[x]
Posted via EE Mobile

Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.
Question
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
9.2

ASA 5510 and 5505 VPN Routing Question

Asked by SihleIns in Network Routers, Virtual Private Networking (VPN), Networking Hardware Firewalls

Tags: Cisco ASA 5510 5505 VPN Routing Routes

I setup a VPN tunnel from a remote office using an ASA 5505 connecting to an ASA 5510.  I'm able to ping back and forth on the networks without a problem as long as i'm on the same subnet as the ASA on either side. However if I try to ping a different VLAN on the corporate network from the ASA 5505 side I can't and those other VLAN's can't ping anything on the ASA 5505 side.  I'm also unable to ping or connect to the "Inside" interface on the 5505 or 5510 over the VPN tunnel.  I have no problem connecting to the inside interface of either ASA as long as I'm connecting to it from the local network.  What do I need to do so that every device on the network can see each other with out a problem.

 (ASA 5505 IP-10.1.1.1) <-------> (Internet) <---------> (ASA 5510 IP-10.0.0.253) <--- (Cisco 4503 IP-10.0.0.1) <----Client Computers

The 4503 router is the default Gateway for all client and the ASA 5510 is the default route for the 4503.

The clients on the ASA 5505 side have the 5505 as the default gateway 10.1.1.1 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:
385:
386:
387:
388:
389:
390:
391:
392:
393:
394:
395:
396:
397:
398:
399:
400:
401:
402:
403:
404:
405:
406:
407:
408:
409:
410:
411:
412:
413:
414:
415:
416:
417:
418:
419:
420:
421:
422:
423:
424:
425:
426:
427:
428:
429:
430:
431:
432:
433:
434:
435:
436:
437:
438:
439:
440:
441:
442:
443:
444:
445:
446:
447:
448:
449:
450:
451:
452:
453:
454:
455:
456:
457:
458:
459:
460:
461:
462:
463:
464:
465:
466:
467:
468:
469:
470:
471:
472:
473:
474:
475:
476:
477:
478:
479:
480:
481:
482:
483:
484:
485:
486:
487:
488:
489:
490:
491:
492:
493:
494:
495:
496:
497:
498:
499:
500:
501:
502:
503:
504:
505:
506:
507:
508:
509:
510:
511:
512:
513:
514:
515:
516:
517:
518:
519:
520:
521:
522:
523:
524:
525:
526:
527:
528:
529:
530:
531:
532:
533:
534:
535:
536:
537:
538:
539:
540:
541:
542:
543:
544:
545:
546:
547:
548:
549:
550:
551:
552:
553:
554:
555:
556:
557:
558:
559:
560:
561:
562:
563:
564:
565:
566:
567:
568:
569:
570:
571:
572:
573:
574:
575:
576:
577:
578:
579:
580:
581:
582:
583:
584:
585:
586:
587:
588:
589:
590:
591:
592:
593:
594:
595:
596:
597:
598:
599:
600:
601:

Here is the ASA 5505 Config followed by the 5510 Config
 
ASA 5505 Remote office
Result of the command: "Show running-config"
 
: Saved
:
ASA Version 8.2(1) 
!
hostname CiscoASA-Panhandle
domain-name corp.DOMAIN.com
enable password Q7tm encrypted
passwd 2KFQ encrypted
names
name 10.0.0.0 Altamonte-10.0.0.0 description Altamonte Main Office
name 10.0.4.0 Jacksonville description Jacksonville Network
name 10.1.2.0 Deland description Deland Network
name 10.1.5.0 Tampa description Tampa Network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address "Public Static IP" 255.255.255.224 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.domain.com
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object Altamonte-10.0.0.0 255.255.255.0
 network-object Jacksonville 255.255.255.0
 network-object Deland 255.255.255.0
 network-object Tampa 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 Altamonte-10.0.0.0 255.255.255.0 
access-list Panhandle-VPN extended permit icmp Altamonte-10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list Panhandle-VPN extended permit tcp Altamonte-10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0 object-group RDP 
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 68.225.124.193 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.1.1 255.255.255.255 inside
http 10.1.1.0 255.255.255.0 inside
http Altamonte-10.0.0.0 255.255.255.0 inside
http 209.16.116.126 255.255.255.255 outside
http 97.104.107.117 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 209.16.116.126 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.1.100-10.1.1.199 inside
dhcpd dns 10.0.0.2 68.1.18.229 interface inside
dhcpd wins 10.0.0.2 10.0.0.5 interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username administrator password Bwe.XAhg6TV4aBqa encrypted
tunnel-group 209.16.116.126 type ipsec-l2l
tunnel-group 209.16.116.126 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:b2e65033c68346e13ce763ef88fb6c4d
: end
 
*******************************************************************************************************************
ASA 5510 Main Office
 
: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
domain-name corp.domain.com
enable password Q7tm/ encrypted
passwd 2KFQ encrypted
names
name 10.1.1.0 Panhandle-10.1.1.0 description VPN Traffic to Panhandle
name 10.0.4.0 Jacksonville description Jacksonville Network
name 10.0.0.55 A-10.0.0.55 description Altamonte Phone System
name 10.1.1.5 Panhandle_Phone_System description Panhandle Phone System
name 10.1.1.15 Panhandle_Printer_Lanier description Panhandle Printer Lanier
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address "Public Static IP" 255.255.255.252 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.0.0.253 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.0.0.2
 domain-name corp.sihle.com
object-group service RDP tcp
 description Terminal Services Connections
 port-object range 3389 3389
object-group service IMAP4 tcp-udp
 description IMAP4  iPhones
 port-object range 143 143
object-group service SSL-IMAP tcp-udp
 description SSL IMAP for iPhones
 port-object range 993 993
object-group service Inter-tel-5566 tcp
 description Inter-tel TCP 5566
 port-object eq 5566
object-group service Inter-tel-5567 udp
 description Inter-tel UDP 5567
 port-object eq 5567
object-group service DM_INLINE_TCP_1 tcp
 group-object IMAP4
 group-object SSL-IMAP
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service Blocked-Ports
 description Q-Charts Ports 8048 - 8049 unassigned
 service-object tcp-udp eq 8048 
 service-object tcp-udp eq 8049 
 service-object tcp-udp eq 2189 
 service-object tcp-udp source eq 23100 eq 23100 
 service-object tcp-udp source eq 24100 eq 24100 
object-group service SSL-VPN tcp-udp
 description Cisco SSL VPN Client
 port-object eq 444
object-group service TrendMicro-OfficeScan tcp-udp
 description TrendMicro Client_LocalServer_Port
 port-object eq 18283
object-group service TrendMicro-WebSite tcp-udp
 description TrendMicro Admin Website
 port-object eq 8000
object-group service Altiris-Server tcp-udp
 description Altiris Server Client Access Port 402
 port-object range 401 402
object-group service Altiris-RemoteControl tcp-udp
 description Altiris Server Remote Control Ports
 port-object range 5001 5002
object-group service Printer_Port tcp-udp
 description Printing Port Number 9100
 port-object eq 9100
object-group service Inter-Tel_DB tcp-udp
 description Inter-tel DB Programming Port 4000
 port-object eq 4000
object-group service 135-139 tcp-udp
 description Ports 135-139
 port-object range 135 139
object-group service Inter-tel tcp-udp
 description Inter-tel Phone System 5570
 port-object eq 5570
object-group service 2427 tcp-udp
 description Inter-tel Port 2427
 port-object eq 2427
object-group service Kerberos88 tcp-udp
 description Kerberos TCP-UDP Port 88
 port-object eq 88
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 group-object Kerberos88
 port-object eq kerberos
object-group service LDAP tcp-udp
 description LDAP TCP-UDP 389
 port-object eq 389
object-group service PC-Anywhere_TimD tcp-udp
 description PC Anywhere Tim Donovan
 port-object range 2310 2311
object-group service Altiris-Filter-Transfer tcp-udp
 description File Transfer Port
 port-object eq 5010
object-group service Altiris-Task-Ports tcp-udp
 description Altiris Task Server Ports
 port-object eq 4011
 port-object range 50120 50124
 port-object range 67 69
object-group service DM_INLINE_TCPUDP_2 tcp-udp
 group-object Altiris-Filter-Transfer
 group-object Altiris-Server
 group-object Altiris-Task-Ports
 group-object Altiris-RemoteControl
access-list Outside_access_in remark Terminal Server Connections
access-list Outside_access_in extended permit tcp any interface Outside object-group RDP 
access-list Outside_access_in remark Inscope Website
access-list Outside_access_in extended permit tcp any interface Outside eq 8081 
access-list Outside_access_in remark SMTP Postini Inbound to SihleExchange
access-list Outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 interface Outside eq smtp 
access-list Outside_access_in remark SSL IMAP iPhones
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_1 inactive 
access-list Outside_access_in remark Outlook Web Access SSL Connection
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_2 
access-list Outside_access_in remark Inter-tel TCP Port 5566
access-list Outside_access_in extended permit tcp any interface Outside eq 5566 
access-list Outside_access_in remark Inter-tel TCP Port 5567
access-list Outside_access_in extended permit udp any interface Outside eq 5567 
access-list Outside_access_in remark IP Phone Audio
access-list Outside_access_in extended permit udp any interface Outside range 5000 5565 
access-list Inside_access_out remark SMTP Outbound SihleExchange
access-list Inside_access_out extended permit tcp host 10.0.0.4 64.18.0.0 255.255.240.0 eq smtp 
access-list Inside_access_out remark Block All Outbound SMTP Traffic
access-list Inside_access_out extended deny tcp any any eq smtp 
access-list Inside_access_out remark Block AOL Instant Messenger
access-list Inside_access_out extended deny tcp any any eq aol inactive 
access-list Inside_access_out remark Q-Charts
access-list Inside_access_out extended deny object-group Blocked-Ports any any 
access-list Inside_access_out extended permit ip any any 
access-list VPN_Clients remark VPN Clients
access-list VPN_Clients extended permit ip any 192.168.25.0 255.255.255.0 
access-list VPN_Clients extended permit ip any 192.168.50.0 255.255.255.0 
access-list VPN_Clients extended permit ip any Panhandle-10.1.1.0 255.255.255.0 
access-list Audio_Visual_VLAN_Only remark VLAN 40 Access Only
access-list Audio_Visual_VLAN_Only standard permit 10.1.40.0 255.255.255.0 
access-list Audio_Visual_VLAN_Only remark VLAN 12 Access Only
access-list Audio_Visual_VLAN_Only standard permit 10.1.12.0 255.255.255.0 
access-list Audio_Visual_VLAN_Only remark No Access
access-list Audio_Visual_VLAN_Only standard deny any 
access-list Outside_1_cryptomap extended permit ip any Panhandle-10.1.1.0 255.255.255.0 
access-list Panhandle_VPN extended permit ip host Panhandle_Phone_System any 
access-list Panhandle_VPN extended permit ip host Panhandle_Printer_Lanier any 
access-list Panhandle_VPN extended permit icmp Panhandle-10.1.1.0 255.255.255.0 any 
access-list Panhandle_VPN remark DNS Port 53
access-list Panhandle_VPN extended permit udp Panhandle-10.1.1.0 255.255.255.0 any eq domain 
access-list Panhandle_VPN remark Network Time Protocol
access-list Panhandle_VPN extended permit udp Panhandle-10.1.1.0 255.255.255.0 any eq ntp 
access-list Panhandle_VPN extended permit tcp Panhandle-10.1.1.0 255.255.255.0 host 10.0.0.4 eq smtp 
access-list Panhandle_VPN remark Port 443 HTTPS
access-list Panhandle_VPN extended permit tcp Panhandle-10.1.1.0 255.255.255.0 any eq https 
access-list Panhandle_VPN remark Terminal Server Connections
access-list Panhandle_VPN extended permit tcp Panhandle-10.1.1.0 255.255.255.0 any eq 3389 
access-list Panhandle_VPN remark Inscope Website
access-list Panhandle_VPN extended permit tcp Panhandle-10.1.1.0 255.255.255.0 any eq 8081 
access-list Panhandle_VPN extended permit object-group TCPUDP Panhandle-10.1.1.0 255.255.255.0 any object-group 135-139 
access-list Panhandle_VPN extended permit object-group TCPUDP Panhandle-10.1.1.0 255.255.255.0 any object-group DM_INLINE_TCPUDP_2 
access-list Panhandle_VPN extended permit object-group TCPUDP Panhandle-10.1.1.0 255.255.255.0 any object-group LDAP 
access-list Panhandle_VPN extended permit object-group TCPUDP Panhandle-10.1.1.0 255.255.255.0 any object-group DM_INLINE_TCPUDP_1 
access-list Panhandle_VPN remark TrendMicro Client-Server Port
access-list Panhandle_VPN extended permit object-group TCPUDP Panhandle-10.1.1.0 255.255.255.0 any object-group TrendMicro-OfficeScan 
access-list Panhandle_VPN remark TrendMicro Admin Website Port 8000
access-list Panhandle_VPN extended permit object-group TCPUDP Panhandle-10.1.1.0 255.255.255.0 any object-group TrendMicro-WebSite 
access-list Panhandle_VPN remark Port 80
access-list Panhandle_VPN extended permit object-group TCPUDP Panhandle-10.1.1.0 255.255.255.0 any eq www 
access-list Panhandle_VPN remark Tim Donovan - PC Anywhere
access-list Panhandle_VPN extended permit object-group TCPUDP Panhandle-10.1.1.0 255.255.255.0 any object-group PC-Anywhere_TimD 
pager lines 24
logging enable
logging list Custom-Log level debugging
logging asdm errors
logging from-address ASA5510@domain.com
logging recipient-address WPlotkin@domain.com level emergencies
logging facility 16
logging debug-trace
logging ftp-server 10.0.0.248 ASA5510 administrator ****
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN 192.168.25.100-192.168.25.150 mask 255.255.255.0
ip local pool Vendors 192.168.50.100-192.168.50.105 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list VPN_Clients
nat (Inside) 0 192.168.25.0 255.255.255.0
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface 3389 10.0.0.3 3389 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 8081 10.0.0.11 8081 netmask 255.255.255.255 
access-group Outside_access_in in interface Outside
access-group Inside_access_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 209.16.116.125 10
route Inside Jacksonville 255.255.255.0 10.0.0.254 1
route Inside 10.1.2.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.5.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.12.0 255.255.255.0 10.1.12.1 1
route Inside 10.1.15.0 255.255.255.0 10.1.15.1 1
route Inside 10.1.20.0 255.255.255.0 10.1.20.1 1
route Inside 10.1.35.0 255.255.255.0 10.1.35.1 1
route Inside 10.1.40.0 255.255.255.0 10.1.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server 10.0.0.2 protocol radius
aaa-server 10.0.0.2 (Inside) host Sihle-DC
 key ***********************
 radius-common-pw *************************
aaa-server Sihle-Domain protocol nt
aaa-server Sihle-Domain (Inside) host Sihle-DC
 nt-auth-domain-controller Sihle-DC
aaa authentication telnet console LOCAL 
aaa authorization command LOCAL 
http server enable
http 10.0.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 68.225.124.200 
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint2
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 subject-name CN=webvpn.domain.com,OU=webvpn,O=domain,C=US,St=Florida,L=Altamonte
 keypair webvpn.key
 crl configure
crypto ca server 
 shutdown
 cdp-url http://Ciscoasa.corp.domain.com/+CSCOCA+/asa_ca.crl
 issuer-name CN=Ciscoasa.corp.domain.com
 smtp from-address admin@Ciscoasa.corp.domain.com
crypto ca certificate chain ASDM_TrustPoint1
 certificate ca 0295baac7a
    cbdee178 4b6e72b4
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 0301
  quit
crypto ca certificate chain ASDM_TrustPoint3
 certificate 07487374
    9ce02658 33f9e0
  quit
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.0.0.2 10.0.0.5
dhcpd wins 10.0.0.2 10.0.0.2
dhcpd domain corp.domain.com
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
vpn load-balancing 
 interface lbpublic Inside
 interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint3 Outside
ssl trust-point ASDM_TrustPoint3 Outside vpnlb-ip
webvpn
 port 1021
 enable Outside
 dtls port 444
 csd image disk0:/csd_3.4.1108.pkg
 csd enable
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy Panhandle-Office internal
group-policy Panhandle-Office attributes
 vpn-filter value Panhandle_VPN
 vpn-tunnel-protocol IPSec svc 
group-policy DfltGrpPolicy attributes
 wins-server value 10.0.0.2
 dns-server value 10.0.0.2 10.0.0.5
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy vendor-access internal
group-policy vendor-access attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audio_Visual_VLAN_Only
 webvpn
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
group-policy Employees internal
 vpn-group-policy vendor-access
 vpn-access-hours none
 group-lock value Vendors
 service-type remote-access
 webvpn
  svc profiles none
username 
username
 vpn-group-policy DfltGrpPolicy
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool (Inside) VPN
 address-pool VPN
 authentication-server-group Sihle-Domain
 authentication-server-group (Inside) Sihle-Domain
 default-group-policy Employees
tunnel-group Employees webvpn-attributes
 group-alias Employees enable
tunnel-group Vendors type remote-access
tunnel-group Vendors general-attributes
 address-pool (Inside) Vendors
 address-pool Vendors
 authentication-server-group (Inside) LOCAL
 authorization-server-group LOCAL
 default-group-policy vendor-access
tunnel-group Vendors webvpn-attributes
 group-alias Vendors enable
tunnel-group 68.225.124.200 type ipsec-l2l
tunnel-group 68.225.124.200 general-attributes
 default-group-policy Panhandle-Office
tunnel-group 68.225.124.200 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 10.0.0.4
prompt hostname context 
Cryptochecksum:4a820ecafc8e7313d62312735f012207
: end
[+][-]06/16/09 01:35 PM, ID: 24642272Accepted Solution

View this solution now by starting your 30-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

About this solution

Zones: Network Routers, Virtual Private Networking (VPN), Networking Hardware Firewalls
Tags: Cisco ASA 5510 5505 VPN Routing Routes
Sign Up Now!
Solution Provided By: 3nerds
Participating Experts: 1
Solution Grade: A
 
[+][-]06/16/09 12:50 PM, ID: 24641826Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]06/16/09 01:00 PM, ID: 24641917Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]06/16/09 01:14 PM, ID: 24642065Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]06/16/09 05:35 PM, ID: 24643903Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]06/17/09 06:05 AM, ID: 24647680Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]06/17/09 07:39 AM, ID: 24648719Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]06/17/09 08:09 AM, ID: 24649083Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]06/17/09 08:21 AM, ID: 24649254Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]06/17/09 09:14 AM, ID: 24649813Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]06/17/09 09:17 AM, ID: 24649844Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]06/17/09 12:27 PM, ID: 24651598Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]06/17/09 12:37 PM, ID: 24651711Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]06/17/09 07:13 PM, ID: 24654103Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]06/18/09 05:40 AM, ID: 24656784Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
 
Loading Advertisement...
20091111-EE-VQP-92 - Hierarchy / EE_QW_3_20080625