No more split tunnel 1

Status
Not open for further replies.

rswift

Technical User
Oct 14, 2002
55
US
I've been asked to remove split tunnel because of security risks. What is an alternative to using split tunnel so VPN users can still access the internet while connected to our network?
 
Without looking at your config you'll need to add:
same-security-traffic permit intra-interface
nat (outside) 1 <vpn subnet> <mask>

Of course, change the 1 to match your global statement.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Scrubbed, limited config:

: Saved
:
ASA Version 8.2(1)
!
hostname pix-Atkins
domain-name dbs.doe.state.fl.us
enable password R1CfMW.FfhmyvwBL encrypted
passwd nrPMAQ4xLrUoTJkI encrypted
names
name 150.176.6.142 owa-outside
dns-guard
!
interface Ethernet0/0
nameif dmz
security-level 50
ip address 192.999.4.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.999.1.3 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 150.176.6.130 255.255.255.240
!
interface Ethernet0/3
shutdown
nameif vpn
security-level 60
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
banner motd Access to this device is limited to authorized persons only. All efforts to achieve access, whether direct or indirect, are subject to monitoring activities. Unauthorized access is prohibited and will be subject to incident reporting procedures including notification of local, state and federal authorities.
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name any.domain.com
access-list FROM_INSIDE extended permit icmp any any
access-list FROM_INSIDE extended deny udp any any eq netbios-ns
access-list FROM_INSIDE extended deny udp any any eq netbios-dgm
access-list FROM_INSIDE extended deny udp any any eq 15118
access-list FROM_INSIDE extended deny udp any any eq 445
access-list FROM_INSIDE remark *** Permit Any ***
access-list FROM_INSIDE extended permit ip 192.999.1.0 255.255.255.0 any
access-list FROM_INSIDE remark *** End of ACL ***
access-list FROM_INSIDE extended permit ip 192.0.0.0 255.0.0.0 any
access-list nat extended permit ip 192.999.1.0 255.255.255.0 any
access-list nat extended permit ip 192.0.0.0 255.0.0.0 any
access-list nonat extended permit ip 192.999.1.0 255.255.255.0 192.192.14.0 255.255.255.0
access-list nonat extended permit ip 192.999.1.0 255.255.255.0 192.0.0.0 255.0.0.0
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 192.0.0.0 255.0.0.0
access-list nonat extended permit ip 192.0.0.0 255.0.0.0 172.17.2.0 255.255.255.0
access-list nonat extended permit ip host 192.999.1.0 192.34.7.0 255.255.255.0
access-list crypto extended permit ip 192.999.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list crypto extended permit ip 192.999.1.0 255.255.255.0 192.0.0.0 255.0.0.0
access-list no-nat-dmz extended permit ip 192.999.4.0 255.255.255.0 192.999.1.0 255.255.255.0
access-list FROM_OUTSIDE remark *** ACL FOR OUTSIDE INT ***
access-list FROM_OUTSIDE remark *** Bogon address blocking ***
access-list FROM_OUTSIDE remark *** ICMP Filtering ***
access-list FROM_OUTSIDE extended permit icmp any any
access-list FROM_OUTSIDE remark deny icmp any any
access-list FROM_OUTSIDE extended deny tcp any any eq 5900
access-list FROM_OUTSIDE remark deny icmp any any
access-list FROM_OUTSIDE remark *** Permit Core-specific app-requests ***
access-list FROM_OUTSIDE extended permit tcp any eq pptp any
access-list FROM_OUTSIDE remark *** END OF ACL ***
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.138 eq https
access-list cap extended permit ip host 192.999.1.50 host 150.176.6.139
access-list cap extended permit ip host 171.68.225.212 any
access-list cap extended permit ip any host 171.68.225.212
access-list Split_Tunnel_List standard permit 192.999.1.0 255.255.255.0
access-list Split_Tunnel_List remark VPN web access
access-list vpn_1_cryptomap extended permit ip host 192.999.1.0 192.34.7.0 255.255.255.0
pager lines 24
logging enable
logging asdm errors
mtu dmz 1500
mtu inside 1500
mtu outside 1500
mtu vpn 1500
mtu management 1500
ip local pool ippool 172.17.2.1-172.17.2.254
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.999.1.0 255.255.255.0 inside
icmp permit any inside
no asdm history enable
arp timeout 60
nat-control
global (dmz) 1 interface
global (outside) 1 interface
nat (dmz) 0 access-list no-nat-dmz
nat (inside) 0 access-list nonat
nat (inside) 1 192.0.0.0 255.0.0.0
access-group from-dmz in interface dmz
access-group FROM_INSIDE in interface inside
access-group FROM_OUTSIDE in interface outside
access-group FROM_INSIDE in interface management
timeout xlate 6:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.999.1.0 255.255.255.0 management
http 192.999.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto map clientmap 2 match address doe-link
crypto map clientmap 2 set pfs
crypto map clientmap 2 set peer 150.176.8.253
crypto map clientmap 2 set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap interface outside
crypto map vpn_map 1 match address vpn_1_cryptomap
crypto map vpn_map 1 set pfs
crypto map vpn_map 1 set peer 74.191.68.18
crypto map vpn_map 1 set transform-set myset
crypto map vpn_map interface vpn
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable vpn
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000

console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.9.176.30
ntp server 209.81.9.7
tftp-server inside 192.999.1.50 c:\TFTP-Root\running-config
webvpn
group-policy 3000client internal
group-policy 3000client attributes
wins-server value 192.999.1.71 192.999.1.72
dns-server value 192.999.1.71 192.999.1.72
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value fldbs.net
username John.doe password M2.eD4.38VT/NASh encrypted
tunnel-group 150.176.8.253 type ipsec-l2l
tunnel-group 150.176.8.253 ipsec-attributes
pre-shared-key *
tunnel-group 3000client type remote-access
tunnel-group 3000client general-attributes
address-pool ippool
default-group-policy 3000client
tunnel-group 3000client ipsec-attributes
pre-shared-key *
tunnel-group Daytona type ipsec-l2l
tunnel-group Daytona ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3441bc4e00d9514eec0b405b02832001
: end
 
Should I remove this entry or change it to nat?

access-list nonat extended permit ip 172.17.2.0 255.255.255.0 192.0.0.0 255.0.0.0
 
You don't need that line in there at all.
Code:
nat (outside) 1 172.17.2.0 255.255.255.0
same-security-traffic permit intra-interface

group-policy 3000client attributes 
 split-tunnel-policy tunnelall
 no split-tunnel-network-list value Split_Tunnel_List

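The two replies above amount to a small checklist: switch the group policy to tunnelall, permit intra-interface (hairpin) traffic, and add an outside NAT entry covering the VPN pool. The following audit script is an added example, not code from the thread; it scans an ASA 8.2-style config for exactly those three conditions. The BEFORE and AFTER fragments are constructed from the values posted in the thread (pool 172.17.2.1-172.17.2.254, group-policy 3000client), and the function names are my own.

```python
import ipaddress
import re

# Constructed ASA 8.2 fragments modelled on the thread: BEFORE keeps the original
# split tunnel, AFTER applies the replies' changes (tunnelall + hairpin NAT).
BEFORE = """\
ip local pool ippool 172.17.2.1-172.17.2.254
global (outside) 1 interface
nat (inside) 1 192.0.0.0 255.0.0.0
group-policy 3000client attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
"""
AFTER = BEFORE.replace("tunnelspecified", "tunnelall") + """\
same-security-traffic permit intra-interface
nat (outside) 1 172.17.2.0 255.255.255.0
"""


def audit_split_tunnel(config):
    """Per group-policy: does it still split-tunnel, and, for a full tunnel,
    are the hairpin prerequisites (intra-interface + outside NAT) in place?"""
    pools, outside_nat, policies = {}, [], {}
    hairpin_ok = "same-security-traffic permit intra-interface" in config
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(outside\) \d+ (\S+) (\S+)", line):
            outside_nat.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"group-policy (\S+) attributes", line):
            current = m[1]
            policies[current] = {"split_tunnel": False, "hairpin_nat": False}
        elif current and line.startswith("split-tunnel-policy"):
            policies[current]["split_tunnel"] = not line.endswith("tunnelall")
    # A full-tunnel client only reaches the internet if every pool address is
    # translated on the outside interface AND hairpinning is permitted.
    covered = bool(pools) and all(
        any(lo in net and hi in net for net in outside_nat) for lo, hi in pools.values()
    )
    for p in policies.values():
        p["hairpin_nat"] = hairpin_ok and covered
    return policies


if __name__ == "__main__":
    print("before:", audit_split_tunnel(BEFORE))
    print("after: ", audit_split_tunnel(AFTER))
```

Run it against `show running-config` output to confirm that no group policy still reports `split_tunnel: True` and that every full-tunnel policy reports `hairpin_nat: True`.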
 