I've searched for this and haven't found an answer for this particular question: A client of mine has set up sixteen site-to-site tunnels to a central office. All offices can be accessed when connected to the inside interface, but none of the offices (aside from the central office) can be accessed via Cisco VPN client connection. It appears traffic isn't moving through the tunnels. A predecessor of mine configured the VPN address pool to be on the same subnet as the main office (10.48.0.0, 255.240.0.0), which allowed them access to all offices except the main office (for obvious reasons). This is not a good solution.
After taking this over, I created a second VPN pool on a different subnet, which now allows access ONLY to the main office. I want access to the main office and all outlying offices through the client VPN connection. Any ideas? Below is the config. Please concentrate only on the VPN pool called VPNPool2.
ASA Version 8.0(2)
!
hostname MARSH-ASA01
domain-name xxx.com
enable password bhRGavm2KVZg8e3G encrypted
names
name 64.x.x.x PBURGSCHOOL description SCHOOL DISTRICT
name 64.x.x.x xm-radio description xm radio sites
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 64.x.x.x 255.255.255.192
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.48.0.2 255.240.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd bhRGavm2KVZg8e3G encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
domain-name xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network facebook
description blocking facebook
network-object host 128.242.240.20
network-object host 66.220.145.10
network-object host 168.143.171.84
network-object host 69.63.181.16
object-group network DM_INLINE_NETWORK_1
network-object host 128.242.240.20
group-object facebook
object-group network DM_INLINE_NETWORK_2
network-object 10.32.0.0 255.240.0.0
network-object 10.48.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.32.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.64.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.128.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.112.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.80.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.176.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.160.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.96.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.0.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.16.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.32.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.48.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.80.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.96.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.112.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.128.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.192.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 172.16.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.32.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.32.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.64.0.0 255.240.0.0
access-list outside_3_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.128.0.0 255.240.0.0
access-list outside_cryptomap_1 extended permit ip 172.16.16.0 255.255.255.0 10.32.0.0 255.240.0.0
access-list outside_6_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.80.0.0 255.240.0.0
access-list inside_out remark denie xm radio
access-list inside_out extended deny ip host xm-radio any
access-list inside_out extended permit ip any any
access-list inside_out extended deny tcp any object-group facebook eq www
access-list outside_in extended permit tcp any host 64.x.x.x eq smtp
access-list outside_in extended permit tcp any host 64.x.x.x eq www
access-list outside_in remark to allow pop3 clients through the firewall
access-list outside_in extended permit tcp any host 64.x.x.x eq pop3
access-list outside_in extended permit tcp any host 64.x.x.x eq imap4
access-list outside_in extended permit icmp any any
access-list outside_in remark TO ALLOW SCHOOL CLIENTS TO GET WEBMAIL
access-list outside_in extended permit tcp host PBURGSCHOOL host 64.x.x.x eq access-list outside_in remark block access to xm radio
access-list outside_in extended deny ip any host xm-radio inactive
access-list outside_in extended deny udp object-group DM_INLINE_NETWORK_1 any eq www
access-list outside_in extended deny udp any object-group facebook eq www
access-list Primary_VPN_splitTunnelAcl standard permit 10.48.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.32.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.64.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.80.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.96.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.112.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.128.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.160.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.176.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.192.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.208.16.0 255.255.240.0
access-list outside_7_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.112.0.0 255.240.0.0
access-list outside_5_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.16.0.0 255.240.0.0
access-list outside_8_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.176.0.0 255.240.0.0
access-list TestVPN_splitTunnelAcl standard permit 10.128.0.0 255.240.0.0
access-list TestVPN_splitTunnelAcl standard permit 10.208.16.0 255.255.240.0
access-list TestVPN_splitTunnelAcl standard permit 10.48.0.0 255.240.0.0
access-list TestVPN_splitTunnelAcl standard permit 10.32.0.0 255.240.0.0
access-list outside_19_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.192.0.0 255.240.0.0
access-list outside_11_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.96.0.0 255.240.0.0
access-list outside_11_cryptomap_1 extended permit ip 10.48.0.0 255.240.0.0 10.208.0.0 255.255.240.0
access-list outside_12_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.112.0 255.255.240.0
access-list outside_13_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.128.0 255.255.240.0
access-list outside_14_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.48.0 255.255.240.0
access-list outside_15_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.80.0 255.255.240.0
access-list outside_16_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.96.0 255.255.240.0
access-list outside_17_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.32.0 255.255.240.0
access-list outside_18_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.16.0 255.255.240.0
access-list VPN_Access_splitTunnelAcl standard permit any
access-list vpn extended permit ip 172.16.16.0 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.32.0.0 255.240.0.0
access-list outside_nat0_outbound_1 extended permit ip 172.16.16.0 255.255.255.0 10.32.0.0 255.240.0.0
access-list TestVPN_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging monitor errors
logging buffered emergencies
logging trap alerts
logging asdm emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 10.48.255.100-10.48.255.200 mask 255.240.0.0
ip local pool VPNPool2 172.16.16.100-172.16.16.200 mask 255.255.255.0
ip local pool VPNPool3 10.0.0.100-10.0.0.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.48.0.6 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface pop3 10.48.0.6 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 10.48.0.6 imap4 netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_out in interface inside
route outside 0.0.0.0 0.0.0.0 64.21.122.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5
ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 64.x.x.x
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 64.x.x.x
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 64.x.x.x
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 64.x.x.x
crypto map outside_map 6 set transform-set ESP-3DES-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 64.x.x.x
crypto map outside_map 7 set transform-set ESP-3DES-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 64.x.x.x
crypto map outside_map 8 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address outside_11_cryptomap
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 64.x.x.x
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 11 match address outside_11_cryptomap_1
crypto map outside_map 11 set peer 64.x.x.x
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 12 match address outside_12_cryptomap
crypto map outside_map 12 set peer 64.x.x.x
crypto map outside_map 12 set transform-set ESP-3DES-SHA
crypto map outside_map 13 match address outside_13_cryptomap
crypto map outside_map 13 set peer 64.x.x.x
crypto map outside_map 13 set transform-set ESP-3DES-SHA
crypto map outside_map 14 match address outside_14_cryptomap
crypto map outside_map 14 set peer 64.x.x.x
crypto map outside_map 14 set transform-set ESP-3DES-SHA
crypto map outside_map 15 match address outside_15_cryptomap
crypto map outside_map 15 set peer 64.x.x.x
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 16 match address outside_16_cryptomap
crypto map outside_map 16 set peer 64.x.x.x
crypto map outside_map 16 set transform-set ESP-3DES-SHA
crypto map outside_map 17 match address outside_17_cryptomap
crypto map outside_map 17 set peer 64.x.x.x
crypto map outside_map 17 set transform-set ESP-3DES-SHA
crypto map outside_map 18 match address outside_18_cryptomap
crypto map outside_map 18 set peer 64.x.x.x
crypto map outside_map 18 set transform-set ESP-3DES-SHA
crypto map outside_map 19 match address outside_19_cryptomap
crypto map outside_map 19 set peer 64.x.x.x
crypto map outside_map 19 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access inside
no threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
group-policy Primary_VPN internal
group-policy Primary_VPN attributes
wins-server value 10.48.0.7
dns-server value 10.48.0.7
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Primary_VPN_splitTunnelAcl
default-domain value xxx.com
address-pools value vpnpool
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
intercept-dhcp enable
address-pools value VPNPool2
group-policy VPN_Test internal
group-policy VPN_Test attributes
wins-server value 10.48.0.7
dns-server value 10.48.0.7
vpn-tunnel-protocol IPSec
split-tunnel-network-list value Primary_VPN_splitTunnelAcl
default-domain value xxx.com
address-pools value VPNPool2
group-policy VPN_Access internal
group-policy VPN_Access attributes
wins-server value 10.48.0.7
dns-server value 10.48.0.7
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Primary_VPN_splitTunnelAcl
default-domain value xxx.com
address-pools value VPNPool2
username norwescap password zIkyshVuMlu6J0fu encrypted
username test password z0you0vrFnZqDQuH encrypted privilege 0
username test attributes
vpn-group-policy VPN_Access
username hitech password fG6r3iLoc2jBsVyi encrypted
username transnet password y8qyWe8kktJHzubT encrypted privilege 15
username stephens password INam3hxXT6FIWyh4 encrypted privilege 15
username contractor password TF5P7OSc6Pc3w0vw encrypted
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group Primary_VPN type remote-access
tunnel-group Primary_VPN general-attributes
address-pool vpnpool
default-group-policy Primary_VPN
tunnel-group Primary_VPN ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group VPN_Access type remote-access
tunnel-group VPN_Access general-attributes
address-pool VPNPool2
default-group-policy VPN_Access
tunnel-group VPN_Access ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group VPN_Test type remote-access
tunnel-group VPN_Test general-attributes
address-pool VPNPool2
default-group-policy VPN_Test
tunnel-group VPN_Test ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:750e0cae7a247476b6e17d766c04dd13
: end
After taking this over, I created a second VPN pool on a different subnet, which now allows access ONLY to the main office. I want access to the main office and all outlying offices through the client VPN connection. Any ideas? Below is the config. Please concentrate only on the VPN pool called VPNPool2.
ASA Version 8.0(2)
!
hostname MARSH-ASA01
domain-name xxx.com
enable password bhRGavm2KVZg8e3G encrypted
names
name 64.x.x.x PBURGSCHOOL description SCHOOL DISTRICT
name 64.x.x.x xm-radio description xm radio sites
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 64.x.x.x 255.255.255.192
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.48.0.2 255.240.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd bhRGavm2KVZg8e3G encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
domain-name xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network facebook
description blocking facebook
network-object host 128.242.240.20
network-object host 66.220.145.10
network-object host 168.143.171.84
network-object host 69.63.181.16
object-group network DM_INLINE_NETWORK_1
network-object host 128.242.240.20
group-object facebook
object-group network DM_INLINE_NETWORK_2
network-object 10.32.0.0 255.240.0.0
network-object 10.48.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.32.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.64.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.128.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.112.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.80.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.176.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.160.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.96.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.0.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.16.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.32.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.48.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.80.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.96.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.112.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.208.128.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 10.192.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.48.0.0 255.240.0.0 172.16.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.32.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.32.0.0 255.240.0.0
access-list outside_2_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.64.0.0 255.240.0.0
access-list outside_3_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.128.0.0 255.240.0.0
access-list outside_cryptomap_1 extended permit ip 172.16.16.0 255.255.255.0 10.32.0.0 255.240.0.0
access-list outside_6_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.80.0.0 255.240.0.0
access-list inside_out remark denie xm radio
access-list inside_out extended deny ip host xm-radio any
access-list inside_out extended permit ip any any
access-list inside_out extended deny tcp any object-group facebook eq www
access-list outside_in extended permit tcp any host 64.x.x.x eq smtp
access-list outside_in extended permit tcp any host 64.x.x.x eq www
access-list outside_in remark to allow pop3 clients through the firewall
access-list outside_in extended permit tcp any host 64.x.x.x eq pop3
access-list outside_in extended permit tcp any host 64.x.x.x eq imap4
access-list outside_in extended permit icmp any any
access-list outside_in remark TO ALLOW SCHOOL CLIENTS TO GET WEBMAIL
access-list outside_in extended permit tcp host PBURGSCHOOL host 64.x.x.x eq access-list outside_in remark block access to xm radio
access-list outside_in extended deny ip any host xm-radio inactive
access-list outside_in extended deny udp object-group DM_INLINE_NETWORK_1 any eq www
access-list outside_in extended deny udp any object-group facebook eq www
access-list Primary_VPN_splitTunnelAcl standard permit 10.48.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.32.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.64.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.80.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.96.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.112.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.128.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.160.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.176.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.192.0.0 255.240.0.0
access-list Primary_VPN_splitTunnelAcl standard permit 10.208.16.0 255.255.240.0
access-list outside_7_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.112.0.0 255.240.0.0
access-list outside_5_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.16.0.0 255.240.0.0
access-list outside_8_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.176.0.0 255.240.0.0
access-list TestVPN_splitTunnelAcl standard permit 10.128.0.0 255.240.0.0
access-list TestVPN_splitTunnelAcl standard permit 10.208.16.0 255.255.240.0
access-list TestVPN_splitTunnelAcl standard permit 10.48.0.0 255.240.0.0
access-list TestVPN_splitTunnelAcl standard permit 10.32.0.0 255.240.0.0
access-list outside_19_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.192.0.0 255.240.0.0
access-list outside_11_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.96.0.0 255.240.0.0
access-list outside_11_cryptomap_1 extended permit ip 10.48.0.0 255.240.0.0 10.208.0.0 255.255.240.0
access-list outside_12_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.112.0 255.255.240.0
access-list outside_13_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.128.0 255.255.240.0
access-list outside_14_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.48.0 255.255.240.0
access-list outside_15_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.80.0 255.255.240.0
access-list outside_16_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.96.0 255.255.240.0
access-list outside_17_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.32.0 255.255.240.0
access-list outside_18_cryptomap extended permit ip 10.48.0.0 255.240.0.0 10.208.16.0 255.255.240.0
access-list VPN_Access_splitTunnelAcl standard permit any
access-list vpn extended permit ip 172.16.16.0 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.32.0.0 255.240.0.0
access-list outside_nat0_outbound_1 extended permit ip 172.16.16.0 255.255.255.0 10.32.0.0 255.240.0.0
access-list TestVPN_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging monitor errors
logging buffered emergencies
logging trap alerts
logging asdm emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 10.48.255.100-10.48.255.200 mask 255.240.0.0
ip local pool VPNPool2 172.16.16.100-172.16.16.200 mask 255.255.255.0
ip local pool VPNPool3 10.0.0.100-10.0.0.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.48.0.6 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface pop3 10.48.0.6 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 10.48.0.6 imap4 netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_out in interface inside
route outside 0.0.0.0 0.0.0.0 64.21.122.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5
ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 64.x.x.x
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 64.x.x.x
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 64.x.x.x
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 64.x.x.x
crypto map outside_map 6 set transform-set ESP-3DES-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 64.x.x.x
crypto map outside_map 7 set transform-set ESP-3DES-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 64.x.x.x
crypto map outside_map 8 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address outside_11_cryptomap
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 64.x.x.x
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 11 match address outside_11_cryptomap_1
crypto map outside_map 11 set peer 64.x.x.x
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 12 match address outside_12_cryptomap
crypto map outside_map 12 set peer 64.x.x.x
crypto map outside_map 12 set transform-set ESP-3DES-SHA
crypto map outside_map 13 match address outside_13_cryptomap
crypto map outside_map 13 set peer 64.x.x.x
crypto map outside_map 13 set transform-set ESP-3DES-SHA
crypto map outside_map 14 match address outside_14_cryptomap
crypto map outside_map 14 set peer 64.x.x.x
crypto map outside_map 14 set transform-set ESP-3DES-SHA
crypto map outside_map 15 match address outside_15_cryptomap
crypto map outside_map 15 set peer 64.x.x.x
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 16 match address outside_16_cryptomap
crypto map outside_map 16 set peer 64.x.x.x
crypto map outside_map 16 set transform-set ESP-3DES-SHA
crypto map outside_map 17 match address outside_17_cryptomap
crypto map outside_map 17 set peer 64.x.x.x
crypto map outside_map 17 set transform-set ESP-3DES-SHA
crypto map outside_map 18 match address outside_18_cryptomap
crypto map outside_map 18 set peer 64.x.x.x
crypto map outside_map 18 set transform-set ESP-3DES-SHA
crypto map outside_map 19 match address outside_19_cryptomap
crypto map outside_map 19 set peer 64.x.x.x
crypto map outside_map 19 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access inside
no threat-detection basic-threat
threat-detection statistics
!
! --- Default application inspection policy ---
! Matches the ASA's default set of inspection ports.
class-map inspection_default
match default-inspection-traffic
!
!
! Standard global inspection set plus icmp (lets ICMP replies through statefully).
! Each "inspect" here rewrites embedded addresses/ports for that protocol; review
! whether sip/skinny/h323/sqlnet are really in use, since unused inspections only
! add attack surface on the firewall itself.
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
! Apply to all interfaces.
service-policy global_policy global
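! --- Remote-access group policies ---
! Primary_VPN: legacy client group still on address pool "vpnpool" (reportedly
! overlapping the inside network). Keep only until VPNPool2 is proven to reach
! every office, then retire it.
group-policy Primary_VPN internal
group-policy Primary_VPN attributes
wins-server value 10.48.0.7
dns-server value 10.48.0.7
vpn-tunnel-protocol IPSec
! Split tunneling: only networks in Primary_VPN_splitTunnelAcl (defined earlier in
! the file, not visible here) are sent into the tunnel. NOTE(review): every remote
! office LAN must be listed in that ACL or clients will never send that traffic
! to the ASA - confirm.
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Primary_VPN_splitTunnelAcl
default-domain value xxx.com
address-pools value vpnpool
! DfltGrpPolicy: parent that every other group policy inherits from.
! NOTE(review): it hands out VPNPool2 addresses and permits webvpn as well as
! IPSec, so any tunnel-group without its own default-group-policy (e.g. the
! built-in DefaultRAGroup/DefaultWEBVPNGroup) inherits both - confirm that is
! intended, otherwise move "address-pools" off the default policy.
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
! Lets clients behind a DHCP-assigned address keep routes to their local LAN.
intercept-dhcp enable
address-pools value VPNPool2
! VPN_Test: test client group on VPNPool2. The original set a split-tunnel
! network list but not a split-tunnel policy; with no policy set on DfltGrpPolicy
! either, the list was presumably inherited-as-default (tunnel everything) and
! had no effect. "split-tunnel-policy tunnelspecified" is added so VPN_Test
! behaves like Primary_VPN and VPN_Access.
group-policy VPN_Test internal
group-policy VPN_Test attributes
wins-server value 10.48.0.7
dns-server value 10.48.0.7
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Primary_VPN_splitTunnelAcl
default-domain value xxx.com
address-pools value VPNPool2
! VPN_Access: production client group on VPNPool2. This is the policy that must
! reach the main office and all outlying offices; besides the split-tunnel ACL it
! depends on the L2L crypto ACLs and NAT exemption covering VPNPool2 (see the
! crypto map above).
group-policy VPN_Access internal
group-policy VPN_Access attributes
wins-server value 10.48.0.7
dns-server value 10.48.0.7
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Primary_VPN_splitTunnelAcl
default-domain value xxx.com
address-pools value VPNPool2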
! --- Local user database ---
! NOTE(review): the "encrypted" values are password hashes that can be attacked
! offline. Treat this posted config as a credential disclosure and rotate every
! password below (and the device secrets) after posting. Review whether the
! generic "test", "contractor", "hitech" and "norwescap" accounts are still needed;
! shared accounts defeat per-user accountability.
username norwescap password zIkyshVuMlu6J0fu encrypted
! "test" is a VPN-only account: privilege 0 and pinned to group policy VPN_Access
! (VPNPool2). This is the account to use when testing access to the remote offices.
username test password z0you0vrFnZqDQuH encrypted privilege 0
username test attributes
vpn-group-policy VPN_Access
username hitech password fG6r3iLoc2jBsVyi encrypted
! transnet and stephens are privilege 15 (full administrative access).
username transnet password y8qyWe8kktJHzubT encrypted privilege 15
username stephens password INam3hxXT6FIWyh4 encrypted privilege 15
username contractor password TF5P7OSc6Pc3w0vw encrypted
! --- Tunnel groups ---
! ipsec-l2l entries: one per remote office peer (addresses masked as 64.x.x.x in
! this post; each should correspond to a "set peer" in the crypto map above).
! Pre-shared keys are masked ("*") by the ASA when displayed.
! NOTE(review): a distinct PSK per peer is assumed - confirm none are shared
! across sites, since one compromised office would then expose the others.
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
! Primary_VPN: legacy client group on the old "vpnpool" address pool.
tunnel-group Primary_VPN type remote-access
tunnel-group Primary_VPN general-attributes
address-pool vpnpool
default-group-policy Primary_VPN
tunnel-group Primary_VPN ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
! VPN_Access: production client group. Pool VPNPool2 here and in group policy
! VPN_Access agree, so there is no pool conflict. Clients in this group should
! reach all offices once the crypto ACLs, NAT exemption and split-tunnel ACL
! cover VPNPool2 (none of those ACLs are visible in this excerpt).
tunnel-group VPN_Access type remote-access
tunnel-group VPN_Access general-attributes
address-pool VPNPool2
default-group-policy VPN_Access
tunnel-group VPN_Access ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *
! VPN_Test: test client group, also on VPNPool2, mapped to group policy VPN_Test.
! NOTE(review): group policy VPN_Test sets a split-tunnel network list but no
! split-tunnel policy, so that list presumably has no effect - confirm and align
! it with VPN_Access if the two are meant to behave the same.
tunnel-group VPN_Test type remote-access
tunnel-group VPN_Test general-attributes
address-pool VPNPool2
default-group-policy VPN_Test
tunnel-group VPN_Test ipsec-attributes
pre-shared-key *
prompt hostname context
! The two lines below are generated by the ASA when the configuration is
! displayed; they are not commands and should not be pasted back in.
Cryptochecksum:750e0cae7a247476b6e17d766c04dd13
: end