
ASA VPN - Tunnel forms but no access to inside.

16 years 5 months ago #24030 by Torvald
I can form the tunnel but cannot ping or connect to anything inside. I inherited this mess and it's killing me... Any help would be great.

Outside security-level 0 ip address 55.56.58.10 255.255.255.0
Inside security-level 70 ip address 10.1.1.30 255.255.240.0
DMZ security-level 30 ip address 10.100.1.3 255.255.255.0
Management security-level 100 ip address 192.168.1.1 255.255.255.0

access-list Inside_cryptomap extended permit ip any 10.125.1.96 255.255.255.224 inactive

access-list TEST-VPN_splitTunnelAcl standard permit any
access-list NAT_0 extended permit ip any 10.125.1.96 255.255.255.224
access-list NONAT_DMZ extended permit ip any 10.125.1.96 255.255.255.224
access-list NONAT_MAN extended permit ip any 10.125.1.96 255.255.255.224

access-list Outside_cryptomap extended permit ip any 10.125.1.96 255.255.255.224

ip local pool TEST-VPN 10.125.1.100-10.125.1.125

global (Outside) 1 55.56.58.8 netmask 255.255.255.255
global (DMZ) 1 interface

nat (Inside) 0 access-list NAT_0
nat (Inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 0 access-list NONAT_DMZ
nat (DMZ) 1 0.0.0.0 0.0.0.0

nat (management) 0 access-list NONAT_MAN

route Outside 0.0.0.0 0.0.0.0 55.56.58.1 1
route Inside 10.0.0.0 255.0.0.0 10.1.7.50 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map Inside_map 20 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 20 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable Inside

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group TEST-VPN type ipsec-ra
tunnel-group TEST-VPN general-attributes
address-pool TEST-VPN
default-group-policy TEST-VPN

tunnel-group TEST-VPN ipsec-attributes
pre-shared-key #######

group-policy TEST-VPN internal
group-policy TEST-VPN attributes
wins-server value 10.90.6.10 10.90.6.20
dns-server value 10.90.6.10 10.90.6.20
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TEST-VPN_splitTunnelAcl
default-domain value TEST.com
16 years 5 months ago #24044 by Torvald
No help?? Do you want the full config?
16 years 5 months ago #24057 by sp1k3tou
Post your access lists. And are you using the TEST-VPN group?
16 years 5 months ago #24059 by Torvald
Yes, TEST-VPN is what I'm working on; I thought I could blow it away and start over on that part.

Here's the full mess,

: Saved
: Written by Admin at 11:18:55.922 EST Wed Nov 21 2007
!
ASA Version 7.2(1)
!
hostname Firewall03
domain-name B-B.com
enable password XXXXX encrypted
names
name 55.56.57.28 CitrixGWext description Citrix External Gateway
name 10.90.6.101 HO1CO1CON
name 10.90.6.105 HO1CO1DEV
name 10.90.6.108 HO1CO1DOC
name 10.90.6.102 HO1CO1REC
name X.X.X.2 PROOFPOINT description www1.proofpoint.com
name 55.56.57.50 BWONLINEORDERING
name 55.56.57.51 RBJONESWEB
name 10.100.1.37 CTXMAILFE
name 10.1.1.27 HO1INTRANET
name 10.1.1.133 HO1SIDE1
name 10.1.2.6 USFPC1012 description CGI dial-in access
name 55.56.57.31 HO1CO1REC-EXT
name 55.56.57.32 HO1CO1DOC-EXT
name 55.56.57.33 HO1CO1DEV-EXT
name 10.1.1.246 HO1PC1185 description CANAL Admin Machine
name 10.1.1.252 HO1PC1002 description Input One Access
name 55.56.57.25 CANAL-EXT description CANAL External Access
name 55.56.57.20 EXT-WEB
name 55.56.57.23 KPC-EXT description KPC-PFLM Support
name 55.56.57.21 NETARX description Frank Poznick EXT Access NETARX NMS
name X.X.X.X CAPRICORN
name 10.90.7.0 CITRIX-NETWORK
name 55.56.57.217 MAILFILTER1-EXT
name 55.56.57.16 MAILFILTER2-EXT
name 10.100.1.16 MAILFILTER1-DMZ
name 10.100.1.17 MAILFILTER2-DMZ
name 10.1.2.24 TRAIN-1
name 55.56.57.34 TRAIN-1-EXT
name 10.1.2.25 TRAIN-2
name 55.56.57.35 TRAIN-2-EXT
name 10.1.2.26 TRAIN-3
name 55.56.57.36 TRAIN-3-EXT
name 10.1.2.27 TRAIN-4
name 55.56.57.37 TRAIN-4-EXT
name X.X.X.X BILLEDWARDS-EXT description Bill Edwards Outside PC IP
name 10.5.1.250 BILLEDWARDS-INT description Bill Edwards Desktop IP
name 55.56.57.30 MAGIC-EXT
name 10.10.1.102 ITC_SYSTEMS-INT
name X.X.X.X ITC_SYSTEMS description Scottsdale Insurance application support
name 55.56.57.42 ITC_SYSTEMS-EXT description ITC Systems External Access
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 55.56.57.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 70
ip address 10.1.1.30 255.255.240.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 30
ip address 10.100.1.3 255.255.255.0
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd HrN6I232DZJH0mAr encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring

dns server-group DefaultDNS
domain-name B-B.com

same-security-traffic permit intra-interface

object-group network CitrixGWint
description Citrix Gateway Servers in the DMZ
network-object host 10.100.1.38
network-object host 10.100.1.39
network-object host 10.100.1.40

object-group network MailfiltersDMZ
description Mailfilter DMZ
network-object host MAILFILTER1-DMZ
network-object host MAILFILTER2-DMZ

object-group network MailfiltersExt
description ProofPoint Mail Filters
network-object host MAILFILTER2-EXT
network-object host MAILFILTER1-EXT

object-group service MailServices tcp
port-object eq pop2
port-object eq pop3
port-object eq imap4
port-object eq smtp

object-group service Webservices tcp
port-object eq https
port-object eq www
port-object range 993 993

object-group network CitrixFarm
network-object host 10.90.7.100
network-object host 10.90.7.101
network-object host 10.90.7.102
network-object host 10.90.7.10
network-object host 10.90.7.103
network-object host 10.90.7.104
network-object host 10.90.7.105
network-object host 10.90.7.106
network-object host 10.90.7.20
network-object host 10.90.7.21
network-object host 10.90.7.22

object-group network NetArxEXT
network-object host X.X.209.130
network-object host X.X.209.131
network-object host X.X.137.1

object-group network CanalAddresses
network-object host X.X.72.178
network-object host X.X.72.187
network-object host X.X.72.188

object-group network Epic
description Epic Solutions
network-object host X.X.128.70
network-object host X.X.128.79
network-object host X.X.194.11
network-object host X.X.163.158

object-group network ExgFarm
description Exchange Farm
network-object host 10.90.6.10
network-object host 10.90.6.11
network-object host 10.90.6.14
network-object host 10.90.6.20
network-object host 10.90.6.4
network-object host 10.90.6.6
network-object host 10.90.6.7
network-object host 10.90.6.8

object-group network BlockedSites
description Sites that are blocked

object-group service WebFTP tcp
port-object eq ftp-data
port-object eq ftp
port-object eq https
port-object eq www

object-group service PROOFPOINT_SUPPORT tcp
port-object eq ssh
port-object eq 1000

access-list DMZ_access_in extended permit tcp host MAILFILTER1-DMZ any eq smtp
access-list DMZ_access_in extended permit tcp host MAILFILTER2-DMZ any eq smtp
access-list DMZ_access_in extended permit tcp host CTXMAILFE any eq smtp
access-list DMZ_access_in extended permit ip host CTXMAILFE any
access-list DMZ_access_in extended permit ip host MAILFILTER2-DMZ any
access-list DMZ_access_in extended permit ip host MAILFILTER1-DMZ any
access-list DMZ_access_in extended permit ip object-group CitrixGWint object-group CitrixFarm
access-list DMZ_access_in extended permit tcp host BWONLINEORDERING host 10.100.1.45 object-group WebFTP
access-list DMZ_access_in extended permit tcp host RBJONESWEB host 10.100.1.46 object-group WebFTP
access-list DMZ_access_in extended permit tcp host 55.56.57.88 object-group Webservices host 10.100.1.25 object-group Webservices
access-list DMZ_access_in extended permit ip host CitrixGWext object-group CitrixGWint
access-list DMZ_access_in extended permit tcp host 55.56.57.43 object-group Webservices host CTXMAILFE object-group Webservices
access-list DMZ_access_in extended permit tcp 10.1.0.0 255.255.0.0 object-group MailfiltersDMZ object-group MailServices
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any

access-list Outside_access_in extended permit tcp any host 55.56.57.43 eq 3389
access-list Outside_access_in extended permit icmp any host 55.56.57.129
access-list Outside_access_in extended permit icmp any host 55.56.57.128
access-list Outside_access_in extended permit icmp any host 55.56.57.40
access-list Outside_access_in extended permit icmp any host 55.56.57.29
access-list Outside_access_in extended permit icmp any host CitrixGWext

access-list Outside_access_in remark TEMP ACL FOR TESTING
access-list Outside_access_in extended permit tcp host BILLEDWARDS-EXT host 55.56.57.38 eq pcanywhere-data
access-list Outside_access_in extended permit tcp any object-group MailfiltersExt object-group MailServices

access-list Outside_access_in extended permit tcp host X.X.X.174 host KPC-EXT eq www
access-list Outside_access_in extended permit tcp object-group NetArxEXT host NETARX eq 1040
access-list Outside_access_in extended permit tcp object-group CanalAddresses host CANAL-EXT eq pcanywhere-data
access-list Outside_access_in extended permit tcp object-group Epic host TRAIN-1-EXT eq pcanywhere-data
access-list Outside_access_in extended permit tcp object-group Epic host TRAIN-2-EXT eq pcanywhere-data
access-list Outside_access_in extended permit tcp object-group Epic host TRAIN-3-EXT eq pcanywhere-data
access-list Outside_access_in extended permit tcp object-group Epic host TRAIN-4-EXT eq pcanywhere-data
access-list Outside_access_in extended permit tcp object-group Epic host MAGIC-EXT eq pcanywhere-data
access-list Outside_access_in extended permit tcp object-group Epic host HO1CO1REC-EXT eq pcanywhere-data
access-list Outside_access_in extended permit tcp object-group Epic host HO1CO1DOC-EXT eq pcanywhere-data
access-list Outside_access_in extended permit tcp object-group Epic host HO1CO1DEV-EXT eq pcanywhere-data
access-list Outside_access_in extended permit tcp host CAPRICORN host MAGIC-EXT object-group Webservices

access-list Outside_access_in remark ACL FOR CITRIX GW IN DMZ
access-list Outside_access_in extended permit tcp any host 55.56.57.129 eq https
access-list Outside_access_in extended permit tcp any host 55.56.57.128 eq https
access-list Outside_access_in extended permit tcp any host 55.56.57.40 eq https
access-list Outside_access_in extended permit tcp any host 55.56.57.29 eq https
access-list Outside_access_in extended permit tcp any host CitrixGWext eq https

access-list Outside_access_in extended permit tcp host X.X.X.130 host KPC-EXT eq pcanywhere-data

access-list Outside_access_in remark ACL FOR ISA SERVER
access-list Outside_access_in extended permit tcp any host 55.56.57.88 eq https
access-list Outside_access_in extended permit tcp any host 55.56.57.88 object-group Webservices
access-list Outside_access_in extended permit tcp any host 55.56.57.88 eq 993
access-list Outside_access_in extended permit tcp any host 55.56.57.88 eq www

access-list Outside_access_in remark ACL FOR CTXMAIL
access-list Outside_access_in extended permit tcp any host 55.56.57.43 eq www
access-list Outside_access_in extended permit tcp any host 55.56.57.43 eq https
access-list Outside_access_in extended permit ip any host 55.56.57.43

access-list Outside_access_in extended permit tcp any host 55.56.57.24 eq pcanywhere-data
access-list Outside_access_in extended permit tcp host PROOFPOINT object-group PROOFPOINT_SUPPORT object-group MailfiltersExt object-group PROOFPOINT_SUPPORT
access-list Outside_access_in extended permit tcp any host BWONLINEORDERING object-group WebFTP
access-list Outside_access_in extended deny icmp any host BWONLINEORDERING
access-list Outside_access_in extended permit tcp any host RBJONESWEB object-group WebFTP
access-list Outside_access_in extended deny icmp any host RBJONESWEB
access-list Outside_access_in extended permit tcp host ITC_SYSTEMS host ITC_SYSTEMS-EXT eq pcanywhere-data

access-list Outside_nat_static extended permit tcp host X.X.X.130 eq pcanywhere-data host KPC-EXT

access-list Inside_cryptomap extended permit ip any 10.125.1.96 255.255.255.224 inactive

access-list nat0 extended permit ip CITRIX-NETWORK 255.255.255.0 10.100.1.0 255.255.255.0
access-list nat0 extended permit ip 10.90.6.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list nat0 extended permit ip any 10.125.1.96 255.255.255.224

access-list Inside_access_in_1 extended permit ip any any

access-list nonat_dmz extended permit ip 10.100.1.0 255.255.255.0 CITRIX-NETWORK 255.255.255.0
access-list nonat_dmz extended permit ip 10.100.1.0 255.255.255.0 10.90.6.0 255.255.255.0
access-list nonat_dmz extended permit ip any 10.125.1.96 255.255.255.224

access-list nonat_outside extended permit ip any host MAILFILTER2-EXT
access-list nonat_outside extended permit ip any host MAILFILTER1-EXT

access-list TEST-VPN_splitTunnelAcl standard permit any

access-list management_nat0_outbound extended permit ip any 10.1.6.160 255.255.255.224
access-list management_nat0_outbound extended permit ip any 10.125.1.96 255.255.255.224

access-list Outside_cryptomap extended permit ip any 10.1.6.160 255.255.255.224
access-list Outside_cryptomap extended permit ip any 10.125.1.96 255.255.255.224
access-list Outside_cryptomap_1 extended permit ip any 10.125.1.96 255.255.255.224 inactive

pager lines 40
logging enable
logging standby
logging buffered warnings
logging trap warnings
logging asdm informational
logging host Inside 10.90.6.25
logging class auth trap emergencies

mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500

ip local pool TEST-VPN 10.125.1.100-10.125.1.125

failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover link Failover GigabitEthernet0/3
failover interface ip Failover 10.1.50.1 255.255.255.252 standby 10.1.50.2

monitor-interface Outside
monitor-interface Inside
monitor-interface DMZ

no monitor-interface management

asdm image disk0:/asdm521.bin
asdm history enable

arp timeout 14400

global (Outside) 1 55.56.57.8 netmask 255.255.255.255
global (DMZ) 1 interface

nat (Inside) 0 access-list nat0
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat_dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound

static (Inside,Outside) tcp 55.56.57.38 pcanywhere-data BILLEDWARDS-INT pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp NETARX 1040 10.1.1.4 1040 netmask 255.255.255.255
static (Inside,Outside) tcp TRAIN-1-EXT pcanywhere-data TRAIN-1 pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp TRAIN-2-EXT pcanywhere-data TRAIN-2 pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp TRAIN-3-EXT pcanywhere-data TRAIN-3 pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp TRAIN-4-EXT pcanywhere-data TRAIN-4 pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp CANAL-EXT pcanywhere-data HO1PC1185 pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp KPC-EXT pcanywhere-data HO1PC1002 pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp MAGIC-EXT pcanywhere-data HO1CO1CON pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp HO1CO1REC-EXT pcanywhere-data HO1CO1REC pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp HO1CO1DOC-EXT pcanywhere-data HO1CO1DOC pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp HO1CO1DEV-EXT pcanywhere-data HO1CO1DEV pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp KPC-EXT www HO1INTRANET www netmask 255.255.255.255
static (Inside,Outside) tcp 55.56.57.24 pcanywhere-data USFPC1012 pcanywhere-data netmask 255.255.255.255
static (Inside,Outside) tcp MAGIC-EXT www HO1SIDE1 www netmask 255.255.255.255
static (Inside,Outside) tcp ITC_SYSTEMS-EXT pcanywhere-data ITC_SYSTEMS-INT pcanywhere-data netmask 255.255.255.255

static (DMZ,Outside) 55.56.57.40 10.100.1.40 netmask 255.255.255.255
static (DMZ,Outside) 55.56.57.88 10.100.1.25 netmask 255.255.255.255
static (DMZ,Outside) 55.56.57.43 CTXMAILFE netmask 255.255.255.255
static (DMZ,Outside) 55.56.57.29 10.100.1.39 netmask 255.255.255.255
static (DMZ,Outside) CitrixGWext 10.100.1.38 netmask 255.255.255.255
static (DMZ,Outside) MAILFILTER2-EXT MAILFILTER1-DMZ netmask 255.255.255.255
static (DMZ,Outside) MAILFILTER1-EXT MAILFILTER2-DMZ netmask 255.255.255.255
static (DMZ,Outside) BWONLINEORDERING 10.100.1.45 netmask 255.255.255.255
static (DMZ,Outside) RBJONESWEB 10.100.1.46 netmask 255.255.255.255

access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 55.56.57.1 1
route Inside 10.0.0.0 255.0.0.0 10.1.7.50 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 1:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

aaa-server BandW protocol radius
aaa-server BandW host 10.90.6.10
aaa-server BandW host 10.90.6.20

group-policy DfltGrpPolicy attributes
banner value Private Network Access Restricted...
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate

group-policy TEST-VPN internal
group-policy TEST-VPN attributes
wins-server value 10.90.6.10 10.90.6.20
dns-server value 10.90.6.10 10.90.6.20
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TEST-VPN_splitTunnelAcl
default-domain value B-B.com

username Admin password ####### encrypted privilege 15
username rmaxson password ######## encrypted privilege 5
username rmaxson attributes
vpn-group-policy DfltGrpPolicy

aaa authentication ssh console LOCAL
aaa authorization command LOCAL

http server enable
http 10.1.0.0 255.255.0.0 Inside
http 192.168.1.0 255.255.255.0 management

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map Inside_map 20 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 20 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside

crypto isakmp enable Outside
crypto isakmp enable Inside

crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 43200

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400

tunnel-group TEST-VPN type ipsec-ra
tunnel-group TEST-VPN general-attributes
address-pool TEST-VPN
default-group-policy TEST-VPN
tunnel-group TEST-VPN ipsec-attributes
pre-shared-key #######

telnet timeout 5
ssh X.X.X.64 255.255.255.192 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 20
console timeout 0
management-access Inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 55.56.57.1 source Outside prefer
tftp-server Inside 10.1.6.121 5520
prompt hostname context
Cryptochecksum:16c14caaa44ed1c07737af4f020c5dbf
: end
16 years 5 months ago #24060 by sp1k3tou
I'm still a noob with the ASA, but I don't think this line will allow you to connect to any of your VLANs over the split tunnel.

access-list TEST-VPN_splitTunnelAcl standard permit any

I would try configuring one statement to allow access to one VLAN, like the one below.

access-list TEST-VPN_splitTunnelAcl standard permit 10.16.0.0 255.255.0.0
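The two settings this thread turns on, whether the VPN pool is exempted from NAT on the inside interface and whether the split-tunnel ACL names real networks or just "permit any", are easy to check mechanically. The Python below is an added example, not code from the thread or from Cisco: it parses the ASA 7.2-style statements exactly as Torvald pasted them (the sample config is constructed from the TEST-VPN lines in the first post, the second sample swaps in sp1k3tou's suggested ACL), and the function names are my own. It only understands the command forms that appear on this page and does not expand object-groups or "name" aliases.

```python
import ipaddress

# Constructed sample: the TEST-VPN statements from the first post, trimmed
# to the lines this checker reads (split-tunnel ACL is the 'permit any' one).
SAMPLE_CONFIG = """
access-list TEST-VPN_splitTunnelAcl standard permit any
access-list NAT_0 extended permit ip any 10.125.1.96 255.255.255.224
access-list NONAT_DMZ extended permit ip any 10.125.1.96 255.255.255.224
ip local pool TEST-VPN 10.125.1.100-10.125.1.125
nat (Inside) 0 access-list NAT_0
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list NONAT_DMZ
tunnel-group TEST-VPN type ipsec-ra
tunnel-group TEST-VPN general-attributes
address-pool TEST-VPN
default-group-policy TEST-VPN
group-policy TEST-VPN internal
group-policy TEST-VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TEST-VPN_splitTunnelAcl
"""

# Same sample with sp1k3tou's suggested standard ACL swapped in (also constructed).
FIXED_SPLIT_ACL = SAMPLE_CONFIG.replace(
    "access-list TEST-VPN_splitTunnelAcl standard permit any",
    "access-list TEST-VPN_splitTunnelAcl standard permit 10.16.0.0 255.255.0.0",
)

BLOCKS = {"tunnel-group": "tunnel_groups", "group-policy": "group_policies"}
ATTRS = ("address-pool", "default-group-policy", "split-tunnel-policy", "split-tunnel-network-list")


def _try_net(addr, mask="255.255.255.255"):
    """Network from 'addr mask'; None when the token is a 'name' alias rather than an IP."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def _endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host X', 'object-group G', 'X MASK'); return (net, rest)."""
    if not tokens:
        return None, []
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return _try_net(tokens[1]), tokens[2:]
    if tokens[0] == "object-group":  # groups are not expanded by this checker
        return None, tokens[2:]
    mask = tokens[1] if len(tokens) > 1 else "255.255.255.255"
    return _try_net(tokens[0], mask), tokens[2:]


def parse_config(text):
    """Pick out ACL permit entries, pools, 'nat 0' exemptions, tunnel-groups and group-policies."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "tunnel_groups": {}, "group_policies": {}}
    ctx = None  # (kind, name) of the tunnel-group/group-policy whose attribute lines follow
    for raw in text.splitlines():
        t = raw.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] in ("standard", "extended") and t[3] == "permit":
            rest = t[5:] if t[2] == "extended" else t[4:]  # extended entries carry a protocol
            src, rest = _endpoint(rest)
            dst = _endpoint(rest)[0] if t[2] == "extended" else None
            cfg["acls"].setdefault(t[1], []).append({"src": src, "dst": dst})
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif len(t) > 4 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()").lower()] = t[4]
        elif len(t) > 1 and t[0] in BLOCKS:
            ctx = (t[0], t[1])
            cfg[BLOCKS[t[0]]].setdefault(t[1], {})
        elif ctx and len(t) > 1 and t[0] in ATTRS:
            cfg[BLOCKS[ctx[0]]][ctx[1]][t[0]] = t[-1]
    return cfg


def nat0_exempts_pool(cfg, tunnel_group, interface="inside"):
    """True when the whole pool of the tunnel-group is a destination in the
    'nat (interface) 0 access-list' ACL, i.e. replies to VPN clients bypass PAT."""
    first, last = cfg["pools"][cfg["tunnel_groups"][tunnel_group]["address-pool"]]
    acl = cfg["nat0"].get(interface.lower())
    return any(e["dst"] is not None and first in e["dst"] and last in e["dst"]
               for e in cfg["acls"].get(acl, []))


def split_tunnel_networks(cfg, tunnel_group):
    """Networks the client routes into the tunnel, or None under 'tunnelall'."""
    gp = cfg["group_policies"][cfg["tunnel_groups"][tunnel_group]["default-group-policy"]]
    if gp.get("split-tunnel-policy") != "tunnelspecified":
        return None
    acl = gp.get("split-tunnel-network-list")
    return [e["src"] for e in cfg["acls"].get(acl, []) if e["src"] is not None]


def report(text, tunnel_group="TEST-VPN"):
    cfg = parse_config(text)
    nets = split_tunnel_networks(cfg, tunnel_group)
    return {
        "nat0_exempts_pool": nat0_exempts_pool(cfg, tunnel_group),
        "split_tunnel_is_any": nets is not None and any(n.prefixlen == 0 for n in nets),
        "split_tunnel_networks": None if nets is None else [str(n) for n in nets],
    }


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("sp1k3tou's ACL", FIXED_SPLIT_ACL)):
        print(label, report(text))
```

Run against the posted lines, `report` confirms the pool 10.125.1.96/27 is exempted from NAT on Inside (and, via the same helper, on DMZ) and flags the split list as a single 0.0.0.0/0 entry, which is the line sp1k3tou points at; with his 10.16.0.0 255.255.0.0 statement it reports that one network instead. Anything that sits in a `name` alias or object-group is reported as unknown rather than guessed at.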
16 years 5 months ago #24065 by Elohim
This is a disaster. Please draw a diagram of what you want connected and start fresh. Why are you doing split tunnelling?