03-04-2010 12:00 AM
ASA5510-Primary# show run
: Saved
:
ASA Version 8.2(2)
!
hostname ASA5510-Primary
enable password LnWsFCD5sXmFceYa encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.128.171.33 255.255.255.0 standby 10.128.171.32
ospf cost 10
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 219.141.72.84 255.255.255.224 standby 219.141.72.86
ospf cost 10
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
ospf cost 10
management-only
!
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone GMT 8
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.0.8
name-server 202.96.128.86
access-list inside extended permit ip host 10.0.0.4 any
access-list inside extended permit ip host 10.0.0.6 any
access-list inside extended permit ip host 10.0.0.7 any
access-list inside extended permit ip host 10.0.0.8 any
access-list inside extended permit ip host 10.0.0.9 any
access-list inside extended permit ip host 10.0.0.10 any
access-list inside extended permit ip host 10.0.0.17 any
access-list inside extended permit ip host 10.0.0.45 any
access-list inside extended permit ip host 10.0.0.49 any
access-list inside extended permit ip host 10.0.0.72 any
access-list inside extended permit ip host 10.0.0.117 any
access-list inside extended permit ip host 10.0.0.138 any
access-list inside extended permit ip host 10.0.1.109 any
access-list inside extended permit ip host 10.0.1.113 any
access-list inside extended permit ip host 10.0.3.208 any
access-list inside extended permit ip host 10.0.8.160 any
access-list inside extended permit ip host 10.0.8.183 any
access-list inside extended permit ip host 10.0.8.186 any
access-list inside extended permit ip host 10.0.8.222 any
access-list inside extended permit ip host 10.0.11.55 any
access-list inside extended permit ip host 10.0.11.150 any
access-list inside extended permit ip host 10.0.12.104 any
access-list inside extended permit ip host 10.0.12.106 any
access-list inside extended permit ip host 10.0.12.107 any
access-list inside extended permit ip host 10.0.12.108 any
access-list inside extended permit ip host 10.0.12.122 any
access-list inside extended permit ip host 10.0.12.141 any
access-list inside extended permit ip host 10.0.12.144 any
access-list inside extended permit ip host 10.0.20.41 any
access-list inside extended permit ip host 10.0.20.52 any
access-list inside extended permit ip host 10.0.20.54 any
access-list inside extended permit ip host 10.0.20.60 any
access-list inside extended permit ip host 10.0.20.64 any
access-list inside extended permit ip host 10.0.20.67 any
access-list inside extended permit ip host 10.0.20.82 any
access-list inside extended permit ip host 10.0.20.93 any
access-list inside extended permit ip host 10.0.20.105 any
access-list inside extended permit ip host 10.0.20.168 any
access-list inside extended permit ip host 10.0.20.184 any
access-list inside extended permit ip host 10.0.20.200 any
access-list inside extended permit ip host 10.0.21.50 any
access-list inside extended permit ip host 10.0.21.51 any
access-list inside extended permit ip host 10.0.21.52 any
access-list inside extended permit ip host 10.0.21.53 any
access-list inside extended permit ip host 10.0.21.54 any
access-list inside extended permit ip host 10.0.21.55 any
access-list inside extended permit ip host 10.0.21.57 any
access-list inside extended permit ip host 10.0.21.65 any
access-list inside extended permit ip host 10.0.22.74 any
access-list inside extended permit ip host 10.0.24.55 any
access-list inside extended permit ip host 10.0.24.63 any
access-list inside extended permit ip host 10.0.24.64 any
access-list inside extended permit ip host 10.0.24.68 any
access-list inside extended permit ip host 10.0.24.70 any
access-list inside extended permit ip host 10.0.24.74 any
access-list inside extended permit ip host 10.0.24.73 any
access-list inside extended permit ip host 10.0.24.77 any
access-list inside extended permit ip host 10.0.24.78 any
access-list inside extended permit ip host 10.0.24.79 any
access-list inside extended permit ip host 10.0.24.87 any
access-list inside extended permit ip host 10.0.24.96 any
access-list inside extended permit ip host 10.0.24.98 any
access-list inside extended permit ip host 10.0.24.100 any
access-list inside extended permit ip host 10.0.24.101 any
access-list inside extended permit ip host 10.0.24.120 any
access-list inside extended permit ip host 10.0.24.126 any
access-list inside extended permit ip host 10.0.24.141 any
access-list inside extended permit ip host 10.0.24.150 any
access-list inside extended permit ip host 10.0.24.194 any
access-list inside extended permit ip host 10.0.24.210 any
access-list inside extended permit ip host 10.0.24.221 any
access-list inside extended permit ip host 10.0.24.222 any
access-list inside extended permit ip host 10.0.25.53 any
access-list inside extended permit ip host 10.0.25.54 any
access-list inside extended permit ip host 10.0.25.64 any
access-list inside extended permit ip host 10.0.26.57 any
access-list inside extended permit ip host 10.0.26.70 any
access-list inside extended permit ip host 10.0.26.77 any
access-list inside extended permit ip host 10.0.27.67 any
access-list inside extended permit ip host 10.0.27.80 any
access-list inside extended permit ip host 10.0.27.82 any
access-list inside extended permit ip host 10.0.27.96 any
access-list inside extended permit ip host 10.0.27.118 any
access-list inside extended permit ip host 10.0.28.62 any
access-list inside extended permit ip host 10.0.28.64 any
access-list inside extended permit ip host 10.0.28.80 any
access-list inside extended permit ip host 10.0.28.83 any
access-list inside extended permit ip host 10.0.28.86 any
access-list inside extended permit ip host 10.0.28.88 any
access-list inside extended permit ip host 10.0.28.98 any
access-list inside extended permit ip host 10.0.28.99 any
access-list inside extended permit ip host 10.0.28.100 any
access-list inside extended permit ip host 10.0.29.50 any
access-list inside extended permit ip host 10.0.29.54 any
access-list inside extended permit ip host 10.0.29.56 any
access-list inside extended permit ip host 10.0.29.58 any
access-list inside extended permit ip host 10.0.29.60 any
access-list inside extended permit ip host 10.0.29.61 any
access-list inside extended permit ip host 10.0.29.67 any
access-list inside extended permit ip host 10.0.29.69 any
access-list inside extended permit ip host 10.0.29.74 any
access-list inside extended permit ip host 10.0.29.75 any
access-list inside extended permit ip host 10.0.29.80 any
access-list inside extended permit ip host 10.0.29.210 any
access-list inside extended permit ip host 10.0.31.57 any
access-list inside extended permit ip host 10.0.31.59 any
access-list inside extended permit ip host 10.0.31.61 any
access-list inside extended permit ip host 10.0.31.64 any
access-list inside extended permit ip host 10.0.31.65 any
access-list inside extended permit ip host 10.0.31.68 any
access-list inside extended permit ip host 10.0.31.70 any
access-list inside extended permit ip host 10.0.31.73 any
access-list inside extended permit ip host 10.0.31.78 any
access-list inside extended permit ip host 10.0.31.88 any
access-list inside extended permit ip host 10.0.31.90 any
access-list inside extended permit ip host 10.0.31.92 any
access-list inside extended permit ip host 10.0.31.94 any
access-list inside extended permit ip host 10.0.31.96 any
access-list inside extended permit ip host 10.0.31.105 any
access-list inside extended permit ip host 10.0.31.106 any
access-list inside extended permit ip host 10.0.31.107 any
access-list inside extended permit ip host 10.0.31.116 any
access-list inside extended permit ip host 10.0.31.122 any
access-list inside extended permit ip host 10.0.31.150 any
access-list inside extended permit ip host 10.0.31.151 any
access-list inside extended permit ip host 10.0.31.152 any
access-list inside extended permit ip host 10.0.31.158 any
access-list inside extended permit ip host 10.0.31.221 any
access-list inside extended permit ip host 10.0.32.52 any
access-list inside extended permit ip host 10.0.32.59 any
access-list inside extended permit ip host 10.0.32.61 any
access-list inside extended permit ip host 10.0.32.108 any
access-list inside extended permit ip host 10.0.32.138 any
access-list inside extended permit ip host 10.0.32.166 any
access-list inside extended permit ip host 10.0.32.175 any
access-list inside extended permit ip host 10.0.34.55 any
access-list inside extended permit ip host 10.0.34.56 any
access-list inside extended permit ip host 10.0.34.60 any
access-list inside extended permit ip host 10.0.34.64 any
access-list inside extended permit ip host 10.0.34.67 any
access-list inside extended permit ip host 10.0.34.68 any
access-list inside extended permit ip host 10.0.34.71 any
access-list inside extended permit ip host 10.0.34.72 any
access-list inside extended permit ip host 10.0.34.74 any
access-list inside extended permit ip host 10.0.34.77 any
access-list inside extended permit ip host 10.0.34.78 any
access-list inside extended permit ip host 10.0.34.80 any
access-list inside extended permit ip host 10.0.34.82 any
access-list inside extended permit ip host 10.0.34.85 any
access-list inside extended permit ip host 10.0.34.91 any
access-list inside extended permit ip host 10.0.34.94 any
access-list inside extended permit ip host 10.0.34.102 any
access-list inside extended permit ip host 10.0.34.104 any
access-list inside extended permit ip host 10.0.34.105 any
access-list inside extended permit ip host 10.0.34.107 any
access-list inside extended permit ip host 10.0.34.108 any
access-list inside extended permit ip host 10.0.34.112 any
access-list inside extended permit ip host 10.0.34.131 any
access-list inside extended permit ip host 10.0.34.133 any
access-list inside extended permit ip host 10.0.34.135 any
access-list inside extended permit ip host 10.0.34.137 any
access-list inside extended permit ip host 10.0.34.141 any
access-list inside extended permit ip host 10.0.34.144 any
access-list inside extended permit ip host 10.0.34.145 any
access-list inside extended permit ip host 10.0.34.162 any
access-list inside extended permit ip host 10.0.34.177 any
access-list inside extended permit ip host 10.0.34.193 any
access-list inside extended permit ip host 10.0.34.194 any
access-list inside extended permit ip host 10.0.35.54 any
access-list inside extended permit ip host 10.0.36.51 any
access-list inside extended permit ip host 10.0.36.210 any
access-list inside extended permit ip host 10.11.12.13 any
access-list inside extended permit icmp any any
access-list inside extended permit ip host 10.0.27.51 any
access-list inside extended permit ip host 10.0.24.92 any
access-list inside extended permit ip host 10.0.29.51 any
access-list inside extended permit ip host 10.0.34.52 any
access-list inside extended permit ip host 10.0.34.117 any
access-list inside extended permit ip host 10.0.24.66 any
access-list inside extended permit ip host 10.0.34.58 any
access-list inside extended permit ip host 10.0.24.199 any
access-list inside extended permit ip host 10.0.20.72 any
access-list inside extended permit ip host 10.0.24.56 any
access-list inside extended permit ip host 10.0.24.53 any
access-list inside extended permit ip host 10.0.32.93 any
access-list inside extended permit ip host 10.0.20.71 any
access-list inside extended permit ip host 10.0.24.170 any
access-list inside extended permit ip host 10.0.20.74 any
access-list inside extended permit gre host 219.141.72.91 any
access-list inside extended permit ip host 10.0.27.88 any
access-list inside extended permit ip host 10.0.27.72 any
access-list inside extended permit ip host 10.0.27.89 any
access-list inside extended permit ip host 10.0.34.87 any
access-list inside extended permit ip host 10.0.20.86 any
access-list inside extended permit ip host 10.0.29.59 any
access-list inside extended permit ip host 10.0.34.98 any
access-list inside extended permit ip host 10.0.34.100 any
access-list inside extended permit ip host 10.0.34.146 any
access-list inside extended permit ip host 10.0.34.70 any
access-list inside extended permit ip host 10.0.34.65 any
access-list inside extended permit ip host 10.0.34.96 any
access-list inside extended permit ip host 10.0.34.116 any
access-list inside extended permit ip host 10.0.20.201 any
access-list inside extended permit ip host 10.0.26.54 any
access-list inside extended permit ip host 10.0.20.198 any
access-list inside extended permit ip host 10.0.20.221 any
access-list inside extended permit ip host 10.0.20.222 any
access-list inside extended permit ip host 10.0.20.192 any
access-list inside extended permit ip host 10.0.20.195 any
access-list inside extended permit ip host 10.0.20.193 any
access-list inside extended permit ip host 10.0.20.199 any
access-list inside extended permit ip host 10.0.20.197 any
access-list inside extended permit ip host 10.0.20.68 any
access-list inside extended permit ip host 10.0.20.196 any
access-list inside extended permit ip host 10.0.20.50 any
access-list inside extended permit ip host 10.0.24.187 any
access-list inside extended permit ip host 10.0.20.178 any
access-list inside extended permit ip host 10.0.20.179 any
access-list inside extended permit ip host 10.0.20.183 any
access-list inside extended permit ip host 10.0.28.54 any
access-list inside extended permit ip host 10.0.20.189 any
access-list inside extended permit ip host 10.0.20.99 any
access-list inside extended permit ip host 10.0.20.202 any
access-list inside extended permit ip host 10.0.29.83 any
access-list inside extended permit ip host 10.0.34.166 any
access-list inside extended permit ip host 10.0.27.108 any
access-list inside extended permit ip host 10.0.24.180 any
access-list inside extended permit ip host 10.0.20.220 any
access-list inside extended permit ip host 10.0.0.20 any
access-list inside extended permit ip host 10.0.28.81 any
access-list inside extended permit ip host 10.0.34.121 any
access-list inside extended permit ip host 10.0.29.94 any
access-list inside extended permit ip host 10.0.34.139 any
access-list inside extended permit ip host 10.0.20.103 any
access-list inside extended permit ip host 10.0.20.102 any
access-list inside extended permit ip host 10.0.27.198 any
access-list inside extended permit ip host 10.0.29.120 any
access-list inside extended permit ip host 10.0.20.145 any
access-list inside extended permit ip host 10.0.20.167 any
access-list inside extended permit ip host 10.0.22.224 any
access-list inside extended permit ip host 10.0.29.104 any
access-list inside extended permit ip host 10.0.20.129 any
access-list inside extended permit ip host 10.0.28.124 any
access-list inside extended permit ip host 10.0.29.107 any
access-list inside extended permit ip host 10.0.20.77 any
access-list inside extended permit ip host 10.0.20.88 any
access-list inside extended permit ip host 10.0.20.100 any
access-list inside extended permit ip host 10.0.20.51 any
access-list inside extended permit ip host 10.0.20.53 any
access-list inside extended permit ip host 10.0.34.50 any
access-list inside extended permit ip host 10.0.27.53 any
access-list inside extended permit ip host 10.0.34.160 any
access-list inside extended permit ip host 10.0.29.65 any
access-list inside extended permit ip host 10.0.27.50 any
access-list inside extended permit ip host 10.0.28.79 any
access-list inside extended permit ip host 10.0.34.75 any
access-list inside extended permit tcp host 219.141.72.91 eq pptp any
access-list inside extended permit udp host 219.141.72.91 eq 1723 any
access-list inside extended permit ip host 10.0.34.51 any
access-list inside extended permit ip host 10.0.20.56 any
access-list inside remark wong xi ji notebook
access-list inside extended permit ip host 10.0.32.60 any
access-list inside extended permit ip host 10.0.20.66 any
access-list inside extended permit ip host 10.0.20.73 any
access-list outside extended permit icmp any any
access-list outside extended permit ip host 219.141.72.91 any
access-list outside extended permit ip any host 219.131.63.91
access-list nonat extended permit ip host 219.131.63.91 any
access-list nonat extended permit ip 10.128.171.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.0.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.0.254.0 255.255.255.0
access-list george_splitTunnelAcl standard permit 10.128.171.0 255.255.255.0
access-list george_splitTunnelAcl standard permit 10.0.0.0 255.255.0.0
access-list george_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool pool 10.0.254.1-10.0.254.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface ha Ethernet0/2
failover interface ip ha 192.168.254.1 255.255.255.252 standby 192.168.254.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside in interface inside
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 219.131.63.65 1
route inside 10.0.0.0 255.0.0.0 10.128.171.13 1
route inside 10.0.253.0 255.255.255.0 10.128.171.254 1
route inside 192.168.0.0 255.255.0.0 10.128.171.254 1
route inside 219.141.72.91 255.255.255.255 10.128.171.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
telnet 10.0.0.0 255.0.0.0 inside
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.0.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.99 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 210.72.145.44
webvpn
group-policy george internal
group-policy george attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value george_splitTunnelAcl
client-access-rule none
username liraosheng password LpRxbP2heS/6Esks encrypted privilege 15
username ren0752 password 0h1PzdkPb4ELy.Ng encrypted privilege 15
username luomin password vIVR3wGXs5eOoAXS encrypted privilege 15
username tigerkin password Wi1Wkrjff8BUw0sv encrypted privilege 15
tunnel-group george type remote-access
tunnel-group george general-attributes
address-pool pool
default-group-policy george
tunnel-group george ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:95489d00423dd1dace5d8750d2aac089
: end
When I use the Cisco VPN client to connect to the ASA5510, I found my internet traffic just goes out from my local ADSL line; my internet traffic can't go through the remote ASA VPN server to visit websites.
When I check the configuration of my PC, I get my PC IP address, but there is no gateway for the VPN.
WHY??
Who can tell me? Thanks a lot~~
03-04-2010 08:03 AM
You are missing the statement:
same-security-traffic permit intra-interface
Check out this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
03-04-2010 06:12 PM
I have tried, but it failed; it didn't work.
03-04-2010 09:31 PM
Because you've implemented split tunnelling, normal internet traffic will continue to work as normal (i.e. unencrypted) and only the following networks would be accessible over the VPN:
access-list george_splitTunnelAcl standard permit 10.128.171.0 255.255.255.0
access-list george_splitTunnelAcl standard permit 10.0.0.0 255.255.0.0
access-list george_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
Doing an ipconfig on the local workstation when connected to the VPN should continue to show you the gateway IP of your ADSL line/modem. Doing a 'netstat -nr', you should be able to see that the gateway for those 3 remote networks above is the DHCP IP address you've received from the firewall's ippool when connected to the VPN. Split tunnelling will cause the client to inject those 3 specific routes on the local workstation when connecting.
If you're trying to access a domain and are expecting it to go over the encrypted tunnel, that domain would need to translate to an IP that fits one of those 3 networks above. You may need to add a hosts file entry to get it working properly if that's what you need it to do. Try accessing the IP of the site in your browser when connected to see if it works properly.
James
03-13-2010 10:02 PM
I solved it: when I built a new ACL which permits the dial-in users to do NAT, the problem was over~~~
nat (outside) 1 access-list permit-vpn_ia
access-list permit-vpn_ia extended permit ip 10.0.254.0 255.255.255.0 any
Thanks all~~~
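An added example (not code from the thread) that models James's route-injection explanation and the poster's NAT fix in Python: it parses the posted split-tunnel ACL, pool and policy lines and reports where a connected client's packet to a given destination ends up, stage by stage (posted config, full tunnel, plus intra-interface permit, plus the pool NAT). It assumes the group policy is switched to tunnelall for the full-tunnel stages (the thread never says this was done), that any tunnelled destination outside the split-tunnel ACL is internet traffic, and uses the constructed destination 198.51.100.7.

```python
import ipaddress
import re

# Constructed excerpt of the thread's config (not the full show run): the
# split-tunnel ACL, the pool and the tunnelspecified policy exactly as posted.
CONFIG_POSTED = """\
access-list george_splitTunnelAcl standard permit 10.128.171.0 255.255.255.0
access-list george_splitTunnelAcl standard permit 10.0.0.0 255.255.0.0
access-list george_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
ip local pool pool 10.0.254.1-10.0.254.254 mask 255.255.255.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value george_splitTunnelAcl
"""
# Assumption: internet traffic only enters the tunnel under tunnelall.
CONFIG_FULL_TUNNEL = CONFIG_POSTED.replace("tunnelspecified", "tunnelall")
# Reply 1's line: traffic may leave on the interface it arrived on.
CONFIG_HAIRPIN = CONFIG_FULL_TUNNEL + "same-security-traffic permit intra-interface\n"
# The poster's fix: translate the pool when it exits on outside.
CONFIG_FIXED = CONFIG_HAIRPIN + (
    "nat (outside) 1 access-list permit-vpn_ia\n"
    "access-list permit-vpn_ia extended permit ip 10.0.254.0 255.255.255.0 any\n"
)

STD_ACL = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
EXT_ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) any$")
NAT_OUT = re.compile(r"^nat \(outside\) \d+ access-list (\S+)$")

def parse(config):
    """Pull out only the pieces that decide a VPN client's traffic path."""
    cfg = {"acls": {}, "policy": None, "split_acl": None, "hairpin": False,
           "nat_acl": None, "pool_first": None}
    for line in config.splitlines():
        line = line.strip()
        if m := STD_ACL.match(line) or EXT_ACL.match(line):
            cfg["acls"].setdefault(m[1], []).append(
                ipaddress.ip_network(f"{m[2]}/{m[3]}"))  # dotted mask accepted
        elif m := NAT_OUT.match(line):
            cfg["nat_acl"] = m[1]
        elif line.startswith("split-tunnel-policy "):
            cfg["policy"] = line.split()[-1]
        elif line.startswith("split-tunnel-network-list value "):
            cfg["split_acl"] = line.split()[-1]
        elif line.startswith("ip local pool "):
            cfg["pool_first"] = line.split()[4].split("-")[0]  # first pool address
        elif line == "same-security-traffic permit intra-interface":
            cfg["hairpin"] = True
    return cfg

def client_routes(cfg):
    """Routes the client injects while connected (what 'netstat -nr' shows)."""
    if cfg["policy"] == "tunnelall":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return list(cfg["acls"].get(cfg["split_acl"], []))

def classify(cfg, dest):
    """Where a packet from the connected client to dest ends up."""
    dest = ipaddress.ip_address(dest)
    if not any(dest in net for net in client_routes(cfg)):
        return "local-adsl-clear"            # never enters the tunnel
    if any(dest in net for net in cfg["acls"].get(cfg["split_acl"], [])):
        return "tunnel-to-inside"            # decrypted and routed to inside
    # Internet destination: arrives on outside and must leave on outside again.
    if not cfg["hairpin"]:
        return "dropped-no-intra-interface"
    pool = ipaddress.ip_address(cfg["pool_first"])
    if not any(pool in net for net in cfg["acls"].get(cfg["nat_acl"], [])):
        return "hairpin-unnatted-no-reply"   # leaves with a 10.0.254.x source
    return "hairpin-natted-ok"
```

Run `classify(parse(CONFIG_POSTED), "198.51.100.7")` against each of the four configs to see the path change from local, to dropped, to unanswered, to working.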