 255.255.0.0 Internal
ssh vpn_network 255.255.255.0 wan0
ssh timeout 20
ssh version 2
console timeout 0
management-access Internal
dhcpd dns Openfiler xo_dns_2
dhcpd lease 1200
dhcpd domain comp.com
dhcpd option 6 ip Openfiler Openfiler
!
dhcpd address 192.168.83.100-192.168.83.171 Internal
dhcpd dns Openfiler interface Internal
dhcpd domain comp.com interface Internal
dhcpd update dns both interface Internal
dhcpd option 5 ip Openfiler openfiler01_dns_dmz interface Internal
dhcpd option 3 ip 192.168.83.1 interface Internal
dhcpd option 4 ip Openfiler interface Internal
dhcpd enable Internal
!
dhcpd address 192.168.85.2-192.168.85.240 wlan0
dhcpd dns Openfiler interface wlan0
dhcpd wins 192.168.83.77 interface wlan0
dhcpd update dns both interface wlan0
dhcpd option 3 ip 192.168.85.1 interface wlan0
dhcpd option 6 ip openfiler01_dns_dmz interface wlan0
dhcpd option 4 ip Openfiler interface wlan0
dhcpd enable wlan0
!
vpn load-balancing
interface lbpublic DMZ0
interface lbprivate DMZ0
priority-queue wan0
threat-detection basic-threat
threat-detection statistics
!
class-map wan0-class
description RTP VOIP
match rtp 10000 10000
!
!
policy-map wan0-policy-voip
description RTP VOIP
class wan0-class
priority
policy-map type inspect sip Secure_SIP
description sip policy for securing traffic flow
parameters
max-forwards-validation action drop log
state-checking action drop-connection log
software-version action mask log
strict-header-validation action drop log
no traffic-non-sip
uri-non-sip action mask log
rtp-conformance enforce-payloadtype
!
service-policy wan0-policy-voip interface wan0
ntp server 64.247.17.254 source wan0 prefer
ntp server 64.34.180.101 source wan0
ntp server 64.202.112.75 source wan0
ntp server 69.93.111.178 source wan0
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point ASDM_TrustPoint1
ssl certificate-authentication interface wan0 port 443
ssl certificate-authentication interface wlan0 port 443
webvpn
enable Internal
enable DMZ0
enable wlan0
enable wan0
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc image disk0:/sslclient-win-1.1.4.176-anyconnect.pkg 2
svc image disk0:/sslclient-win-1.1.4.176.pkg 3
svc enable
tunnel-group-list enable
internal-password enable
certificate-group-map company_Cet_SSL_map 20 compinder
group-policy company_development internal
group-policy company_development attributes
dns-server value 192.168.84.77 192.168.84.250
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelall
default-domain value comp.com
group-policy compinder internal
group-policy compinder attributes
dns-server none
vpn-idle-timeout 120
vpn-session-timeout 600
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value company_splitTunnelAcl
default-domain value comp.com
webvpn
url-list value PFA_AnyConnect_Bookmark
svc ask enable
group-policy company_customer internal
group-policy company_customer attributes
wins-server value 192.168.84.77
dns-server value 192.168.84.77 192.168.84.250
vpn-tunnel-protocol IPSec svc webvpn
default-domain value comp.com
webvpn
svc keep-installer none
group-policy company_split_tunnel internal
group-policy company_split_tunnel attributes
dns-server none
vpn-idle-timeout 120
vpn-session-timeout 600
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value company_splitTunnelAcl
default-domain value comp.com
webvpn
url-list value PFA_AnyConnect_Bookmark
svc ask enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy client1 internal
group-policy client1 attributes
vpn-tunnel-protocol IPSec
group-policy consultants internal
group-policy consultants attributes
dns-server none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value consultants_splitTunnelAcl
group-policy client3 internal
group-policy client3 attributes
vpn-tunnel-protocol IPSec
username fffremote password erthetyhetyjry encrypted privilege 15
username cisco password rthertheth encrypted privilege 15
username fffadmin password dfgggeg encrypted privilege 15
username fffadmin attributes
service-type admin
memberof compinder
vpn-group-policy consultants
group-lock value consultants
service-type remote-access
memberof consultants
tunnel-group DefaultRAGroup webvpn-attributes
group-alias customer disable
group-alias comp.com disable
tunnel-group compinder type remote-access
tunnel-group compinder general-attributes
address-pool (wan0) IPSec_IP_Pool
address-pool IPSec_IP_Pool
authentication-server-group (wan0) LOCAL
authentication-server-group (wlan0) LOCAL
authorization-server-group LOCAL
default-group-policy compinder
password-management
tunnel-group compinder webvpn-attributes
group-alias staff.comp.com enable
tunnel-group compinder ipsec-attributes
pre-shared-key *
tunnel-group company_customer type remote-access
tunnel-group company_customer general-attributes
address-pool IPSec_IP_DMZ_Pool
authentication-server-group (DMZ0) LOCAL
authorization-server-group LOCAL
default-group-policy company_development
tunnel-group company_customer webvpn-attributes
group-alias customer.comp.com enable
tunnel-group company_customer ipsec-attributes
pre-shared-key *
tunnel-group company_anyconnect type remote-access
tunnel-group company_anyconnect general-attributes
address-pool IPSec_IP_Pool
tunnel-group consultants type remote-access
tunnel-group consultants general-attributes
address-pool consultants
default-group-policy consultants
tunnel-group consultants ipsec-attributes
pre-shared-key *
tunnel-group company_split_tunnel type remote-access
tunnel-group company_split_tunnel general-attributes
address-pool (wan0) IPSec_IP_Pool
address-pool IPSec_IP_Pool
authentication-server-group (wan0) LOCAL
authentication-server-group (wlan0) LOCAL
default-group-policy company_split_tunnel
password-management
tunnel-group company_split_tunnel ipsec-attributes
pre-shared-key *
tunnel-group 111.22.33.444 type ipsec-l2l
tunnel-group 111.22.33.444 ipsec-attributes
pre-shared-key *
tunnel-group 55.666.77.888 type ipsec-l2l
tunnel-group 55.666.77.888 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:f4fghhtjryukiooop9e0b
: end
asdm image disk0:/asdm-603.bin
asdm location SITE_client1_int 255.255.255.255 Internal
asdm location SITE_client2_int 255.255.255.255 Internal
asdm location SITE_client3_int 255.255.255.255 Internal
asdm location client1_FW 255.255.255.255 Internal
asdm location SITE_SFTPserver_int 255.255.255.255 Internal
asdm location SITE_SFTPserver_ext 255.255.255.255 Internal
no asdm history enable
10-06-2011 01:41 AM
Hi Alan,
You could alternatively create an access list that permits only the traffic you specify and blocks all else from the remote LAN, and apply it to traffic exiting the DMZ0 interface.
e.g.
access-list DMZ0_Outbound permit tcp host 111.22.33.44 host W.X.Y.Z eq
access-list DMZ0_Outbound deny ip host 111.22.33.44 any ... denies the remote site any further access
access-list DMZ0_Outbound permit ip any any ... permits existing traffic entering the DMZ0 (as it does now)
then apply this access list to the DMZ0 interface but in the OUTBOUND direction
access-group DMZ0_Outbound out interface DMZ0
Regards, Tony
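As an added illustration (not code from the thread, from Cisco, or from the ASA itself), the Python script below evaluates flows against an outbound DMZ0 ACL of the shape Tony describes, walking the entries top-down with the first match deciding, which is also how the ASA answers Alan's question about processing order. It supports only the ACE forms used here (any, host, network/mask, eq, range, service object-group); 198.51.100.44 is a constructed stand-in for the munged remote-site address, and the SITE_* names are resolved from the posted config.

```python
"""Added example (not part of the thread): a first-match evaluator for a subset of
ASA extended-ACL syntax, run against an outbound DMZ0 ACL of the shape Tony suggests.
198.51.100.44 is a constructed stand-in for the munged remote-site address."""
import ipaddress

# "name" statements taken from the posted config (only the two needed here).
NAMES = {"SITE_client3_int": "192.168.84.113", "SITE_SFTPserver_int": "192.168.84.118"}
# Service object-groups from the posted config, as (low, high) port ranges.
SERVICE_GROUPS = {"SQL_Server": [(1433, 1435)], "SQL_Server_UDP": [(1434, 1434)]}
WELL_KNOWN = {"ssh": 22, "www": 80, "https": 443}

# Constructed ACL in Tony's shape: specific permits for the remote site, a deny
# for everything else from it, then permit any so existing traffic is untouched.
ACL_TEXT = """\
access-list DMZ0_Outbound extended permit tcp host 198.51.100.44 host SITE_client3_int object-group SQL_Server
access-list DMZ0_Outbound extended permit udp host 198.51.100.44 host SITE_client3_int object-group SQL_Server_UDP
access-list DMZ0_Outbound extended permit tcp host 198.51.100.44 host SITE_SFTPserver_int eq ssh
access-list DMZ0_Outbound extended deny ip host 198.51.100.44 any
access-list DMZ0_Outbound extended permit ip any any
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host X | NET MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{NAMES.get(tokens[0], tokens[0])}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def _parse_ports(tokens):
    """Consume an optional destination port spec; return a list of (low, high)."""
    if not tokens:                      # no port spec: any port
        return [(1, 65535)]
    if tokens[0] == "eq":
        p = WELL_KNOWN.get(tokens[1]) or int(tokens[1])
        return [(p, p)]
    if tokens[0] == "range":
        return [(int(tokens[1]), int(tokens[2]))]
    if tokens[0] == "object-group":
        return SERVICE_GROUPS[tokens[1]]
    raise ValueError(f"unsupported port spec: {tokens}")

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [PORTS]' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        action, proto, rest = t[3], t[4], t[5:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        entries.append((action, proto, src, dst, _parse_ports(rest)))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """Walk the ACL top-down; the first matching entry decides, as on the ASA.
    Returns (action, index), or ('deny', None) for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, p, src, dst, ports) in enumerate(entries):
        if p not in ("ip", proto):
            continue
        if s in src and d in dst and any(lo <= dst_port <= hi for lo, hi in ports):
            return action, i
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for flow in [("tcp", "198.51.100.44", "192.168.84.113", 1433),  # SQL Server: permitted
                 ("tcp", "198.51.100.44", "192.168.84.113", 3389),  # RDP: now denied
                 ("tcp", "198.51.100.44", "192.168.84.118", 22),    # SFTP: permitted
                 ("tcp", "192.168.83.50", "192.168.84.113", 3389)]: # other LAN host: unchanged
        print(flow, "->", evaluate(acl, *flow))
```

The fourth flow shows why the trailing permit matters: hosts other than the remote site still reach the DMZ as before, while the remote site is limited to the three permitted services.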