
LAN to LAN VPN with Remote Networks


kevmullet (Technical User, Feb 12, 2002)
Hi

The scenario is I have a customer with an MPLS network.
At one site there is an internet breakout with an ASA on the end of it.
The ASA is aware of all the remote MPLS networks.
I am trying to create a LAN to LAN VPN into the ASA from the internet and provide access to one of the remote networks.

The LAN to LAN is setup OK but I am having an issue when trying to connect from the remote VPN site to the remote MPLS site.

Site with ASA and breakout 10.2.2.x
MPLS remote site which requires access 192.168.5.x
VPN remote site 192.168.90.x

Error:
4 May 04 2012 14:38:09 402116 81.x.x.9 195.x.x.194 IPSEC: Received an ESP packet (SPI= 0xF7DCDD1A, sequence number= 0x5) from 81.x.x.9 (user= 81.137.138.9) to 195.x.x.194. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 192.168.5.98, its source as 192.168.90.2, and its protocol as 1. The SA specifies its local proxy as 10.2.2.0/255.255.255.0/0/0 and its remote_proxy as 192.168.90.0/255.255.255.0/0/0.

I am sure there is something I need to provide to let the SA know about the multiple networks but I cannot figure out what.

I have added the remote MPLS network to the crypto map source.

Any help would be appreciated.

Here is the current config; it's in the middle of my poking about trying to fix this.

Thanks for any help!

: Saved
:
ASA Version 8.2(1)
!
hostname FWGDCSheff
enable password y/Pr2LedIYfv7ya4 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 195.x.x.194 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.2.2.250 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner exec ******************************************************************
banner exec * WARNING *
banner exec IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY
banner exec Unauthorised users are subject to criminal and civil penalties
banner exec as well as company initiated disciplinary proceedings.
banner exec By entry into this system you acknowledge that you are
banner exec authorised to access it and have the level of privilege at which
banner exec you subsequently operate on this system. You consent by entry
banner exec into this system to the monitoring of your activities.
banner exec ******************************************************************
banner login ******************************************************************
banner login * WARNING *
banner login IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY
banner login Unauthorised users are subject to criminal and civil penalties
banner login as well as company initiated disciplinary proceedings.
banner login By entry into this system you acknowledge that you are
banner login authorised to access it and have the level of privilege at which
banner login you subsequently operate on this system. You consent by entry
banner login into this system to the monitoring of your activities.
banner login ******************************************************************
banner motd ******************************************************************
banner motd * WARNING *
banner motd IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY
banner motd Unauthorised users are subject to criminal and civil penalties
banner motd as well as company initiated disciplinary proceedings.
banner motd By entry into this system you acknowledge that you are
banner motd authorised to access it and have the level of privilege at which
banner motd you subsequently operate on this system. You consent by entry
banner motd into this system to the monitoring of your activities.
banner motd ******************************************************************
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 192.168.201.0 255.255.255.0
network-object 192.168.202.0 255.255.255.0
network-object 192.168.203.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.2.2.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 10.2.2.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 10.2.2.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 10.2.2.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_6
network-object 10.2.2.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
access-list RemoteAccess_splitTunnelAcl standard permit 10.2.2.0 255.255.255.0
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.90.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 192.168.90.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list test extended permit ip any any
access-list test extended permit icmp any any
access-list OUTSIDE_ACL extended permit ip any host 195.x.x.194
access-list OUTSIDE_ACL extended permit ip any host 195.x.x.195
access-list OUTSIDE_ACL extended permit ip any host 195.x.x.196
access-list tcp_bypass extended permit object-group DM_INLINE_PROTOCOL_1 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.5.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 192.168.5.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 192.168.90.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_1_cryptomap extended deny ip object-group DM_INLINE_NETWORK_4 192.168.90.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_6 192.168.90.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.5.0 255.255.255.0 192.168.90.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 192.168.128.1-192.168.128.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 195.x.x.195 4015 10.2.2.15 3389 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.195 13010 10.2.2.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.195 13024 10.2.2.24 3389 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.195 pop3 10.2.2.1 pop3 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.195 135 10.2.2.1 135 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.195 imap4 10.2.2.1 imap4 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.195 993 10.2.2.1 993 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.195 8443 10.2.2.1 8443 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.195 https 10.2.2.1 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.2.2.1 smtp netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.195 4433 10.2.2.252 https netmask 255.255.255.255
static (inside,outside) tcp interface https 10.2.2.24 255.255.255.255
static (inside,outside) tcp interface 13001 10.2.2.1 3389 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.196 https 192.168.5.90 https netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.196 smtp 192.168.5.118 smtp netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.196 7979 192.168.5.118 7979 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.196 8000 192.168.5.98 8000 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.196 5963 192.168.5.98 5963 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.196 8089 192.168.5.99 8089 netmask 255.255.255.255
static (inside,outside) tcp 195.x.x.196 255.255.255.255
static (inside,outside) tcp 195.x.x.196 3389 192.168.5.11 3389 netmask 255.255.255.255
access-group OUTSIDE_ACL in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 195.x.x.193 1
route inside 192.168.1.0 255.255.255.0 10.2.2.221 1
route inside 192.168.2.0 255.255.255.0 10.2.2.221 1
route inside 192.168.3.0 255.255.255.0 10.2.2.221 1
route inside 192.168.5.0 255.255.255.0 10.2.2.221 1
route inside 192.168.6.0 255.255.255.0 10.2.2.221 1
route inside 192.168.200.0 255.255.255.0 10.2.2.221 1
route inside 192.168.201.0 255.255.255.0 10.2.2.221 1
route inside 192.168.202.0 255.255.255.0 10.2.2.221 1
route inside 192.168.203.0 255.255.255.0 10.2.2.221 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DeviceAccess protocol radius
aaa-server DeviceAccess (outside) host 86.x.x.234
key
authentication-port 1812
accounting-port 1813
radius-common-pw
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 9443
http 0.0.0.0 255.255.255.255 inside
http 86.x.x.234 255.255.255.255 outside
snmp-server host outside 86.x.x.234 community version 2c
snmp-server location
snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 81.x.x.9
crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_1_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 81.x.x.9
crypto map outside_map 2 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 86.x.x.234 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
vpn-filter value RemoteAccess_splitTunnelAcl
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
default-domain value
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool VPNPool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *
tunnel-group 81.x.x.9 type ipsec-l2l
tunnel-group 81.x.x.9 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map tcp_bypass
description "TCP traffic to bypass stateful firewall"
match access-list tcp_bypass
class-map bypass_traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map tcp_bypass_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy tcp_bypass_policy interface inside
prompt hostname context
Cryptochecksum:dc22cb5386d9ffbebf5d71e70ed2f52a
: end
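An added diagnostic, not code from the post or anything the ASA ships with: it parses the 402116 message quoted above, checks the decapsulated inner packet against the proxies the SA was negotiated with, and maps the flow onto the proxy pairs that outside_1_cryptomap_1 (object-group DM_INLINE_NETWORK_6 to 192.168.90.0/24) expands to. The sample message and the two proxy pairs are taken from the post; the mirror_acl output shows the mirror-image lines the remote peer's crypto ACL would need, which is an assumption about the far end, since its config is not in the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the %ASA-4-402116 text quoted in the post (addresses as posted).
LOG_402116 = (
    "IPSEC: Received an ESP packet (SPI= 0xF7DCDD1A, sequence number= 0x5) from 81.x.x.9 "
    "to 195.x.x.194. The decapsulated inner packet doesn't match the negotiated policy in "
    "the SA. The packet specifies its destination as 192.168.5.98, its source as "
    "192.168.90.2, and its protocol as 1. The SA specifies its local proxy as "
    "10.2.2.0/255.255.255.0/0/0 and its remote_proxy as 192.168.90.0/255.255.255.0/0/0."
)

# Proxy pairs the posted crypto ACL expands to: object-group DM_INLINE_NETWORK_6
# (10.2.2.0/24 and 192.168.5.0/24) as local networks, 192.168.90.0/24 as the peer's.
LOCAL_CRYPTO_ACL = [("10.2.2.0/24", "192.168.90.0/24"),
                    ("192.168.5.0/24", "192.168.90.0/24")]
PAT = re.compile(
    r"destination as (\S+), its source as (\S+), and its protocol as (\d+)\. "
    r"The SA specifies its local proxy as (\S+?)/(\S+?)/\S+ and its "
    r"remote_proxy as (\S+?)/(\S+?)/\S+")

def parse_402116(msg):
    """Pull inner-packet addresses and negotiated proxies out of a 402116 message."""
    m = PAT.search(msg)
    if m is None:
        return None
    dst, src, proto, lip, lmask, rip, rmask = m.groups()
    return {"src": ip_address(src), "dst": ip_address(dst), "proto": int(proto),
            "local_proxy": ip_network(f"{lip}/{lmask}"),
            "remote_proxy": ip_network(f"{rip}/{rmask}")}

def diagnose(msg, crypto_acl):
    """Inbound ESP: inner src must sit in the remote proxy, inner dst in the local proxy.
    Also report which of our crypto-ACL pairs the flow belongs to (empty = none)."""
    ev = parse_402116(msg)
    if ev is None:
        return None
    in_sa = ev["src"] in ev["remote_proxy"] and ev["dst"] in ev["local_proxy"]
    pairs = [(loc, rem) for loc, rem in crypto_acl
             if ev["dst"] in ip_network(loc) and ev["src"] in ip_network(rem)]
    return {"in_sa": in_sa, "expected_pairs": pairs}

def mirror_acl(crypto_acl, name):
    """Crypto ACL lines the peer must carry: our pairs with source and destination swapped."""
    lines = []
    for loc, rem in crypto_acl:
        l, r = ip_network(loc), ip_network(rem)
        lines.append(f"access-list {name} extended permit ip {r.network_address} {r.netmask} {l.network_address} {l.netmask}")
    return lines
```

For the posted message, diagnose() reports in_sa False and the flow belonging to the 192.168.5.0/24 pair, i.e. the peer encapsulated 192.168.5.x traffic in the SA negotiated for 10.2.2.0/24, which is the symptom of a crypto ACL that is not a mirror of this side's.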
What are the results of "show crypto ipsec sa"? Do you see an IPsec SA for 192.168.5.0/255.255.255.0 to 192.168.90.0/255.255.255.0?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)