Routing or firewall?


cmptreasy

IS-IT--Management
Oct 6, 2011
5
US
I have 3 networks. Networks A and B are local, and attached to an ASA firewall and are operating as desired. Network C is remote, and is connected to network A through a PIX firewall VPN, and is also operating normally. The issue is that network B cannot communicate with network C through the VPN tunnel that is established. From network A, I can ping all devices on networks B and C, which is good. From network B, I can ping devices on network A and only the outside public interface of the remote PIX connected to network C, nothing inside. From network C, I can ping devices on network A but only the ASA interface connected to network B, nothing inside network B.

While in network C, I need to be able to address all devices on networks A and B and vice versa. By virtue of the ability to ping the interface of network B, it appears that the ping traffic is going up the VPN tunnel, so I am at a loss to explain why devices on network B cannot communicate with network C and vice versa. The bottom line is that I need traffic from all 3 networks to freely pass all interfaces, which is occurring between networks A and B, and A and C, but not B and C. What am I missing? I can share firewall configs if necessary.
 
Result of the command: "show tech"

Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)

Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"

fw-phoenix up 65 days 7 hours

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 0023.5ee5.ecca, irq 9
1: Ext: Ethernet0/1 : address is 0023.5ee5.eccb, irq 9
2: Ext: Ethernet0/2 : address is 0023.5ee5.eccc, irq 9
3: Ext: Ethernet0/3 : address is 0023.5ee5.eccd, irq 9
4: Ext: Management0/0 : address is 0023.5ee5.ecce, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 150

This platform has an ASA 5510 Security Plus license.

0xb17078c4 0x0c1f10bb
Configuration register is 0x1
Configuration last modified by dhall at 13:09:25.759 MST Fri Sep 23 2011

------------------ show clock ------------------

06:40:03.759 MST Wed Oct 5 2011

------------------ show memory ------------------

Free memory: 199531440 bytes (74%)
Used memory: 68904016 bytes (26%)
------------- ----------------
Total memory: 268435456 bytes (100%)

------------------ show conn count ------------------

424 in use, 21379 most used

------------------ show xlate count ------------------

209 in use, 2077 most used

------------------ show blocks ------------------

SIZE MAX LOW CNT
4 300 276 299
80 100 88 100
256 2612 2589 2612
1550 9251 7463 7718
2048 100 99 100
2560 40 40 40
4096 30 30 30
8192 60 60 60
16384 102 102 102
65536 10 10 10

------------------ show blocks queue history detail ------------------

History buffer memory usage: 2136 bytes (default)

------------------ show interface ------------------

Interface Ethernet0/0 "outside1", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
Description: Outside interface for 159.87.64.x network
MAC address 0023.5ee5.ecca, MTU 1500
IP address x.x.x.x, subnet mask 255.255.255.0
854376435 packets input, 337054190678 bytes, 0 no buffer
Received 2188417 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1077842024 packets output, 1275212842473 bytes, 244 underruns
17819 output errors, 12437850 collisions, 0 interface resets
25023979 late collisions, 59368255 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/31)
output queue (curr/max packets): hardware (0/255)
Traffic Statistics for "outside1":
854376435 packets input, 321407381200 bytes
1102884060 packets output, 1291393465718 bytes
1890863 packets dropped
1 minute input rate 397 pkts/sec, 44155 bytes/sec
1 minute output rate 627 pkts/sec, 880960 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 418 pkts/sec, 69282 bytes/sec
5 minute output rate 638 pkts/sec, 882648 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Interface Ethernet0/1 "inside1", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Description: First inside interface for 172.16.10.x network
MAC address 0023.5ee5.eccb, MTU 1500
IP address x.x.x.x, subnet mask 255.255.255.0
1100607635 packets input, 1242962832373 bytes, 1249 no buffer
Received 15044716 broadcasts, 0 runts, 0 giants
325 input errors, 0 CRC, 0 frame, 325 overrun, 0 ignored, 0 abort
206584 L2 decode drops
851010009 packets output, 311646453487 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (5/33)
output queue (curr/max packets): hardware (0/159)
Traffic Statistics for "inside1":
1100366569 packets input, 1222334138781 bytes
851010009 packets output, 293995135644 bytes
10275473 packets dropped
1 minute input rate 631 pkts/sec, 846786 bytes/sec
1 minute output rate 402 pkts/sec, 25988 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 639 pkts/sec, 849647 bytes/sec
5 minute output rate 421 pkts/sec, 50196 bytes/sec
5 minute drop rate, 2 pkts/sec
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Interface Ethernet0/2 "Inside2", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Description: Interface for OPM Server farm
MAC address 0023.5ee5.eccc, MTU 1500
IP address x.x.x.x, subnet mask 255.255.255.0
63594451 packets input, 54107501427 bytes, 0 no buffer
Received 1172855 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
56073475 packets output, 25803528720 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (1/33)
output queue (curr/max packets): hardware (0/32)
Traffic Statistics for "Inside2":
63594423 packets input, 52908439223 bytes
56073475 packets output, 24661286310 bytes
1104920 packets dropped
1 minute input rate 5 pkts/sec, 3717 bytes/sec
1 minute output rate 3 pkts/sec, 346 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 5 pkts/sec, 3073 bytes/sec
5 minute output rate 4 pkts/sec, 770 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
Interface Ethernet0/3 "", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 0023.5ee5.eccd, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0)
output queue (curr/max packets): hardware (0/0)
Control Point Interface States:
Interface number is unassigned
Interface Management0/0 "management", is down, line protocol is down
Hardware is i82557, BW 100 Mbps
Auto-Duplex, Auto-Speed
MAC address 0023.5ee5.ecce, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Traffic Statistics for "management":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets
0 IPv4 packets originated from management network
0 IPv4 packets destined to management network
0 IPv6 packets originated from management network
0 IPv6 packets destined to management network
Control Point Interface States:
Interface number is 4
Interface config status is active
Interface state is not active

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 2%; 1 minute: 2%; 5 minutes: 2%

------------------ show process ------------------


PC SP STATE Runtime SBASE Stack Process
Lwe 0010611d 011388c8 00ea7480 0 01136940 8072/8192 block_diag
Mrd 00210368 0128ace0 00ea7520 32491851 0126ad98 126572/131072 Dispatch Unit
Mwe 003d2125 0128fd78 00ea7438 0 0128de00 7764/8192 CF OIR
Mwe 00118e7d 019161b8 00ea7438 0 01914240 7788/8192 Reload Control Thread
Mwe 0011d13a 01920d90 00ea9308 20 0191ce48 14052/16384 aaa
Mwe 0013a8fe 01927858 00ea9b30 0 01923920 15820/16384 CMGR Server Process
Mwe 0013aec1 019299c0 00ea7438 0 01927a48 7960/8192 CMGR Timer Process
Lwe 0020f8f2 01933f88 00eb2040 0 01932010 7308/8192 dbgtrace
Msi 0043d9d7 019381d8 00ea7438 14564 01936260 7712/8192 557mcfix
Msi 0043d981 0193a300 00ea7438 3 01938388 7792/8192 557statspoll
Mwe 00c6eb85 0194abd0 00ea7438 0 01948c48 7804/8192 Chunk Manager
Msi 0079a9d6 01954068 00ea7438 25618 01952100 7460/8192 PIX Garbage Collector
Lsi 00b3cf5d 019561b0 00ea7438 1111 01954228 7444/8192 route_process
Mwe 007891e1 0195ee60 00e2f7e0 2 0195cee8 7500/8192 IP Address Assign
Mwe 0097f5b1 01964c28 00e3bd20 0 01962cb0 8056/8192 QoS Support Module
Mwe 007fa039 01966d88 00e304fc 1 01964e10 7688/8192 Client Update Task
Lwe 00c8bca1 01969668 00ea7438 3028796 019676f0 7544/8192 Checkheaps
Mwe 009bdd01 0196f9d0 00ea7438 4642 0196da68 7276/8192 Session Manager
Mwe 00ac29ed 0197a6c8 02f593f8 8 019767e0 15620/16384 uauth
Mwe 00a5c091 0197c880 00e48bb0 0 0197a908 7308/8192 Uauth_Proxy
Mwe 00abe79d 01980aa0 00e4af80 0 0197eb58 7660/8192 SMTP
Mwe 00aae8a5 01982bd8 00e4a948 1234535 01980c80 5820/8192 Logger
Mwe 00aaff71 01984d20 00ea7438 0 01982da8 7292/8192 Thread Logger
Mwe 00bb9493 01991400 00e755b8 0 0198f498 6956/8192 vpnlb_thread
Msi 00501a1b 01948a98 00ea7438 35349 01946b20 7184/8192 arp_timer
Mwe 0050ba11 0192dc00 00ec0508 0 0192bc98 7964/8192 arp_forward_thread
Msi 00ac4e7b 02136ae0 00ea7438 1144 02134b78 5516/8192 tcp_fast
Msi 00ac4c4f 02138af8 00ea7438 562 02136ba0 6188/8192 tcp_slow
Mwe 00ad5a9f 02148d10 00e4bb10 0 02146da8 8040/8192 udp_timer
Mwe 0018ae29 0197e9b8 00ea7438 0 0197ca30 7976/8192 CTCP Timer process
Mwe 00b699ed 02e21450 00ea7438 0 02e1f4f8 7928/8192 L2TP data daemon
Mwe 00b697dd 02e23488 00ea7438 0 02e21520 7944/8192 L2TP mgmt daemon
Mwe 00b533b7 02e5b590 00e70348 4152 02e57628 16052/16384 ppp_timer_thread
Msi 00bb9e9e 02e5d598 00ea7438 19817 02e5b650 7664/8192 vpnlb_timer_thread
Mwe 001a40e0 0198d1a0 0192efd8 3497 0198b248 5332/8192 IPsec message handler
Msi 001b4b55 02e626d8 00ea7438 316206 02e60770 6308/8192 CTM message handler
Mwe 008237bf 02ed72e8 00ea7438 0 02ed5380 7644/8192 NAT security-level reconfiguration
Mwe 00730835 02eeca88 00ea7438 11194 02ee8b20 15120/16384 IP Background
Mwe 00208657 02f4a600 00e09580 17270 02f2a6b8 122964/131072 tmatch compile thread
Mwe 008c4eed 0300c998 00ea7438 0 03008a10 15996/16384 Crypto PKI RECV
Mwe 008cb211 0300eab0 00ea7438 0 0300cb38 7788/8192 Crypto CA
Mwe 00b90ec0 0302a7b8 00e74794 0 03028860 8024/8192 vpnfo_thread_msg
Msi 00b9efcf 0302c8e0 00ea7438 19113 0302a988 7680/8192 vpnfo_thread_timer
Mwe 00b9b987 0302ea08 00e748a8 0 0302cab0 8024/8192 vpnfo_thread_sync
Msi 00b9e888 03030b40 00ea7438 108737 0302ebd8 7684/8192 vpnfo_thread_unsent
Lsi 007b11f9 03048ee8 00ea7438 271 03046f70 7736/8192 uauth_urlb clean
Lwe 00794ab5 031f7a78 00ea7438 8940 031f5b00 7128/8192 pm_timer_thread
Mwe 00494331 031fa858 00ea7438 81894 031f88e0 7572/8192 IKE Timekeeper
Mwe 00485d15 031ffd00 00e243b8 590627 031fc0a8 11292/16384 IKE Daemon
Mwe 00a69801 03202e08 00e4a130 0 03200e90 8056/8192 RADIUS Proxy Event Daemon
Mwe 00a3c814 03204dc0 0198e9e0 36 03202fb8 7244/8192 RADIUS Proxy Listener
Mwe 00a6b71d 03207068 00ea7438 0 032050e0 7976/8192 RADIUS Proxy Time Keeper
Mwe 002197b7 032454b0 00ce1348 22780 0323db78 28600/32768 ci/console
Msi 003fa636 03247bd8 00ea7438 11733 03245ca0 6920/8192 fover_thread
Mwe 00b362c2 03249d10 00f919d8 800 03247dc8 7492/8192 lu_ctl
Csi 007cd071 0324be58 00ea7438 184792 03249ef0 6456/8192 update_cpu_usage
Msi 007cd871 03251ff8 00ea7438 411683 03250140 5668/8192 NIC status poll
Mwe 003ee7d1 0196b750 00ebae78 0 01969818 7992/8192 fover_rx
Mwe 003f0565 03258480 00ebaed4 0 03256508 8056/8192 fover_tx
Mwe 003f740d 0325a4a8 00ec0580 0 03258530 8012/8192 fover_ip
Mwe 00400de1 0325e2c0 00ebaee8 0 0325a558 15644/16384 fover_rep
Mwe 003f10f6 032621d8 00ebaef0 6546 0325e580 15268/16384 fover_parse
Mwe 003e36ea 03264500 00eb9000 5059 032625a8 7844/8192 fover_ifc_test
Mwe 003e5e81 03266548 00ea7438 0 032645d0 7960/8192 fover_health_monitoring_thread
Mwe 004106ad 0326a798 00ea7438 0 03268820 7960/8192 ha_trans_ctl_tx
Mwe 004106ad 0327d7e8 00ea7438 0 0327b870 7960/8192 ha_trans_data_tx
Mwe 00408a5d 0327f810 00ea7438 0 0327d898 7012/8192 fover_FSM_thread
Mwe 00b366ed 03281838 00ec0640 0 0327f8c0 7900/8192 lu_rx
Lwe 00b36679 03283870 00f91908 0 032818e8 8072/8192 lu_dynamic_sync
Mwe 004f9b3d 03473970 00ec0710 113285 0346fa08 13192/16384 IP Thread
Mwe 004ff801 034759a8 00ec06d0 479695 03473a30 5324/8192 ARP Thread
Mwe 004426d5 034779d0 00ec0578 6574 03475a58 5896/8192 icmp_thread
Mwe 00ad54b0 03479918 02146bc4 0 03477a80 7832/8192 riprx
Msi 0099af89 0347ba20 00ea7438 1163 03479aa8 7500/8192 riptx
Mwe 00ad5af7 0347da28 00ea7438 12582 0347bad0 7624/8192 udp_thread
Mwe 00ac53f9 0347f940 00ec0708 4277 0347daf8 4808/8192 tcp_thread
Mwe 00549df1 03688ff0 00e25f8c 0 03687078 8056/8192 kerberos_work
Mwe 0010b3f5 0368af48 00ea7438 0 036890a0 7596/8192 kerberos_recv
Mwe 00980ec9 036a2fa0 00e3bd84 279 036a1028 5244/8192 radius_snd
Mwe 00ad54b0 036a4cc8 02146b18 3 036a3150 6092/8192 radius_rcv_auth
Mwe 00ad54b0 036a6df0 02146a6c 0 036a5278 6588/8192 radius_rcv_acct
Mwe 00ac2e0f 039bfbe8 040c4050 23 039bdd30 7412/8192 listen/https
Mwe 00297ee6 039c3cb0 00ea7438 5451 039bfd58 12740/16384 emweb/https
Mwe 00292639 03ccffe8 00ea7438 1237 03cce070 7592/8192 Timekeeper
Mwe 00ad54b0 03cd5860 02146914 0 03cd3fd8 6280/8192 snmp
Mwe 00a3c814 03cfecf8 03ce1298 57896 03cfcef0 7256/8192 IKE Receiver
Mwe 00ac2e0f 03d5f940 03e42948 0 03d5dae8 7332/8192 listen/telnet
Mwe 00ac2e0f 03d62440 03de0b48 3 03d605e8 5900/8192 listen/ssh
Mwe 006c5531 03daa4b8 00ea7438 56927 03da8540 4836/8192 NTP
Mwe 0076fd78 04379da0 02fe1e1c 97 04372408 28412/32768 accept/http
Mwe 0076e7b1 0436ea58 00ea7438 20 04366e80 28940/32768 accept/http
Mwe 00964514 04351570 00f2d9e8 375 0434f618 7828/8192 qos_metric_daemon
M* 00742953 0009feec 00ea7520 368 043c1700 24364/32768 accept/http
- - - - 5604316072 - - scheduler
- - - - 5643812625 - - total elapsed

------------------ show failover ------------------

Failover Off
Failover unit Secondary
Failover LAN Interface: not Configured
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum

------------------ show traffic ------------------

outside1:
received (in 1348515.514 secs):
854376435 packets 321407381200 bytes
2 pkts/sec 238000 bytes/sec
transmitted (in 1348515.514 secs):
1102884060 packets 1291393465718 bytes
2 pkts/sec 957000 bytes/sec
1 minute input rate 397 pkts/sec, 44155 bytes/sec
1 minute output rate 627 pkts/sec, 880960 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 418 pkts/sec, 69282 bytes/sec
5 minute output rate 638 pkts/sec, 882648 bytes/sec
5 minute drop rate, 0 pkts/sec
inside1:
received (in 1348515.514 secs):
1100366569 packets 1222334138781 bytes
0 pkts/sec 906002 bytes/sec
transmitted (in 1348515.514 secs):
851010009 packets 293995135644 bytes
0 pkts/sec 218001 bytes/sec
1 minute input rate 631 pkts/sec, 846786 bytes/sec
1 minute output rate 402 pkts/sec, 25988 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 639 pkts/sec, 849647 bytes/sec
5 minute output rate 421 pkts/sec, 50196 bytes/sec
5 minute drop rate, 2 pkts/sec
Inside2:
received (in 1348515.514 secs):
63594423 packets 52908439223 bytes
2 pkts/sec 39002 bytes/sec
transmitted (in 1348515.514 secs):
56073475 packets 24661286310 bytes
0 pkts/sec 18001 bytes/sec
1 minute input rate 5 pkts/sec, 3717 bytes/sec
1 minute output rate 3 pkts/sec, 346 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 5 pkts/sec, 3073 bytes/sec
5 minute output rate 4 pkts/sec, 770 bytes/sec
5 minute drop rate, 0 pkts/sec
management:
received (in 1348515.514 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 1348515.514 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec

----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
Ethernet0/0:
received (in 1348515.514 secs):
854376435 packets 337054190678 bytes
2 pkts/sec 249001 bytes/sec
transmitted (in 1348515.514 secs):
1077842027 packets 1275212846943 bytes
3 pkts/sec 945001 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/1:
received (in 1348515.514 secs):
1100607635 packets 1242962832373 bytes
0 pkts/sec 921000 bytes/sec
transmitted (in 1348515.514 secs):
851010009 packets 311646453487 bytes
0 pkts/sec 231001 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/2:
received (in 1348515.514 secs):
63594451 packets 54107501427 bytes
2 pkts/sec 40002 bytes/sec
transmitted (in 1348515.514 secs):
56073475 packets 25803528720 bytes
0 pkts/sec 19000 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/3:
received (in 1348515.514 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 1348515.514 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management0/0:
received (in 1348515.514 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 1348515.514 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec

------------------ show perfmon ------------------


PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s

VALID CONNS RATE in TCP INTERCEPT: Current Average
100.00% 115.00%

------------------ show counters ------------------

Protocol Counter Value Context
IP IN_PKTS 10212227 Summary
IP OUT_PKTS 887934179 Summary
IP OUT_DROP_DWN 12 Summary
IP TO_ARP 8206548 Summary
IP TO_UDP 1668576 Summary
IP TO_ICMP 145248 Summary
IP TO_TCP 104884 Summary
TCP IN_PKTS 104884 Summary
TCP OUT_PKTS 135941 Summary
TCP RCV_GOOD 6204 Summary
TCP NO_APP 29 Summary
TCP DROP_NRST 5 Summary
TCP SESS_CTOD 19 Summary
TCP CONN_RST1 86 Summary
TCP CONN_RST2 119 Summary
TCP DROP_IGNORE3 115 Summary
TCP DROP_IGNORE4 12876 Summary
TCP OUT_CLSD 581 Summary
TCP HASH_ADD 723 Summary
TCP HASH_MISS 757 Summary
TCP SND_ACK 6479 Summary
TCP RCV_ACK 96938 Summary
TCP RCV_ACK_NEST 254 Summary
UDP IN_PKTS 1668576 Summary
UDP OUT_PKTS 11759329 Summary
ICMP IN_PKTS 145248 Summary
ICMP OUT_PKTS 143608 Summary
ICMP PORT_UNREACH 35 Summary
SSL HANDSHAKE_START 662 Summary
SSL HANDSHAKE_DONE 611 Summary
SSL HANDSHAKE_FAILURE 643 Summary
SSL OPEN_SERVER 662 Summary
SSL CLOSE_CALL 659 Summary
SSL NEW_CTX 1 Summary
SSL WRITE_CALL 661247 Summary
SSL TCP_ERR_READ 34 Summary
SSL NEW_CONN 662 Summary
SSL GET_PKT 3148 Summary

------------------ show history ------------------


------------------ show firewall ------------------

Firewall mode: Router

------------------ show running-config ------------------

: Saved
:
ASA Version 7.0(8)
!
hostname fw-phoenix
domain-name azda.gov
enable password <removed>
passwd <removed>
no names
dns-guard
!
interface Ethernet0/0
description Outside interface for 159.87.64.x network
nameif outside1
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
description First inside interface for 172.16.10.x network
nameif inside1
security-level 100
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/2
description Interface for OPM Server farm
nameif Inside2
security-level 100
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!

ftp mode passive
clock timezone MST -7
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Hosts
object-group network All_VPN
network-object 172.16.11.0 255.255.255.0
network-object 172.16.12.0 255.255.255.0
network-object 172.16.17.0 255.255.255.0
network-object 172.16.18.0 255.255.255.0
network-object 172.16.14.0 255.255.255.0
network-object 172.16.15.0 255.255.255.0
object-group network Outside_Mail_Server
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255
object-group service ActiveDir tcp
port-object eq ldap
port-object eq kerberos
port-object eq netbios-ssn
port-object eq 88
port-object eq 3269
port-object eq domain
port-object eq 3268
port-object eq ldaps
port-object eq 445
object-group service DNS tcp-udp
port-object eq domain
port-object eq 88
port-object eq 389
object-group network insideDNS
network-object x.x.x.x7 255.255.255.255
network-object x.x.x.x8 255.255.255.255
network-object 172.16.10.24 255.255.255.255
object-group network insideDC
network-object x.x.x.x7 255.255.255.255
network-object x.x.x.x8 255.255.255.255
object-group network ITManagers
network-object x.x.x.x3 255.255.255.255
network-object x.x.x.x6 255.255.255.255
object-group service Mail tcp
port-object eq 691
port-object eq pop3
port-object eq imap4
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 995
port-object eq 993
port-object eq aol
port-object range 1024 65535
port-object eq 135
port-object eq netbios-ssn
object-group network CiscoClients
network-object 172.16.10.224 255.255.255.240
object-group network CiscoClients_Outside
network-object 172.16.10.224 255.255.255.240
object-group network Outside_SQL
network-object x.x.x.x 255.255.255.255
object-group network Remote_switches
network-object 10.0.0.0 255.0.0.0
object-group service Citrix tcp
port-object range citrix-ica citrix-ica
port-object eq www
port-object eq https
object-group service Webports tcp
port-object eq www
port-object eq https

access-list outside1_cryptomap_10 extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list outside1_cryptomap_10 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list AZDANet remark AZDANetwork
access-list AZDANet standard permit 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.9.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list outside1_access_in extended deny ip host 203.229.126.240 any
access-list outside1_access_in extended deny ip host 208.85.53.26 any
access-list outside1_access_in extended deny ip host 66.231.80.236 any
access-list outside1_access_in extended deny ip host 208.69.101.152 any
access-list outside1_access_in extended deny ip host 208.85.51.96 any
access-list outside1_access_in extended deny ip host 69.25.202.44 any
access-list outside1_access_in extended deny ip host 69.25.202.43 any
access-list outside1_access_in extended permit ip x.x.x.x 255.255.255.0 any
access-list outside1_access_in extended permit icmp host x.x.x.x any
access-list outside1_access_in extended permit tcp object-group All_VPN gt 1024 host x.x.x.x log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group insideDNS log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group insideDNS object-group ActiveDir log
access-list outside1_access_in extended permit udp object-group All_VPN object-group insideDNS log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group ActiveDir object-group insideDC log
access-list outside1_access_in extended permit ip object-group CiscoClients_Outside any
access-list outside1_access_in extended permit tcp any object-group Mail host x.x.x.x log
access-list outside1_access_in extended permit tcp host x.x.x.x host x.x.x.x eq 1433
access-list outside1_access_in extended permit ip x.x.x.x 255.255.0.0 host x.x.x.x log
access-list outside1_access_in extended permit tcp any object-group Webports host x.x.x.x
access-list outside1_access_in extended permit tcp any object-group Mail host x.x.x.x log
access-list outside1_access_in extended permit ip any host x.x.x.x log
access-list outside1_access_in extended permit ip object-group All_VPN host x.x.x.x
access-list outside1_access_in extended permit ip any host x.x.x.x log
access-list outside1_access_in extended permit ip any host x.x.x.x
access-list outside1_access_in extended permit icmp host x.x.x.x any
access-list outside1_access_in extended deny ip host x.x.x.x any
access-list outside1_access_in extended permit tcp any host x.x.x.x object-group Citrix log
access-list outside1_access_in extended permit ip any host x.x.x.x
access-list outside1_access_in extended permit tcp x.x.x.x 255.255.255.0 eq x.x.x.x inactive
access-list outside1_access_in extended permit tcp any any inactive
access-list outside1_access_in extended permit tcp any object-group DNS x.x.x.x 255.255.255.0
access-list outside1_access_in extended permit tcp any object-group OPM_HTTP_ref_1 eq www
access-list outside1_access_in extended permit tcp any object-group OPM_HTTPS_ref_1 eq https
access-list outside1_access_in extended permit tcp any object-group OPM_SSH_ref_1 eq ssh
access-list outside1_access_in extended permit tcp any host x.x.x.x eq 8080
access-list outside1_access_in extended permit tcp any host x.x.x.x eq 123
access-list outside1_access_in extended permit tcp any host x.x.x.x eq 7100
access-list outside1_access_in extended permit tcp any host x.x.x.x range ftp ssh inactive
access-list outside1_access_in extended permit tcp any host x.x.x.x eq smtp
access-list outside1_access_in extended permit tcp any host x.x.x.x range ftp ssh
access-list outside1_access_in extended permit tcp any host x.x.x.x eq www
access-list outside1_access_in extended deny tcp host x.x.x.x any
access-list outside1_access_in extended deny tcp host x.x.x.x any
access-list outside1_access_in extended deny tcp host 75.88.23.33 any
access-list outside1_access_in remark Spammer
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 64.202.160.40 eq https
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 64.202.160.40 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 149.5.128.0 255.255.255.0 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 149.5.128.0 255.255.255.0 eq https
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 24.248.61.65 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 216.161.172.34 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 63.245.209.10 range 1024 65535
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 66.135.33.47 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 184.168.239.1 eq www
access-list inside1_access_in extended permit ip host 172.16.10.62 172.16.10.0 255.255.255.0
access-list inside1_access_in extended permit ip host 172.16.10.62 10.168.30.0 255.255.255.0
access-list inside1_access_in extended deny ip host 172.16.10.62 any
access-list inside1_access_in extended permit ip any any log warnings
access-list inside1_access_in extended permit icmp any any log warnings inactive
access-list inside1_access_in extended permit tcp host x.x.x.x9 eq smtp any
access-list inside1_access_in extended deny tcp any eq smtp any
access-list capin extended permit ip host x.x.x.x2 any
access-list capin extended permit ip any host x.x.x.x2
access-list outside1_cryptomap_dyn_40 extended permit ip any 172.16.10.224 255.255.255.240
access-list outside1_nat0_inbound extended permit ip object-group CiscoClients_Outside object-group AZDA_Hosts
access-list outside1_cryptomap_30 extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list cout extended permit ip host x.x.x.x host 159.87.70.66
access-list cout extended permit ip host 159.87.70.66 host x.x.x.x
access-list inside2_access_in extended permit ip any any log
access-list outside1_cryptomap_30_1 extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list cin extended permit ip host x.x.x.x10 host 159.87.70.66
access-list cin extended permit ip host 159.87.70.66 host x.x.x.x10
access-list outside1_cryptomap_80 extended permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list outside1_cryptomap105 extended permit ip any 172.16.15.0 255.255.255.0
access-list outside1_cryptomap_20 extended permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list outside1_cryptomap_40_1 extended permit ip 172.16.10.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list Inside2_access_in extended permit tcp 10.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0 log warnings
access-list Inside2_access_in extended permit tcp any any log warnings
access-list Inside2_access_in extended permit ip any any
access-list Inside2_access_in extended permit tcp any 159.87.30.0 255.255.255.128
access-list nonat2 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list outside1_cryptomap_60 extended permit ip 172.16.10.0 255.255.255.0 172.16.17.0 255.255.255.0
!
http-map http-map
strict-http action allow log
!
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging console warnings
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside1 x.x.x.x2
logging debug-trace
mtu outside1 1500
mtu inside1 1500
mtu Inside2 1500
mtu management 1500
ip local pool DefaultRSPool 172.16.10.224-172.16.10.239 mask 255.255.255.0
no failover
monitor-interface outside1
monitor-interface inside1
monitor-interface Inside2
monitor-interface management
icmp permit any outside1
icmp permit any inside1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (outside1) 0 access-list outside1_nat0_inbound outside
nat (outside1) 1 172.16.0.0 255.255.0.0
nat (inside1) 0 access-list nonat
nat (inside1) 1 172.16.10.0 255.255.255.0
nat (Inside2) 0 access-list nonat2
nat (Inside2) 1 10.168.30.0 255.255.255.0
static (inside1,outside1) 159.87.64.242 172.16.10.21 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.244 x.x.x.x9 netmask 255.255.255.255
static (inside1,inside1) 172.16.11.0 159.87.60.146 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.243 172.16.10.22 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.6 x.x.x.x0 netmask 255.255.255.255
static (inside1,inside1) 172.16.12.0 209.181.122.61 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.241 172.16.10.254 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.239 172.16.10.32 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.251 172.16.10.39 netmask 255.255.255.255
static (inside1,inside1) 172.16.18.0 159.87.222.1 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.26 172.16.10.26 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.44 172.16.10.44 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.45 172.16.10.34 netmask 255.255.255.255
static (inside1,inside1) 172.16.14.0 159.87.222.57 netmask 255.255.255.255
static (inside1,inside1) 172.16.15.0 159.87.222.2 netmask 255.255.255.255
static (inside1,outside1) 159.87.64.250 172.16.10.53 netmask 255.255.255.255
static (inside1,Inside2) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
static (Inside2,inside1) 10.168.30.0 10.168.30.0 netmask 255.255.255.0
static (inside1,Inside2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (Inside2,outside1) 159.87.64.7 10.168.30.7 netmask 255.255.255.255
static (Inside2,outside1) 159.87.64.106 x.x.x.x06 netmask 255.255.255.255
static (Inside2,outside1) 159.87.64.5 10.168.30.5 netmask 255.255.255.255
static (Inside2,outside1) 159.87.64.60 10.168.30.60 netmask 255.255.255.255
static (Inside2,outside1) 159.87.64.31 10.168.30.65 netmask 255.255.255.255
static (Inside2,outside1) 159.87.64.2 10.168.30.22 netmask 255.255.255.255
static (Inside2,outside1) 159.87.64.3 10.168.30.3 netmask 255.255.255.255
static (inside1,inside1) 172.16.17.0 159.87.222.4 netmask 255.255.255.255
static (Inside2,outside1) 159.87.64.47 10.168.30.67 netmask 255.255.255.255
access-group outside1_access_in in interface outside1
access-group inside1_access_in in interface inside1
access-group Inside2_access_in in interface Inside2
route outside1 0.0.0.0 0.0.0.0 159.87.64.1 1
timeout xlate 10:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 9:05:00 absolute uauth 9:00:00 inactivity
aaa-server azdavpn protocol kerberos
aaa-server azdavpn (inside1) host x.x.x.x7
kerberos-realm AZDA.GOV
aaa-server AZDA protocol radius
aaa-server AZDA (inside1) host x.x.x.x7
key azda!0503
radius-common-pw azda!0503
group-policy DfltGrpPolicy attributes
wins-server none
dns-server value 172.16.10.24 x.x.x.x8
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value azda.gov
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy CiscoClient internal
group-policy CiscoClient attributes
dns-server value 172.16.10.24 x.x.x.x8
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
group-lock value CiscoClient
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AZDANet
default-domain value azda.gov
webvpn
username krysti password <removed> privilege 15
username aznet password <removed> privilege 15
username dhall password <removed> privilege 15
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 159.87.64.20 255.255.255.255 outside1
http x.x.x.x 255.255.255.255 outside1
http x.x.x.x 255.255.255.0 outside1
http 0.0.0.0 0.0.0.0 outside1
http x.x.x.x6 255.255.255.255 inside1
http x.x.x.x3 255.255.255.255 inside1
http 172.16.10.0 255.255.255.0 inside1
http 192.168.1.0 255.255.255.0 management
snmp-server host inside1 x.x.x.x6 community public
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Please type your username and password
auth-prompt accept Credentials accepted. Welcome to the Arizona Department of Agriculture Network
auth-prompt reject Invalid redentials
crypto ipsec transform-set AZDASet esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ADOR esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map AZDADynMap 20 set transform-set AZDASet
crypto dynamic-map AZDADynMap 20 set security-association lifetime seconds 28800
crypto dynamic-map AZDADynMap 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map AZDADynMap 25 set transform-set AZDASet
crypto dynamic-map AZDADynMap 25 set security-association lifetime seconds 28800
crypto dynamic-map AZDADynMap 25 set security-association lifetime kilobytes 4608000
crypto map AZDAMap 10 match address outside1_cryptomap_10
crypto map AZDAMap 10 set peer 159.87.60.146
crypto map AZDAMap 10 set transform-set AZDASet
crypto map AZDAMap 10 set security-association lifetime seconds 28800
crypto map AZDAMap 10 set security-association lifetime kilobytes 4608000
crypto map AZDAMap 20 match address outside1_cryptomap_20
crypto map AZDAMap 20 set peer 159.87.222.57
crypto map AZDAMap 20 set transform-set AZDASet
crypto map AZDAMap 20 set security-association lifetime seconds 28800
crypto map AZDAMap 20 set security-association lifetime kilobytes 4608000
crypto map AZDAMap 30 match address outside1_cryptomap_30_1
crypto map AZDAMap 30 set peer 159.87.222.1
crypto map AZDAMap 30 set transform-set AZDASet
crypto map AZDAMap 30 set security-association lifetime seconds 28800
crypto map AZDAMap 30 set security-association lifetime kilobytes 4608000
crypto map AZDAMap 40 match address outside1_cryptomap_40_1
crypto map AZDAMap 40 set peer 159.87.222.2
crypto map AZDAMap 40 set transform-set AZDASet
crypto map AZDAMap 40 set security-association lifetime seconds 28800
crypto map AZDAMap 40 set security-association lifetime kilobytes 4608000
crypto map AZDAMap 60 match address outside1_cryptomap_60
crypto map AZDAMap 60 set peer 159.87.222.4
crypto map AZDAMap 60 set transform-set AZDASet
crypto map AZDAMap 60 set security-association lifetime seconds 28800
crypto map AZDAMap 60 set security-association lifetime kilobytes 4608000
crypto map AZDAMap 80 match address outside1_cryptomap_80
crypto map AZDAMap 80 set peer 209.181.122.61
crypto map AZDAMap 80 set transform-set AZDASet
crypto map AZDAMap 80 set security-association lifetime seconds 28800
crypto map AZDAMap 80 set security-association lifetime kilobytes 4608000
crypto map AZDAMap 65535 ipsec-isakmp dynamic AZDADynMap
crypto map AZDAMap interface outside1
isakmp identity address
isakmp enable outside1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal 21
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
address-pool (outside1) DefaultRSPool
authentication-server-group azdavpn
authentication-server-group (inside1) azdavpn
authentication-server-group (outside1) azdavpn
dhcp-server 172.16.10.24
dhcp-server x.x.x.x8
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
tunnel-group 159.87.222.2 type ipsec-l2l
tunnel-group 159.87.222.2 ipsec-attributes
pre-shared-key *
tunnel-group CiscoClient type ipsec-ra
tunnel-group CiscoClient general-attributes
address-pool (outside1) DefaultRSPool
address-pool DefaultRSPool
authentication-server-group AZDA
authentication-server-group (outside1) AZDA
default-group-policy CiscoClient
tunnel-group CiscoClient ipsec-attributes
pre-shared-key *
tunnel-group 208.47.100.139 type ipsec-l2l
tunnel-group 208.47.100.139 ipsec-attributes
pre-shared-key *
tunnel-group 209.181.122.61 type ipsec-l2l
tunnel-group 209.181.122.61 ipsec-attributes
pre-shared-key *
tunnel-group 159.87.60.146 type ipsec-l2l
tunnel-group 159.87.60.146 ipsec-attributes
pre-shared-key *
tunnel-group 159.87.222.1 type ipsec-l2l
tunnel-group 159.87.222.1 ipsec-attributes
pre-shared-key *
tunnel-group 75.160.24.1 type ipsec-l2l
tunnel-group 75.160.24.1 ipsec-attributes
pre-shared-key *
tunnel-group 159.87.222.57 type ipsec-l2l
tunnel-group 159.87.222.57 ipsec-attributes
pre-shared-key *
tunnel-group 159.87.222.3 type ipsec-l2l
tunnel-group 159.87.222.3 ipsec-attributes
pre-shared-key *
tunnel-group 159.87.222.4 type ipsec-l2l
tunnel-group 159.87.222.4 ipsec-attributes
pre-shared-key *
tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup
no vpn-addr-assign aaa
telnet 172.16.10.0 255.255.255.0 inside1
telnet timeout 1440
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside1
ssh 172.16.10.0 255.255.255.0 inside1
ssh timeout 60
console timeout 0
management-access Inside2
!
class-map outside1-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect esmtp
policy-map outside1-policy
description FTP
class outside1-class
inspect rtsp
inspect ftp
!
service-policy global_policy global
service-policy outside1-policy interface outside1
ntp server 204.123.2.5 source outside1
ntp server 18.26.4.105 source outside1
ntp server 209.81.9.7 source outside1
tftp-server inside1 x.x.x.x3 /
smtp-server x.x.x.x9
client-update enable
Cryptochecksum:f7f407fba2683a0ff43e7721cc5e5928
: end

------------------ show startup-config errors ------------------

WARNING: Most Kerberos servers require the realm to be expressed in UPPERCASE
*** Output from config line 420, " "

------------------ console logs ------------------

Message #1 : Message #2 : Message #3 : Message #4 : Message #5 : Message #6 : Message #7 : Message #8 : Message #9 : Message #10 : Message #11 : Message #12 : Message #13 : Message #14 :
Total SSMs found: 0
Message #15 :
Total NICs found: 7
Message #16 : mcwa Message #17 : i82557 Ethernet at irq 11Message #18 : MAC: 0023.5ee5.ecce
Message #19 : mcwa Message #20 : i82557 Ethernet at irq 5Message #21 : MAC: 0000.0001.0001
Message #22 : i82546GB rev03 Ethernet @ irq09 dev 3 index 00Message #23 : MAC: 0023.5ee5.ecca
Message #24 : i82546GB rev03 Ethernet @ irq09 dev 3 index 01Message #25 : MAC: 0023.5ee5.eccb
Message #26 : i82546GB rev03 Ethernet @ irq09 dev 2 index 02Message #27 : MAC: 0023.5ee5.eccc
Message #28 : i82546GB rev03 Ethernet @ irq09 dev 2 index 03Message #29 : MAC: 0023.5ee5.eccd
Message #30 : i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05Message #31 : MAC: 0000.0001.0002
Message #32 :
Licensed features for this platform:
Message #33 : Maximum Physical Interfaces : Unlimited
Message #34 : Maximum VLANs : 25
Message #35 : Inside Hosts : Unlimited
Message #36 : Failover : Active/Standby
Message #37 : VPN-DES : Enabled
Message #38 : VPN-3DES-AES : Enabled
Message #39 : Security Contexts : 0
Message #40 : GTP/GPRS : Disabled
Message #41 : VPN Peers : 150
Message #42 :
This platform has an ASA 5510 Security Plus license.
Message #43 :
Message #44 : Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Message #45 : Boot microcode : CNlite-MC-Boot-Cisco-1.2
Message #46 : SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
Message #47 : IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
Message #48 :
Cisco Adaptive Security Appliance Software Version 7.0(8)
Message #49 :
Message #50 : ****************************** Warning *******************************
Message #51 : This product contains cryptographic features and is
Message #52 : subject to United States and local country laws
Message #53 : governing, import, export, transfer, and use.
Message #54 : Delivery of Cisco cryptographic products does not
Message #55 : imply third-party authority to import, export,
Message #56 : distribute, or use encryption. Importers, exporters,
Message #57 : distributors and users are responsible for compliance
Message #58 : with U.S. and local country laws. By using this
Message #59 : product you agree to comply with applicable laws and
Message #60 : regulations. If you are unable to comply with U.S.
Message #61 : and local laws, return the enclosed items immediately.
Message #62 :
Message #63 : A summary of U.S. laws governing Cisco cryptographic
Message #64 : products may be found at:
Message #65 : Message #66 :
Message #67 : If you require further assistance please contact us by
Message #68 : sending email to export@cisco.com.
Message #69 : ******************************* Warning *******************************
Message #70 :
Message #71 : Copyright (c) 1996-2008 by Cisco Systems, Inc.

Message #72 : Restricted Rights Legend

Message #73 : Use, duplication, or disclosure by the Government is
Message #74 : subject to restrictions as set forth in subparagraph
Message #75 : (c) of the Commercial Computer Software - Restricted
Message #76 : Rights clause at FAR sec. 52.227-19 and subparagraph
Message #77 : (c) (1) (ii) of the Rights in Technical Data and Computer
Message #78 : Software clause at DFARS sec. 252.227-7013.

Message #79 : Cisco Systems, Inc.
Message #80 : 170 West Tasman Drive
Message #81 : San Jose, California 95134-1706
 
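A check worth running against a config like the one above, added here as an illustration rather than anything posted in this thread: on ASA 7.x a packet only enters a site-to-site tunnel if it matches the `match address` ACL of some crypto map entry, and it must also be exempt from interface PAT via the `nat (ifname) 0 access-list` ACL, otherwise it is translated to the outside address and never matches the tunnel. The script below parses those three kinds of lines and reports, for a given source/destination pair, which tunnel entries select it and whether the NAT exemption on the egress interface covers it. The sample lines are copied from the posted config; the subnets tested are my own choice, since the thread never says which remote subnet is "network C".

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: a few lines taken verbatim from the ASA config posted in the thread.
SAMPLE_CONFIG = """
access-list outside1_cryptomap_10 extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list outside1_cryptomap_10 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list outside1_cryptomap_30_1 extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list nonat2 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
nat (inside1) 0 access-list nonat
nat (Inside2) 0 access-list nonat2
crypto map AZDAMap 10 match address outside1_cryptomap_10
crypto map AZDAMap 30 match address outside1_cryptomap_30_1
crypto map AZDAMap 65535 ipsec-isakmp dynamic AZDADynMap
"""

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ASA address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> Dict[str, object]:
    """Collect 'permit ip' ACL entries, nat 0 exemption ACLs per interface,
    and static crypto map 'match address' bindings."""
    acls: Dict[str, List[Entry]] = {}
    nat0: Dict[str, str] = {}           # interface name -> exemption ACL name
    crypto: List[Tuple[str, int, str]] = []   # (map name, seq, ACL name)
    for raw in text.splitlines():
        t = raw.strip().split()
        if len(t) >= 7 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _parse_addr(t, 5)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif len(t) >= 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]
        elif len(t) >= 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto.append((t[2], int(t[3]), t[6]))
    return {"acls": acls, "nat0": nat0, "crypto": crypto}


def _matches(entries: List[Entry], src: Net, dst: Net) -> bool:
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_path(cfg: Dict[str, object], src: str, dst: str, egress_iface: str) -> Dict[str, object]:
    """Which crypto map entries select src->dst, and does the nat 0 ACL on the
    egress (inside) interface exempt it from translation?"""
    src_n = ipaddress.ip_network(src, strict=False)
    dst_n = ipaddress.ip_network(dst, strict=False)
    acls = cfg["acls"]
    tunnels = [(m, seq) for (m, seq, acl) in cfg["crypto"]
               if _matches(acls.get(acl, []), src_n, dst_n)]
    nat_acl = cfg["nat0"].get(egress_iface)
    nat_exempt = bool(nat_acl) and _matches(acls.get(nat_acl, []), src_n, dst_n)
    return {"tunnels": tunnels, "nat_exempt": nat_exempt}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # Illustrative pairs: inside1 subnet and Inside2 subnet toward two remote subnets.
    for src, dst, iface in [("172.16.10.0/24", "172.16.18.0/24", "inside1"),
                            ("10.168.30.0/24", "172.16.18.0/24", "Inside2"),
                            ("10.168.30.0/24", "172.16.11.0/24", "Inside2")]:
        print(src, "->", dst, "via", iface, check_path(cfg, src, dst, iface))
```

Both results have to be true for a pair before the tunnel will carry it; a pair that is selected by no crypto map entry, or that is not NAT-exempt on its inside interface, will be PATed out to the internet (or dropped) even though the tunnel itself is up, which is why pings from the remote side can reach the ASA's interface address while hosts behind it stay unreachable.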
Quite a bit of your config is still missing. Post the scrubbed output from show run.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
The more I look at this, the more I think it may be a route issue, although I am still not sure.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.0(8)
!
hostname fw
domain-name DOMAIN
enable password ****** encrypted
passwd ****** encrypted
no names
dns-guard
!
interface Ethernet0/0
description Outside interface for 159.87.64.x network
nameif outside1
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
description First inside interface for 172.16.10.x network
nameif inside1
security-level 100
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/2
description Interface for OPM Server farm
nameif Inside2
security-level 100
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone MST -7
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Hosts
network-object 172.16.10.19 255.255.255.255
network-object 172.16.10.22 255.255.255.255
network-object 172.16.10.23 255.255.255.255
network-object 172.16.10.17 255.255.255.255
network-object 172.16.10.21 255.255.255.255
network-object 172.16.10.254 255.255.255.255
object-group network All_VPN
network-object 172.16.11.0 255.255.255.0
network-object 172.16.12.0 255.255.255.0
network-object 172.16.17.0 255.255.255.0
network-object 172.16.18.0 255.255.255.0
network-object 172.16.14.0 255.255.255.0
network-object 172.16.15.0 255.255.255.0
object-group service ActiveDir tcp
port-object eq ldap
port-object eq kerberos
port-object eq netbios-ssn
port-object eq 88
port-object eq 3269
port-object eq domain
port-object eq 3268
port-object eq ldaps
port-object eq 445
object-group service DNS tcp-udp
port-object eq domain
port-object eq 88
port-object eq 389
object-group network insideDNS
network-object 172.16.10.17 255.255.255.255
network-object 172.16.10.18 255.255.255.255
network-object 172.16.10.24 255.255.255.255
object-group network insideDC
network-object 172.16.10.17 255.255.255.255
network-object 172.16.10.18 255.255.255.255
object-group network ITManagers
network-object 172.16.10.13 255.255.255.255
network-object 172.16.10.16 255.255.255.255
object-group service Mail tcp
port-object eq 691
port-object eq pop3
port-object eq imap4
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 995
port-object eq 993
port-object eq aol
port-object range 1024 65535
port-object eq 135
port-object eq netbios-ssn
object-group network CiscoClients
network-object 172.16.10.224 255.255.255.240
object-group network CiscoClients_Outside
network-object 172.16.10.224 255.255.255.240
object-group network Remote_switches
network-object 10.0.0.0 255.0.0.0
object-group service Citrix tcp
port-object range citrix-ica citrix-ica
port-object eq www
port-object eq https
object-group service Webports tcp
port-object eq www
port-object eq https
object-group network OPM_HTTP
network-object 10.168.30.106 255.255.255.255
network-object 10.168.30.65 255.255.255.255
network-object 10.168.30.60 255.255.255.255
network-object 10.168.30.5 255.255.255.255
network-object 10.168.30.7 255.255.255.255
object-group network OPM_HTTPS
network-object 10.168.30.106 255.255.255.255
network-object 10.168.30.5 255.255.255.255
network-object 10.168.30.60 255.255.255.255
network-object 10.168.30.65 255.255.255.255
object-group network OPM_SSH
network-object 10.168.30.5 255.255.255.255
network-object 10.168.30.65 255.255.255.255
network-object 10.168.30.60 255.255.255.255
object-group network OPM_HTTP_ref_1
network-object 159.87.64.106 255.255.255.255
network-object 159.87.64.31 255.255.255.255
network-object 159.87.64.60 255.255.255.255
network-object 159.87.64.5 255.255.255.255
network-object 159.87.64.7 255.255.255.255
object-group network OPM_HTTPS_ref_1
network-object 159.87.64.106 255.255.255.255
network-object 159.87.64.5 255.255.255.255
network-object 159.87.64.60 255.255.255.255
network-object 159.87.64.31 255.255.255.255
access-list outside1_cryptomap_10 extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list outside1_cryptomap_10 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list Net standard permit 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.9.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.17.0 255.255.255.0
access-list outside1_access_in extended deny ip host 203.229.126.240 any
access-list outside1_access_in extended deny ip host 208.85.53.26 any
access-list outside1_access_in extended deny ip host 66.231.80.236 any
access-list outside1_access_in extended deny ip host 208.69.101.152 any
access-list outside1_access_in extended deny ip host 208.85.51.96 any
access-list outside1_access_in extended deny ip host 69.25.202.44 any
access-list outside1_access_in extended deny ip host 69.25.202.43 any
access-list outside1_access_in extended permit ip 172.16.18.0 255.255.255.0 any
access-list outside1_access_in extended permit icmp host 159.87.222.1 any
access-list outside1_access_in extended permit ip 159.87.0.0 255.255.0.0 159.87.64.0 255.255.255.0 log notifications
access-list outside1_access_in extended permit tcp object-group All_VPN gt 1024 host 172.16.10.21 log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group insideDNS log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group insideDNS object-group ActiveDir log
access-list outside1_access_in extended permit udp object-group All_VPN object-group insideDNS log
access-list outside1_access_in extended permit tcp object-group All_VPN object-group ActiveDir object-group insideDC log
access-list outside1_access_in extended permit ip object-group CiscoClients_Outside any
access-list outside1_access_in extended permit tcp any object-group Mail host x.x.x.x log
access-list outside1_access_in extended permit tcp host 198.151.212.32 host 159.87.64.6 eq 1433
access-list outside1_access_in extended permit tcp any object-group Webports host 159.87.64.6
access-list outside1_access_in extended permit tcp any object-group Mail host 159.87.64.241 log
access-list outside1_access_in extended permit ip object-group All_VPN host 172.16.10.28 inactive
access-list outside1_access_in extended permit icmp host 209.181.122.61 any
access-list outside1_access_in extended deny ip host 124.120.232.250 any
access-list outside1_access_in extended permit tcp any host x.x.x.x object-group Citrix log
access-list outside1_access_in extended permit ip any host x.x.x.x
access-list outside1_access_in extended permit tcp any object-group DNS x.x.x.x 255.255.255.0
access-list outside1_access_in extended permit tcp any object-group OPM_HTTP_ref_1 eq www
access-list outside1_access_in extended permit tcp any object-group OPM_HTTPS_ref_1 eq https
access-list outside1_access_in extended permit tcp any object-group OPM_SSH_ref_1 eq ssh
access-list outside1_access_in extended deny tcp host 178.73.217.168 any
access-list outside1_access_in extended deny tcp host 82.192.88.2 any
access-list outside1_access_in extended deny tcp host 75.88.23.33 any
access-list outside1_access_in extended permit icmp 172.16.11.0 255.255.255.0 any
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 64.202.160.40 eq https
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 64.202.160.40 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 149.5.128.0 255.255.255.0 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 149.5.128.0 255.255.255.0 eq https
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 24.248.61.65 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 216.161.172.34 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 63.245.209.10 range 1024 65535
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 66.135.33.47 eq www
access-list inside1_access_in extended permit tcp host 172.16.10.62 host 184.168.239.1 eq www
access-list inside1_access_in extended permit ip host 172.16.10.62 172.16.10.0 255.255.255.0
access-list inside1_access_in extended permit ip host 172.16.10.62 10.168.30.0 255.255.255.0
access-list inside1_access_in extended deny ip host 172.16.10.62 any
access-list inside1_access_in extended permit ip any any log warnings
access-list inside1_access_in extended permit icmp any any log warnings inactive
access-list inside1_access_in extended permit tcp host 172.16.10.19 eq smtp any
access-list inside1_access_in extended deny tcp any eq smtp any
access-list capin extended permit ip host 172.16.10.12 any
access-list capin extended permit ip any host 172.16.10.12
access-list outside1_cryptomap_dyn_40 extended permit ip any 172.16.10.224 255.255.255.240
access-list outside1_nat0_inbound extended permit ip object-group CiscoClients_Outside object-group ****_Hosts
access-list outside1_cryptomap_30 extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list cout extended permit ip host x.x.x.x host 159.87.70.66
access-list cout extended permit ip host x.x.x.x host 159.87.64.30
access-list inside2_access_in extended permit ip any any log
access-list outside1_cryptomap_30_1 extended permit ip 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list cin extended permit ip host 172.16.10.110 host 159.87.70.66
access-list cin extended permit ip host x.x.x.x host 172.16.10.110
access-list outside1_cryptomap_80 extended permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list outside1_cryptomap105 extended permit ip any 172.16.15.0 255.255.255.0
access-list outside1_cryptomap_20 extended permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list outside1_cryptomap_40_1 extended permit ip 172.16.10.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list Inside2_access_in extended permit tcp 10.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0 log warnings
access-list Inside2_access_in extended permit tcp any any log warnings
access-list Inside2_access_in extended permit ip any any
access-list Inside2_access_in extended permit tcp any x.x.x.x 255.255.255.128
access-list nonat2 extended permit ip 10.168.30.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list outside1_cryptomap_60 extended permit ip 172.16.10.0 255.255.255.0 172.16.17.0 255.255.255.0
!
http-map http-map
strict-http action allow log
!
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging console warnings
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside1 172.16.10.12
logging debug-trace
mtu outside1 1500
mtu inside1 1500
mtu Inside2 1500
mtu management 1500
ip local pool DefaultRSPool 172.16.10.224-172.16.10.239 mask 255.255.255.0
no failover
monitor-interface outside1
monitor-interface inside1
monitor-interface Inside2
monitor-interface management
icmp permit any outside1
icmp permit any inside1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (outside1) 0 access-list outside1_nat0_inbound outside
nat (outside1) 1 172.16.0.0 255.255.0.0
nat (inside1) 0 access-list nonat
nat (inside1) 1 172.16.10.0 255.255.255.0
nat (Inside2) 0 access-list nonat2
nat (Inside2) 1 10.168.30.0 255.255.255.0
static (inside1,outside1) x.x.x.x 172.16.10.21 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.19 netmask 255.255.255.255
static (inside1,inside1) 172.16.11.0 159.87.60.146 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.22 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.10 netmask 255.255.255.255
static (inside1,inside1) 172.16.12.0 209.181.122.61 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.254 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.32 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.39 netmask 255.255.255.255
static (inside1,inside1) 172.16.18.0 x.x.x.x netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.26 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.44 netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.34 netmask 255.255.255.255
static (inside1,inside1) 172.16.14.0 x.x.x.x netmask 255.255.255.255
static (inside1,inside1) 172.16.15.0 x.x.x.x netmask 255.255.255.255
static (inside1,outside1) x.x.x.x 172.16.10.53 netmask 255.255.255.255
static (inside1,Inside2) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
static (Inside2,inside1) 10.168.30.0 10.168.30.0 netmask 255.255.255.0
static (inside1,Inside2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (Inside2,outside1) x.x.x.x 10.168.30.7 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.106 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.5 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.60 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.65 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.22 netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.3 netmask 255.255.255.255
static (inside1,inside1) 172.16.17.0 x.x.x.x netmask 255.255.255.255
static (Inside2,outside1) x.x.x.x 10.168.30.67 netmask 255.255.255.255
access-group outside1_access_in in interface outside1
access-group inside1_access_in in interface inside1
access-group Inside2_access_in in interface Inside2
route outside1 0.0.0.0 0.0.0.0 159.87.64.1 1
timeout xlate 10:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 9:05:00 absolute uauth 9:00:00 inactivity
aaa-server vpn protocol kerberos
aaa-server vpn (inside1) host 172.16.10.17
kerberos-realm DOMAIN
aaa-server protocol radius
aaa-server (inside1) host 172.16.10.17
key *****
radius-common-pw ****
group-policy DfltGrpPolicy attributes
wins-server none
dns-server value 172.16.10.24 172.16.10.18
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value DOMAIN
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy CiscoClient internal
group-policy CiscoClient attributes
dns-server value 172.16.10.24 172.16.10.18
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
group-lock value CiscoClient
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Net
default-domain value DOMAIN
webvpn
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside1
http x.x.x.x 255.255.255.255 outside1
http x.x.x.x 255.255.255.0 outside1
http 172.16.10.16 255.255.255.255 inside1
http 172.16.10.13 255.255.255.255 inside1
http 172.16.10.0 255.255.255.0 inside1
http 192.168.1.0 255.255.255.0 management
snmp-server host inside1 172.16.10.16 community public
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Please type your username and password
auth-prompt reject Invalid credentials
crypto ipsec transform-set Set esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set **** esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DynMap 20 set transform-set ****Set
crypto dynamic-map DynMap 20 set security-association lifetime seconds 28800
crypto dynamic-map DynMap 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map DynMap 25 set transform-set ****Set
crypto dynamic-map DynMap 25 set security-association lifetime seconds 28800
crypto dynamic-map DynMap 25 set security-association lifetime kilobytes 4608000
crypto map ****Map 10 match address outside1_cryptomap_10
crypto map ****Map 10 set peer x.x.x.x
crypto map ****Map 10 set transform-set ****Set
crypto map ****Map 10 set security-association lifetime seconds 28800
crypto map ****Map 10 set security-association lifetime kilobytes 4608000
crypto map ****Map 20 match address outside1_cryptomap_20
crypto map ****Map 20 set peer x.x.x.x
crypto map ****Map 20 set transform-set ****Set
crypto map ****Map 20 set security-association lifetime seconds 28800
crypto map ****Map 20 set security-association lifetime kilobytes 4608000
crypto map ****Map 30 match address outside1_cryptomap_30_1
crypto map ****Map 30 set peer x.x.x.x
crypto map ****Map 30 set transform-set ****Set
crypto map ****Map 30 set security-association lifetime seconds 28800
crypto map ****Map 30 set security-association lifetime kilobytes 4608000
crypto map ****Map 40 match address outside1_cryptomap_40_1
crypto map ****Map 40 set peer x.x.x.x
crypto map ****Map 40 set transform-set ****Set
crypto map ****Map 40 set security-association lifetime seconds 28800
crypto map ****Map 40 set security-association lifetime kilobytes 4608000
crypto map ****Map 60 match address outside1_cryptomap_60
crypto map ****Map 60 set peer x.x.x.x
crypto map ****Map 60 set transform-set ****Set
crypto map ****Map 60 set security-association lifetime seconds 28800
crypto map ****Map 60 set security-association lifetime kilobytes 4608000
crypto map ****Map 80 match address outside1_cryptomap_80
crypto map ****Map 80 set peer x.x.x.x
crypto map ****Map 80 set transform-set ****Set
crypto map ****Map 80 set security-association lifetime seconds 28800
crypto map ****Map 80 set security-association lifetime kilobytes 4608000
crypto map ****Map 65535 ipsec-isakmp dynamic ****DynMap
crypto map ****Map interface outside1
isakmp identity address
isakmp enable outside1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal 21
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
address-pool (outside1) DefaultRSPool
authentication-server-group azdavpn
authentication-server-group (inside1) vpn
authentication-server-group (outside1) vpn
dhcp-server 172.16.10.24
dhcp-server 172.16.10.18
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group CiscoClient type ipsec-ra
tunnel-group CiscoClient general-attributes
address-pool (outside1) DefaultRSPool
address-pool DefaultRSPool
authentication-server-group ****
authentication-server-group (outside1) ****
default-group-policy CiscoClient
tunnel-group CiscoClient ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup
no vpn-addr-assign aaa
telnet 172.16.10.0 255.255.255.0 inside1
telnet timeout 1440
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside1
ssh 172.16.10.0 255.255.255.0 inside1
ssh timeout 60
console timeout 0
management-access Inside2
!
class-map outside1-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect esmtp
policy-map outside1-policy
description FTP
class outside1-class
inspect rtsp
inspect ftp
!
service-policy global_policy global
service-policy outside1-policy interface outside1
ntp server 204.123.2.5 source outside1
ntp server 18.26.4.105 source outside1
ntp server 209.81.9.7 source outside1
tftp-server inside1 172.16.10.13 /
smtp-server 172.16.10.19
client-update enable
Cryptochecksum:0c40ecbc8f7802eba1caf35ee7e2e091
: end
 
More info: when initiating a ping from the remote 172.16.11.0 network to the 10.168.30.0 network, the following lines are logged on the ASA firewall:
Oct 07 2011 10:48:10 fw-phoenix : %ASA-7-711001: ICMP echo request from outside1:172.16.11.217 to Inside2:10.168.30.3 ID=8521 seq=176 len=56
Oct 07 2011 10:48:10 fw-phoenix : %ASA-7-711001: ICMP echo reply from Inside2:10.168.30.3 to inside1:172.16.11.217 ID=8521 seq=176 len=56

It appears that the incoming ICMP request is processed from the outside interface and sent to the Inside2 interface as it should be, but the reply is being sent from the Inside2 interface to the inside1 interface, which is incorrect; it should go to the outside.
How do I fix this??
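An added diagnostic for the situation described in the post above; it is not part of the thread or of the poster's configuration. It does two things: pairs the %ASA-7-711001 echo request/reply lines by ICMP ID and sequence and flags any pair whose reply leaves on a different interface than the request arrived on, then checks the pre-8.3 `static` entries to see which one would claim the reply. The model it applies is an assumption, stated in the code: on pre-8.3 ASA/PIX software, a packet arriving on the mapped-side interface of a `static` whose mapped network covers its destination is forwarded out that static's real-side interface, longest prefix first. The sample inputs are the two unmasked `static` lines and the two log lines quoted above; entries with masked `x.x.x.x` addresses are skipped rather than guessed.

```python
import ipaddress
import re

# Pre-8.3 ASA/PIX syntax: static (real_if,mapped_if) mapped_addr real_addr netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)
# %ASA-7-711001 ICMP debug lines in the shape quoted in the post.
ICMP_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?P<in_if>[^:\s]+):(?P<src>[\d.]+) "
    r"to (?P<out_if>[^:\s]+):(?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+)"
)


def parse_statics(config_text):
    """Collect evaluable static entries; masked (x.x.x.x) lines are skipped."""
    statics = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m or "x.x.x.x" in line:
            continue
        statics.append({
            "line": line,
            "real_if": m["real_if"],
            "mapped_if": m["mapped_if"],
            "mapped_net": ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False),
            "real_net": ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False),
        })
    return statics


def divert_interface(statics, ingress_if, dst_ip):
    """ASSUMED pre-8.3 model: a packet entering on a static's mapped-side interface
    whose mapped network covers dst_ip leaves via the static's real-side interface
    (longest prefix wins). Returns (egress_if, static) or (None, None)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for s in statics:
        if s["mapped_if"].lower() != ingress_if.lower() or dst not in s["mapped_net"]:
            continue
        if best is None or s["mapped_net"].prefixlen > best["mapped_net"].prefixlen:
            best = s
    return (best["real_if"], best) if best else (None, None)


def find_asymmetric_echoes(log_text):
    """Pair echo requests with replies by (ID, seq); report pairs whose reply
    does not leave on the interface the request arrived on."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue
        key = (m["id"], m["seq"])
        if m["kind"] == "request":
            pending[key] = m
            continue
        req = pending.pop(key, None)
        if req is not None and req["in_if"].lower() != m["out_if"].lower():
            findings.append({
                "id_seq": key, "peer": req["src"], "target": req["dst"],
                "request_in": req["in_if"], "reply_in": m["in_if"],
                "reply_out": m["out_if"],
            })
    return findings


# Sample input: the two unmasked static lines from the posted config plus one
# masked line (which parse_statics skips), and the two quoted log lines.
SAMPLE_STATICS = """\
static (Inside2,inside1) 10.168.30.0 10.168.30.0 netmask 255.255.255.0
static (inside1,Inside2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (inside1,inside1) 172.16.17.0 x.x.x.x netmask 255.255.255.255
"""
SAMPLE_LOG = """\
Oct 07 2011 10:48:10 fw-phoenix : %ASA-7-711001: ICMP echo request from outside1:172.16.11.217 to Inside2:10.168.30.3 ID=8521 seq=176 len=56
Oct 07 2011 10:48:10 fw-phoenix : %ASA-7-711001: ICMP echo reply from Inside2:10.168.30.3 to inside1:172.16.11.217 ID=8521 seq=176 len=56
"""


def diagnose(config_text=SAMPLE_STATICS, log_text=SAMPLE_LOG):
    """For each asymmetric echo, name the static (if any) that would pull the
    reply toward the interface seen in the log."""
    statics = parse_statics(config_text)
    report = []
    for f in find_asymmetric_echoes(log_text):
        egress, st = divert_interface(statics, f["reply_in"], f["peer"])
        explained = st["line"] if st and egress.lower() == f["reply_out"].lower() else None
        report.append({"peer": f["peer"], "request_in": f["request_in"],
                       "reply_out": f["reply_out"], "explained_by": explained})
    return report


if __name__ == "__main__":
    for entry in diagnose():
        print(entry)
```

Run against the quoted lines, the script reports the single asymmetric pair (request in on outside1, reply out on inside1) and attributes it to `static (inside1,Inside2) 172.16.0.0 172.16.0.0 netmask 255.255.0.0`, whose /16 mapped side on Inside2 also covers the remote 172.16.11.0 network, so a reply entering Inside2 for 172.16.11.217 is sent to inside1 rather than back toward outside1 and the tunnel. If that model holds on this box, the change to test is narrowing that static to the local 172.16 subnets that actually sit behind inside1, and making sure the 10.168.30.0 to 172.16.11.0 traffic has its own NAT exemption and crypto ACL entry across Inside2 and outside1; `show xlate` on the ASA shows which translation the reply is really matching.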
 