Hi all,
We have a Cisco ASA 5510 device, without the Security Plus License. We had all our Internet connectivity/VPN terminating on the main internet connection on the Outside1 interface.
We now want to set up a second internet connection, which is practically a dedicated link to a remote network. A VPN tunnel to that remote network will terminate on the new interface (Outside2). I have configured the VPN tunnel, but I cannot get it to connect. Is there something missing in my config?
I appreciate your help, as I am not overly confident with ASA configuration.
! ASDM GUI metadata. "asdm location"/"asdm group" only tell the GUI on which
! interface to draw an object; they have no effect on forwarding or on the VPN.
asdm image disk0:/asdm-507.bin
asdm location GXS_Server 255.255.255.255 outside2
asdm location ISA_Server 255.255.255.255 inside
asdm location PERIMETER 255.255.255.0 outside2
asdm location VPN_TS 255.255.255.0 outside2
asdm location INTERNAL 255.255.255.0 inside
! NOTE(review): "VPN_DAVEH" has no matching "name" entry (the object defined
! below is VPN_DAVE). A stale GUI hint, not a traffic problem, but tidy it up.
asdm location VPN_DAVEH 255.255.255.0 outside2
asdm location TenFore_Server 255.255.255.255 outside2
asdm location VPN_OPEN 255.255.255.0 outside2
asdm location TenFore_Server 255.255.255.255 outside1
asdm location GXS_Server 255.255.255.255 outside1
asdm location VPN_OPEN 255.255.255.0 outside1
! The four redacted entries below appear to be the outside2 (Offis) peer
! networks that also occur in outside2_cryptomap_20 and the NAT exemption list.
asdm location X.X.X.X 255.255.255.255 outside2
asdm location X.X.X.X 255.255.255.255 outside2
asdm location X.X.X.X 255.255.255.255 outside2
asdm location X.X.X.X 255.255.255.240 outside2
asdm group InternalDNSServers inside
asdm group OFFIS_SERVERS outside2
asdm group InternalNetworks inside
asdm group RemoteVPNSites outside1
no asdm history enable
: Saved
:
! ASA 7.0(7) is a long-retired release; the syntax below (nat-control,
! global/nat/static, "isakmp" without the "crypto" prefix) is the pre-8.3 form.
ASA Version 7.0(7)
!
hostname XXXX
domain-name domain.com
! Privileged-mode password (hash redacted by the poster).
enable password XXX encrypted
names
! Symbolic names. Addresses shown as X.X.X.X / 192.168.18.X were redacted by
! the poster. INTERNAL (192.168.18.0/24) and IPFX (192.168.100.0/24) are the
! protected networks used by the crypto ACLs and NAT exemptions; PERIMETER
! (172.16.16.0/24) is the "inside" interface subnet, with the ISA server as
! the next hop towards INTERNAL and IPFX.
name X.X.X.X GXS_Server description GXS VPN Server
name 172.16.16.1 ISA_Server description Internal ISA Server
name 192.168.18.X OBJECT1
name 192.168.18.X OBJECT2
name 192.168.18.X OBJECT3
name X.X.X.X TenFore_Server
name 192.168.18.X OBJECT4
name 192.168.18.X OBJECT5
name 192.168.118.0 VPN_TS
name 172.16.16.0 PERIMETER
name 192.168.108.0 VPN_OPEN
name 192.168.88.0 VPN_DAVE
name 192.168.18.0 INTERNAL
name 192.168.100.0 IPFX
name 192.168.38.0 VPN_LONDON
name 192.168.68.0 VPN_TORONTO
name 192.168.58.0 VPN_MATT
name 192.168.48.0 VPN_GARY
dns-guard
!
interface Ethernet0/0
description Internet Connection
! NOTE(review): outside1 is administratively down, yet the default route, the
! outside1 crypto map, "isakmp enable outside1", the SMTP/HTTPS statics and
! the NTP source all depend on it. If this is the real saved state rather than
! a paste artefact, the ASA currently has no usable default route at all.
shutdown
nameif outside1
security-level 0
! /30 point-to-point link to the ISP; the default-route next hop is presumably
! the other address of this /30.
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/1
description Big Air Connection
! outside2: the dedicated link carrying the Offis site-to-site tunnel. It is
! also a /30 and no "route outside2 ..." exists anywhere in this config, so
! anything beyond the directly connected /30 (the IKE peer, the remote
! protected networks) is unreachable via this interface until a route is added.
nameif outside2
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/2
! "inside" is the 172.16.16.0/24 (PERIMETER) segment. The ISA server
! 172.16.16.1 on it is the next hop for INTERNAL and IPFX (see the routes).
description Internal (DMZ Network)
nameif inside
security-level 100
ip address 172.16.16.2 255.255.255.0
!
interface Management0/0
description Management Port Only
nameif management
! security-level 0 on a management interface is unusual, but "management-only"
! stops it forwarding transit traffic. ASDM access from 10.10.10.0/24 is
! granted by the "http ... management" line further down.
security-level 0
ip address 10.10.10.1 255.255.255.0
management-only
!
! Console/Telnet login password (redacted), passive FTP for the ASA's own
! transfers, and the clock: UTC+10 with an October-to-March DST rule, which
! governs the log timestamps.
passwd XXXX encrypted
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
! TCP 80/443 -- used by inside_access_in to let only the ISA proxy browse out.
object-group service WebAccess tcp
description HTTP/HTTPS access
port-object eq www
port-object eq https
! TCP/UDP 53. NOTE(review): not referenced by any access-list in this config
! (the DNS rule uses "eq domain" directly) -- safe to remove.
object-group service DNS tcp-udp
description DNS Group
port-object range domain domain
! TCP 264 for the third-party GXS VPN client, permitted only from OBJECT5
! to GXS_Server.
object-group service GXS_TCP tcp
description Group for GXS TCP Protocols
port-object range 264 264
! UDP 2746 and UDP 500 (isakmp) for the GXS VPN client, again only from
! OBJECT5 to GXS_Server.
object-group service GXS_UDP udp
description Group for GXS UDP Protocols
port-object range 2746 2746
port-object range isakmp isakmp
! The two internal resolvers allowed to send DNS (UDP 53) outbound.
object-group network InternalDNSServers
description Group containing all Internal DNS Servers
network-object OBJECT1 255.255.255.255
network-object OBJECT2 255.255.255.255
! Five Offis hosts behind the outside2 tunnel (addresses redacted). Used by
! both outside2_access_in and inside_access_in. NOTE(review): the /28 that
! also appears in outside2_cryptomap_20 is NOT part of this group, so hosts
! in that /28 other than these five are not permitted by either ACL.
object-group network OFFIS_SERVERS
network-object X.X.X.X 255.255.255.255
network-object X.X.X.X 255.255.255.255
network-object X.X.X.X 255.255.255.255
network-object X.X.X.X 255.255.255.255
network-object X.X.X.X 255.255.255.255
! TCP 445/139. NOTE(review): defined but never referenced -- the Offis rules
! permit "ip" instead. Either narrow those rules to this group (least
! privilege) or remove the unused object.
object-group service Offis_FileShare tcp
port-object range 445 445
port-object range netbios-ssn netbios-ssn
! INTERNAL + IPFX: the two networks the outside1 remote sites may reach.
object-group network InternalNetworks
description This includes Both Internal and IPFX Networks
network-object INTERNAL 255.255.255.0
network-object IPFX 255.255.255.0
! The five site-to-site networks terminated on outside1 (crypto map entries
! 20-100 of outside1_map). The Offis networks on outside2 are deliberately not
! included here.
object-group network RemoteVPNSites
description This Group Includes All Remote VPN Sites.
network-object VPN_DAVE 255.255.255.0
network-object VPN_LONDON 255.255.255.0
network-object VPN_TORONTO 255.255.255.0
network-object VPN_MATT 255.255.255.0
network-object VPN_GARY 255.255.255.0
! Inbound ACL for outside2. Because "no sysopt connection permit-ipsec" is set
! below, this ACL is what admits connections the Offis side initiates after
! decryption. NOTE(review): outside2_cryptomap_20 also protects a /28, but
! OFFIS_SERVERS holds only five /32 hosts; remote-initiated flows from other
! addresses in that /28 are dropped here (replies to inside-initiated sessions
! are unaffected).
access-list outside2_access_in remark Offis VPN
access-list outside2_access_in extended permit ip object-group OFFIS_SERVERS INTERNAL 255.255.255.0
! Outbound ACL for inside. Egress is restricted per source host and service
! rather than "permit ip any any" -- good practice. The two "permit ip" entries
! at the end are the VPN flows.
access-list inside_access_in remark Allow SMTP Outbound (TCP 25) from Exchange Server only.
access-list inside_access_in extended permit tcp host OBJECT3 any eq smtp
access-list inside_access_in remark Allow DNS Outbound (UDP 53) from Internal DNS Servers only.
access-list inside_access_in extended permit udp object-group InternalDNSServers any eq domain
access-list inside_access_in remark Allow Web Access Outbound (HTTP/HTTPS) from ISA Server only.
access-list inside_access_in extended permit tcp host ISA_Server any object-group WebAccess
! Remark corrected: the rule below permits "ftp" (TCP 21); TCP 23 is Telnet.
access-list inside_access_in remark Allow FTP (TCP 21) Outbound from Internal Network
access-list inside_access_in remark FTP Restrictions are placed on the ISA Server
access-list inside_access_in extended permit tcp INTERNAL 255.255.255.0 any eq ftp
access-list inside_access_in remark Allow NTP Outbound (UDP 123) from NTP Server only.
access-list inside_access_in extended permit udp host OBJECT1 any eq ntp
access-list inside_access_in remark Allow TCP 18247 Outbound to TenFore Server
access-list inside_access_in extended permit tcp host OBJECT4 host TenFore_Server eq 18247
access-list inside_access_in remark Allow Outbound GXS VPN Connection TCP Rule (TCP 264)
access-list inside_access_in extended permit tcp host OBJECT5 host GXS_Server object-group GXS_TCP
access-list inside_access_in remark Allow Outbound GXS VPN Connection UDP Rule (UDP 500/2746)
access-list inside_access_in extended permit udp host OBJECT5 host GXS_Server object-group GXS_UDP
access-list inside_access_in remark Allow Outbound Traffic to All Remote VPN Sites
access-list inside_access_in extended permit ip INTERNAL 255.255.255.0 object-group RemoteVPNSites
! Offis VPN: inside may initiate anything to the five Offis hosts.
! NOTE(review): no inside_access_in entry covers the /28 listed in
! outside2_cryptomap_20, so inside hosts cannot reach addresses in that /28
! other than the five hosts, even once the tunnel is up.
access-list inside_access_in remark Offis VPN
access-list inside_access_in extended permit ip INTERNAL 255.255.255.0 object-group OFFIS_SERVERS
! NAT exemption list (used by "nat (inside) 0"). Exemption is bidirectional,
! so it also lets the remote sites reach INTERNAL/IPFX without a static under
! nat-control. The PERIMETER entry is inactive. The three hosts plus the /28
! below mirror outside2_cryptomap_20 -- keep the two lists in step.
access-list inside_nat0_outbound extended permit ip any PERIMETER 255.255.255.0 inactive
access-list inside_nat0_outbound extended permit ip any VPN_OPEN 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPN_TS 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_DAVE 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_DAVE 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 X.X.X.X 255.255.255.240
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_LONDON 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_LONDON 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_TORONTO 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_TORONTO 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_MATT 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_MATT 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_GARY 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_GARY 255.255.255.0
! Proxy identities for the VPN_DAVE site (outside1_map entry 20): INTERNAL
! and IPFX to 192.168.88.0/24. The peer's crypto ACL must be the mirror image.
access-list outside1_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 VPN_DAVE 255.255.255.0
access-list outside1_cryptomap_20 extended permit ip IPFX 255.255.255.0 VPN_DAVE 255.255.255.0
! Inbound ACL for outside1. With "no sysopt connection permit-ipsec" set, the
! VPN entries below are what actually admit decrypted traffic from the
! site-to-site peers and the two remote-access pools.
! The two "any -> interface" entries are the only Internet-exposed services;
! the statics forward them to OBJECT3 (Exchange).
access-list outside1_access_in remark Allow inbound SMTP (TCP 25) Access to Exchange Server only.
access-list outside1_access_in extended permit tcp any interface outside1 eq smtp
access-list outside1_access_in remark Allow inbound HTTPS (TCP 443) Access
access-list outside1_access_in remark HTTPS access only.
access-list outside1_access_in extended permit tcp any interface outside1 eq https
access-list outside1_access_in remark Allow Inbound VPN Traffic for All Remote VPN Sites.
access-list outside1_access_in remark This allows access to both INTERNAL and IPFX Networks.
access-list outside1_access_in extended permit ip object-group RemoteVPNSites object-group InternalNetworks
access-list outside1_access_in remark Allow Inbound VPN Traffic for OPEN_VPN_GRP. This includes the INTERNAL and IPFX Networks
access-list outside1_access_in extended permit ip VPN_OPEN 255.255.255.0 object-group InternalNetworks
access-list outside1_access_in remark Allow Inbound Traffic to ISA Proxy Server for Proxy Web Access to OPEN_VPN_GRP Users
access-list outside1_access_in extended permit tcp VPN_OPEN 255.255.255.0 host ISA_Server eq 8080
! TS_VPN_GRP clients are limited to RDP (3389) on a single host -- good scoping.
access-list outside1_access_in remark Allow Inbound Traffic to Terminal server for TS_VPN_GRP Users
access-list outside1_access_in extended permit tcp VPN_TS 255.255.255.0 host 192.168.18.X eq 3389
! Proxy identities for the Offis tunnel on outside2: INTERNAL only (no IPFX,
! unlike the outside1 site maps -- confirm that is intended). The remote
! peer's crypto ACL must be the exact mirror image or phase 2 fails with a
! proxy-ID mismatch. Each destination here also needs a route out of outside2.
access-list outside2_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list outside2_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list outside2_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list outside2_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 X.X.X.X 255.255.255.240
! Proxy identities for the remaining outside1 sites (map entries 40-100):
! LONDON, TORONTO, MATT, GARY; each covers INTERNAL and IPFX.
access-list outside1_cryptomap_40 extended permit ip INTERNAL 255.255.255.0 VPN_LONDON 255.255.255.0
access-list outside1_cryptomap_40 extended permit ip IPFX 255.255.255.0 VPN_LONDON 255.255.255.0
access-list outside1_cryptomap_60 extended permit ip INTERNAL 255.255.255.0 VPN_TORONTO 255.255.255.0
access-list outside1_cryptomap_60 extended permit ip IPFX 255.255.255.0 VPN_TORONTO 255.255.255.0
access-list outside1_cryptomap_80 extended permit ip INTERNAL 255.255.255.0 VPN_MATT 255.255.255.0
access-list outside1_cryptomap_80 extended permit ip IPFX 255.255.255.0 VPN_MATT 255.255.255.0
access-list outside1_cryptomap_100 extended permit ip INTERNAL 255.255.255.0 VPN_GARY 255.255.255.0
access-list outside1_cryptomap_100 extended permit ip IPFX 255.255.255.0 VPN_GARY 255.255.255.0
pager lines 24
! Syslog to 192.168.18.X at "warnings" and above, plus e-mail for critical
! and higher. NOTE(review): IKE/IPsec negotiation messages are largely below
! warnings, so the syslog host will not show why the outside2 tunnel fails;
! while troubleshooting, temporarily use "logging trap notifications" or
! "logging buffered debugging" and read the buffer.
logging enable
logging timestamp
logging trap warnings
logging asdm notifications
logging mail critical
logging from-address asa@domain.com
logging recipient-address administrator@domain.com level critical
logging recipient-address test@domain.com level alerts
logging recipient-address me@domain.com level emergencies
logging facility 22
logging device-id hostname
logging host inside 192.168.18.X
mtu outside1 1500
mtu outside2 1500
mtu inside 1500
mtu management 1500
! Remote-access address pools: 50 addresses each inside VPN_OPEN
! (192.168.108.0/24) and VPN_TS (192.168.118.0/24); outside1_access_in and the
! NAT exemption list refer to the whole /24s by those names.
ip local pool OPEN_VPN_ADD_POOL 192.168.108.100-192.168.108.149 mask 255.255.255.0
ip local pool TS_VPN_ADD_POOL 192.168.118.100-192.168.118.149 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
! nat-control: every inside->outside flow needs a translation or an exemption.
nat-control
! Interface PAT pools: id 20 exists only on outside1, id 10 only on outside2.
global (outside1) 20 interface
global (outside2) 10 interface
! NOTE(review): this pairs with "global (outside2) 10" for outside2->outside2
! traffic, which would also need same-security intra-interface forwarding and
! is not part of the described design -- presumably unused; confirm and remove.
nat (outside2) 10 0.0.0.0 0.0.0.0
! NAT exemption for all VPN traffic (both directions).
nat (inside) 0 access-list inside_nat0_outbound
! NOTE(review): inside traffic in nat id 20 can only leave via outside1, where
! a matching global exists; under nat-control, non-exempt inside traffic bound
! for outside2 is dropped. Fine if outside2 is a VPN-only link.
nat (inside) 20 PERIMETER 255.255.255.0
nat (inside) 20 INTERNAL 255.255.255.0
! SMTP/HTTPS port forwards to OBJECT3 on both outside interface addresses. Via
! outside2 they are reachable only from OFFIS_SERVERS, since outside2_access_in
! permits nothing else; via outside1 they are open to any source.
static (inside,outside2) tcp interface smtp OBJECT3 smtp netmask 255.255.255.255
static (inside,outside2) tcp interface https OBJECT3 https netmask 255.255.255.255
static (inside,outside1) tcp interface smtp OBJECT3 smtp netmask 255.255.255.255
static (inside,outside1) tcp interface https OBJECT3 https netmask 255.255.255.255
! Bind the ACLs inbound on each interface; outside2 carries a deliberately
! narrow ACL (Offis hosts to INTERNAL only).
access-group outside1_access_in in interface outside1
access-group outside2_access_in in interface outside2
access-group inside_access_in in interface inside
! NOTE(review): the only route off-box points at outside1, which is shut down
! above, and there is no "route outside2 ..." at all. The outside2 IKE peer and
! the destinations in outside2_cryptomap_20 are therefore reachable only if
! they sit inside the outside2 /30; otherwise IKE to that peer has no egress
! and the tunnel can never come up. Add routes of the form
!   route outside2 <REMOTE-NET> <REMOTE-MASK> <OUTSIDE2-NEXT-HOP> 1
! for the peer address and for every destination in the crypto ACL.
route outside1 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside IPFX 255.255.255.0 ISA_Server 1
! "tunneled": decrypted VPN traffic with no more specific route is handed to
! the ISA server instead of following the normal default route.
route inside 0.0.0.0 0.0.0.0 ISA_Server tunneled
route inside INTERNAL 255.255.255.0 ISA_Server 1
! Connection and translation idle timers. "uauth" is inert here: no
! "aaa authentication" cut-through rules appear in this config.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
! Default group policy. TS_VPN_GRP and OPEN_VPN_GRP below override only
! wins/dns/default-domain, so everything else here (tunnelall split policy,
! 3 simultaneous logins, no group-lock, PFS off) is inherited by both.
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
! Both IPsec and clientless WebVPN are permitted, but no global "webvpn" /
! "enable <interface>" section exists in this config, so WebVPN is inert.
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
! NOTE(review): "group-lock none" lets a user authenticate through any
! tunnel-group (e.g. a TS user via OPEN_VPN_GRP, receiving that group's
! address pool). Set "group-lock value <TUNNEL-GROUP>" in the per-group
! policies if the two user populations must stay separated.
group-lock none
! PFS off: compromise of the IKE key would expose recorded IPsec sessions.
! Enable it if the remote clients support it.
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
! tunnelall: remote-access clients send all traffic through the tunnel, so
! their Internet access goes via the ISA proxy (port 8080 rule on outside1).
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
! Terminal-server user policy: only name resolution and the DNS suffix are set;
! everything else is inherited from DfltGrpPolicy.
group-policy TS_VPN_GRP internal
group-policy TS_VPN_GRP attributes
wins-server value 192.168.18.X
dns-server value 192.168.18.X 192.168.18.X
default-domain value domain.local
webvpn
! General remote-access policy: same overrides as TS_VPN_GRP, everything else
! inherited from DfltGrpPolicy.
group-policy OPEN_VPN_GRP internal
group-policy OPEN_VPN_GRP attributes
wins-server value 192.168.18.X
dns-server value 192.168.18.X 192.168.18.X
default-domain value domain.local
webvpn
! Local remote-access users (no aaa-server is configured). "privilege 0"
! gives them no CLI privilege level; each is pinned to a group policy, which
! decides whether they get the OPEN or the TS access rules. Password hashes
! are redacted in this paste. The empty "webvpn" sub-modes carry no settings.
username O-USER1 password XXXX encrypted privilege 0
username O-USER1 attributes
vpn-group-policy OPEN_VPN_GRP
webvpn
username O-USER2 password XXXX encrypted privilege 0
username O-USER2 attributes
vpn-group-policy OPEN_VPN_GRP
webvpn
username O-USER3 password XXXX encrypted privilege 0
username O-USER3 attributes
vpn-group-policy OPEN_VPN_GRP
webvpn
username T-USER4 password XXXX encrypted privilege 0
username T-USER4 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER5 password XXXX encrypted privilege 0
username T-USER5 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER6 password XXXX encrypted privilege 0
username T-USER6 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER7 password XXXX encrypted privilege 0
username T-USER7 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER8 password XXXX encrypted privilege 0
username T-USER8 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER9 password XXXX encrypted privilege 0
username T-USER9 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER10 password XXXX encrypted privilege 0
username T-USER10 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER11 password XXXX encrypted privilege 0
username T-USER11 attributes
vpn-group-policy TS_VPN_GRP
webvpn
! The trailing "." after the redacted hash below is presumably a paste artefact.
username T-USER12 password XXXX. encrypted privilege 0
username T-USER12 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER13 password XXXX encrypted privilege 0
username T-USER13 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER14 password XXXX encrypted privilege 0
username T-USER14 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER15 password XXXX encrypted privilege 0
username T-USER15 attributes
vpn-group-policy TS_VPN_GRP
webvpn
! ASDM (HTTPS) management is limited to the ISA server on inside and to the
! 10.10.10.0/24 management network -- appropriately narrow.
http server enable
http ISA_Server 255.255.255.255 inside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
! NOTE(review): traps are enabled but no "snmp-server host" is configured, so
! they are sent nowhere; either add a trap receiver or drop this line.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Decrypted VPN traffic is NOT bypassed around the interface ACLs: each
! outsideN_access_in must explicitly permit the tunnelled flows. Good for
! least privilege, but a missing ACL entry then looks like a "tunnel problem".
no sysopt connection permit-ipsec
! 3DES with SHA-1/MD5 HMACs is legacy by current standards; move to AES/SHA-2
! when the peers support it. ESP-3DES-MD5 is defined but never referenced.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! Dynamic map for the remote-access clients, attached to outside1 only (no
! dynamic entry exists on outside2_map, so RA clients cannot connect there).
! Entry 40 is identical to entry 20 and appears redundant.
crypto dynamic-map outside1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside1_dyn_map 40 set transform-set ESP-3DES-SHA
! outside1: five static site-to-site peers (entries 20-100) plus the dynamic
! catch-all at 65535.
crypto map outside1_map 20 match address outside1_cryptomap_20
crypto map outside1_map 20 set peer X.X.X.X
crypto map outside1_map 20 set transform-set ESP-3DES-SHA
crypto map outside1_map 40 match address outside1_cryptomap_40
crypto map outside1_map 40 set peer X.X.X.X
crypto map outside1_map 40 set transform-set ESP-3DES-SHA
crypto map outside1_map 60 match address outside1_cryptomap_60
crypto map outside1_map 60 set peer X.X.X.X
crypto map outside1_map 60 set transform-set ESP-3DES-SHA
crypto map outside1_map 80 match address outside1_cryptomap_80
crypto map outside1_map 80 set peer X.X.X.X
crypto map outside1_map 80 set transform-set ESP-3DES-SHA
crypto map outside1_map 100 match address outside1_cryptomap_100
crypto map outside1_map 100 set peer X.X.X.X
crypto map outside1_map 100 set transform-set ESP-3DES-SHA
crypto map outside1_map 65535 ipsec-isakmp dynamic outside1_dyn_map
crypto map outside1_map interface outside1
! outside2: a single static peer. The "set peer" address must also be the name
! of one of the "tunnel-group X.X.X.X type ipsec-l2l" entries below, and the
! ASA needs a route to it out of outside2 (none is configured at present).
crypto map outside2_map 20 match address outside2_cryptomap_20
crypto map outside2_map 20 set peer X.X.X.X
crypto map outside2_map 20 set transform-set ESP-3DES-SHA
crypto map outside2_map interface outside2
! IKEv1 is enabled on both outside interfaces (correct for the new tunnel).
isakmp enable outside1
isakmp enable outside2
! Two phase-1 policies: pre-shared key, 3DES, DH group 2 (1024-bit), 24 h
! lifetime, differing only in the hash. Policy 30 (MD5) is the weaker one and
! is only needed if some peer cannot do SHA-1. Prefer AES / SHA / a larger DH
! group where the peers allow it.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
! NAT-T keepalives every 20 s, for remote-access clients behind NAT.
isakmp nat-traversal 20
! Remote-access tunnel groups: the group name is what the IPsec client
! presents, proven with the (hidden) pre-shared key; users then authenticate
! against the local database (no aaa-server is configured).
tunnel-group OPEN_VPN_GRP type ipsec-ra
tunnel-group OPEN_VPN_GRP general-attributes
address-pool OPEN_VPN_ADD_POOL
default-group-policy OPEN_VPN_GRP
tunnel-group OPEN_VPN_GRP ipsec-attributes
pre-shared-key *
tunnel-group TS_VPN_GRP type ipsec-ra
tunnel-group TS_VPN_GRP general-attributes
address-pool TS_VPN_ADD_POOL
default-group-policy TS_VPN_GRP
tunnel-group TS_VPN_GRP ipsec-attributes
pre-shared-key *
! Six site-to-site groups, one per static "set peer" address (five on
! outside1_map, one on outside2_map). For ipsec-l2l the group name must equal
! the peer address exactly; all keys are hidden ("*") in this output.
! NOTE(review): for the outside2 tunnel, confirm the key here matches the
! Offis side -- a PSK mismatch fails phase 1 and also presents as "cannot
! connect", indistinguishable from the missing route without the logs.
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
! Idle timeouts for CLI sessions. No "ssh <net> <mask> <if>" or "telnet ..."
! source lines are present, so neither protocol accepts connections; the CLI
! is reachable only from the console (ASDM is allowed separately above).
telnet timeout 5
ssh timeout 5
console timeout 5
! DHCP server parameters without any "dhcpd address"/"dhcpd enable" -- inert.
dhcpd lease 3600
dhcpd ping_timeout 50
!
! Default Modular Policy Framework: application inspection on the standard
! ports, applied globally. "inspect esmtp" sits in front of the exposed SMTP
! port forward and "inspect dns maximum-length 512" caps DNS message size.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
! NTP is sourced from outside1, which is shut down above, so time sync (and
! therefore log timestamps) will fail until that interface is up or the source
! is changed.
ntp server X.X.X.X source outside1 prefer
! Relay used by "logging mail".
smtp-server 192.168.18.X
Cryptochecksum:34973f13d3296461bc14bffdda2c319e
: end
We have a Cisco ASA 5510 device, without the Security Plus License. We had all our Internet connectivity/VPN terminating on the main internet connection on the Outside1 interface.
We now want to set up a second internet connection, which is practically a dedicated link to a remote network. A VPN tunnel to that remote network will terminate on the new interface (Outside2). I have configured the VPN tunnel, but I cannot get it to connect. Is there something missing in my config?
I appreciate your help, as I am not overly confident with ASA configuration.
! ASDM GUI metadata. "asdm location"/"asdm group" only tell the GUI on which
! interface to draw an object; they have no effect on forwarding or on the VPN.
asdm image disk0:/asdm-507.bin
asdm location GXS_Server 255.255.255.255 outside2
asdm location ISA_Server 255.255.255.255 inside
asdm location PERIMETER 255.255.255.0 outside2
asdm location VPN_TS 255.255.255.0 outside2
asdm location INTERNAL 255.255.255.0 inside
! NOTE(review): "VPN_DAVEH" has no matching "name" entry (the object defined
! below is VPN_DAVE). A stale GUI hint, not a traffic problem, but tidy it up.
asdm location VPN_DAVEH 255.255.255.0 outside2
asdm location TenFore_Server 255.255.255.255 outside2
asdm location VPN_OPEN 255.255.255.0 outside2
asdm location TenFore_Server 255.255.255.255 outside1
asdm location GXS_Server 255.255.255.255 outside1
asdm location VPN_OPEN 255.255.255.0 outside1
! The four redacted entries below appear to be the outside2 (Offis) peer
! networks that also occur in outside2_cryptomap_20 and the NAT exemption list.
asdm location X.X.X.X 255.255.255.255 outside2
asdm location X.X.X.X 255.255.255.255 outside2
asdm location X.X.X.X 255.255.255.255 outside2
asdm location X.X.X.X 255.255.255.240 outside2
asdm group InternalDNSServers inside
asdm group OFFIS_SERVERS outside2
asdm group InternalNetworks inside
asdm group RemoteVPNSites outside1
no asdm history enable
: Saved
:
! ASA 7.0(7) is a long-retired release; the syntax below (nat-control,
! global/nat/static, "isakmp" without the "crypto" prefix) is the pre-8.3 form.
ASA Version 7.0(7)
!
hostname XXXX
domain-name domain.com
! Privileged-mode password (hash redacted by the poster).
enable password XXX encrypted
names
! Symbolic names. Addresses shown as X.X.X.X / 192.168.18.X were redacted by
! the poster. INTERNAL (192.168.18.0/24) and IPFX (192.168.100.0/24) are the
! protected networks used by the crypto ACLs and NAT exemptions; PERIMETER
! (172.16.16.0/24) is the "inside" interface subnet, with the ISA server as
! the next hop towards INTERNAL and IPFX.
name X.X.X.X GXS_Server description GXS VPN Server
name 172.16.16.1 ISA_Server description Internal ISA Server
name 192.168.18.X OBJECT1
name 192.168.18.X OBJECT2
name 192.168.18.X OBJECT3
name X.X.X.X TenFore_Server
name 192.168.18.X OBJECT4
name 192.168.18.X OBJECT5
name 192.168.118.0 VPN_TS
name 172.16.16.0 PERIMETER
name 192.168.108.0 VPN_OPEN
name 192.168.88.0 VPN_DAVE
name 192.168.18.0 INTERNAL
name 192.168.100.0 IPFX
name 192.168.38.0 VPN_LONDON
name 192.168.68.0 VPN_TORONTO
name 192.168.58.0 VPN_MATT
name 192.168.48.0 VPN_GARY
dns-guard
!
interface Ethernet0/0
description Internet Connection
! NOTE(review): outside1 is administratively down, yet the default route, the
! outside1 crypto map, "isakmp enable outside1", the SMTP/HTTPS statics and
! the NTP source all depend on it. If this is the real saved state rather than
! a paste artefact, the ASA currently has no usable default route at all.
shutdown
nameif outside1
security-level 0
! /30 point-to-point link to the ISP; the default-route next hop is presumably
! the other address of this /30.
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/1
description Big Air Connection
! outside2: the dedicated link carrying the Offis site-to-site tunnel. It is
! also a /30 and no "route outside2 ..." exists anywhere in this config, so
! anything beyond the directly connected /30 (the IKE peer, the remote
! protected networks) is unreachable via this interface until a route is added.
nameif outside2
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface Ethernet0/2
! "inside" is the 172.16.16.0/24 (PERIMETER) segment. The ISA server
! 172.16.16.1 on it is the next hop for INTERNAL and IPFX (see the routes).
description Internal (DMZ Network)
nameif inside
security-level 100
ip address 172.16.16.2 255.255.255.0
!
interface Management0/0
description Management Port Only
nameif management
! security-level 0 on a management interface is unusual, but "management-only"
! stops it forwarding transit traffic. ASDM access from 10.10.10.0/24 is
! granted by the "http ... management" line further down.
security-level 0
ip address 10.10.10.1 255.255.255.0
management-only
!
! Console/Telnet login password (redacted), passive FTP for the ASA's own
! transfers, and the clock: UTC+10 with an October-to-March DST rule, which
! governs the log timestamps.
passwd XXXX encrypted
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
! TCP 80/443 -- used by inside_access_in to let only the ISA proxy browse out.
object-group service WebAccess tcp
description HTTP/HTTPS access
port-object eq www
port-object eq https
! TCP/UDP 53. NOTE(review): not referenced by any access-list in this config
! (the DNS rule uses "eq domain" directly) -- safe to remove.
object-group service DNS tcp-udp
description DNS Group
port-object range domain domain
! TCP 264 for the third-party GXS VPN client, permitted only from OBJECT5
! to GXS_Server.
object-group service GXS_TCP tcp
description Group for GXS TCP Protocols
port-object range 264 264
! UDP 2746 and UDP 500 (isakmp) for the GXS VPN client, again only from
! OBJECT5 to GXS_Server.
object-group service GXS_UDP udp
description Group for GXS UDP Protocols
port-object range 2746 2746
port-object range isakmp isakmp
! The two internal resolvers allowed to send DNS (UDP 53) outbound.
object-group network InternalDNSServers
description Group containing all Internal DNS Servers
network-object OBJECT1 255.255.255.255
network-object OBJECT2 255.255.255.255
! Five Offis hosts behind the outside2 tunnel (addresses redacted). Used by
! both outside2_access_in and inside_access_in. NOTE(review): the /28 that
! also appears in outside2_cryptomap_20 is NOT part of this group, so hosts
! in that /28 other than these five are not permitted by either ACL.
object-group network OFFIS_SERVERS
network-object X.X.X.X 255.255.255.255
network-object X.X.X.X 255.255.255.255
network-object X.X.X.X 255.255.255.255
network-object X.X.X.X 255.255.255.255
network-object X.X.X.X 255.255.255.255
! TCP 445/139. NOTE(review): defined but never referenced -- the Offis rules
! permit "ip" instead. Either narrow those rules to this group (least
! privilege) or remove the unused object.
object-group service Offis_FileShare tcp
port-object range 445 445
port-object range netbios-ssn netbios-ssn
! INTERNAL + IPFX: the two networks the outside1 remote sites may reach.
object-group network InternalNetworks
description This includes Both Internal and IPFX Networks
network-object INTERNAL 255.255.255.0
network-object IPFX 255.255.255.0
! The five site-to-site networks terminated on outside1 (crypto map entries
! 20-100 of outside1_map). The Offis networks on outside2 are deliberately not
! included here.
object-group network RemoteVPNSites
description This Group Includes All Remote VPN Sites.
network-object VPN_DAVE 255.255.255.0
network-object VPN_LONDON 255.255.255.0
network-object VPN_TORONTO 255.255.255.0
network-object VPN_MATT 255.255.255.0
network-object VPN_GARY 255.255.255.0
! Inbound ACL for outside2. Because "no sysopt connection permit-ipsec" is set
! in this config, this ACL is what admits connections the Offis side initiates
! after decryption. NOTE(review): outside2_cryptomap_20 also protects a /28,
! but OFFIS_SERVERS holds only five /32 hosts; remote-initiated flows from
! other addresses in that /28 are dropped here (replies to inside-initiated
! sessions are unaffected).
access-list outside2_access_in remark Offis VPN
access-list outside2_access_in extended permit ip object-group OFFIS_SERVERS INTERNAL 255.255.255.0
! Outbound ACL for inside. Egress is restricted per source host and service
! rather than "permit ip any any" -- good practice. The two "permit ip" entries
! at the end are the VPN flows.
access-list inside_access_in remark Allow SMTP Outbound (TCP 25) from Exchange Server only.
access-list inside_access_in extended permit tcp host OBJECT3 any eq smtp
access-list inside_access_in remark Allow DNS Outbound (UDP 53) from Internal DNS Servers only.
access-list inside_access_in extended permit udp object-group InternalDNSServers any eq domain
access-list inside_access_in remark Allow Web Access Outbound (HTTP/HTTPS) from ISA Server only.
access-list inside_access_in extended permit tcp host ISA_Server any object-group WebAccess
! Remark corrected: the rule below permits "ftp" (TCP 21); TCP 23 is Telnet.
access-list inside_access_in remark Allow FTP (TCP 21) Outbound from Internal Network
access-list inside_access_in remark FTP Restrictions are placed on the ISA Server
access-list inside_access_in extended permit tcp INTERNAL 255.255.255.0 any eq ftp
access-list inside_access_in remark Allow NTP Outbound (UDP 123) from NTP Server only.
access-list inside_access_in extended permit udp host OBJECT1 any eq ntp
access-list inside_access_in remark Allow TCP 18247 Outbound to TenFore Server
access-list inside_access_in extended permit tcp host OBJECT4 host TenFore_Server eq 18247
access-list inside_access_in remark Allow Outbound GXS VPN Connection TCP Rule (TCP 264)
access-list inside_access_in extended permit tcp host OBJECT5 host GXS_Server object-group GXS_TCP
access-list inside_access_in remark Allow Outbound GXS VPN Connection UDP Rule (UDP 500/2746)
access-list inside_access_in extended permit udp host OBJECT5 host GXS_Server object-group GXS_UDP
access-list inside_access_in remark Allow Outbound Traffic to All Remote VPN Sites
access-list inside_access_in extended permit ip INTERNAL 255.255.255.0 object-group RemoteVPNSites
! Offis VPN: inside may initiate anything to the five Offis hosts.
! NOTE(review): no inside_access_in entry covers the /28 listed in
! outside2_cryptomap_20, so inside hosts cannot reach addresses in that /28
! other than the five hosts, even once the tunnel is up.
access-list inside_access_in remark Offis VPN
access-list inside_access_in extended permit ip INTERNAL 255.255.255.0 object-group OFFIS_SERVERS
! NAT exemption list (used by "nat (inside) 0"). Exemption is bidirectional,
! so it also lets the remote sites reach INTERNAL/IPFX without a static under
! nat-control. The PERIMETER entry is inactive. The three hosts plus the /28
! below mirror outside2_cryptomap_20 -- keep the two lists in step.
access-list inside_nat0_outbound extended permit ip any PERIMETER 255.255.255.0 inactive
access-list inside_nat0_outbound extended permit ip any VPN_OPEN 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPN_TS 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_DAVE 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_DAVE 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 X.X.X.X 255.255.255.240
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_LONDON 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_LONDON 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_TORONTO 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_TORONTO 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_MATT 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_MATT 255.255.255.0
access-list inside_nat0_outbound extended permit ip INTERNAL 255.255.255.0 VPN_GARY 255.255.255.0
access-list inside_nat0_outbound extended permit ip IPFX 255.255.255.0 VPN_GARY 255.255.255.0
! Proxy identities for the VPN_DAVE site (outside1_map entry 20): INTERNAL
! and IPFX to 192.168.88.0/24. The peer's crypto ACL must be the mirror image.
access-list outside1_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 VPN_DAVE 255.255.255.0
access-list outside1_cryptomap_20 extended permit ip IPFX 255.255.255.0 VPN_DAVE 255.255.255.0
! Inbound ACL for outside1. With "no sysopt connection permit-ipsec" set, the
! VPN entries below are what actually admit decrypted traffic from the
! site-to-site peers and the two remote-access pools.
! The two "any -> interface" entries are the only Internet-exposed services;
! the statics forward them to OBJECT3 (Exchange).
access-list outside1_access_in remark Allow inbound SMTP (TCP 25) Access to Exchange Server only.
access-list outside1_access_in extended permit tcp any interface outside1 eq smtp
access-list outside1_access_in remark Allow inbound HTTPS (TCP 443) Access
access-list outside1_access_in remark HTTPS access only.
access-list outside1_access_in extended permit tcp any interface outside1 eq https
access-list outside1_access_in remark Allow Inbound VPN Traffic for All Remote VPN Sites.
access-list outside1_access_in remark This allows access to both INTERNAL and IPFX Networks.
access-list outside1_access_in extended permit ip object-group RemoteVPNSites object-group InternalNetworks
access-list outside1_access_in remark Allow Inbound VPN Traffic for OPEN_VPN_GRP. This includes the INTERNAL and IPFX Networks
access-list outside1_access_in extended permit ip VPN_OPEN 255.255.255.0 object-group InternalNetworks
access-list outside1_access_in remark Allow Inbound Traffic to ISA Proxy Server for Proxy Web Access to OPEN_VPN_GRP Users
access-list outside1_access_in extended permit tcp VPN_OPEN 255.255.255.0 host ISA_Server eq 8080
! TS_VPN_GRP clients are limited to RDP (3389) on a single host -- good scoping.
access-list outside1_access_in remark Allow Inbound Traffic to Terminal server for TS_VPN_GRP Users
access-list outside1_access_in extended permit tcp VPN_TS 255.255.255.0 host 192.168.18.X eq 3389
! Proxy identities for the Offis tunnel on outside2: INTERNAL only (no IPFX,
! unlike the outside1 site maps -- confirm that is intended). The remote
! peer's crypto ACL must be the exact mirror image or phase 2 fails with a
! proxy-ID mismatch. Each destination here also needs a route out of outside2.
access-list outside2_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list outside2_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list outside2_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 host X.X.X.X
access-list outside2_cryptomap_20 extended permit ip INTERNAL 255.255.255.0 X.X.X.X 255.255.255.240
! Proxy identities for the remaining outside1 sites (map entries 40-100):
! LONDON, TORONTO, MATT, GARY; each covers INTERNAL and IPFX.
access-list outside1_cryptomap_40 extended permit ip INTERNAL 255.255.255.0 VPN_LONDON 255.255.255.0
access-list outside1_cryptomap_40 extended permit ip IPFX 255.255.255.0 VPN_LONDON 255.255.255.0
access-list outside1_cryptomap_60 extended permit ip INTERNAL 255.255.255.0 VPN_TORONTO 255.255.255.0
access-list outside1_cryptomap_60 extended permit ip IPFX 255.255.255.0 VPN_TORONTO 255.255.255.0
access-list outside1_cryptomap_80 extended permit ip INTERNAL 255.255.255.0 VPN_MATT 255.255.255.0
access-list outside1_cryptomap_80 extended permit ip IPFX 255.255.255.0 VPN_MATT 255.255.255.0
access-list outside1_cryptomap_100 extended permit ip INTERNAL 255.255.255.0 VPN_GARY 255.255.255.0
access-list outside1_cryptomap_100 extended permit ip IPFX 255.255.255.0 VPN_GARY 255.255.255.0
pager lines 24
! Syslog to 192.168.18.X at "warnings" and above, plus e-mail for critical
! and higher. NOTE(review): IKE/IPsec negotiation messages are largely below
! warnings, so the syslog host will not show why the outside2 tunnel fails;
! while troubleshooting, temporarily use "logging trap notifications" or
! "logging buffered debugging" and read the buffer.
logging enable
logging timestamp
logging trap warnings
logging asdm notifications
logging mail critical
logging from-address asa@domain.com
logging recipient-address administrator@domain.com level critical
logging recipient-address test@domain.com level alerts
logging recipient-address me@domain.com level emergencies
logging facility 22
logging device-id hostname
logging host inside 192.168.18.X
mtu outside1 1500
mtu outside2 1500
mtu inside 1500
mtu management 1500
! Remote-access address pools: 50 addresses each inside VPN_OPEN
! (192.168.108.0/24) and VPN_TS (192.168.118.0/24); outside1_access_in and the
! NAT exemption list refer to the whole /24s by those names.
ip local pool OPEN_VPN_ADD_POOL 192.168.108.100-192.168.108.149 mask 255.255.255.0
ip local pool TS_VPN_ADD_POOL 192.168.118.100-192.168.118.149 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
! nat-control: every inside->outside flow needs a translation or an exemption.
nat-control
! Interface PAT pools: id 20 exists only on outside1, id 10 only on outside2.
global (outside1) 20 interface
global (outside2) 10 interface
! NOTE(review): this pairs with "global (outside2) 10" for outside2->outside2
! traffic, which would also need same-security intra-interface forwarding and
! is not part of the described design -- presumably unused; confirm and remove.
nat (outside2) 10 0.0.0.0 0.0.0.0
! NAT exemption for all VPN traffic (both directions).
nat (inside) 0 access-list inside_nat0_outbound
! NOTE(review): inside traffic in nat id 20 can only leave via outside1, where
! a matching global exists; under nat-control, non-exempt inside traffic bound
! for outside2 is dropped. Fine if outside2 is a VPN-only link.
nat (inside) 20 PERIMETER 255.255.255.0
nat (inside) 20 INTERNAL 255.255.255.0
! SMTP/HTTPS port forwards to OBJECT3 on both outside interface addresses. Via
! outside2 they are reachable only from OFFIS_SERVERS, since outside2_access_in
! permits nothing else; via outside1 they are open to any source.
static (inside,outside2) tcp interface smtp OBJECT3 smtp netmask 255.255.255.255
static (inside,outside2) tcp interface https OBJECT3 https netmask 255.255.255.255
static (inside,outside1) tcp interface smtp OBJECT3 smtp netmask 255.255.255.255
static (inside,outside1) tcp interface https OBJECT3 https netmask 255.255.255.255
! --- Interface ACL bindings (the ACLs themselves are outside this section) ---
! Because "no sysopt connection permit-ipsec" is set further down, decrypted VPN traffic is
! filtered by the inbound ACL of the terminating interface: outside2_access_in must permit
! remote /28 -> INTERNAL/24 for the new tunnel to pass traffic once it is up.
access-group outside1_access_in in interface outside1
access-group outside2_access_in in interface outside2
access-group inside_access_in in interface inside
! --- Static routes ---
! Only a default route via outside1 exists; there is no "route outside2 ..." at all.
! The ASA selects the egress interface from this table and then consults only the crypto map
! bound to that interface. So both the IKE peer of outside2_map and the remote /28 in
! outside2_cryptomap_20 currently resolve to outside1, where outside1_map has no matching
! peer or selector. Unless both sit on outside2's directly-connected subnet, this is the most
! likely reason the outside2 tunnel never comes up. Needed (placeholders, fill in real values):
!   route outside2 <remote-/28-network> 255.255.255.240 <outside2-next-hop> 1
!   route outside2 <peer-address> 255.255.255.255 <outside2-next-hop> 1   (only if the peer is not on-link)
route outside1 0.0.0.0 0.0.0.0 X.X.X.X 1
! Internal networks are reached through the ISA server rather than directly.
route inside IPFX 255.255.255.0 ISA_Server 1
! "tunneled": decrypted VPN traffic with no more specific route is forwarded to ISA_Server.
route inside 0.0.0.0 0.0.0.0 ISA_Server tunneled
route inside INTERNAL 255.255.255.0 ISA_Server 1
! --- Connection/translation timeouts (platform defaults) ---
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
! Cut-through proxy authentication cache: 5 min, absolute (not idle).
timeout uauth 0:05:00 absolute
! --- Default group policy: inherited by TS_VPN_GRP and OPEN_VPN_GRP unless they override ---
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
! Up to 3 concurrent sessions per user.
vpn-simultaneous-logins 3
! No idle and no absolute timeout: a remote-access session left open stays up indefinitely.
! Consider a bounded "vpn-idle-timeout" and "vpn-session-timeout".
vpn-idle-timeout none
vpn-session-timeout none
! No per-session ACL: remote-access users see whatever the interface ACLs and routing allow.
vpn-filter none
! webvpn is permitted by the default policy; no interface enabling it is visible in this section.
vpn-tunnel-protocol IPSec webvpn
! Clients are not allowed to cache the password — good.
password-storage disable
ip-comp disable
re-xauth disable
! No group lock: a user can authenticate against either remote-access tunnel group. The
! username's vpn-group-policy still applies, but the address pool comes from whichever
! tunnel group was used. "group-lock value <tunnel-group>" in each group policy pins users.
group-lock none
! No PFS for remote-access phase 2 (the site-to-site map entries set none either).
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
! Full tunnel (no split tunnelling): all client traffic comes through the VPN — good.
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
! Policy for the TS remote-access group: only overrides WINS/DNS/default domain;
! everything else (timeouts, tunnelall, no vpn-filter) is inherited from DfltGrpPolicy.
group-policy TS_VPN_GRP internal
group-policy TS_VPN_GRP attributes
wins-server value 192.168.18.X
dns-server value 192.168.18.X 192.168.18.X
default-domain value domain.local
webvpn
! Policy for the OPEN remote-access group: identical overrides to TS_VPN_GRP
! (WINS/DNS/default domain); everything else is inherited from DfltGrpPolicy.
group-policy OPEN_VPN_GRP internal
group-policy OPEN_VPN_GRP attributes
wins-server value 192.168.18.X
dns-server value 192.168.18.X 192.168.18.X
default-domain value domain.local
webvpn
! --- Local remote-access users ---
! privilege 0 gives these accounts no device-management rights. Whether they are also accepted
! for SSH/ASDM login depends on "aaa authentication ... LOCAL" lines not visible in this section —
! confirm. O-* users are bound to OPEN_VPN_GRP, T-* users to TS_VPN_GRP; the empty "webvpn"
! sub-blocks carry no settings.
username O-USER1 password XXXX encrypted privilege 0
username O-USER1 attributes
vpn-group-policy OPEN_VPN_GRP
webvpn
username O-USER2 password XXXX encrypted privilege 0
username O-USER2 attributes
vpn-group-policy OPEN_VPN_GRP
webvpn
username O-USER3 password XXXX encrypted privilege 0
username O-USER3 attributes
vpn-group-policy OPEN_VPN_GRP
webvpn
! TS group users.
username T-USER4 password XXXX encrypted privilege 0
username T-USER4 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER5 password XXXX encrypted privilege 0
username T-USER5 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER6 password XXXX encrypted privilege 0
username T-USER6 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER7 password XXXX encrypted privilege 0
username T-USER7 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER8 password XXXX encrypted privilege 0
username T-USER8 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER9 password XXXX encrypted privilege 0
username T-USER9 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER10 password XXXX encrypted privilege 0
username T-USER10 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER11 password XXXX encrypted privilege 0
username T-USER11 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER12 password XXXX. encrypted privilege 0
username T-USER12 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER13 password XXXX encrypted privilege 0
username T-USER13 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER14 password XXXX encrypted privilege 0
username T-USER14 attributes
vpn-group-policy TS_VPN_GRP
webvpn
username T-USER15 password XXXX encrypted privilege 0
username T-USER15 attributes
vpn-group-policy TS_VPN_GRP
webvpn
! --- Management access and IPsec ACL bypass ---
! ASDM/HTTPS is reachable only from the ISA server (inside) and the 10.10.10.0/24 management LAN.
http server enable
http ISA_Server 255.255.255.255 inside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
! Traps are enabled, but no "snmp-server host"/community line is visible in this section.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Decrypted VPN traffic is NOT exempt from the interface ACL. For the outside2 tunnel,
! outside2_access_in (not shown) must explicitly permit remote /28 -> INTERNAL/24; for
! outside1 the RA pools and remote sites likewise. This is the least-privilege setting —
! keep it, just make sure the ACL entries exist.
no sysopt connection permit-ipsec
! --- IPsec phase 2 ---
! Both transform sets use 3DES (legacy; AES is available on this release if the peers support
! it). ESP-3DES-MD5 is referenced by no map entry below and can be removed. No static entry
! has "set pfs", so the site-to-site SAs are negotiated without PFS.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! Dynamic map for remote-access clients (entries 20 and 40 are identical). It is attached to
! outside1 only (sequence 65535 below), so remote-access VPN terminates on outside1 only.
crypto dynamic-map outside1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside1_dyn_map 40 set transform-set ESP-3DES-SHA
! Static site-to-site entries on outside1 (five remote peers).
crypto map outside1_map 20 match address outside1_cryptomap_20
crypto map outside1_map 20 set peer X.X.X.X
crypto map outside1_map 20 set transform-set ESP-3DES-SHA
crypto map outside1_map 40 match address outside1_cryptomap_40
crypto map outside1_map 40 set peer X.X.X.X
crypto map outside1_map 40 set transform-set ESP-3DES-SHA
crypto map outside1_map 60 match address outside1_cryptomap_60
crypto map outside1_map 60 set peer X.X.X.X
crypto map outside1_map 60 set transform-set ESP-3DES-SHA
crypto map outside1_map 80 match address outside1_cryptomap_80
crypto map outside1_map 80 set peer X.X.X.X
crypto map outside1_map 80 set transform-set ESP-3DES-SHA
crypto map outside1_map 100 match address outside1_cryptomap_100
crypto map outside1_map 100 set peer X.X.X.X
crypto map outside1_map 100 set transform-set ESP-3DES-SHA
crypto map outside1_map 65535 ipsec-isakmp dynamic outside1_dyn_map
crypto map outside1_map interface outside1
! Site-to-site entry for the new dedicated link. The entry itself is complete (selector, peer,
! transform set), but it is only evaluated for packets the routing table sends out of
! outside2 — with no "route outside2" in the routing section it is never hit. The peer address
! here must be exactly the name of the matching "tunnel-group ... type ipsec-l2l" below.
crypto map outside2_map 20 match address outside2_cryptomap_20
crypto map outside2_map 20 set peer X.X.X.X
crypto map outside2_map 20 set transform-set ESP-3DES-SHA
crypto map outside2_map interface outside2
! --- IKEv1 phase 1 ---
! ISAKMP listens on both outside interfaces (UDP/500; UDP/4500 with NAT-T).
isakmp enable outside1
isakmp enable outside2
! Policy 10: PSK / 3DES / SHA-1 / DH group 2 / 24 h lifetime. Legacy by current standards;
! this release can negotiate AES ("encryption aes-256") but not IKEv2 or SHA-2, so the
! remaining upgrade path is newer software/hardware.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Policy 30 differs from 10 only in using MD5. Keep it only if a specific peer requires it;
! otherwise remove it so it is never negotiated. The outside2 peer must offer a proposal that
! matches one of these two exactly (authentication, cipher, hash and DH group).
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
! NAT traversal with a 20 s keepalive.
isakmp nat-traversal 20
! --- Tunnel groups ---
! Remote-access groups: each maps to its own address pool and group policy and is protected by
! a group pre-shared key; the local usernames above are the per-user credential (presumably via
! XAUTH against the LOCAL database — confirm the aaa settings outside this section).
tunnel-group OPEN_VPN_GRP type ipsec-ra
tunnel-group OPEN_VPN_GRP general-attributes
address-pool OPEN_VPN_ADD_POOL
default-group-policy OPEN_VPN_GRP
tunnel-group OPEN_VPN_GRP ipsec-attributes
pre-shared-key *
tunnel-group TS_VPN_GRP type ipsec-ra
tunnel-group TS_VPN_GRP general-attributes
address-pool TS_VPN_ADD_POOL
default-group-policy TS_VPN_GRP
tunnel-group TS_VPN_GRP ipsec-attributes
pre-shared-key *
! Six site-to-site groups: five outside1 peers plus the outside2 peer. Each group name must be
! exactly the address used in the corresponding "set peer" line; the addresses are redacted in
! this listing, so compare "show run tunnel-group" with "show run crypto map" on the device.
! A name mismatch, or a PSK different from the remote side's, fails phase 1 — "debug crypto
! isakmp" on both ends shows which.
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
! --- Management session timeouts (5 min idle) and DHCP server defaults ---
! No "telnet"/"ssh" permit lines are visible in this section, so which hosts may open
! management sessions cannot be confirmed from here.
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd lease 3600
dhcpd ping_timeout 50
!
! --- Default application inspection policy (applied globally) ---
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
! DNS messages larger than 512 bytes are dropped; this can break larger EDNS/DNSSEC responses.
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
! ESMTP inspection applies to the OBJECT3 SMTP static above as well.
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
! Unauthenticated NTP over outside1 (no "ntp authenticate"/key lines are visible); time matters
! for log correlation and for certificate-based auth if it is ever introduced.
ntp server X.X.X.X source outside1 prefer
! SMTP relay used by "logging mail" above.
smtp-server 192.168.18.X
! Integrity hash of the saved configuration; regenerated on every "write memory".
Cryptochecksum:34973f13d3296461bc14bffdda2c319e
: end