
Internal Host Issue on ASA 5510


tdmelvin

IS-IT--Management
Feb 8, 2009
I have an issue regarding the ASA 5510. I have an MPLS network, with an ASA. The internal network is 10.10.x.x/21 with a default GW of 10.10.0.252 [Inside Interface of ASA]. The next hop router for us is 10.10.0.254. I have 4 other sites on the MPLS network with 10.11.x.x/21 - 10.14.x.x/21, with each of their default GWs being 10.11.0.254, etc. I need to open up our internal hosts to all of these other locations [i.e. Windows servers, HTTP, ICMP, etc.]. I can ping all of these locations from the ASA. I can also ping from those other locations to the 10.10.0.254, but that's it. I thought it was implied that inside could see inside? What am I missing?

Thanks in advance!

ASA Version 8.0(4)
!
hostname lhc-fw01
domain-name chandom.internal
enable password dcbvmiVNKth1v4Xn encrypted
passwd dcbvmiVNKth1v4Xn encrypted
names
name 192.168.200.0 dmz description DMZ Interface
name 192.168.10.0 management description Management Interface
dns-guard
!
interface Ethernet0/0
description Outside Interface
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface Ethernet0/1
description Inside Ethernet Interface
nameif inside
security-level 100
ip address 10.10.0.252 255.255.248.0 standby 10.10.0.253
!
interface Ethernet0/2
description DMZ Interface
nameif dmz
security-level 50
ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
description Management Interface
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.1.1
name-server 10.10.1.2
name-server 64.192.64.140
name-server 64.140.193.60
domain-name chandom.internal
object-group service DM_INLINE_TCP_4 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
port-object eq https
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service IMR tcp
port-object range 2440 2444
object-group service IMS tcp
port-object range 2400 2403
object-group service Millbrook tcp
port-object eq 2500
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq www
object-group network DM_INLINE_NETWORK_1
network-object 10.12.0.0 255.255.248.0
network-object 10.13.0.0 255.255.248.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
network-object 10.11.0.0 255.255.248.0
object-group service DM_INLINE_TCP_1 tcp
group-object IMR
group-object IMS
group-object Millbrook
port-object eq https
port-object eq www
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.248.0 object-group DM_INLINE_NETWORK_1
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
access-list 100 extended permit ip any 192.168.100.0 255.255.255.0
access-list 100 extended permit ip 10.10.0.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list 100 extended permit ip management 255.255.255.0 192.168.100.0 255.255.255.0
access-list 100 extended permit tcp any host X.X.X.X eq www
access-list 100 extended permit tcp any host X.X.X.X eq www
access-list 100 extended permit tcp any host X.X.X.X.45 eq smtp
access-list 100 extended permit tcp any host X.X.X.X eq smtp
access-list 100 extended permit tcp any host X.X.X.X eq https
access-list 100 extended permit tcp any host X.X.X.X eq https
access-list 100 extended permit tcp any host X.X.X.X eq https
access-list 100 extended permit tcp any host X.X.X.X object-group DM_INLINE_TCP_1
access-list management_nat0_outbound extended permit ip 10.10.0.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list management_nat0_outbound extended permit ip management 255.255.255.0 192.168.100.0 255.255.255.0
access-list management_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 192.168.100.0 255.255.255.0 10.10.0.0 255.255.248.0
access-list management_nat0_outbound extended permit icmp 10.10.0.0 255.255.248.0 any
access-list inside_access_in extended permit ip any any
access-list CHANREMOTEVPN_splitTunnelAcl standard permit 10.10.0.0 255.255.248.0
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_4
access-list outside_2_cryptomap extended permit ip 10.10.0.0 255.255.248.0 192.168.5.0 255.255.255.0
access-list CHANVPN09_splitTunnelAcl standard permit 10.10.0.0 255.255.248.0
access-list CHANVPN09_splitTunnelAcl remark Inside Corporate Network
access-list nonat-in extended permit ip 10.10.0.0 255.255.248.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address fwadmin@domain.org
logging recipient-address user@domain.org level errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool lhcchanpool 192.168.100.2-192.168.100.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface asa_primary Ethernet0/3
failover key *****
failover link asa_primary Ethernet0/3
failover interface ip asa_primary 10.1.10.2 255.255.255.248 standby 10.1.10.3
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 X.X.X.X 255.255.255.248
nat (inside) 101 0.0.0.0 0.0.0.0
static (dmz,outside) X.X.X.X 192.168.200.10 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.10.1.11 netmask 255.255.255.255
static (inside,dmz) 192.168.200.10 10.10.1.35 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.10.1.36 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.10.1.12 netmask 255.255.255.255
access-group 100 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 10.1.1.0 255.255.255.0 10.10.0.252 10
route inside 10.10.0.0 255.255.248.0 10.10.0.254 1
route inside 10.11.0.0 255.255.248.0 10.10.0.254 10
route inside 10.12.0.0 255.255.248.0 10.10.0.254 10
route inside 10.13.0.0 255.255.248.0 10.10.0.254 10
route inside 172.20.20.0 255.255.255.0 10.10.0.254 10
route inside 192.168.1.0 255.255.255.0 10.10.0.254 10
route inside 192.168.2.0 255.255.255.0 10.10.0.254 10
route inside 192.168.5.0 255.255.255.0 10.10.0.252 10
route inside 192.168.7.0 255.255.255.0 10.10.0.254 10
route inside 192.168.9.0 255.255.255.0 10.10.0.254 10
route inside 192.168.100.0 255.255.255.0 192.168.100.1 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CHANDOM protocol nt
aaa-server CHANDOM (inside) host 10.10.1.1
timeout 5
nt-auth-domain-controller 10.10.1.1
aaa-server CHANDOM (inside) host 10.10.1.2
timeout 5
nt-auth-domain-controller 10.10.1.1
aaa-server CHANDOM (inside) host 10.1.1.60
nt-auth-domain-controller mother
aaa-server CHANDOM (inside) host 10.1.1.128
nt-auth-domain-controller 10.1.1.60
http server enable
http management 255.255.255.0 management
http 10.10.0.0 255.255.248.0 management
http 10.1.1.0 255.255.255.0 inside
http 10.10.0.0 255.255.248.0 inside
http 192.168.100.0 255.255.255.0 management
http redirect outside 80
snmp-server host inside 10.10.1.11 community private version 2c udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community private
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set FirsSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set pfs group1
crypto dynamic-map dyn1 1 set transform-set FirsSet
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 2 match address outside_2_cryptomap
crypto map mymap 2 set pfs group1
crypto map mymap 2 set peer X.X.X.X
crypto map mymap 2 set transform-set ESP-3DES-SHA
crypto map mymap 2 set security-association lifetime seconds 28800
crypto map mymap 2 set security-association lifetime kilobytes 4608000
crypto map mymap interface outside
crypto ca trustpoint ASDM_TrustPoint0
revocation-check ocsp crl none
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn vpn.domain.com
subject-name CN=vpn.domain.com
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint4
crl configure
crypto ca trustpoint ASDM_TrustPoint5
crl configure
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint0
certificate ca 1c8b350a4a3b6e8246d628266dec1c67
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 31
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 1c8b350a4a3b6e8246d628266dec1c67
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable management
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.1.1.0 255.255.255.0 management
telnet 10.10.0.0 255.255.248.0 management
telnet management 255.255.255.0 management
telnet timeout 5
ssh 10.10.0.0 255.255.0.0 management
ssh management 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.10.1.102 source inside prefer
tftp-server inside 10.10.3.9 XXXXX
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 outside vpnlb-ip
webvpn
enable outside
enable inside
csd image disk0:/securedesktop-asa-3.3.0.151-k9.pkg
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
svc enable
port-forward Citrix 2598 10.1.1.5 2598 Citrix Remote - Reliability
port-forward Citrix https 10.1.1.5 https Citrix Remote - HTTPS
port-forward Citrix citrix-ica 10.1.1.5 citrix-ica Citrix Remote - ICA
port-forward Citrix Remote - HTTP
tunnel-group-list enable
certificate-group-map DefaultCertificateMap 10 SSLClientProfile
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server value 10.1.1.60 10.1.1.128
dns-server value 10.1.1.60 10.1.1.128
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-network-list value CHANVPN09_splitTunnelAcl
default-domain value chandom.internal
address-pools value lhcchanpool
webvpn
url-list value SSLVPN
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy CHANREMOTEVPN internal
group-policy CHANREMOTEVPN attributes
wins-server value 10.10.1.1
dns-server value 10.10.1.1 10.10.1.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CHANREMOTEVPN_splitTunnelAcl
default-domain value chandom.internal
username testuser password H71CX14jHcYCmb5d encrypted privilege 0
username testuser attributes
vpn-group-policy CHANREMOTEVPN
username admin password 3CNayybjSxVPCxWO encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group CHANDOM
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group CHANDOM
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group CHANDOM
authentication-server-group (inside) CHANDOM
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
hic-fail-group-policy SSLClientPolicy
nbns-server 10.1.1.60 timeout 2 retry 2
nbns-server 10.10.1.128 timeout 2 retry 2
group-alias SSLVPNClient enable
tunnel-group CHANREMOTEVPN type remote-access
tunnel-group CHANREMOTEVPN general-attributes
address-pool lhcchanpool
default-group-policy CHANREMOTEVPN
tunnel-group CHANREMOTEVPN ipsec-attributes
pre-shared-key *
tunnel-group CHAN-MCHC type ipsec-l2l
tunnel-group CHAN-MCHC ipsec-attributes
pre-shared-key *
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
class global-class
csc fail-open
policy-map group_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
smtp-server 10.1.1.60 10.10.1.1
prompt hostname context
Cryptochecksum:788451e5a0bbd6d90fabd13f87a78320
: end
asdm image disk0:/asdm-615.bin
asdm location 10.10.1.35 255.255.255.255 inside
asdm location ASA Version 8.0(4)
!
hostname lhc-fw01
domain-name chandom.internal
enable password dcbvmiVNKth1v4Xn encrypted
passwd dcbvmiVNKth1v4Xn encrypted
names
name 192.168.200.0 dmz description DMZ Interface
name 192.168.10.0 management description Management Interface
dns-guard
!
interface Ethernet0/0
description Outside Interface
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface Ethernet0/1
description Inside Ethernet Interface
nameif inside
security-level 100
ip address 10.10.0.252 255.255.248.0 standby 10.10.0.253
!
interface Ethernet0/2
description DMZ Interface
nameif dmz
security-level 50
ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
description Management Interface
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.1.1
name-server 10.10.1.2
name-server 64.192.64.140
name-server 64.140.193.60
domain-name chandom.internal
object-group service DM_INLINE_TCP_4 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
port-object eq https
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service IMR tcp
port-object range 2440 2444
object-group service IMS tcp
port-object range 2400 2403
object-group service Millbrook tcp
port-object eq 2500
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq www
object-group network DM_INLINE_NETWORK_1
network-object 10.12.0.0 255.255.248.0
network-object 10.13.0.0 255.255.248.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
network-object 10.11.0.0 255.255.248.0
object-group service DM_INLINE_TCP_1 tcp
group-object IMR
group-object IMS
group-object Millbrook
port-object eq https
port-object eq www
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.248.0 object-group DM_INLINE_NETWORK_1
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
access-list 100 extended permit ip any 192.168.100.0 255.255.255.0
access-list 100 extended permit ip 10.10.0.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list 100 extended permit ip management 255.255.255.0 192.168.100.0 255.255.255.0
access-list 100 extended permit tcp any host X.X.X.X eq www
access-list 100 extended permit tcp any host X.X.X.X eq www
access-list 100 extended permit tcp any host X.X.X.X.45 eq smtp
access-list 100 extended permit tcp any host X.X.X.X eq smtp
access-list 100 extended permit tcp any host X.X.X.X eq https
access-list 100 extended permit tcp any host X.X.X.X eq https
access-list 100 extended permit tcp any host X.X.X.X eq https
access-list 100 extended permit tcp any host X.X.X.X object-group DM_INLINE_TCP_1
access-list management_nat0_outbound extended permit ip 10.10.0.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list management_nat0_outbound extended permit ip management 255.255.255.0 192.168.100.0 255.255.255.0
access-list management_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 192.168.100.0 255.255.255.0 10.10.0.0 255.255.248.0
access-list management_nat0_outbound extended permit icmp 10.10.0.0 255.255.248.0 any
access-list inside_access_in extended permit ip any any
access-list CHANREMOTEVPN_splitTunnelAcl standard permit 10.10.0.0 255.255.248.0
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_4
access-list outside_2_cryptomap extended permit ip 10.10.0.0 255.255.248.0 192.168.5.0 255.255.255.0
access-list CHANVPN09_splitTunnelAcl standard permit 10.10.0.0 255.255.248.0
access-list CHANVPN09_splitTunnelAcl remark Inside Corporate Network
access-list nonat-in extended permit ip 10.10.0.0 255.255.248.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address fwadmin@domain.org
logging recipient-address user@domain.org level errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool lhcchanpool 192.168.100.2-192.168.100.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface asa_primary Ethernet0/3
failover key *****
failover link asa_primary Ethernet0/3
failover interface ip asa_primary 10.1.10.2 255.255.255.248 standby 10.1.10.3
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 X.X.X.X 255.255.255.248
nat (inside) 101 0.0.0.0 0.0.0.0
static (dmz,outside) X.X.X.X 192.168.200.10 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.10.1.11 netmask 255.255.255.255
static (inside,dmz) 192.168.200.10 10.10.1.35 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.10.1.36 netmask 255.255.255.255
static (inside,outside) X.X.X.X 10.10.1.12 netmask 255.255.255.255
access-group 100 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 10.1.1.0 255.255.255.0 10.10.0.252 10
route inside 10.10.0.0 255.255.248.0 10.10.0.254 1
route inside 10.11.0.0 255.255.248.0 10.10.0.254 10
route inside 10.12.0.0 255.255.248.0 10.10.0.254 10
route inside 10.13.0.0 255.255.248.0 10.10.0.254 10
route inside 172.20.20.0 255.255.255.0 10.10.0.254 10
route inside 192.168.1.0 255.255.255.0 10.10.0.254 10
route inside 192.168.2.0 255.255.255.0 10.10.0.254 10
route inside 192.168.5.0 255.255.255.0 10.10.0.252 10
route inside 192.168.7.0 255.255.255.0 10.10.0.254 10
route inside 192.168.9.0 255.255.255.0 10.10.0.254 10
route inside 192.168.100.0 255.255.255.0 192.168.100.1 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CHANDOM protocol nt
aaa-server CHANDOM (inside) host 10.10.1.1
timeout 5
nt-auth-domain-controller 10.10.1.1
aaa-server CHANDOM (inside) host 10.10.1.2
timeout 5
nt-auth-domain-controller 10.10.1.1
aaa-server CHANDOM (inside) host 10.1.1.60
nt-auth-domain-controller mother
aaa-server CHANDOM (inside) host 10.1.1.128
nt-auth-domain-controller 10.1.1.60
http server enable
http management 255.255.255.0 management
http 10.10.0.0 255.255.248.0 management
http 10.1.1.0 255.255.255.0 inside
http 10.10.0.0 255.255.248.0 inside
http 192.168.100.0 255.255.255.0 management
http redirect outside 80
snmp-server host inside 10.10.1.11 community private version 2c udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community private
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set FirsSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set pfs group1
crypto dynamic-map dyn1 1 set transform-set FirsSet
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 2 match address outside_2_cryptomap
crypto map mymap 2 set pfs group1
crypto map mymap 2 set peer X.X.X.X
crypto map mymap 2 set transform-set ESP-3DES-SHA
crypto map mymap 2 set security-association lifetime seconds 28800
crypto map mymap 2 set security-association lifetime kilobytes 4608000
crypto map mymap interface outside
crypto ca trustpoint ASDM_TrustPoint0
revocation-check ocsp crl none
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn vpn.domain.com
subject-name CN=vpn.domain.com
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint4
crl configure
crypto ca trustpoint ASDM_TrustPoint5
crl configure
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint0
certificate ca 1c8b350a4a3b6e8246d628266dec1c67
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 31
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 1c8b350a4a3b6e8246d628266dec1c67
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable management
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.1.1.0 255.255.255.0 management
telnet 10.10.0.0 255.255.248.0 management
telnet management 255.255.255.0 management
telnet timeout 5
ssh 10.10.0.0 255.255.0.0 management
ssh management 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.10.1.102 source inside prefer
tftp-server inside 10.10.3.9 XXXXX
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 outside vpnlb-ip
webvpn
enable outside
enable inside
csd image disk0:/securedesktop-asa-3.3.0.151-k9.pkg
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
svc enable
port-forward Citrix 2598 10.1.1.5 2598 Citrix Remote - Reliability
port-forward Citrix https 10.1.1.5 https Citrix Remote - HTTPS
port-forward Citrix citrix-ica 10.1.1.5 citrix-ica Citrix Remote - ICA
port-forward Citrix Remote - HTTP
tunnel-group-list enable
certificate-group-map DefaultCertificateMap 10 SSLClientProfile
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server value 10.1.1.60 10.1.1.128
dns-server value 10.1.1.60 10.1.1.128
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-network-list value CHANVPN09_splitTunnelAcl
default-domain value chandom.internal
address-pools value lhcchanpool
webvpn
url-list value SSLVPN
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy CHANREMOTEVPN internal
group-policy CHANREMOTEVPN attributes
wins-server value 10.10.1.1
dns-server value 10.10.1.1 10.10.1.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CHANREMOTEVPN_splitTunnelAcl
default-domain value chandom.internal
username testuser password H71CX14jHcYCmb5d encrypted privilege 0
username testuser attributes
vpn-group-policy CHANREMOTEVPN
username admin password 3CNayybjSxVPCxWO encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group CHANDOM
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group CHANDOM
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group CHANDOM
authentication-server-group (inside) CHANDOM
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
hic-fail-group-policy SSLClientPolicy
nbns-server 10.1.1.60 timeout 2 retry 2
nbns-server 10.10.1.128 timeout 2 retry 2
group-alias SSLVPNClient enable
tunnel-group CHANREMOTEVPN type remote-access
tunnel-group CHANREMOTEVPN general-attributes
address-pool lhcchanpool
default-group-policy CHANREMOTEVPN
tunnel-group CHANREMOTEVPN ipsec-attributes
pre-shared-key *
tunnel-group CHAN-MCHC type ipsec-l2l
tunnel-group CHAN-MCHC ipsec-attributes
pre-shared-key *
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
class global-class
csc fail-open
policy-map group_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
smtp-server 10.1.1.60 10.10.1.1
prompt hostname context
Cryptochecksum:788451e5a0bbd6d90fabd13f87a78320
: end
asdm image disk0:/asdm-615.bin
asdm location 10.10.1.35 255.255.255.255 inside
asdm location X.X.X.X 255.255.255.255 inside
asdm location 10.1.1.136 255.255.255.255 inside
asdm location 10.10.1.1 255.255.255.255 inside
asdm location 10.10.1.12 255.255.255.255 inside
no asdm history enable
 
Change your hosts default gateway to 10.10.0.254 and see if that works.
 
baddos,

Thanks for the reply. The problem is, if I change the hosts, then they won't be able to access the Internet. Plus, doing that still doesn't allow me to ping the other networks [10.11.x.x/21, etc.].

Is there anything else I can do to access?
 
Would you be able to post a .jpg of your network topology so we can get a better idea of what's happening??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico, I would, but I don't think it will let me post a jpg. here. Any ideas on how I can do that?
 
SITE 1                    MAIN SITE                 SITE 2
ROUTER                    ROUTER                    ROUTER
10.11.0.254/21            10.10.0.254/21            10.12.0.254/21

HOST 10.11.1.1/21         ASA                       HOST 10.12.1.1/21
GATEWAY 10.11.0.254       10.10.0.252/21            GATEWAY 10.12.0.254

                          HOST 10.10.1.1/21
                          GATEWAY 10.10.0.252

Not the best diagram, but essentially, the main site router can ping either location, and can ping the ASA. The sites can ping all routers, and the ASA 10.10.0.252 interface. However, no host behind the ASA can get to the other sites, nor can the other sites get to anything behind the ASA.
 
Take a look at the attached file. It is a .jpg of what I think your environment looks like. Please confirm if this is true. If I am correct in my depiction of your topology then I believe it is an issue with your routing config not with your security config. Is this MPLS connection a managed service from your service provider?? Is BGP being used?? Have you or your service provider entered all of the routes necessary into the routing protocol??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
 http://www.box.net/shared/knfc4jthgo
unclerico,

Yes the diagram you attached is correct. I have all the routes in place on the ASA. I'll double check to see if our provider has them...

Thanks!
 
unclerico,

One thing to mention. If I am on a host [example 10.10.1.1/21] and try to ping anything on the remote hosts [i.e. 10.12.0.254] I receive a DENY on the ASA [Example: Deny inbound icmp src inside: 10.10.1.1 dst inside: 10.12.0.254 (type 8, code0)].
 
If you want to continue using your PIX/ASA as your default router, then I think you will need to have this command to allow it to route back to your MPLS router.

Code:
same-security-traffic permit intra-interface
 
baddos,

Thanks. I added that, with no change.
 
The only difference is that the logs changed from Error to Warning, stating the same Deny inbound, but now it's based on an ACL.
 
tdmelvin, I take back what I said. I just reread your description and noticed that you are able to get to all of the other sites and from the other sites to the inside IP of your MPLS router on 10.10.0.254. For some reason it wasn't sinking in. Your routing is likely fine. I apologize for sending you on a wild goose chase if you had done any further investigation down that route.

Is the inside_access_in ACL the one being hit when you try and ping??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico,

Yes, it is. If I ping from a PC inside the ASA [10.10.3.9/21] to 10.11.0.254, I receive the warning on the logs stating deny icmp src inside: 10.10.3.9 dst inside: 10.11.0.254 (type 8, code 0) by access-group inside_access_in [0x0, 0x0]
 
Does your "inside_access_in" access list look like this currently?

Code:
access-list inside_access_in extended permit ip any any

Are there more lines or such? Because it shouldn't be denying any traffic.
 
baddos, thanks. Yes, I had that in initially. Then I added some for more granular access, so I changed it to permit http, https, etc. any any, including icmp [echo/echo-reply]. When I did that, I received the following Error in the logs:

No translating group found for icmp src inside: 10.10.3.9 dst inside: 10.11.0.254 (type 8, code 0)
 
Hmmm, have you tried to remove the ACL and see what happens?? You're right though, with that intra-interface traffic permitted there shouldn't be any issue here.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Unclerico,

I did remove the ICMP ACL. Same results. Weird.
 
I went back through the thread and found some contradicting information. In your first post you stated this:
I can ping all of these locations from the ASA. I can also ping from those other locations to the 10.10.0.254, but that's it.
But then you said this:
Thanks for the reply. The problem is, if I change the hosts, then they won't be able to access the Internet. Plus, doing that still doesn't allow me to ping the other networks [10.11.x.x/21, etc.].
I can see them not being able to access the internet, but based on your first post they should be able to access the remote networks. This still doesn't explain why you get this
No translating group found for icmp src inside: 10.10.3.9 dst inside: 10.11.0.254 (type 8, code 0)
which is an issue with your NAT config. At the same time though, no translation should be happening since all you are doing is telling it what the next hop is. Not only that, but even if translations were happening, you've got your nonat ACL set up to bypass NAT for those networks. Interesting...

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Unclerico,

Sorry for the confusion. I was making changes along the way. As it stands now, I can get to the Internet, etc. I am now just getting the NAT translation error on pings. That's it...
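As an added illustration (not code from this thread and not Cisco's data path), a small Python model of the three checks that a hairpinned inside-to-inside packet hit in the order the log messages above appeared: the intra-interface permission, the inside_access_in ACL, and the nat-control translation lookup. Networks and hosts are taken from the diagram; the NAT exemption ACE in the last state is an assumption about what a matching `nat (inside) 0 access-list` entry would have to cover, not a confirmed fix for this thread.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed from the thread: main site 10.10.0.0/21 behind the ASA inside interface;
# remote MPLS sites sit behind router 10.10.0.254 on that same segment (hairpin).
INSIDE_NET = IPv4Network("10.10.0.0/21")
REMOTE_NETS = [IPv4Network(f"10.{n}.0.0/21") for n in range(11, 15)]
ANY = IPv4Network("0.0.0.0/0")

def _in(ip, net):
    return IPv4Address(ip) in net

@dataclass
class AsaHairpinModel:
    """Simplified model (assumption, not Cisco's implementation) of the three
    checks whose syslog messages appear in this thread, in the order seen."""
    same_security_intra: bool = False           # same-security-traffic permit intra-interface
    inside_access_in: list = field(default_factory=list)   # ACEs: (proto, src_net, dst_net)
    nonat: list = field(default_factory=list)   # nat (inside) 0 access-list ACEs: (src, dst)
    nat_control: bool = True                    # nat-control: every flow needs a translation
    pat_to_outside: bool = True                 # the usual nat/global pair toward the Internet

    def egress(self, dst):
        """Route lookup: connected net and MPLS sites are both reached via 'inside'."""
        if _in(dst, INSIDE_NET) or any(_in(dst, n) for n in REMOTE_NETS):
            return "inside"
        return "outside"

    def verdict(self, proto, src, dst):
        ingress = "inside" if _in(src, INSIDE_NET) else "outside"
        egress = self.egress(dst)
        flow = f"{proto} src {ingress}:{src} dst {egress}:{dst}"
        # 1. Same interface in and out is refused unless intra-interface traffic is permitted.
        if ingress == egress and not self.same_security_intra:
            return f"Deny inbound {flow}"
        # 2. Ingress ACL: an ACE must match protocol, source and destination.
        if not any(p in ("ip", proto) and _in(src, s) and _in(dst, d)
                   for p, s, d in self.inside_access_in):
            return f"Deny {flow} by access-group inside_access_in"
        # 3. nat-control: the exact flow must match a translation or a NAT exemption.
        exempt = any(_in(src, s) and _in(dst, d) for s, d in self.nonat)
        translated = egress == "outside" and self.pat_to_outside
        if self.nat_control and not (exempt or translated):
            return f"No translating group found for {flow}"
        return f"forward {flow}"

def thread_progression(src="10.10.3.9", dst="10.11.0.254"):
    """Replay the configuration states described in the thread, in order."""
    permit_any = [("ip", ANY, ANY)]
    only_web = [("tcp", ANY, ANY)]
    web_and_icmp = [("tcp", ANY, ANY), ("icmp", ANY, ANY)]
    states = [
        AsaHairpinModel(inside_access_in=permit_any),                         # first post
        AsaHairpinModel(True, only_web),                                      # intra-interface on, ACL narrowed
        AsaHairpinModel(True, web_and_icmp),                                  # icmp back in, no matching exemption
        AsaHairpinModel(True, web_and_icmp, [(INSIDE_NET, REMOTE_NETS[0])]),  # exemption covering this flow (assumed)
    ]
    return [m.verdict("icmp", src, dst) for m in states]
```

Running `thread_progression()` yields the same sequence of messages the thread went through, which is a quick way to check whether a given ACL or nonat ACE actually covers the source/destination pair being logged.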
 