
Deny TCP (no connection) SYN ACK issues between interfaces across VPN through Load Balancer

danewoodall
Level 1

Trying to keep what seems like a convoluted problem fairly simple.

For this particular problem, I have 4 interfaces on the ASA 5510 (untrust, trust, prod, dmz), 3 subnets and a single VPN network.

VPN network = 10.1.55.0

trust interface = 192.168.1.0

prod interface = 192.168.5.0

dmz interface = 192.168.6.0

VPN network is connected to ASA via S2S tunnel using 'HWVPN' tunnel group. There is an F5 BigIP Load balancer with interfaces on the 192.168.1.0, 192.168.5.0 and 192.168.6.0 networks. Virtual Servers for the F5 are on the 192.168.6.0 network.

I can ping from 10.1.55.210 (my computer) to 192.168.6.189 (F5 Load Balancer Virtual Server) just fine.

ping 192.168.6.189

Pinging 192.168.6.189 with 32 bytes of data:
Reply from 192.168.6.189: bytes=32 time=47ms TTL=255
Reply from 192.168.6.189: bytes=32 time=45ms TTL=255
Reply from 192.168.6.189: bytes=32 time=41ms TTL=255
Reply from 192.168.6.189: bytes=32 time=44ms TTL=255

Ping statistics for 192.168.6.189:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 41ms, Maximum = 47ms, Average = 44ms

I can hit the web interface (https://192.168.6.183) for the F5 via 10.1.55.210 just fine, login, etc. When I attempt to hit any of the F5 Virtual Servers/Proxies on the 192.168.6.0 network from the 10.1.55.0 network (over the VPN tunnel), I get these errors:

Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description
6 | Dec 11 2012 | 14:10:56 | 302013 | 10.1.55.210 | 51484 | 192.168.6.189 | 80 | Built inbound TCP connection 293269657 for untrust:10.1.55.210/51484 (10.1.55.210/51484) to dmz:192.168.6.189/80 (192.168.6.189/80)
6 | Dec 11 2012 | 14:10:56 | 106015 | 192.168.5.14 | 80 | 10.1.55.210 | 51484 | Deny TCP (no connection) from 192.168.5.14/80 to 10.1.55.210/51484 flags SYN ACK  on interface prod

So the TCP handshake is failing. Some more information: the F5 Virtual Server at 192.168.6.189 is currently associated with a load-balancing pool with one member (192.168.5.14). So 10.1.55.210 (untrust interface) tries to make a TCP connection to 192.168.6.189 (dmz interface), which load balances that request over to 192.168.5.14 (prod interface), which then attempts to reply on its interface (prod) back to 10.1.55.210, and fails, because no connection is made through that interface. Here is the routing information for that server (192.168.5.14).

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.5.183     192.168.5.14    266
         10.1.0.0      255.255.0.0      192.168.5.1     192.168.5.14     11
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0      192.168.5.1     192.168.5.14     11
      192.168.2.0    255.255.255.0      192.168.5.1     192.168.5.14     11
      192.168.5.0    255.255.255.0         On-link      192.168.5.14    266
     192.168.5.14  255.255.255.255         On-link      192.168.5.14    266
    192.168.5.255  255.255.255.255         On-link      192.168.5.14    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.5.14    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.5.14    266
===========================================================================

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.5.183  Default
===========================================================================

Typical traffic to this server (192.168.5.14) works fine (RDP, CIFS, etc.), but internal traffic routed to 192.168.6.0 and then load balanced back to 192.168.1.0 or 192.168.5.0 does not get back correctly. The 192.168.5.183 gateway in the routing table is the F5 load balancer.

We also have external IPs associated (NAT'd) for each F5 proxy/virtual server on the 192.168.6.0 network. If an internal (VPN or otherwise) computer hits the external IP, which load balances to the 192.168.1.0 or 192.168.5.0 networks, it goes back out and back in just fine. However, we want to point internal DNS at the 192.168.6.0 network, and have that route to/from the VPN networks (10.1.0.0) without having to use the external IP.

Here is our ASA config, less the user entries, and with public IPs "whited" out:

Result of the command: "sh run"

: Saved

:

ASA Version 8.4(3)

!

hostname fire2

domain-name XXXXXXXXXXXXX

enable password EKulpKJap2J/lkIx encrypted

passwd jI7uBnbk1SCnR6Lm encrypted

names

name 216.82.225.202 Bandwidth.com_2

name 216.82.224.202 Bandwidth.com_1

name 4.79.212.236 Bandwidth.com_0

name 169.254.255.2 AWS1 description IP ADdress for AWS Tunnel 1

name 169.254.255.6 AWS2

dns-guard

!

interface Ethernet0/0

description Internet

nameif untrust

security-level 0

ip address XX.XXX.XX.XX 255.255.255.240 standby XX.XXX.XX.XX

!

interface Ethernet0/1

description Subnet for Production Application Server Broadcast Containment

nameif prod

security-level 99

ip address 192.168.5.1 255.255.255.0 standby 192.168.5.2

!

interface Ethernet0/2

description DMZ for F5 Load Balancer Cluster

nameif dmz

security-level 98

ip address 192.168.6.1 255.255.255.0 standby 192.168.6.2

!

interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

description Corporate Data Center Subnet

nameif trust

security-level 100

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name XXXXXXXXXXXXXXX

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-192.168.5.0

subnet 192.168.5.0 255.255.255.0

object network obj-10.1.55.0

subnet 10.1.55.0 255.255.255.0

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

object network obj-10.1.70.0

subnet 10.1.70.0 255.255.255.0

object network obj-10.1.69.0

subnet 10.1.69.0 255.255.255.0

object network obj-192.168.5.10

host 192.168.5.10

object network obj-192.168.5.12

host 192.168.5.12

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.6.181

host 192.168.6.181

object network obj-192.168.6.182

host 192.168.6.182

object network obj-192.168.6.183

host 192.168.6.183

object network obj-192.168.6.184

host 192.168.6.184

object network obj-192.168.6.0

subnet 192.168.6.0 255.255.255.0

object network obj_any-02

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network obj-192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network obj-10.1.51.0

subnet 10.1.51.0 255.255.255.0

object network obj-192.168.1.11

host 192.168.1.11

object network obj-192.168.1.9

host 192.168.1.9

object network obj-192.168.1.8

host 192.168.1.8

object network obj-192.168.1.40

host 192.168.1.40

object network obj-192.168.1.41

host 192.168.1.41

object network obj-192.168.1.90

host 192.168.1.90

object network obj-192.168.1.83

host 192.168.1.83

object network obj-192.168.1.14

host 192.168.1.14

object network obj-192.168.1.178

host 192.168.1.178

object network obj-192.168.1.17

host 192.168.1.17

object network obj-192.168.1.70

host 192.168.1.70

object network obj-192.168.1.71

host 192.168.1.71

object network obj-192.168.1.161

host 192.168.1.161

object network obj-192.168.1.110

host 192.168.1.110

object network obj-192.168.1.189

host 192.168.1.189

object network obj-192.168.1.140

host 192.168.1.140

object network obj-192.168.1.30

host 192.168.1.30

object network obj-192.168.1.31

host 192.168.1.31

object network obj-192.168.1.151

host 192.168.1.151

object network obj-192.168.1.92

host 192.168.1.92

object network obj-192.168.1.95

host 192.168.1.95

object network obj-192.168.1.60

host 192.168.1.60

object network obj-192.168.1.15

host 192.168.1.15

object network obj_any-03

subnet 0.0.0.0 0.0.0.0

object network obj_any-04

subnet 0.0.0.0 0.0.0.0

object network obj_any-05

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.6.185

host 192.168.6.185

object network obj-192.168.6.186

host 192.168.6.186

object network obj-192.168.6.187

host 192.168.6.187

object network obj-76.173.218.138

host 76.173.218.138

object network obj-131.179.210.51

host 131.179.210.51

object network obj-131.179.96.240

host 131.179.96.240

object network obj-103.28.248.0

subnet 103.28.248.0 255.255.252.0

object network obj-122.248.247.129

host 122.248.247.129

object network obj-146.185.22.162

host 146.185.22.162

object network obj-149.126.72.0

subnet 149.126.72.0 255.255.248.0

object network obj-159.253.143.23

host 159.253.143.23

object network obj-173.203.97.38

host 173.203.97.38

object network obj-174.37.187.198

host 174.37.187.198

object network obj-174.37.194.147

host 174.37.194.147

object network obj-176.32.89.123

host 176.32.89.123

object network obj-178.238.138.226

host 178.238.138.226

object network obj-178.238.138.227

host 178.238.138.227

object network obj-184.173.146.49

host 184.173.146.49

object network obj-184.73.240.163

host 184.73.240.163

object network obj-194.90.228.56

subnet 194.90.228.56 255.255.255.248

object network obj-199.59.160.137

host 199.59.160.137

object network obj-199.59.160.140

host 199.59.160.140

object network obj-199.83.128.0

subnet 199.83.128.0 255.255.248.0

object network obj-204.188.219.130

host 204.188.219.130

object network obj-207.210.68.26

host 207.210.68.26

object network obj-213.229.77.79

host 213.229.77.79

object network obj-216.12.199.130

host 216.12.199.130

object network obj-46.19.140.58

host 46.19.140.58

object network obj-46.51.174.78

host 46.51.174.78

object network obj-50.22.48.231

host 50.22.48.231

object network obj-50.23.225.32

host 50.23.225.32

object network obj-50.7.161.114

host 50.7.161.114

object network obj-50.7.161.138

host 50.7.161.138

object network obj-67.212.80.68

host 67.212.80.68

object network obj-67.228.61.200

host 67.228.61.200

object network obj-67.228.61.202

host 67.228.61.202

object network obj-79.125.118.62

host 79.125.118.62

object network obj-93.174.93.108

host 93.174.93.108

object network obj-93.174.96.108

host 93.174.96.108

object network 10.1.0.0

subnet 10.1.0.0 255.255.0.0

description Powis Network

object-group service Media tcp-udp

port-object range 10000 20000

object-group network Bandwidth.com

network-object Bandwidth.com_0 255.255.255.255

network-object Bandwidth.com_1 255.255.255.255

network-object Bandwidth.com_2 255.255.255.255

object-group service UDPMedia udp

port-object range 10000 30000

object-group network Postini

description Postini Mail Servers

network-object 64.18.0.0 255.255.240.0

object-group network DM_INLINE_NETWORK_1

network-object object obj-131.179.96.240

network-object object obj-76.173.218.138

object-group network DM_INLINE_NETWORK_2

network-object object Insperity1

network-object object Insperity2

network-object object Insperity3

network-object object Insperity4

network-object object HRSmart4

object-group network DM_INLINE_NETWORK_3

network-object object Insperity1

network-object object Insperity2

network-object object Insperity3

network-object object Insperity4

object-group network DM_INLINE_NETWORK_4

network-object object Insperity1

network-object object Insperity2

network-object object Insperity3

network-object object Insperity4

object-group network BlockDos

network-object object obj-103.28.248.0

network-object object obj-122.248.247.129

network-object object obj-146.185.22.162

network-object object obj-149.126.72.0

network-object object obj-159.253.143.23

network-object object obj-173.203.97.38

network-object object obj-174.37.187.198

network-object object obj-174.37.194.147

network-object object obj-176.32.89.123

network-object object obj-178.238.138.226

network-object object obj-178.238.138.227

network-object object obj-184.173.146.49

network-object object obj-184.73.240.163

network-object object obj-194.90.228.56

network-object object obj-199.59.160.137

network-object object obj-199.59.160.140

network-object object obj-199.83.128.0

network-object object obj-204.188.219.130

network-object object obj-207.210.68.26

network-object object obj-213.229.77.79

network-object object obj-216.12.199.130

network-object object obj-46.19.140.58

network-object object obj-46.51.174.78

network-object object obj-50.22.48.231

network-object object obj-50.23.225.32

network-object object obj-50.7.161.114

network-object object obj-50.7.161.138

network-object object obj-67.212.80.68

network-object object obj-67.228.61.200

network-object object obj-67.228.61.202

network-object object obj-79.125.118.62

network-object object obj-93.174.93.108

network-object object obj-93.174.96.108

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp destination eq ftp

object-group network DM_INLINE_NETWORK_5

network-object 10.1.170.0 255.255.255.0

network-object 10.1.70.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.51.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.69.0 255.255.255.0

access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.70.0 255.255.255.0

access-list untrust_cryptomap_dyn_20 extended deny udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list HWVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list HWVPN_splitTunnelAcl remark HW Corp LAN

access-list HWVPN_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0

access-list HWVPN_splitTunnelAcl remark HW Corp LAN

access-list HWVPN_splitTunnelAcl standard permit 192.168.6.0 255.255.255.0

access-list RemoteDev_splitTunnelACL remark Gatlin Access

access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.15

access-list RemoteDev_splitTunnelACL remark Wesson Access

access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.11

access-list RemoteDev_splitTunnelACL remark Ruger Access

access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.8

access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.71

access-list untrust_cryptomap extended permit ip 192.168.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_5

access-list HomePez standard permit host 192.168.1.60

access-list HomePez standard permit host 192.168.1.15

access-list untrust_cryptomap_dyn_60 extended permit ip any 192.168.2.0 255.255.255.0

access-list trust_access_in extended permit ip any any

access-list untrust_cryptomap_dyn_30 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list untrust_cryptomap_680_1 extended permit ip 192.168.0.0 255.255.0.0 10.1.69.0 255.255.255.0

access-list trust_nat_0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list officeTOpeak10 extended permit ip 192.168.42.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list officeTOpeak10 extended permit ip any any

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.69.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.70.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.71.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.72.0 255.255.255.0

access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.73.0 255.255.255.0

access-list untrust_cryptomap_260_2 extended permit ip 192.168.0.0 255.255.0.0 10.1.71.0 255.255.255.0

access-list xx extended permit ip 192.168.1.0 255.255.255.0 10.2.72.0 255.255.255.0

access-list untrust_cryptomap_360_1 extended permit ip 192.168.0.0 255.255.0.0 10.1.71.0 255.255.255.0

access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0

access-list tst remark Full Ruger Access

access-list tst remark Full Ruger Access

access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.0 eq domain

access-list RemoteDevAccess remark All DNS Server Access

access-list RemoteDevAccess extended permit udp 192.168.2.0 255.255.255.0 host 192.168.1.0 eq domain

access-list RemoteDevAccess extended permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.91

access-list RemoteDevAccess remark Access to Oracle Dev

access-list RemoteDevAccess remark CVS Access

access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.15 eq 2401

access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.91 eq sqlnet inactive

access-list RemoteDevAccess remark SSH Access

access-list RemoteDevAccess extended permit tcp any host 192.168.1.15 eq ssh

access-list RemoteDevAccess remark All DNS Server Access

access-list RemoteDevAccess remark Access to Oracle Dev

access-list RemoteDevAccess remark CVS Access

access-list RemoteDevAccess extended permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.11

access-list RemoteDevAccess extended permit tcp any host 192.168.1.11 eq ssh

access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.11 eq 8081

access-list qa_access_in extended permit ip any any

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.55.0 255.255.255.0

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.70.0 255.255.255.0

access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.69.0 255.255.255.0

access-list untrust_cryptomap_700 extended permit ip 192.168.0.0 255.255.0.0 10.1.51.0 255.255.255.0

access-list dmz_access_in extended permit ip any any

access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq 9090

access-list untrust_access_in extended permit tcp object-group Postini host 192.168.1.8 eq smtp log

access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq ldap log

access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq www log

access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq https log

access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq imap4 log

access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq domain

access-list untrust_access_in extended permit udp any host 192.168.1.14 eq domain inactive

access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.15 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.161 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.151 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 8888

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 3306

access-list untrust_access_in extended permit tcp any host 192.168.1.40 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.41 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.90 eq www

access-list untrust_access_in extended permit icmp any any inactive

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 9090

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq 9000

access-list untrust_access_in extended permit ip any interface trust

access-list untrust_access_in extended permit udp any host 192.168.1.11 eq domain inactive

access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq domain

access-list untrust_access_in extended permit tcp any host 192.168.1.110 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq 5721

access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq 3389 inactive

access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.31 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.31 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.140 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.140 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq ftp

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.40 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.41 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.90 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.178 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.17 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.70 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.71 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.110 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.189 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.140 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.30 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.92 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.95 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.5.10 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.60 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.5.12 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.181 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.182 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.183 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.184 eq ssh

access-list untrust_access_in extended permit tcp host 65.102.78.242 XX.XXX.XX.0 255.255.255.0 eq ssh

access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq ssh

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq https

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 1935

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq ftp

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq ssh

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8085

access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8060

access-list untrust_access_in extended deny ip 210.163.43.0 255.255.255.0 any log warnings

access-list untrust_access_in extended permit tcp object-group BlockDos host 192.168.1.60 eq https

access-list untrust_access_in extended permit tcp object-group BlockDos host 192.168.1.60 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.30 eq www

access-list untrust_access_in extended permit tcp any host 192.168.1.95 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.1.92 eq 8080

access-list untrust_access_in extended permit tcp any host 192.168.5.10 eq https

access-list untrust_access_in extended permit tcp any host 192.168.5.12 eq www

access-list untrust_access_in extended permit tcp any host 192.168.5.10 eq www

access-list untrust_access_in extended permit tcp any host 192.168.6.181 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.182 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.183 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.184 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.185 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.185 eq www

access-list untrust_access_in extended permit tcp any host 192.168.6.186 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.186 eq www

access-list untrust_access_in extended permit tcp any host 192.168.6.187 eq https

access-list untrust_access_in extended permit tcp any host 192.168.6.187 eq www

access-list untrust_access_in remark David Jurgens access to ssh on gatlin

access-list untrust_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 192.168.1.15 eq ssh

access-list untrust_access_in remark HRSmart Access to SFTP on bmusjaxweb01

access-list untrust_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host 192.168.1.31 eq ssh

access-list untrust_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_3 host 192.168.1.31

access-list untrust_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 192.168.1.31 range 62000 64000

access-list untrust_access_in extended permit tcp any host 192.168.6.184 eq www

access-list capin extended permit tcp host 192.168.1.1 eq https host 10.1.55.150

access-list capin extended permit tcp host 10.1.55.150 host 192.168.1.1 eq https

access-list dmz_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.1.55.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging emblem

logging trap warnings

logging asdm informational

logging facility 16

logging host trust 192.168.1.16 format emblem

logging debug-trace

logging permit-hostdown

mtu untrust 1500

mtu prod 1500

mtu dmz 1500

mtu trust 1500

ip local pool HW-VPN-Pool 192.168.2.100-192.168.2.200 mask 255.255.255.0

ip audit name CompHosti info action alarm

ip audit name CompHost attack action alarm

ip audit interface trust CompHosti

ip audit interface trust CompHost

ip audit signature 2000 disable

ip audit signature 2001 disable

ip audit signature 2004 disable

failover

failover lan unit primary

failover lan interface failoverlink Ethernet0/3

failover replication http

failover link failoverlink Ethernet0/3

failover interface ip failoverlink 192.168.2.1 255.255.255.0 standby 192.168.2.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup

nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup

nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (trust,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
nat (trust,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.51.0 obj-10.1.51.0 no-proxy-arp
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 route-lookup
nat (dmz,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (dmz,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (dmz,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup

!
object network obj-192.168.5.0
 nat (prod,untrust) dynamic interface
object network obj-192.168.5.10
 nat (prod,untrust) static XX.XXX.XX.XX
object network obj-192.168.5.12
 nat (prod,untrust) static XX.XXX.XX.XX
object network obj_any
 nat (prod,untrust) dynamic obj-0.0.0.0
object network obj_any-01
 nat (prod,dmz) dynamic obj-0.0.0.0
object network obj-192.168.6.181
 nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.182
 nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.183
 nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.184
 nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.0
 nat (dmz,untrust) dynamic interface
object network obj_any-02
 nat (dmz,untrust) dynamic obj-0.0.0.0
object network obj-192.168.1.0
 nat (trust,untrust) dynamic interface
object network obj-192.168.1.11
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.9
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.8
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.40
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.41
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.90
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.83
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.14
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.178
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.17
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.70
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.71
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.161
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.110
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.189
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.140
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.30
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.31
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.151
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.60
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.15
 nat (trust,untrust) static XX.XXX.XX.XX
object network obj_any-03
 nat (trust,untrust) dynamic obj-0.0.0.0
object network obj_any-04
 nat (trust,prod) dynamic obj-0.0.0.0
object network obj_any-05
 nat (trust,dmz) dynamic obj-0.0.0.0
object network obj-192.168.6.185
 nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.186
 nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.187
 nat (dmz,untrust) static XX.XXX.XX.XX

access-group untrust_access_in in interface untrust
access-group qa_access_in in interface prod
access-group dmz_access_in in interface dmz
access-group trust_access_in in interface trust
route untrust 0.0.0.0 0.0.0.0 XX.XXX.XX.XX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 10.1.69.0 255.255.255.0 untrust
http 74.167.160.132 255.255.255.255 untrust
http 192.168.1.0 255.255.255.0 trust
http 10.1.55.0 255.255.255.0 untrust
http 192.168.2.0 255.255.255.0 untrust
http 10.1.55.0 255.255.255.0 trust
snmp-server host trust 192.168.1.13 community *****
snmp-server host trust 192.168.1.14 community *****
snmp-server host trust 192.168.1.200 community ***** version 2c
snmp-server host trust 192.168.1.70 community *****
snmp-server location Peak10 A-4
snmp-server contact support@XXXXXXXXXX
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map untrust_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 60 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 80 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 1 match address untrust_cryptomap
crypto map untrust_map 1 set peer 69.180.83.93
crypto map untrust_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map untrust_map 600 match address untrust_cryptomap_600
crypto map untrust_map 600 set peer 70.91.144.153
crypto map untrust_map 600 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 680 match address untrust_cryptomap_680_1
crypto map untrust_map 680 set peer 76.106.137.57
crypto map untrust_map 680 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 700 match address untrust_cryptomap_700
crypto map untrust_map 700 set peer 174.65.109.36
crypto map untrust_map 700 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 65535 ipsec-isakmp dynamic untrust_dyn_map
crypto map untrust_map interface untrust
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable untrust
crypto ikev1 enable untrust
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 80
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

telnet 192.168.1.0 255.255.255.0 trust
telnet 192.168.2.0 255.255.255.0 trust
telnet timeout 60
ssh 196.40.16.128 255.255.255.224 untrust
ssh 201.194.184.0 255.255.255.224 untrust
ssh 0.0.0.0 0.0.0.0 untrust
ssh 192.168.1.0 255.255.255.0 trust
ssh 192.168.2.0 255.255.255.0 trust
ssh 0.0.0.0 0.0.0.0 trust
ssh timeout 60
console timeout 0
management-access trust
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd dns 192.168.1.8 192.168.1.71
dhcpd wins 192.168.1.8
dhcpd domain artisit.com
!
dhcpd address 192.168.1.201-192.168.1.220 trust
dhcpd enable trust
!
priority-queue untrust
  queue-limit   488
  tx-ring-limit 8
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

webvpn
 internal-password enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  anyconnect dpd-interval client none
  anyconnect dpd-interval gateway none
group-policy PSSGROUP internal
group-policy PSSGROUP attributes
 split-tunnel-policy tunnelall
 split-tunnel-all-dns enable
group-policy GroupPolicy_69.180.83.93 internal
group-policy GroupPolicy_69.180.83.93 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy RemoteDevGroup internal
group-policy RemoteDevGroup attributes
 wins-server none
 dns-server value 192.168.1.8 192.168.1.71
 vpn-filter value RemoteDevAccess
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteDevAccess
 default-domain value XXXXXXXXXX
group-policy HWVPN internal
group-policy HWVPN attributes
 wins-server none
 dns-server value 192.168.1.8 192.168.1.71
 vpn-tunnel-protocol ikev1 ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HWVPN_splitTunnelAcl
 default-domain value XXXXXXXXXX
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 authorization-server-group LOCAL
 default-group-policy RemoteDevGroup
 authorization-required
 username-from-certificate use-entire-name
tunnel-group HWVPN type remote-access
tunnel-group HWVPN general-attributes
 address-pool HW-VPN-Pool
 default-group-policy HWVPN
tunnel-group HWVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 69.180.83.93 type ipsec-l2l
tunnel-group 69.180.83.93 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
tunnel-group RemoveDevGroup type remote-access
tunnel-group RemoveDevGroup general-attributes
 address-pool HW-VPN-Pool
 default-group-policy RemoteDevGroup
tunnel-group RemoveDevGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 76.106.137.57 type ipsec-l2l
tunnel-group 76.106.137.57 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 174.65.109.36 type ipsec-l2l
tunnel-group 174.65.109.36 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 70.91.144.153 type ipsec-l2l
tunnel-group 70.91.144.153 ipsec-attributes
 ikev1 pre-shared-key *****

!
class-map Voice
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_1
  inspect pptp
  inspect icmp
  inspect ip-options
policy-map Voicepolicy
 class Voice
  priority
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ed6537d0d73c127c1f28a3d7b069710b
: end

craig.corbett
Level 2

I know I’m a little late and you’ve probably fixed the issue, but ..

Is the connection going through the load balancer or terminating on a virtual server on the load balancer?

If it is terminating on the load balancer via a virtual server, the F5 is the cause; apply a profile to disable slow start and nagle and see if that fixes things for you.

Something like:

profile tcp tcp-wan-optimized {
   defaults from tcp
   selective acks enable
   slow start disable
   nagle disable
   proxy buffer low 131072
   proxy buffer high 131072
   send buffer 65535
   recv window 65535
}

Easily done via the GUI.
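Before changing TCP profiles, it helps to confirm from the ASA logs whether the problem is a stateful-inspection mismatch rather than a TCP tuning issue: the 302013 "Built inbound TCP connection" and 106015 "Deny TCP (no connection) ... SYN ACK" messages quoted earlier in the thread can be paired by client socket to show that the reply came back from a pool member on a different interface than the one the connection was built to. The script below is an added example, not from either poster; the log lines are constructed in the format of the thread's messages, and the message IDs are the ones shown there.

```python
import re

# %ASA-6-302013: a connection was built; capture both interfaces and endpoints.
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection \d+ for "
    r"(?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \(\S+\) to "
    r"(?P<out_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \(\S+\)"
)
# %ASA-6-106015: a SYN/ACK arrived on an interface with no matching connection.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags SYN ACK\s+on interface (?P<iface>[\w-]+)"
)


def find_asymmetric_replies(lines):
    """Pair each denied SYN/ACK with the connection the ASA built for the same
    client socket and report where the reply actually came from."""
    built = {}       # (client_ip, client_port) -> groupdict of the 302013 line
    findings = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built[(m["src"], m["sport"])] = m.groupdict()
            continue
        m = DENY_RE.search(line)
        if not m:
            continue
        conn = built.get((m["dst"], m["dport"]))
        if conn is None:
            continue  # no connection was ever built for this client socket
        findings.append({
            "client": f"{m['dst']}/{m['dport']}",
            "connected_to": f"{conn['out_if']}:{conn['dst']}/{conn['dport']}",
            "reply_from": f"{m['iface']}:{m['src']}/{m['sport']}",
            "interface_mismatch": conn["out_if"] != m["iface"],
            "host_mismatch": conn["dst"] != m["src"],
        })
    return findings


# Constructed sample lines in the format of the messages quoted in the thread.
SAMPLE_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 293269657 for untrust:10.1.55.210/51484 (10.1.55.210/51484) to dmz:192.168.6.189/80 (192.168.6.189/80)",
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.5.14/80 to 10.1.55.210/51484 flags SYN ACK  on interface prod",
    "%ASA-6-302013: Built inbound TCP connection 293269658 for untrust:10.1.55.210/51485 (10.1.55.210/51485) to dmz:192.168.6.183/443 (192.168.6.183/443)",
]

if __name__ == "__main__":
    for finding in find_asymmetric_replies(SAMPLE_LOG):
        print(finding)
```

A finding with both `interface_mismatch` and `host_mismatch` set means the server answered the client directly instead of through the virtual server, so the firewall never had a state for the reply; that points at the load balancer's return path (for example source NAT on the virtual server) rather than at TCP window or slow-start settings.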