5505 VPN client issue

Status
Not open for further replies.

MrHanMan

MIS
Sep 12, 2007
16
US
I'm trying to set up another VPN group and policy. So far, I can connect with it, and I can ping the ASA, but nothing else on the inside. The funny thing is, I've got another group and policy set up that works fine. I've tried to emulate it but I can't figure out what I'm doing wrong. I'll paste the config below. The one I'm having problems with is ERCGroup/ERCPolicy. Also, if there are any obvious goofs elsewhere, I wouldn't mind them being pointed out. Thanks.


: Saved
: Written by enable_15 at 08:41:29.028 CDT Wed Jun 23 2010
!
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name domain
enable password asdf encrypted
passwd asdf encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.4.17.250 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xxx.xxx.xx 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
timeout 5
name-server 205.152.132.23
name-server 205.152.37.23
name-server 10.4.16.32
domain-name domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.4.16.0
subnet 10.4.16.0 255.255.255.0
object network obj-10.4.17.248
subnet 10.4.17.248 255.255.255.248
object network obj-10.4.18.0
subnet 10.4.18.0 255.255.254.0
object network obj-10.4.20.0
subnet 10.4.20.0 255.255.252.0
object network obj-10.4.24.0
subnet 10.4.24.0 255.255.248.0
object network obj-10.4.32.0
subnet 10.4.32.0 255.255.255.0
object network obj-10.4.48.0
subnet 10.4.48.0 255.255.255.0
object network obj-10.4.49.0
subnet 10.4.49.0 255.255.255.224
object network obj-10.4.51.0
subnet 10.4.51.0 255.255.255.224
object network obj-10.4.16.44
host 10.4.16.44
object network obj-10.4.16.44-01
host 10.4.16.44
object network obj-10.4.16.44-02
host 10.4.16.44
object network obj-10.4.16.34
host 10.4.16.34
object network obj-10.4.16.34-01
host 10.4.16.34
object network obj-10.4.16.43
host 10.4.16.43
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.4.16.44-03
host 10.4.16.44
object network obj-10.4.16.34-02
host 10.4.16.34
object network obj-10.4.16.34-03
host 10.4.16.34
object network obj-10.4.16.34-04
host 10.4.16.34
object network obj-10.4.16.34-05
host 10.4.16.34
object network obj-10.4.16.34-06
host 10.4.16.34
object network obj-10.4.16.34-07
host 10.4.16.34
object network obj-10.4.70.0
subnet 10.4.70.0 255.255.255.0
object network obj-10.4.71.0
subnet 10.4.71.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host 65.38.22.5
network-object host 65.38.3.35
object-group service borderc
description Border Controller ports
service-object tcp destination eq h323
service-object udp destination eq 1719
service-object udp destination eq 2776
service-object tcp-udp destination eq 2777
object-group service DM_INLINE_TCP_2 tcp
port-object eq https
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq ftp-data
object-group service FTPSData tcp
description FTPS Data Ports
port-object range 50000 50004
access-list inside_access_in extended permit ip host 10.4.17.249 any
access-list inside_access_in extended permit ip object obj-10.4.17.248 any
access-list inside_access_in extended permit ip 10.4.16.0 255.255.255.0 any
access-list inside_access_in extended deny ip host 10.4.16.92 any
access-list inside_access_in extended deny ip host 10.4.16.93 any
access-list inside_access_in extended permit ip host 10.4.20.6 any
access-list inside_access_in extended permit ip host 10.4.20.7 any
access-list inside_access_in extended permit ip host 10.4.20.8 any
access-list inside_access_in extended permit ip host 10.4.20.9 any
access-list inside_access_in extended permit ip host 10.4.20.10 any
access-list inside_access_in extended permit ip 10.4.20.0 255.255.252.0 object-group DM_INLINE_NETWORK_1 inactive
access-list inside_access_in extended permit ip host 10.4.32.2 any
access-list inside_access_in extended permit ip 10.4.48.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.4.70.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.4.71.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.4.49.0 255.255.255.224 any
access-list inside_access_in extended permit ip host 10.4.100.10 any
access-list inside_access_in extended permit ip host 10.4.100.11 any
access-list inside_access_in extended permit ip host 10.4.100.12 any
access-list inside_access_in extended permit ip host 10.4.100.13 any
access-list inside_access_in extended permit ip host 10.4.100.14 any
access-list ERC_splitTunnelAcl standard permit 10.4.17.248 255.255.255.248
access-list ERC_splitTunnelAcl standard permit 10.4.70.0 255.255.255.0
access-list ERC_splitTunnelAcl standard permit 10.4.71.0 255.255.255.0
access-list nmmcbc_splitTunnelAcl standard permit 10.4.16.0 255.255.255.0
access-list nmmcbc_splitTunnelAcl standard permit 10.4.17.248 255.255.255.248
access-list nmmcbc_splitTunnelAcl standard permit 10.4.18.0 255.255.254.0
access-list nmmcbc_splitTunnelAcl standard permit 10.4.20.0 255.255.252.0
access-list nmmcbc_splitTunnelAcl standard permit 10.4.24.0 255.255.248.0
access-list nmmcbc_splitTunnelAcl standard permit 10.4.32.0 255.255.255.0
access-list nmmcbc_splitTunnelAcl standard permit 10.4.48.0 255.255.255.0
access-list nmmcbc_splitTunnelAcl standard permit 10.4.70.0 255.255.255.0
access-list nmmcbc_splitTunnelAcl standard permit 10.4.71.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.16.0 255.255.255.0 10.4.17.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.4.18.0 255.255.254.0 10.4.17.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.4.20.0 255.255.252.0 10.4.17.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.4.24.0 255.255.248.0 10.4.17.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.4.32.0 255.255.255.0 10.4.17.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.4.48.0 255.255.255.0 10.4.17.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.4.49.0 255.255.255.224 10.4.17.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.4.51.0 255.255.255.224 10.4.17.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.4.70.0 255.255.255.0 10.4.17.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.4.71.0 255.255.255.0 10.4.17.248 255.255.255.248
access-list outside_access_in remark Migration, ACE (line 2) expanded: permit tcp any host xx.xxx.xxx.84 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host 10.4.16.44 eq https
access-list outside_access_in extended permit tcp any host 10.4.16.44 eq pop3
access-list outside_access_in extended permit tcp any host 10.4.16.44 eq smtp
access-list outside_access_in extended permit tcp any host 10.4.16.44 eq 993
access-list outside_access_in extended permit tcp any host 10.4.16.34 eq ftp
access-list outside_access_in remark Migration, ACE (line 3) expanded: permit tcp any host xx.xxx.xxx.82 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host 10.4.16.34 eq 990
access-list outside_access_in extended permit tcp any host 10.4.16.34 object-group FTPSData
access-list outside_access_in extended permit udp host xx.xxx.xxx.83 host 10.4.16.43 eq syslog
access-list CCMAACL webtype permit tcp host 10.4.16.8 eq disable
access-list CCMAACL webtype deny url any log default
pager lines 24
logging enable
logging buffer-size 9000
logging buffered debugging
logging trap notifications
logging asdm notifications
logging host inside 10.4.16.43
logging permit-hostdown
no logging message 106016
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool iPsecPool2 10.4.17.253-10.4.17.254
ip local pool IPsecPool1 10.4.17.251
ip local pool ERCPool 10.4.71.100-10.4.71.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
asdm location xx.xxx.xxx.xy 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.4.16.0 obj-10.4.16.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.18.0 obj-10.4.18.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.20.0 obj-10.4.20.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.24.0 obj-10.4.24.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.32.0 obj-10.4.32.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.48.0 obj-10.4.48.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.49.0 obj-10.4.49.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.51.0 obj-10.4.51.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.71.0 obj-10.4.71.0 destination static obj-10.4.17.248 obj-10.4.17.248
!
object network obj-10.4.16.44
nat (inside,outside) static xx.xxx.xxx.84 service tcp smtp smtp
object network obj-10.4.16.44-01
nat (inside,outside) static xx.xxx.xxx.84 service tcp pop3 pop3
object network obj-10.4.16.44-02
nat (inside,outside) static xx.xxx.xxx.84 service tcp https https
object network obj-10.4.16.34
nat (inside,outside) static interface service tcp ftp ftp
object network obj-10.4.16.43
nat (inside,outside) static interface service udp syslog syslog
object network obj_any
nat (inside,outside) dynamic interface
object network obj-10.4.16.44-03
nat (inside,outside) static xx.xxx.xxx.84 service tcp 993 993
object network obj-10.4.16.34-02
nat (inside,outside) static interface service tcp 990 990
object network obj-10.4.16.34-03
nat (inside,outside) static interface service tcp 50000 50000
object network obj-10.4.16.34-04
nat (inside,outside) static interface service tcp 50001 50001
object network obj-10.4.16.34-05
nat (inside,outside) static interface service tcp 50002 50002
object network obj-10.4.16.34-06
nat (inside,outside) static interface service tcp 50003 50003
object network obj-10.4.16.34-07
nat (inside,outside) static interface service tcp 50004 50004
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.81 1
route inside 10.4.16.0 255.255.255.0 10.4.17.252 1
route inside 10.4.18.0 255.255.254.0 10.4.17.252 1
route inside 10.4.20.0 255.255.252.0 10.4.17.252 1
route inside 10.4.24.0 255.255.248.0 10.4.17.252 1
route inside 10.4.32.0 255.255.255.0 10.4.17.252 1
route inside 10.4.48.0 255.255.255.0 10.4.17.252 1
route inside 10.4.49.0 255.255.255.224 10.4.17.252 1
route inside 10.4.51.0 255.255.255.224 10.4.17.252 1
route inside 10.4.70.0 255.255.255.0 10.4.17.252 1
route inside 10.4.71.0 255.255.255.0 10.4.17.250 1
route inside 10.4.100.0 255.255.255.0 10.4.17.252 1
route inside 10.5.24.0 255.255.255.0 10.4.17.252 1
route inside 10.101.28.0 255.255.255.0 10.4.16.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 8080
http 192.168.1.0 255.255.255.0 inside
http 10.4.17.0 255.255.255.0 inside
http 10.4.16.0 255.255.255.0 inside
snmp-server host inside 10.4.16.212 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn email aboatman@contoso.net
subject-name CN= ip-address xx.xxx.xx.124
crl configure
crypto ca trustpoint LOCAL-CA-SERVER
email admin@contoso.net
subject-name CN= Communications,O=Contoso,C=US,St=NY,L=NY,EA=admin@contoso.net
ip-address xx.xxx.xxx.82
keypair LOCAL-CA-SERVER
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment self
subject-name CN= Communications,O=Contoso,C=US,St=NY,L=NY,EA=admin@contoso.net
keypair LOCAL-CA-SERVER
proxy-ldc-issuer
crl configure
crypto ca server
lifetime certificate 3650
keysize 2048
keysize server 2048
issuer-name CN = smtp from-address admin@contoso.net
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate 00000000
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
no vpn-addr-assign aaa
vpn-addr-assign local reuse-delay 5
telnet 10.4.17.0 255.255.255.0 inside
telnet 10.4.16.0 255.255.255.0 inside
telnet timeout 5
ssh 10.4.17.0 255.255.255.0 inside
ssh 10.4.16.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.4.16.100 source inside prefer
tftp-server inside 10.4.16.32 /asa5505/conf.txt
ssl trust-point ASDM_TrustPoint3 outside
webvpn
enable outside
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
svc enable
smart-tunnel list SmartTunnel1 InternetExplorer iexplore.exe platform windows
group-policy CCMAPolicy internal
group-policy CCMAPolicy attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value CCMALinks
filter value CCMAACL
customization value CCMACustomization
hidden-shares none
smart-tunnel auto-start SmartTunnel1
file-entry disable
file-browsing disable
url-entry disable
group-policy CSRPolicy internal
group-policy CSRPolicy attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value CSR
customization value CSRCustom
file-entry disable
file-browsing disable
url-entry disable
group-policy Telecorp internal
group-policy Telecorp attributes
vpn-simultaneous-logins 1
vpn-tunnel-protocol webvpn
webvpn
url-list value telecorp
customization value TelecorpCustom
hidden-shares none
file-entry disable
file-browsing disable
url-entry disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ERCPolicy internal
group-policy ERCPolicy attributes
vpn-tunnel-protocol IPSec
group-lock value ERCGroup
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ERC_splitTunnelAcl
group-policy biomed internal
group-policy biomed attributes
dns-server value 10.4.16.32
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nmmcbc_splitTunnelAcl
address-pools value iPsecPool2 IPsecPool1
webvpn
url-list value Links
username user1 password asdf encrypted
username user1 attributes
vpn-group-policy CSRPolicy
vpn-tunnel-protocol webvpn
service-type remote-access
username user2 password asfd encrypted
username user2 attributes
vpn-group-policy Telecorp
service-type remote-access
username user3 password asdf encrypted privilege 0
username user3 attributes
vpn-group-policy biomed
vpn-framed-ip-address 10.4.17.253 255.255.255.248
webvpn
hidden-shares visible
smart-tunnel auto-start SmartTunnel1
username user4 password asdf encrypted privilege 0
username user4 attributes
vpn-group-policy biomed
vpn-framed-ip-address 10.4.17.251 255.255.255.248
username user5 password asdf encrypted
username user5 attributes
vpn-group-policy ERCPolicy
service-type remote-access
username user6 password asdf encrypted
username user6 attributes
vpn-group-policy CSRPolicy
vpn-tunnel-protocol webvpn
service-type remote-access
username user7 password asdf encrypted
username user7 attributes
vpn-group-policy CCMAPolicy
service-type remote-access
username admin password asdf encrypted
username user8 password asdf encrypted privilege 0
username user8 attributes
vpn-group-policy biomed
vpn-framed-ip-address 10.4.17.254 255.255.255.248
username user9 password asdf encrypted
username user9 attributes
vpn-group-policy biomed
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
url-list value Links
username user10 password asdf encrypted
username user10 attributes
vpn-group-policy CSRPolicy
vpn-tunnel-protocol webvpn
service-type remote-access
webvpn
file-browsing disable
file-entry disable
url-entry disable
url-list value CSR
customization value CSRCustom
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool iPsecPool2
address-pool IPsecPool1
tunnel-group biomed type remote-access
tunnel-group biomed general-attributes
address-pool iPsecPool2
address-pool IPsecPool1
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
default-group-policy biomed
tunnel-group biomed ipsec-attributes
pre-shared-key psk
tunnel-group ERCGroup type remote-access
tunnel-group ERCGroup general-attributes
address-pool ERCPool
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
default-group-policy ERCPolicy
tunnel-group ERCGroup ipsec-attributes
pre-shared-key psk
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
smtp-server 10.4.16.44
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1616fadd9d2e8ced7178b3cf8f2c2172
: end
 
More information - when I ping something on the inside, 10.4.70.2 for instance, I get this in the log:

5 Jun 23 2010 09:43:21 305013 10.4.71.255 137 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.4.71.104/137 dst inside:10.4.71.255/137 denied due to NAT reverse path failure

5 Jun 23 2010 09:43:20 305013 10.4.71.2 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.4.71.104 dst inside:10.4.71.2 (type 8, code 0) denied due to NAT reverse path failure
 
Sorry, there was a tiny error in the previous post. The second log entry should be like this:

5 Jun 23 2010 09:49:50 305013 10.4.70.2 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.4.71.104 dst inside:10.4.70.2 (type 8, code 0) denied due to NAT reverse path failure
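
Added example, not part of the original posts: a Python check that reads the `ip local pool` lines and the identity `nat ... source static ... destination static ...` rules from the posted configuration, reports which VPN address pools fall outside every exempted destination, and applies the same test to the corrected 305013 log entry. The function names are illustrative, and the embedded configuration is a trimmed excerpt of the lines above.

```python
import ipaddress
import re

# Excerpt of lines taken from the configuration posted above (trimmed to the
# objects, pools and twice-NAT rules that matter for the check).
CONFIG = """\
object network obj-10.4.17.248
subnet 10.4.17.248 255.255.255.248
object network obj-10.4.70.0
subnet 10.4.70.0 255.255.255.0
object network obj-10.4.71.0
subnet 10.4.71.0 255.255.255.0
ip local pool iPsecPool2 10.4.17.253-10.4.17.254
ip local pool IPsecPool1 10.4.17.251
ip local pool ERCPool 10.4.71.100-10.4.71.120 mask 255.255.255.0
nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.17.248 obj-10.4.17.248
nat (inside,any) source static obj-10.4.71.0 obj-10.4.71.0 destination static obj-10.4.17.248 obj-10.4.17.248
"""

# Second log entry from the thread, as corrected by the poster.
LOG = ("5 Jun 23 2010 09:49:50 305013 10.4.70.2 Asymmetric NAT rules matched "
       "for forward and reverse flows; Connection for icmp src "
       "outside:10.4.71.104 dst inside:10.4.70.2 (type 8, code 0) denied due "
       "to NAT reverse path failure")

NAT_RE = re.compile(r"nat \(\w+,\w+\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")
POOL_RE = re.compile(r"ip local pool (\S+) ([\d.]+)(?:-([\d.]+))?")
FLOW_RE = re.compile(r"src \w+:([\d.]+)(?:/\d+)? dst \w+:([\d.]+)")


def parse_objects(config):
    """Map 'object network' names to ip_network values (subnet or host)."""
    objects, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith("subnet "):
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}")
        elif current and line.startswith("host "):
            objects[current] = ipaddress.ip_network(line.split()[1])
    return objects


def identity_rules(config):
    """(real source net, destination net) for each identity twice-NAT rule."""
    objects = parse_objects(config)
    rules = []
    for src, src_mapped, dst, dst_mapped in NAT_RE.findall(config):
        # Identity NAT: real and mapped objects are the same on both sides.
        if src == src_mapped and dst == dst_mapped:
            if src in objects and dst in objects:
                rules.append((objects[src], objects[dst]))
    return rules


def has_exemption(config, inside_ip, client_ip):
    """True if an identity rule covers inside host -> VPN client address."""
    inside, client = map(ipaddress.ip_address, (inside_ip, client_ip))
    return any(inside in s and client in d for s, d in identity_rules(config))


def uncovered_pools(config):
    """Pools whose range is not inside the destination of any identity rule."""
    dests = [d for _, d in identity_rules(config)]
    missing = []
    for name, first, last in POOL_RE.findall(config):
        ends = [ipaddress.ip_address(a) for a in (first, last or first)]
        if not any(all(e in d for e in ends) for d in dests):
            missing.append(name)
    return missing


def check_log_line(line, config):
    """Return (client ip, inside ip, exempted?) for a 305013 log entry."""
    client_ip, inside_ip = FLOW_RE.search(line).groups()
    return client_ip, inside_ip, has_exemption(config, inside_ip, client_ip)


if __name__ == "__main__":
    print("pools without NAT exemption:", uncovered_pools(CONFIG))
    print("305013 flow:", check_log_line(LOG, CONFIG))
```

With the posted lines, only ERCPool is reported: the other two pools sit inside 10.4.17.248/29, the only destination the identity NAT rules name.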
 