Good morning.
I recently inherited a network running an ASA 5510 firwall, I have a few VPN clients connecting to it and a new VPN tunnel being setup to an external company.
I have an inside network for our office and then a vpn tunnel setup on a vlan. I know more about the asa than I did 3 days ago enough to be really dangerous. The inside is on eth 0/1 with 10.69.69.0 and the vlan/vpn is configured on eth0/3 with 10.55.132.0
I need to be able to send traffic from inside to the vlan, I have gotten it so that I can get network access and internet access from the vlan to the outside and to inside but I can't go from the inside to the vlan. I also can't seem to get the VPN tunnel to go up. I set some static routes to allow for communication between inside and the vlan. Can anyone shed some light or point me in the right direction? I've posted a scrubbed copy of my asa config of the parts I think are important to this issue. The vpn tunnel in question is identified as 140. Thank you for any help.
Most of this has been done in the ASDM interface. I used the CLI to add some static routes to get internet access working on the vlan. As fast as I'm learning I'm still not even a cisco neophyte.
asdm image disk0:/asdm-508.bin
asdm location 10.69.69.14 255.255.255.255 inside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname My company
domain-name mycompany.com
enable password PHw01ZVp6U9DNB/K encrypted
passwd PHw01ZVp6U9DNB/K encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.185.202 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.69.69.5 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description VLAN for External Company VPN
nameif Azteca
security-level 100
ip address 10.55.132.30 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
object-group service SasserVirus tcp
port-object range 9996 9996
port-object range 445 445
port-object range 5554 5554
object-group service RDP tcp
port-object range 3389 3389
object-group service Company2 tcp
description External group for company2 pop3 delivery and sending
port-object range 587 587
port-object eq pop3
port-object eq smtp
object-group service company1 tcp
port-object range 587 587
port-object eq pop3
port-object eq smtp
port-object eq imap4
access-list out_access_in extended permit tcp 216.157.255.0 255.255.255.0 host x.x.185.203 eq smtp inactive
access-list out_access_in extended permit tcp 216.157.241.0 255.255.255.0 host x.x.185.203 eq smtp inactive
access-list out_access_in extended permit tcp any host x.x.185.203 eq www
access-list out_access_in extended deny tcp any object-group SasserVirus any object-group SasserVirus
access-list out_access_in extended permit tcp any host x.x.185.204 eq 4000
access-list out_access_in remark company2 pop mail
access-list out_access_in extended permit tcp 216.157.241.0 255.255.255.0 host x.x.185.203 eq pop3 inactive
access-list out_access_in remark company2 pop mail
access-list out_access_in extended permit tcp 216.157.255.0 255.255.255.0 host x.x.185.203 eq pop3 inactive
access-list out_access_in remark a
ccess-list out_access_in extended permit tcp x.203.78.0 255.255.255.0 host x.x.185.203 object-group RDP
access-list out_access_in remark RDP to Domain Controller
access-list out_access_in extended permit tcp host 69.64.102.188 object-group RDP host 10.69.69.14 object-group RDP
access-list out_access_in remark Cleanmail
access-list out_access_in extended permit tcp 66.203.78.0 255.255.255.0 host 208.251.185.203 eq smtp
access-list out_access_in remark secondary cleanmail
access-list out_access_in extended permit tcp host 70.109.219.157 host x.x.185.203 eq smtp inactive
access-list out_access_in remark Cleanmmail 2 smtp
access-list out_access_in extended permit tcp host 173.162.225.202 host x.x.185.203 eq smtp
access-list out_access_in remark Blackberry External pop3
access-list out_access_in extended permit tcp any host x.x.185.203 object-group ExternalCPRasset
access-list out_access_in remark Braver Cleanmail POP
access-list out_access_in extended permit tcp x.203.78.0 255.255.255.0 host x.x.185.203 eq pop3
access-list out_access_in remark secondary cleanmail POP
access-list out_access_in extended permit tcp host 75.147.23.29 host x.x.185.203 eq smtp inactive
access-list out_access_in remark RDP to mail
access-list out_access_in extended permit tcp x.x.78.0 255.255.255.0 host 208.251.185.205 object-group RDP
access-list out_access_in remark Termserv RDP
access-list out_access_in extended permit tcp any object-group RDP host x.x.185.206 object-group RDP
access-list out_access_in remark Outlook Webaccess Rule for mail07
access-list out_access_in extended permit tcp any host x.x.185.205 eq https
access-list out_access_in remark CleanMail
access-list out_access_in extended permit tcp host 173.162.225.202 host x.x.185.205 object-group MailGroup
access-list out_access_in remark CleanMail 2
access-list out_access_in extended permit tcp x.x.78.0 255.255.255.0 host x.x.185.205 object-group UCFundMailGroup
access-list out_access_in remark IMAP for Exchange
access-list out_access_in extended permit tcp any host x.x.185.205 object-group UCFundMailGroup
access-list 101 extended permit ip 10.69.69.0 255.255.255.0 10.69.70.0 255.255.255.0
access-list nonat extended permit ip 10.69.69.0 255.255.255.0 10.69.70.0 255.255.255.0
access-list nonat extended permit ip 10.69.69.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip host 10.69.69.65 10.55.132.0 255.255.255.0
access-list nonat extended permit ip host 10.69.69.65 172.16.0.0 255.255.0.0
access-list outside_cryptomap_20 extended deny ip 10.69.69.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_40 extended permit ip host 10.69.69.65 10.55.132.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip host 10.69.69.65 10.55.132.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip host 10.69.69.65 172.16.0.0 255.255.0.0
access-list outside_cryptomap_100 extended permit ip host 10.69.69.65 172.16.0.0 255.255.0.0
access-list outside_cryptomap_120 extended permit ip host 10.69.69.65 10.55.132.0 255.255.255.0
access-list Azteca_nat0_outbound extended permit ip 10.55.132.0 255.255.255.0 host 10.51.110.75
access-list outside_cryptomap_140 extended permit ip 10.55.132.0 255.255.255.0 host 10.51.110.75
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging mail informational
logging host inside 10.69.69.13 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu Azteca 1500
ip local pool ippool 10.69.70.1-10.69.70.254
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
monitor-interface Azteca
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Azteca) 0 access-list Azteca_nat0_outbound
nat (Azteca) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.185.203 10.69.69.10 netmask 255.255.255.255
static (inside,outside) x.x.185.204 10.69.69.8 netmask 255.255.255.255
static (inside,outside) x.x.185.205 10.69.69.16 netmask 255.255.255.255
static (inside,outside) x.x.185.206 10.69.69.17 netmask 255.255.255.255
static (inside,Azteca) 10.69.69.0 10.69.69.0 netmask 255.255.255.0
static (Azteca,inside) 10.55.132.0 10.55.132.0 netmask 255.255.255.0
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.185.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs enable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy vpn3000 internal
group-policy vpn3000 attributes
dns-server value 10.69.69.14
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
default-domain value potomacrc.us
webvpn
username user1 password Psfs1ByxjUTIuPO3 encrypted
username user1 attributes
vpn-group-policy vpn3000
webvpn
http server enable
http 10.69.69.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 500 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 500 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 500 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1000 set transform-set myset
crypto dynamic-map dynmap 1000 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 1000 set security-association lifetime kilobytes 4608000
crypto map remote 20 match address outside_cryptomap_20
crypto map remote 20 set peer x.x.167.214
crypto map remote 20 set transform-set ESP-3DES-MD5
crypto map remote 20 set security-association lifetime seconds 28800
crypto map remote 20 set security-association lifetime kilobytes 4608000
crypto map remote 20 set phase1-mode aggressive
crypto map remote 80 match address outside_cryptomap_80
crypto map remote 80 set pfs
crypto map remote 80 set peer x.x.78.130
crypto map remote 80 set transform-set ESP-3DES-MD5
crypto map remote 80 set security-association lifetime seconds 28800
crypto map remote 80 set security-association lifetime kilobytes 4608000
crypto map remote 100 match address outside_cryptomap_100
crypto map remote 100 set pfs
crypto map remote 100 set peer x.x.78.130
crypto map remote 100 set transform-set ESP-3DES-MD5
crypto map remote 100 set security-association lifetime seconds 28800
crypto map remote 100 set security-association lifetime kilobytes 4608000
crypto map remote 140 match address outside_cryptomap_140
crypto map remote 140 set peer x.38.105.56
crypto map remote 140 set transform-set ESP-3DES-SHA
crypto map remote 140 set security-association lifetime seconds 28800
crypto map remote 140 set security-association lifetime kilobytes 4608000
crypto map remote 1000 ipsec-isakmp dynamic dynmap
crypto map remote interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp nat-traversal 10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool ippool
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
tunnel-group 69.147.167.214 type ipsec-l2l
tunnel-group 69.147.167.214 ipsec-attributes
pre-shared-key *
chain
tunnel-group "Aggressive" type ipsec-l2l
tunnel-group "Aggressive" ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group x.203.78.130 type ipsec-l2l
tunnel-group x.203.78.130 ipsec-attributes
pre-shared-key *
tunnel-group x.38.105.56 type ipsec-l2l
tunnel-group x.38.105.56 ipsec-attributes
pre-shared-key *
telnet 10.69.69.0 255.255.255.0 inside
telnet timeout 5
ssh 12.43.252.3 255.255.255.255 outside
ssh 12.157.81.131 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:efdf64ac7d48f9094a60255d11123b03
: end
I recently inherited a network running an ASA 5510 firwall, I have a few VPN clients connecting to it and a new VPN tunnel being setup to an external company.
I have an inside network for our office and then a vpn tunnel setup on a vlan. I know more about the asa than I did 3 days ago enough to be really dangerous. The inside is on eth 0/1 with 10.69.69.0 and the vlan/vpn is configured on eth0/3 with 10.55.132.0
I need to be able to send traffic from inside to the vlan, I have gotten it so that I can get network access and internet access from the vlan to the outside and to inside but I can't go from the inside to the vlan. I also can't seem to get the VPN tunnel to go up. I set some static routes to allow for communication between inside and the vlan. Can anyone shed some light or point me in the right direction? I've posted a scrubbed copy of my asa config of the parts I think are important to this issue. The vpn tunnel in question is identified as 140. Thank you for any help.
Most of this has been done in the ASDM interface. I used the CLI to add some static routes to get internet access working on the vlan. As fast as I'm learning I'm still not even a cisco neophyte.
asdm image disk0:/asdm-508.bin
asdm location 10.69.69.14 255.255.255.255 inside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname My company
domain-name mycompany.com
enable password PHw01ZVp6U9DNB/K encrypted
passwd PHw01ZVp6U9DNB/K encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.185.202 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.69.69.5 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description VLAN for External Company VPN
nameif Azteca
security-level 100
ip address 10.55.132.30 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
object-group service SasserVirus tcp
port-object range 9996 9996
port-object range 445 445
port-object range 5554 5554
object-group service RDP tcp
port-object range 3389 3389
object-group service Company2 tcp
description External group for company2 pop3 delivery and sending
port-object range 587 587
port-object eq pop3
port-object eq smtp
object-group service company1 tcp
port-object range 587 587
port-object eq pop3
port-object eq smtp
port-object eq imap4
access-list out_access_in extended permit tcp 216.157.255.0 255.255.255.0 host x.x.185.203 eq smtp inactive
access-list out_access_in extended permit tcp 216.157.241.0 255.255.255.0 host x.x.185.203 eq smtp inactive
access-list out_access_in extended permit tcp any host x.x.185.203 eq www
access-list out_access_in extended deny tcp any object-group SasserVirus any object-group SasserVirus
access-list out_access_in extended permit tcp any host x.x.185.204 eq 4000
access-list out_access_in remark company2 pop mail
access-list out_access_in extended permit tcp 216.157.241.0 255.255.255.0 host x.x.185.203 eq pop3 inactive
access-list out_access_in remark company2 pop mail
access-list out_access_in extended permit tcp 216.157.255.0 255.255.255.0 host x.x.185.203 eq pop3 inactive
access-list out_access_in remark a
ccess-list out_access_in extended permit tcp x.203.78.0 255.255.255.0 host x.x.185.203 object-group RDP
access-list out_access_in remark RDP to Domain Controller
access-list out_access_in extended permit tcp host 69.64.102.188 object-group RDP host 10.69.69.14 object-group RDP
access-list out_access_in remark Cleanmail
access-list out_access_in extended permit tcp 66.203.78.0 255.255.255.0 host 208.251.185.203 eq smtp
access-list out_access_in remark secondary cleanmail
access-list out_access_in extended permit tcp host 70.109.219.157 host x.x.185.203 eq smtp inactive
access-list out_access_in remark Cleanmmail 2 smtp
access-list out_access_in extended permit tcp host 173.162.225.202 host x.x.185.203 eq smtp
access-list out_access_in remark Blackberry External pop3
access-list out_access_in extended permit tcp any host x.x.185.203 object-group ExternalCPRasset
access-list out_access_in remark Braver Cleanmail POP
access-list out_access_in extended permit tcp x.203.78.0 255.255.255.0 host x.x.185.203 eq pop3
access-list out_access_in remark secondary cleanmail POP
access-list out_access_in extended permit tcp host 75.147.23.29 host x.x.185.203 eq smtp inactive
access-list out_access_in remark RDP to mail
access-list out_access_in extended permit tcp x.x.78.0 255.255.255.0 host 208.251.185.205 object-group RDP
access-list out_access_in remark Termserv RDP
access-list out_access_in extended permit tcp any object-group RDP host x.x.185.206 object-group RDP
access-list out_access_in remark Outlook Webaccess Rule for mail07
access-list out_access_in extended permit tcp any host x.x.185.205 eq https
access-list out_access_in remark CleanMail
access-list out_access_in extended permit tcp host 173.162.225.202 host x.x.185.205 object-group MailGroup
access-list out_access_in remark CleanMail 2
access-list out_access_in extended permit tcp x.x.78.0 255.255.255.0 host x.x.185.205 object-group UCFundMailGroup
access-list out_access_in remark IMAP for Exchange
access-list out_access_in extended permit tcp any host x.x.185.205 object-group UCFundMailGroup
access-list 101 extended permit ip 10.69.69.0 255.255.255.0 10.69.70.0 255.255.255.0
access-list nonat extended permit ip 10.69.69.0 255.255.255.0 10.69.70.0 255.255.255.0
access-list nonat extended permit ip 10.69.69.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip host 10.69.69.65 10.55.132.0 255.255.255.0
access-list nonat extended permit ip host 10.69.69.65 172.16.0.0 255.255.0.0
access-list outside_cryptomap_20 extended deny ip 10.69.69.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_40 extended permit ip host 10.69.69.65 10.55.132.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip host 10.69.69.65 10.55.132.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip host 10.69.69.65 172.16.0.0 255.255.0.0
access-list outside_cryptomap_100 extended permit ip host 10.69.69.65 172.16.0.0 255.255.0.0
access-list outside_cryptomap_120 extended permit ip host 10.69.69.65 10.55.132.0 255.255.255.0
access-list Azteca_nat0_outbound extended permit ip 10.55.132.0 255.255.255.0 host 10.51.110.75
access-list outside_cryptomap_140 extended permit ip 10.55.132.0 255.255.255.0 host 10.51.110.75
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging mail informational
logging host inside 10.69.69.13 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu Azteca 1500
ip local pool ippool 10.69.70.1-10.69.70.254
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
monitor-interface Azteca
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Azteca) 0 access-list Azteca_nat0_outbound
nat (Azteca) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.185.203 10.69.69.10 netmask 255.255.255.255
static (inside,outside) x.x.185.204 10.69.69.8 netmask 255.255.255.255
static (inside,outside) x.x.185.205 10.69.69.16 netmask 255.255.255.255
static (inside,outside) x.x.185.206 10.69.69.17 netmask 255.255.255.255
static (inside,Azteca) 10.69.69.0 10.69.69.0 netmask 255.255.255.0
static (Azteca,inside) 10.55.132.0 10.55.132.0 netmask 255.255.255.0
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.185.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs enable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy vpn3000 internal
group-policy vpn3000 attributes
dns-server value 10.69.69.14
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
default-domain value potomacrc.us
webvpn
username user1 password Psfs1ByxjUTIuPO3 encrypted
username user1 attributes
vpn-group-policy vpn3000
webvpn
http server enable
http 10.69.69.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 500 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 500 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 500 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1000 set transform-set myset
crypto dynamic-map dynmap 1000 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 1000 set security-association lifetime kilobytes 4608000
crypto map remote 20 match address outside_cryptomap_20
crypto map remote 20 set peer x.x.167.214
crypto map remote 20 set transform-set ESP-3DES-MD5
crypto map remote 20 set security-association lifetime seconds 28800
crypto map remote 20 set security-association lifetime kilobytes 4608000
crypto map remote 20 set phase1-mode aggressive
crypto map remote 80 match address outside_cryptomap_80
crypto map remote 80 set pfs
crypto map remote 80 set peer x.x.78.130
crypto map remote 80 set transform-set ESP-3DES-MD5
crypto map remote 80 set security-association lifetime seconds 28800
crypto map remote 80 set security-association lifetime kilobytes 4608000
crypto map remote 100 match address outside_cryptomap_100
crypto map remote 100 set pfs
crypto map remote 100 set peer x.x.78.130
crypto map remote 100 set transform-set ESP-3DES-MD5
crypto map remote 100 set security-association lifetime seconds 28800
crypto map remote 100 set security-association lifetime kilobytes 4608000
crypto map remote 140 match address outside_cryptomap_140
crypto map remote 140 set peer x.38.105.56
crypto map remote 140 set transform-set ESP-3DES-SHA
crypto map remote 140 set security-association lifetime seconds 28800
crypto map remote 140 set security-association lifetime kilobytes 4608000
crypto map remote 1000 ipsec-isakmp dynamic dynmap
crypto map remote interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp nat-traversal 10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
address-pool ippool
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
tunnel-group 69.147.167.214 type ipsec-l2l
tunnel-group 69.147.167.214 ipsec-attributes
pre-shared-key *
chain
tunnel-group "Aggressive" type ipsec-l2l
tunnel-group "Aggressive" ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group x.203.78.130 type ipsec-l2l
tunnel-group x.203.78.130 ipsec-attributes
pre-shared-key *
tunnel-group x.38.105.56 type ipsec-l2l
tunnel-group x.38.105.56 ipsec-attributes
pre-shared-key *
telnet 10.69.69.0 255.255.255.0 inside
telnet timeout 5
ssh 12.43.252.3 255.255.255.255 outside
ssh 12.157.81.131 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:efdf64ac7d48f9094a60255d11123b03
: end