We have an ASA running 7.2(3). We have recently moved internet connections and added a more secure DMZ. Our inbound DMZ through the xo-outside address works fine for users at home over the Internet. The problem is our internal wireless is on the DMZ and the DMZ cannot reach the outside address.
I can't connect to the DMZ address to create the VPN link. How can I do this so that our users can connect to the VPN both from the outside and from wireless without changing their configuration?
Below is my config; it has a lot of cruft since we moved our Internet from outside to xo-outside and I haven't cleaned everything out yet.
: Saved
:
ASA Version 7.2(3)
!
! Saved configuration of the ASA from the post above (ASA 7.2(3), hostname ceqfw).
! Lines beginning with "!" are review comments; the ASA config parser ignores them.
! NOTE(review): this paste contains the enable/login password hashes (here and at the
! "passwd" line below) and, further down, a cleartext RADIUS shared key and SNMP community
! strings. Treat all of them as disclosed and rotate them on the device and its peers.
hostname ceqfw
domain-name cequint.local
enable password 8Ry2Yjseu7RRXU24 encrypted
names
! "name" entries give labels to addresses used throughout the config. The 64.81.165.x labels
! belong to the legacy "outside" uplink (Vlan2), 209.117.21.x to the dmz /27 (Vlan3),
! 65.47.31.158 (xo-primary) to the current "xo-outside" uplink (Vlan210), and the 192.168.x.x
! labels to inside/ECID hosts. Several public names carry an "xo." prefix for the new provider.
name 192.168.10.15 ceqfs01
name 192.168.10.10 ceqsbs01
name 192.168.10.5 lserver
name 192.168.10.60 pserver
name 192.168.10.83 lserver2
name 192.168.10.102 nameid01
name 192.168.10.21 ceqexc01
name 192.168.10.13 ceqback01
name 192.168.10.85 lserver3
name 192.168.10.114 tracy
name 64.81.165.222 uscc.cequint.com
name 192.168.10.108 stephanick
name 64.81.165.168 Primary description Primary public IP for Cisco
name 64.81.165.155 test2.cequint.com description To Senja
name 192.168.10.88 test2
name 64.81.165.211 vanilla.cequint.com
name 64.81.165.212 reg.cequintidml.com
name 192.168.10.35 reg.cequint.local
name 64.81.165.204 dev.cequintidml.com
name 64.81.165.210 dev01.cequint.com
name 64.81.165.207 dev02.cequint.com
name 64.81.165.208 test01.cequint.com
name 192.168.200.59 cas.test01
name 192.168.200.55 cas.dev01
name 192.168.200.57 cas.dev02
name 192.168.200.46 ecidmgmt01
name 192.168.200.61 ecidmgmt02
name 209.117.21.131 xo.ceqexec01.cequint.com
name 209.117.21.132 xo.ns01.cequintecid.com
name 209.117.21.133 xo.ns02.cequintecid.com
name 209.117.21.138 xo.dev.cequintidml.com
name 209.117.21.137 xo.reg.cequintidml.com
name 209.117.21.136 xo.test2.cequint.com
name 209.117.21.142 xo.cas.dev02.cequintecid.com
name 209.117.21.144 xo.cas.test01.cequintecid.com
name 209.117.21.145 xo.vanilla.cequint.com
name 192.168.10.86 dev.cequintidml.local
name 65.47.31.158 xo-primary
name 209.117.21.140 xo.cas.dev01.cequintecid.com
name 192.168.200.56 cf.dev01
name 209.117.21.141 cf.dev01.cequintecid.com
name 192.168.200.58 cf.dev02
name 209.117.21.143 cf.dev02.cequintecid.com
name 192.168.200.60 cf.test01
name 209.117.21.149 cf.test01.cequintecid.com
name 209.117.21.151 xo.cas.test02.cequintecid.com
name 209.117.21.150 xo.cas.int02.cequintclrcityid.com
name 209.117.21.153 xo.cf.int02.cequintclrcityid.com
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
!
! Vlan2 "outside" is the legacy provider uplink (Primary = 64.81.165.168/24). The only
! default route in this config goes out xo-outside, so nothing egresses here any more.
interface Vlan2
nameif outside
security-level 0
ip address Primary 255.255.255.0
ospf cost 10
!
! Vlan3 "dmz" carries the wireless clients (per the post) on a publicly routed /27, yet it is
! at security-level 100 -- the same level as inside. Combined with
! "same-security-traffic permit inter-interface" and the "dmz_access_in permit ip any any"
! rule applied later, dmz hosts have unrestricted access to inside, phone and ECID. A DMZ
! intended to be more restricted than inside needs a lower security-level than inside
! and an explicit inbound access-list.
interface Vlan3
nameif dmz
security-level 100
ip address 209.117.21.129 255.255.255.224
ospf cost 10
!
interface Vlan13
nameif phone
security-level 100
ip address 10.128.10.254 255.255.255.0
!
interface Vlan200
nameif ECID
security-level 100
ip address 192.168.200.1 255.255.255.0
!
! Vlan210 "xo-outside" is the live Internet uplink (a /30; default route via 65.47.31.157).
interface Vlan210
nameif xo-outside
security-level 0
ip address xo-primary 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 210
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 13
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 210
!
! Ethernet0/6 is an access port in VLAN 200; the "switchport trunk allowed vlan 2" line only
! takes effect if the port is ever switched to trunk mode -- presumably leftover, verify.
interface Ethernet0/6
switchport access vlan 200
switchport trunk allowed vlan 2
!
interface Ethernet0/7
!
! Login password hash -- disclosed by this paste, see the note at the top of the config.
passwd pP85NCWvaJIRP98A encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name cequint.local
! Both same-security permits are on: the level-100 interfaces (inside, dmz, phone, ECID) may
! pass traffic to each other, and traffic may enter and leave the same interface. The
! intra-interface permit is presumably there for the "static (inside,inside)" hairpin entry
! and for VPN-client-to-VPN-client traffic -- confirm.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Service and network object groups. Of these, only LserverGroup, CNAM_ED, ECID-CAS-CP, dmz
! and mail are referenced by access-lists in this config; CnamGroup, LserverGroup2,
! DC_CNAM_Subnet, Temp, cnam and HumeDC appear unused (HumeDC's 64.135.10.16/28 is written
! out literally in the crypto ACLs instead of via the group).
object-group service CnamGroup tcp
description Cnam port 11000
port-object range 11000 11000
object-group service LserverGroup tcp
description port 80, 443, 8080, 8443 for Lserver (and 8000 for debug)
port-object range 8080 8080
port-object eq www
port-object eq https
port-object range 8443 8443
port-object range 8000 8000
port-object range 9080 9080
port-object range 11000 11005
port-object range 8043 8043
object-group service LserverGroup2 udp
description open up UDP for 11000
port-object range 11000 11000
object-group network DC_CNAM_Subnet
network-object 10.0.0.0 255.0.0.0
object-group network Temp
network-object 10.1.1.8 255.255.255.248
object-group network CNAM_ED
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.255.0
object-group network cnam
network-object 10.1.1.0 255.255.255.0
object-group network HumeDC
description Access to SCP
network-object 64.135.10.16 255.255.255.240
object-group service ECID-CAS-CP tcp
description ECID CAS and CP
port-object range 8080 8080
port-object range 8090 8090
port-object eq https
object-group network dmz
network-object 209.117.21.128 255.255.255.224
object-group service mail tcp
port-object range 993 993
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
! NAT-exemption (nat 0) list for inside. Entries overlap (172.16.0.0/24 is already covered by
! 172.16.0.0/16) and two are "any"-sourced (to 172.1.0.0/16 and to the VPN pool 192.168.12.0/24).
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.1.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.2.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.1.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 64.135.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.1.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 209.117.21.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host xo-primary
! Inbound rules on the legacy "outside" interface; they reference the old 64.81.165.x public
! addresses. "any eq Primary eq www" and "any eq 2200 host Primary eq 2200" match on SOURCE
! port, which is unusual -- presumably mis-entered; verify before keeping them.
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq imap4
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq smtp
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq 993
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq https
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq pop3
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq www
access-list outside_access_in extended permit tcp any host 64.81.165.221 object-group LserverGroup
access-list outside_access_in extended permit tcp any host reg.cequintidml.com object-group LserverGroup
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any eq Primary eq www
access-list outside_access_in extended permit tcp any host vanilla.cequint.com eq 8080
access-list outside_access_in extended permit tcp any host vanilla.cequint.com eq https
access-list outside_access_in extended permit tcp any host vanilla.cequint.com eq www
access-list outside_access_in extended permit tcp any host dev.cequintidml.com object-group LserverGroup
access-list outside_access_in extended permit tcp any host dev.cequintidml.com eq 43443
access-list outside_access_in extended permit tcp any host dev01.cequint.com object-group ECID-CAS-CP
access-list outside_access_in extended permit tcp any host dev02.cequint.com object-group ECID-CAS-CP
access-list outside_access_in extended permit tcp any host test01.cequint.com object-group ECID-CAS-CP
access-list outside_access_in extended permit tcp any eq 2200 host Primary eq 2200
access-list outside_access_in extended permit udp any host test01.cequint.com eq domain
access-list outside_access_in extended permit udp any host dev02.cequint.com eq domain
access-list outside_access_in extended permit tcp any host test01.cequint.com eq domain
access-list outside_access_in extended permit tcp any host dev02.cequint.com eq domain
! The interface access-lists applied to inside, phone, ECID (ECID_access_in_1) and dmz are
! all "permit ip any any": there is no filtering between any of the level-100 networks.
access-list inside_access_in extended permit ip any any
! Split-tunnel list for the cequintvpn group: inside, the VPN pool and the phone subnet.
access-list cequintvpn_splitTunnelAcl remark Cequint Internal Network
access-list cequintvpn_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list cequintvpn_splitTunnelAcl remark VPN network
access-list cequintvpn_splitTunnelAcl standard permit 192.168.12.0 255.255.255.0
access-list cequintvpn_splitTunnelAcl standard permit 10.128.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group CNAM_ED
access-list phone_access_in extended permit ip any any
! "eq eq www" looks malformed (a stray token). This list drives "nat (phone) 1" below, so it
! should be checked on the device rather than trusted from the paste.
access-list outside_access_phone extended permit tcp any eq eq www
access-list phone_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 10.128.10.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 64.135.10.16 255.255.255.240
! ECID_access_in is defined but ECID_access_in_1 (permit ip any any) is the one applied.
access-list ECID_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list ECID_access_in_1 extended permit ip any any
access-list ECID_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list ECID_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ECID_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ECID_nat0_outbound extended permit ip any 192.168.12.0 255.255.255.0
access-list ECID_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.1.0.0 255.255.0.0
access-list ECID_nat_outbound extended permit ip 192.168.200.0 255.255.255.0 any
! Both of these split-tunnel lists are "permit any"; the policies that use them say
! "tunnelspecified", but with a permit-any list that still tunnels everything.
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list cequintecid_splitTunnelAcl standard permit any
! Inbound rules on xo-outside (the live uplink). The first entry admits every ICMP type from
! the Internet to the whole dmz /27 -- which is where the wireless clients live.
access-list xo-outside_access_in extended permit icmp any object-group dmz
access-list xo-outside_access_in extended permit icmp any any echo-reply
access-list xo-outside_access_in extended permit tcp any host xo.ceqexec01.cequint.com object-group mail
access-list xo-outside_access_in extended permit tcp any host xo.test2.cequint.com object-group LserverGroup
access-list xo-outside_access_in extended permit tcp any host xo.reg.cequintidml.com object-group LserverGroup
access-list xo-outside_access_in extended permit tcp any host xo.vanilla.cequint.com object-group LserverGroup
access-list xo-outside_access_in extended permit tcp any host xo.dev.cequintidml.com object-group LserverGroup
access-list xo-outside_access_in extended permit tcp any host xo.dev.cequintidml.com eq 43443
access-list xo-outside_access_in extended permit tcp any host xo.cas.dev01.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.cas.dev02.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.cas.test01.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.ns01.cequintecid.com eq domain
access-list xo-outside_access_in extended permit tcp any host xo.ns02.cequintecid.com eq domain
access-list xo-outside_access_in extended permit udp any host xo.ns01.cequintecid.com eq domain
access-list xo-outside_access_in extended permit udp any host xo.ns02.cequintecid.com eq domain
access-list xo-outside_access_in extended permit tcp any host xo-primary eq www
access-list xo-outside_access_in extended permit tcp any host cf.dev01.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host cf.dev02.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host cf.test01.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.dev.cequintidml.com eq 8800
access-list xo-outside_access_in extended permit tcp any host xo.cas.int02.cequintclrcityid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.cas.test02.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.cf.int02.cequintclrcityid.com object-group ECID-CAS-CP
! NAT exemption on xo-outside for traffic to/from the dmz /27 (which is public space).
access-list xo-outside_nat0_outbound extended permit ip any object-group dmz
access-list xo-outside_nat0_outbound extended permit ip 209.117.21.128 255.255.255.224 any
access-list xo-outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 object-group CNAM_ED
access-list xo-outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
! xo-outside_nat0_outbound_1 duplicates the second line of xo-outside_nat0_outbound; only
! the "_1" list is applied with the "outside" keyword (see the nat (xo-outside) lines).
access-list xo-outside_nat0_outbound_1 extended permit ip 209.117.21.128 255.255.255.224 any
! dmz hosts are NAT-exempt to every destination.
access-list dmz_nat0_outbound extended permit ip object-group dmz any
access-list xo-outside_cryptomap_3 extended permit ip 192.168.10.0 255.255.255.0 64.135.10.16 255.255.255.240
access-list xo-outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0
pager lines 24
! Logging: buffer and history at debugging, syslog (trap) at warnings, ASDM at notifications.
logging enable
logging buffered debugging
logging trap warnings
logging history debugging
logging asdm notifications
! NOTE(review): 192.168.10.82 is in the inside subnet (192.168.10.0/24) but this syslog
! host is declared on interface "dmz" -- likely should be "inside"; verify where the
! collector actually sits, otherwise these messages may never arrive.
logging host dmz 192.168.10.82
logging host ECID ecidmgmt01 6/5076
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu phone 1500
mtu ECID 1500
mtu xo-outside 1500
! Address pool handed to every remote-access tunnel-group (192.168.12.0/24 is the
! "VPN network" named in the cequintvpn split-tunnel list).
ip local pool VPN-newpool 192.168.12.100-192.168.12.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
! PAT to the interface address on both uplinks; both use NAT id 1.
global (outside) 1 interface
global (xo-outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
! nat (dmz) 0 exempts the whole dmz /27 to any destination, so the nat (dmz) 1 entry below
! it presumably never matches -- leftover from before the exemption; confirm.
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 209.117.21.128 255.255.255.224 dns
nat (phone) 0 access-list phone_nat0_outbound
nat (phone) 1 access-list outside_access_phone
nat (ECID) 0 access-list ECID_nat0_outbound
nat (ECID) 1 access-list ECID_nat_outbound
nat (xo-outside) 0 access-list xo-outside_nat0_outbound
nat (xo-outside) 0 access-list xo-outside_nat0_outbound_1 outside
! Static translations publish inside/ECID servers on xo-outside. The (inside,dmz) and
! (inside,inside) entries presumably let dmz and inside hosts reach ceqexc01 via its public
! xo.ceqexec01 address -- confirm. There is no static (or any other entry) that presents
! xo-primary (65.47.31.158) on the dmz interface, which is relevant to the VPN question in
! the post (see the crypto section below).
static (inside,dmz) xo.ceqexec01.cequint.com ceqexc01 netmask 255.255.255.255
static (inside,xo-outside) xo.ceqexec01.cequint.com ceqexc01 netmask 255.255.255.255
static (inside,xo-outside) xo.reg.cequintidml.com reg.cequintidml.com netmask 255.255.255.255
static (inside,xo-outside) xo.test2.cequint.com test2 netmask 255.255.255.255
static (inside,xo-outside) xo.vanilla.cequint.com 192.168.10.89 netmask 255.255.255.255
static (inside,xo-outside) xo.dev.cequintidml.com dev.cequintidml.local netmask 255.255.255.255
static (inside,inside) xo.ceqexec01.cequint.com ceqexc01 netmask 255.255.255.255
static (inside,outside) xo.ceqexec01.cequint.com ceqexc01 netmask 255.255.255.255 dns
static (ECID,xo-outside) xo.ns02.cequintecid.com ecidmgmt02 netmask 255.255.255.255
static (ECID,xo-outside) xo.ns01.cequintecid.com ecidmgmt01 netmask 255.255.255.255
! Interface ACL bindings. Everything except outside and xo-outside gets a permit-any list.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group phone_access_in in interface phone
access-group ECID_access_in_1 in interface ECID
access-group xo-outside_access_in in interface xo-outside
! The only default route is via xo-outside; nothing is routed via the legacy "outside".
route inside 172.1.0.0 255.255.0.0 192.168.10.2 1
route xo-outside 0.0.0.0 0.0.0.0 65.47.31.157 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! RADIUS server used by every remote-access tunnel-group. The shared key appears here in
! cleartext and has been disclosed by this paste -- change it on both the ASA and the server.
aaa-server VPN protocol radius
aaa-server VPN host 192.168.10.12
key pr3C+Nu#u9u!
! ASDM/HTTPS management is limited to the inside subnet.
http server enable
http 192.168.10.0 255.255.255.0 inside
! SNMP v2c with community strings "cequint" and the well-known default "public". v2c sends
! the community in clear and it is the only thing gating read access; both strings are now
! public via this paste and should be replaced (and "public" dropped).
snmp-server host inside pserver community cequint version 2c
snmp-server host inside 192.168.10.26 community public version 2c
snmp-server location wiring closet
no snmp-server contact
snmp-server community cequint
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IPsec transform sets. ESP-DES-MD5 is defined but not referenced by any map in this config;
! DES should not be offered at all. Everything actually in use is 3DES with MD5 or SHA-1 HMAC
! -- weak by current standards, though a 7.2(3) image has few alternatives.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! outside_dyn_map (lower-case) and Outside_dyn_map (capitalised) are two distinct maps; the
! capitalised one, and the "crypto map Outside_map" that uses it, are bound to no interface.
! Entries 20/40/60 of outside_dyn_map are identical to one another.
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set reverse-route
crypto dynamic-map Outside_dyn_map 40 set reverse-route
crypto dynamic-map Outside_dyn_map 60 set reverse-route
crypto dynamic-map ECID_dyn_map 20 set pfs
crypto dynamic-map ECID_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map ECID_dyn_map 40 set pfs
crypto dynamic-map ECID_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
! Dynamic map for remote-access clients on the live uplink.
crypto dynamic-map xo-outside_dyn_map 1 set pfs
crypto dynamic-map xo-outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map xo-outside_dyn_map 2 set pfs
crypto dynamic-map xo-outside_dyn_map 2 set transform-set ESP-3DES-MD5
! outside_map is still bound to the legacy outside interface and carries the same three L2L
! peers (98.247.100.36, 64.135.45.42, 67.212.134.55) as xo-outside_map below; with no route
! via outside it is dead weight.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 98.247.100.36
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 64.135.45.42
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 67.212.134.55
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map Outside_map 20 ipsec-isakmp dynamic Outside_dyn_map
crypto map ECID_map 65535 ipsec-isakmp dynamic ECID_dyn_map
crypto map ECID_map interface ECID
! xo-outside_map is the live crypto map: four L2L peers plus the dynamic map for RA clients.
! The L2L peer 71.231.46.179 has a tunnel-group further down but no entry in any crypto map.
crypto map xo-outside_map 1 match address xo-outside_cryptomap_1
crypto map xo-outside_map 1 set pfs
crypto map xo-outside_map 1 set peer 67.212.134.55
crypto map xo-outside_map 1 set transform-set ESP-3DES-SHA
crypto map xo-outside_map 2 match address xo-outside_cryptomap_2
crypto map xo-outside_map 2 set peer 98.247.100.36
crypto map xo-outside_map 2 set transform-set ESP-3DES-MD5
crypto map xo-outside_map 3 match address xo-outside_cryptomap_3
crypto map xo-outside_map 3 set peer 64.135.45.42
crypto map xo-outside_map 3 set transform-set ESP-3DES-SHA
crypto map xo-outside_map 4 match address xo-outside_4_cryptomap
crypto map xo-outside_map 4 set pfs
crypto map xo-outside_map 4 set peer 69.199.206.162
crypto map xo-outside_map 4 set transform-set ESP-3DES-SHA
crypto map xo-outside_map 65535 ipsec-isakmp dynamic xo-outside_dyn_map
crypto map xo-outside_map interface xo-outside
! NOTE(review), on the VPN-from-wireless question in the post: ISAKMP is enabled on outside,
! phone, ECID and xo-outside but NOT on dmz, and no crypto map is bound to dmz (phone has
! ISAKMP enabled but no map either). As far as I know the ASA only terminates a tunnel on the
! interface the packet arrives on and does not answer for another interface's address, so a
! client on dmz cannot build a tunnel to xo-primary. Enabling isakmp on dmz and binding a
! crypto map that includes the same dynamic map to dmz would give those clients an endpoint
! on the dmz interface address (209.117.21.129); keeping the client configuration unchanged
! would then be a matter of resolving the VPN hostname to that address from the wireless side
! (split DNS), which is outside this config. Confirm on the device.
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable phone
crypto isakmp enable ECID
crypto isakmp enable xo-outside
! Two IKEv1 policies, both pre-shared-key / 3DES / DH group 2 (one MD5, one SHA-1).
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 15
! Telnet is enabled from inside alongside SSH; telnet carries the login in clear, so SSH
! alone is preferable. "console timeout 0" disables the console idle timeout.
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
! DHCP options for dmz: DNS, lease and ping-timeout are set, but no "dhcpd address" range
! or "dhcpd enable dmz" is visible here, so the ASA may not actually be serving the wireless
! clients -- verify. dmz clients are pointed at external resolvers (66.93.87.2 /
! 216.231.41.2), not the internal 192.168.10.12/.11 that VPN clients receive, so internal
! names presumably resolve only once a VPN is up.
dhcpd dns 66.93.87.2 216.231.41.2 interface dmz
dhcpd lease 14400 interface dmz
dhcpd ping_timeout 10 interface dmz
!
! dhcprelay timeout with no dhcprelay server configured -- appears inert.
dhcprelay timeout 60
!
! Default inspection class. DNS inspection caps messages at 512 bytes. Only pptp, ftp and
! dns are inspected -- presumably trimmed from the factory default set deliberately; confirm.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns MY_DNS_INSPECT_MAP
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect dns MY_DNS_INSPECT_MAP
!
service-policy global_policy global
! TexasPolicy: a fully default-valued policy that no tunnel-group in this config references.
group-policy TexasPolicy internal
group-policy TexasPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
vpn-nac-exempt none
! DefaultRAGroup: the catch-all remote-access policy (L2TP/IPsec). Its split-tunnel list is
! "permit any", so "tunnelspecified" still tunnels all client traffic.
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
! DfltGrpPolicy is the base the cequint* policies below inherit from. It sets
! vpn-idle-timeout none and none of them override it, so idle RA sessions are presumably
! never torn down -- confirm whether that is intended.
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
! cequint2: IPsec only, full tunnel, internal DNS.
group-policy cequint2 internal
group-policy cequint2 attributes
dns-server value 192.168.10.12 192.168.10.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
! cequintecid: "tunnelspecified" with a permit-any list, i.e. effectively full tunnel.
group-policy cequintecid internal
group-policy cequintecid attributes
wins-server value 192.168.10.12 192.168.10.11
dns-server value 192.168.10.12 192.168.10.11
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cequintecid_splitTunnelAcl
default-domain value cequint.local
! cequintvpn: genuine split tunnel (inside, VPN pool, phone subnet) with internal WINS/DNS;
! presumably the group the home and wireless users in the post connect with.
group-policy cequintvpn internal
group-policy cequintvpn attributes
wins-server value 192.168.10.12 192.168.10.11
dns-server value 192.168.10.12 192.168.10.11
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cequintvpn_splitTunnelAcl
default-domain value cequint.local
! Tunnel groups. Every RA group (DefaultRAGroup, cequintvpn, cequint2, cequintecid) draws
! addresses from VPN-newpool and authenticates users against the RADIUS group "VPN"; the
! pre-shared keys are shown masked ("*"). cequintvpn and the 64.135.45.42 L2L peer use
! "peer-id-validate nocheck". The 71.231.46.179 L2L group has no crypto map entry anywhere
! in this config, so that tunnel cannot be negotiated.
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-newpool
authentication-server-group VPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group cequintvpn type ipsec-ra
tunnel-group cequintvpn general-attributes
address-pool VPN-newpool
authentication-server-group VPN
default-group-policy cequintvpn
tunnel-group cequintvpn ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive threshold infinite
tunnel-group cequintvpn ppp-attributes
authentication ms-chap-v2
tunnel-group 98.247.100.36 type ipsec-l2l
tunnel-group 98.247.100.36 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group 67.212.134.55 type ipsec-l2l
tunnel-group 67.212.134.55 ipsec-attributes
pre-shared-key *
tunnel-group 71.231.46.179 type ipsec-l2l
tunnel-group 71.231.46.179 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group cequint2 type ipsec-ra
tunnel-group cequint2 general-attributes
address-pool VPN-newpool
authentication-server-group VPN
default-group-policy cequint2
tunnel-group cequint2 ipsec-attributes
pre-shared-key *
tunnel-group 64.135.45.42 type ipsec-l2l
tunnel-group 64.135.45.42 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group cequintecid type ipsec-ra
tunnel-group cequintecid general-attributes
address-pool VPN-newpool
authentication-server-group VPN
default-group-policy cequintecid
tunnel-group cequintecid ipsec-attributes
pre-shared-key *
tunnel-group 69.199.206.162 type ipsec-l2l
tunnel-group 69.199.206.162 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
! 192.168.10.21 is ceqexc01, the mail server published as xo.ceqexec01 above.
smtp-server 192.168.10.21
prompt hostname context
Cryptochecksum:4664a78967d0620fe69cea05c6433bc8
: end
I can't connect to the DMZ address to create the VPN link. How can I do this so that our users can connect to the VPN both from the outside and from wireless without changing their configuration?
Below is my config; it has a lot of cruft since we moved our Internet from outside to xo-outside and I haven't cleaned everything out yet.
: Saved
:
ASA Version 7.2(3)
!
hostname ceqfw
domain-name cequint.local
enable password 8Ry2Yjseu7RRXU24 encrypted
names
name 192.168.10.15 ceqfs01
name 192.168.10.10 ceqsbs01
name 192.168.10.5 lserver
name 192.168.10.60 pserver
name 192.168.10.83 lserver2
name 192.168.10.102 nameid01
name 192.168.10.21 ceqexc01
name 192.168.10.13 ceqback01
name 192.168.10.85 lserver3
name 192.168.10.114 tracy
name 64.81.165.222 uscc.cequint.com
name 192.168.10.108 stephanick
name 64.81.165.168 Primary description Primary public IP for Cisco
name 64.81.165.155 test2.cequint.com description To Senja
name 192.168.10.88 test2
name 64.81.165.211 vanilla.cequint.com
name 64.81.165.212 reg.cequintidml.com
name 192.168.10.35 reg.cequint.local
name 64.81.165.204 dev.cequintidml.com
name 64.81.165.210 dev01.cequint.com
name 64.81.165.207 dev02.cequint.com
name 64.81.165.208 test01.cequint.com
name 192.168.200.59 cas.test01
name 192.168.200.55 cas.dev01
name 192.168.200.57 cas.dev02
name 192.168.200.46 ecidmgmt01
name 192.168.200.61 ecidmgmt02
name 209.117.21.131 xo.ceqexec01.cequint.com
name 209.117.21.132 xo.ns01.cequintecid.com
name 209.117.21.133 xo.ns02.cequintecid.com
name 209.117.21.138 xo.dev.cequintidml.com
name 209.117.21.137 xo.reg.cequintidml.com
name 209.117.21.136 xo.test2.cequint.com
name 209.117.21.142 xo.cas.dev02.cequintecid.com
name 209.117.21.144 xo.cas.test01.cequintecid.com
name 209.117.21.145 xo.vanilla.cequint.com
name 192.168.10.86 dev.cequintidml.local
name 65.47.31.158 xo-primary
name 209.117.21.140 xo.cas.dev01.cequintecid.com
name 192.168.200.56 cf.dev01
name 209.117.21.141 cf.dev01.cequintecid.com
name 192.168.200.58 cf.dev02
name 209.117.21.143 cf.dev02.cequintecid.com
name 192.168.200.60 cf.test01
name 209.117.21.149 cf.test01.cequintecid.com
name 209.117.21.151 xo.cas.test02.cequintecid.com
name 209.117.21.150 xo.cas.int02.cequintclrcityid.com
name 209.117.21.153 xo.cf.int02.cequintclrcityid.com
!
! Layer-3 VLAN interfaces. Four of the six (inside, dmz, phone, ECID) share
! security-level 100 and same-security-traffic permit inter-interface is set,
! so security levels do not separate them; only the per-interface access-groups do.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
!
! Legacy Internet interface (pre-move). The only default route in this config
! leaves via xo-outside, so this interface is kept for the old static/ACL cruft.
interface Vlan2
nameif outside
security-level 0
ip address Primary 255.255.255.0
ospf cost 10
!
! NOTE(review): the "more secure DMZ" carries security-level 100, identical to
! inside, and its access-group (dmz_access_in) is permit ip any any. The wireless
! users on this segment are therefore not filtered from inside at all; a lower
! security-level and a restrictive dmz_access_in would be the usual fix.
interface Vlan3
nameif dmz
security-level 100
ip address 209.117.21.129 255.255.255.224
ospf cost 10
!
interface Vlan13
nameif phone
security-level 100
ip address 10.128.10.254 255.255.255.0
!
interface Vlan200
nameif ECID
security-level 100
ip address 192.168.200.1 255.255.255.0
!
! Current Internet interface; xo-primary is a /30 toward the provider.
interface Vlan210
nameif xo-outside
security-level 0
ip address xo-primary 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 210
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 13
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 210
!
! Access port in vlan 200 with a trunk allowed-list for vlan 2; the trunk line
! looks like a leftover from the old outside and does nothing on an access port — confirm.
interface Ethernet0/6
switchport access vlan 200
switchport trunk allowed vlan 2
!
interface Ethernet0/7
!
! This configuration has been posted publicly: the local login password below,
! the enable password and the RADIUS key further down should all be rotated.
passwd pP85NCWvaJIRP98A encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name cequint.local
! inter-interface: lets traffic pass between the level-100 interfaces (inside,
! dmz, phone, ECID), subject only to their ACLs. intra-interface: allows traffic
! to enter and leave the same interface (hairpinning); the static (inside,inside)
! entry below relies on it.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Service and network object-groups referenced by the access-lists below.
object-group service CnamGroup tcp
description Cnam port 11000
port-object range 11000 11000
! NOTE(review): this group is exposed to the Internet by outside_access_in and
! xo-outside_access_in; it includes 8000, described here as a debug port, plus
! 9080, 8043 and 11000-11005. Confirm each is still required on every host.
object-group service LserverGroup tcp
description port 80, 443, 8080, 8443 for Lserver (and 8000 for debug)
port-object range 8080 8080
port-object eq www
port-object eq https
port-object range 8443 8443
port-object range 8000 8000
port-object range 9080 9080
port-object range 11000 11005
port-object range 8043 8043
object-group service LserverGroup2 udp
description open up UDP for 11000
port-object range 11000 11000
object-group network DC_CNAM_Subnet
network-object 10.0.0.0 255.0.0.0
object-group network Temp
network-object 10.1.1.8 255.255.255.248
object-group network CNAM_ED
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.255.0
object-group network cnam
network-object 10.1.1.0 255.255.255.0
object-group network HumeDC
description Access to SCP
network-object 64.135.10.16 255.255.255.240
object-group service ECID-CAS-CP tcp
description ECID CAS and CP
port-object range 8080 8080
port-object range 8090 8090
port-object eq https
! The public dmz block; matches interface Vlan3's subnet.
object-group network dmz
network-object 209.117.21.128 255.255.255.224
object-group service mail tcp
port-object range 993 993
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
! NAT-exempt (nat 0), interface, split-tunnel and crypto access-lists.
! Interface ACLs are evaluated top-down, first match wins.
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.1.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.2.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.1.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 64.135.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.1.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 209.117.21.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host xo-primary
! outside_access_in: ACL for the legacy outside interface; it still opens the old
! 64.81.165.x public addresses. Cruft per the post, but still live while bound.
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq imap4
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq smtp
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq 993
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq https
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq pop3
access-list outside_access_in extended permit tcp any host 64.81.165.201 eq www
access-list outside_access_in extended permit tcp any host 64.81.165.221 object-group LserverGroup
access-list outside_access_in extended permit tcp any host reg.cequintidml.com object-group LserverGroup
access-list outside_access_in extended permit icmp any any echo-reply
! NOTE(review): "any eq Primary" puts the address name Primary in a source-port
! position; "host Primary" was probably intended — confirm what the ASA parsed.
access-list outside_access_in extended permit tcp any eq Primary eq www
access-list outside_access_in extended permit tcp any host vanilla.cequint.com eq 8080
access-list outside_access_in extended permit tcp any host vanilla.cequint.com eq https
access-list outside_access_in extended permit tcp any host vanilla.cequint.com eq www
access-list outside_access_in extended permit tcp any host dev.cequintidml.com object-group LserverGroup
access-list outside_access_in extended permit tcp any host dev.cequintidml.com eq 43443
access-list outside_access_in extended permit tcp any host dev01.cequint.com object-group ECID-CAS-CP
access-list outside_access_in extended permit tcp any host dev02.cequint.com object-group ECID-CAS-CP
access-list outside_access_in extended permit tcp any host test01.cequint.com object-group ECID-CAS-CP
access-list outside_access_in extended permit tcp any eq 2200 host Primary eq 2200
access-list outside_access_in extended permit udp any host test01.cequint.com eq domain
access-list outside_access_in extended permit udp any host dev02.cequint.com eq domain
access-list outside_access_in extended permit tcp any host test01.cequint.com eq domain
access-list outside_access_in extended permit tcp any host dev02.cequint.com eq domain
! inside, dmz and phone interface ACLs are all permit ip any any: no filtering
! between these segments. Tighten dmz_access_in if the DMZ is meant to be isolated.
access-list inside_access_in extended permit ip any any
! Split-tunnel list for cequintvpn: internal LAN, VPN pool and phone subnets.
access-list cequintvpn_splitTunnelAcl remark Cequint Internal Network
access-list cequintvpn_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list cequintvpn_splitTunnelAcl remark VPN network
access-list cequintvpn_splitTunnelAcl standard permit 192.168.12.0 255.255.255.0
access-list cequintvpn_splitTunnelAcl standard permit 10.128.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group CNAM_ED
access-list phone_access_in extended permit ip any any
! NOTE(review): "any eq eq www" has a duplicated eq; this ACL is the policy for
! nat (phone) 1 below and may not match the traffic that was intended — confirm.
access-list outside_access_phone extended permit tcp any eq eq www
access-list phone_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 10.128.10.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 64.135.10.16 255.255.255.240
! ECID_access_in (inside<->ECID only) is defined but unused; ECID_access_in_1
! (permit ip any any) is the one bound to the ECID interface by access-group.
access-list ECID_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list ECID_access_in_1 extended permit ip any any
access-list ECID_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list ECID_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ECID_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ECID_nat0_outbound extended permit ip any 192.168.12.0 255.255.255.0
access-list ECID_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.1.0.0 255.255.0.0
access-list ECID_nat_outbound extended permit ip 192.168.200.0 255.255.255.0 any
! Both of these split-tunnel lists are "permit any", so the tunnelspecified
! policies that use them (DefaultRAGroup, cequintecid) behave like tunnelall.
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list cequintecid_splitTunnelAcl standard permit any
! xo-outside_access_in: current Internet-facing ACL. All ICMP types are allowed
! toward the dmz block; elsewhere only echo-reply.
access-list xo-outside_access_in extended permit icmp any object-group dmz
access-list xo-outside_access_in extended permit icmp any any echo-reply
access-list xo-outside_access_in extended permit tcp any host xo.ceqexec01.cequint.com object-group mail
access-list xo-outside_access_in extended permit tcp any host xo.test2.cequint.com object-group LserverGroup
access-list xo-outside_access_in extended permit tcp any host xo.reg.cequintidml.com object-group LserverGroup
access-list xo-outside_access_in extended permit tcp any host xo.vanilla.cequint.com object-group LserverGroup
access-list xo-outside_access_in extended permit tcp any host xo.dev.cequintidml.com object-group LserverGroup
access-list xo-outside_access_in extended permit tcp any host xo.dev.cequintidml.com eq 43443
access-list xo-outside_access_in extended permit tcp any host xo.cas.dev01.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.cas.dev02.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.cas.test01.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.ns01.cequintecid.com eq domain
access-list xo-outside_access_in extended permit tcp any host xo.ns02.cequintecid.com eq domain
access-list xo-outside_access_in extended permit udp any host xo.ns01.cequintecid.com eq domain
access-list xo-outside_access_in extended permit udp any host xo.ns02.cequintecid.com eq domain
! www to the xo-outside interface address itself; no static maps it inward here — confirm it is needed.
access-list xo-outside_access_in extended permit tcp any host xo-primary eq www
access-list xo-outside_access_in extended permit tcp any host cf.dev01.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host cf.dev02.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host cf.test01.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.dev.cequintidml.com eq 8800
access-list xo-outside_access_in extended permit tcp any host xo.cas.int02.cequintclrcityid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.cas.test02.cequintecid.com object-group ECID-CAS-CP
access-list xo-outside_access_in extended permit tcp any host xo.cf.int02.cequintclrcityid.com object-group ECID-CAS-CP
! NAT exemptions for the public dmz block on xo-outside; _1 is applied with the
! "outside" keyword (outside NAT) and duplicates the second line of the first list.
access-list xo-outside_nat0_outbound extended permit ip any object-group dmz
access-list xo-outside_nat0_outbound extended permit ip 209.117.21.128 255.255.255.224 any
access-list xo-outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 object-group CNAM_ED
access-list xo-outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
! dmz hosts (including the wireless segment) may initiate anything toward every other interface.
access-list dmz_access_in extended permit ip any any
access-list xo-outside_nat0_outbound_1 extended permit ip 209.117.21.128 255.255.255.224 any
access-list dmz_nat0_outbound extended permit ip object-group dmz any
access-list xo-outside_cryptomap_3 extended permit ip 192.168.10.0 255.255.255.0 64.135.10.16 255.255.255.240
access-list xo-outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0
pager lines 24
! Logging: buffer and history at debugging, trap (syslog) at warnings only.
logging enable
logging buffered debugging
logging trap warnings
logging history debugging
logging asdm notifications
! NOTE(review): 192.168.10.82 is in the inside subnet but this syslog host is
! bound to the dmz interface; unless that host is really reachable via dmz the
! warnings-level syslog feed is being lost — confirm and rebind to inside.
logging host dmz 192.168.10.82
logging host ECID ecidmgmt01 6/5076
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu phone 1500
mtu ECID 1500
mtu xo-outside 1500
! Remote-access VPN address pool; 192.168.12.0/24 is exempted from NAT above.
ip local pool VPN-newpool 192.168.12.100-192.168.12.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
! NAT: PAT to the interface address on both Internet interfaces (global id 1).
! The dmz block is already public yet is still placed in NAT id 1 (with DNS rewrite).
global (outside) 1 interface
global (xo-outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 209.117.21.128 255.255.255.224 dns
nat (phone) 0 access-list phone_nat0_outbound
nat (phone) 1 access-list outside_access_phone
nat (ECID) 0 access-list ECID_nat0_outbound
nat (ECID) 1 access-list ECID_nat_outbound
nat (xo-outside) 0 access-list xo-outside_nat0_outbound
nat (xo-outside) 0 access-list xo-outside_nat0_outbound_1 outside
! Statics publishing inside hosts on the xo public addresses. xo.ceqexec01 is
! mapped toward dmz, xo-outside, inside (hairpin; needs intra-interface permit)
! and the legacy outside; the last two look like migration leftovers.
static (inside,dmz) xo.ceqexec01.cequint.com ceqexc01 netmask 255.255.255.255
static (inside,xo-outside) xo.ceqexec01.cequint.com ceqexc01 netmask 255.255.255.255
static (inside,xo-outside) xo.reg.cequintidml.com reg.cequintidml.com netmask 255.255.255.255
static (inside,xo-outside) xo.test2.cequint.com test2 netmask 255.255.255.255
static (inside,xo-outside) xo.vanilla.cequint.com 192.168.10.89 netmask 255.255.255.255
static (inside,xo-outside) xo.dev.cequintidml.com dev.cequintidml.local netmask 255.255.255.255
static (inside,inside) xo.ceqexec01.cequint.com ceqexc01 netmask 255.255.255.255
static (inside,outside) xo.ceqexec01.cequint.com ceqexc01 netmask 255.255.255.255 dns
static (ECID,xo-outside) xo.ns02.cequintecid.com ecidmgmt02 netmask 255.255.255.255
static (ECID,xo-outside) xo.ns01.cequintecid.com ecidmgmt01 netmask 255.255.255.255
! ACL bindings. Note ECID gets ECID_access_in_1 (permit any), not ECID_access_in.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group phone_access_in in interface phone
access-group ECID_access_in_1 in interface ECID
access-group xo-outside_access_in in interface xo-outside
! Single default route via xo-outside; the legacy outside interface has no route of its own.
route inside 172.1.0.0 255.255.0.0 192.168.10.2 1
route xo-outside 0.0.0.0 0.0.0.0 65.47.31.157 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! RADIUS server used for all remote-access tunnel-groups. NOTE(review): the
! shared secret appears in clear text here and has now been published with this
! config; rotate it on both the ASA and the RADIUS server.
aaa-server VPN protocol radius
aaa-server VPN host 192.168.10.12
key pr3C+Nu#u9u!
! ASDM/HTTPS management restricted to the inside subnet.
http server enable
http 192.168.10.0 255.255.255.0 inside
! SNMP v2c: the community string is the only authentication. "public" is a
! well-known default and both strings are now published; change them. The
! "snmp-server community cequint" line sets the device-wide read community.
snmp-server host inside pserver community cequint version 2c
snmp-server host inside 192.168.10.26 community public version 2c
snmp-server location wiring closet
no snmp-server contact
snmp-server community cequint
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IPsec/IKE. All transform sets use DES or 3DES with MD5/SHA-1 and both ISAKMP
! policies use DH group 2; these are weak by current standards. What can replace
! them depends on this release and on the remote peers — review when upgrading.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic map for remote-access clients on the legacy outside interface.
! 288000 s (80 h) is a long IPsec SA lifetime for remote-access sessions.
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
! "Outside_dyn_map"/"Outside_map" (capital O) are a separate set from
! outside_dyn_map/outside_map; Outside_map is never bound to an interface — likely cruft.
crypto dynamic-map Outside_dyn_map 20 set reverse-route
crypto dynamic-map Outside_dyn_map 40 set reverse-route
crypto dynamic-map Outside_dyn_map 60 set reverse-route
crypto dynamic-map ECID_dyn_map 20 set pfs
crypto dynamic-map ECID_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map ECID_dyn_map 40 set pfs
crypto dynamic-map ECID_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
! Dynamic map for remote-access clients arriving on xo-outside.
crypto dynamic-map xo-outside_dyn_map 1 set pfs
crypto dynamic-map xo-outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map xo-outside_dyn_map 2 set pfs
crypto dynamic-map xo-outside_dyn_map 2 set transform-set ESP-3DES-MD5
! Legacy site-to-site entries on outside; the same three peers are repeated
! on xo-outside_map below, which is where the default route now points.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 98.247.100.36
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 64.135.45.42
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 67.212.134.55
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map Outside_map 20 ipsec-isakmp dynamic Outside_dyn_map
crypto map ECID_map 65535 ipsec-isakmp dynamic ECID_dyn_map
crypto map ECID_map interface ECID
crypto map xo-outside_map 1 match address xo-outside_cryptomap_1
crypto map xo-outside_map 1 set pfs
crypto map xo-outside_map 1 set peer 67.212.134.55
crypto map xo-outside_map 1 set transform-set ESP-3DES-SHA
crypto map xo-outside_map 2 match address xo-outside_cryptomap_2
crypto map xo-outside_map 2 set peer 98.247.100.36
crypto map xo-outside_map 2 set transform-set ESP-3DES-MD5
crypto map xo-outside_map 3 match address xo-outside_cryptomap_3
crypto map xo-outside_map 3 set peer 64.135.45.42
crypto map xo-outside_map 3 set transform-set ESP-3DES-SHA
crypto map xo-outside_map 4 match address xo-outside_4_cryptomap
crypto map xo-outside_map 4 set pfs
crypto map xo-outside_map 4 set peer 69.199.206.162
crypto map xo-outside_map 4 set transform-set ESP-3DES-SHA
crypto map xo-outside_map 65535 ipsec-isakmp dynamic xo-outside_dyn_map
crypto map xo-outside_map interface xo-outside
crypto isakmp identity address
! NOTE(review): ISAKMP is enabled on outside, phone, ECID and xo-outside but not
! on dmz. The ASA terminates a VPN on the interface the client's packets arrive
! on, so clients on the dmz/wireless segment addressing xo-primary cannot connect
! (the symptom in the post). Terminating them locally would need ISAKMP and a
! dynamic crypto map on dmz, with wireless-side DNS pointing the VPN hostname at
! the dmz interface address so the client profile itself stays unchanged — confirm.
crypto isakmp enable outside
crypto isakmp enable phone
crypto isakmp enable ECID
crypto isakmp enable xo-outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 15
! Management access. Telnet (cleartext) and SSH are both open from the inside
! subnet; SSH alone would suffice, so the telnet line can be dropped.
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
! DHCP served on the dmz interface with external resolvers; no "dhcpd address"
! range appears in this listing — presumably elsewhere or omitted, confirm.
dhcpd dns 66.93.87.2 216.231.41.2 interface dmz
dhcpd lease 14400 interface dmz
dhcpd ping_timeout 10 interface dmz
!
dhcprelay timeout 60
!
class-map inspection_default
match default-inspection-traffic
!
!
! DNS inspection caps messages at 512 bytes; pptp, ftp and dns are inspected globally.
policy-map type inspect dns MY_DNS_INSPECT_MAP
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect dns MY_DNS_INSPECT_MAP
!
service-policy global_policy global
! TexasPolicy: full-tunnel IPsec/L2TP policy with no address pool of its own.
! No tunnel-group in this config references it — likely cruft.
group-policy TexasPolicy internal
group-policy TexasPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
vpn-nac-exempt none
! Default remote-access policy (L2TP/IPsec only). Its split-tunnel list is
! "standard permit any", so tunnelspecified here is effectively tunnel-all.
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
! System default policy inherited by every group-policy for attributes it does
! not set. Note vpn-idle-timeout none: cequint2, cequintecid and cequintvpn do
! not override it, so their sessions are never idle-disconnected.
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
! cequint2: IPsec-only, full tunnel, internal DNS pushed to clients.
group-policy cequint2 internal
group-policy cequint2 attributes
dns-server value 192.168.10.12 192.168.10.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
! cequintecid: tunnelspecified, but cequintecid_splitTunnelAcl is "permit any",
! so everything is tunnelled anyway. webvpn is listed as a protocol here and on
! cequintvpn; no global webvpn enablement is visible in this listing — confirm.
group-policy cequintecid internal
group-policy cequintecid attributes
wins-server value 192.168.10.12 192.168.10.11
dns-server value 192.168.10.12 192.168.10.11
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cequintecid_splitTunnelAcl
default-domain value cequint.local
! cequintvpn: the policy users in the post connect with; genuine split tunnel
! to 192.168.10.0/24, 192.168.12.0/24 and 10.128.10.0/24.
group-policy cequintvpn internal
group-policy cequintvpn attributes
wins-server value 192.168.10.12 192.168.10.11
dns-server value 192.168.10.12 192.168.10.11
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cequintvpn_splitTunnelAcl
default-domain value cequint.local
! Tunnel groups. All remote-access groups authenticate against the RADIUS
! server-group VPN and draw addresses from VPN-newpool. Pre-shared keys are
! masked (*) in this listing.
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-newpool
authentication-server-group VPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
! cequintvpn: peer-id-validate nocheck turns off certificate identity checks
! (moot while PSK is used); keepalive threshold infinite disables dead-peer
! detection for these clients, so stale sessions only clear on timeout.
tunnel-group cequintvpn type ipsec-ra
tunnel-group cequintvpn general-attributes
address-pool VPN-newpool
authentication-server-group VPN
default-group-policy cequintvpn
tunnel-group cequintvpn ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive threshold infinite
tunnel-group cequintvpn ppp-attributes
authentication ms-chap-v2
tunnel-group 98.247.100.36 type ipsec-l2l
tunnel-group 98.247.100.36 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group 67.212.134.55 type ipsec-l2l
tunnel-group 67.212.134.55 ipsec-attributes
pre-shared-key *
! 71.231.46.179 has no matching "set peer" in any crypto map above
! (peers are 98.247.100.36, 64.135.45.42, 67.212.134.55, 69.199.206.162) — stale entry.
tunnel-group 71.231.46.179 type ipsec-l2l
tunnel-group 71.231.46.179 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group cequint2 type ipsec-ra
tunnel-group cequint2 general-attributes
address-pool VPN-newpool
authentication-server-group VPN
default-group-policy cequint2
tunnel-group cequint2 ipsec-attributes
pre-shared-key *
tunnel-group 64.135.45.42 type ipsec-l2l
tunnel-group 64.135.45.42 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group cequintecid type ipsec-ra
tunnel-group cequintecid general-attributes
address-pool VPN-newpool
authentication-server-group VPN
default-group-policy cequintecid
tunnel-group cequintecid ipsec-attributes
pre-shared-key *
tunnel-group 69.199.206.162 type ipsec-l2l
tunnel-group 69.199.206.162 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
! smtp-server is ceqexc01 (the published mail host). The Cryptochecksum is
! recomputed on every write memory; "!" comment lines are not stored, so adding
! them does not invalidate it.
smtp-server 192.168.10.21
prompt hostname context
Cryptochecksum:4664a78967d0620fe69cea05c6433bc8
: end