Advertisement

10.15.2008 at 08:51AM PDT, ID: 23817115
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
8.2

VPN to WAN Routing with Cisco ASA

Asked by Summit-IT in Cisco PIX Firewall, Miscellaneous Networking

Tags: , , ,

We have multiple sites connected via an MPLS Connection.  My Main site has an ASA 5520, but the MPLS is connected to a Layer 3 switch which is then connected to the inside interface of the ASA.

If i static a pc on my lan with 10.1.1.111 (layer 3 switch) as the gateway, i can route traffic over the MPLS as seen below:
C:\Documents and Settings\ms>tracert company-dc1

Tracing route to company-dc1.ses.int [10.1.32.25]
over a maximum of 30 hops:

  1    11 ms     1 ms     1 ms  10.1.1.111  (Layer 3 switch)
  2     2 ms     2 ms     2 ms  10.1.1.252  (MPLS Router)
  3    53 ms    62 ms    60 ms  172.20.0.1
  4    83 ms    81 ms    72 ms  172.20.0.17
  5    93 ms    90 ms   134 ms  172.20.0.18  (ASA at destination)
  6    96 ms    91 ms    88 ms  company-dc1.ses.int [10.1.32.25]

I havent figured out how to route the VPN traffic over the MPLS.  Tracert goes nowhere.Start Free Trial 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:
385:
386:
387:
388:
389:
390:
391:
392:
393:
394:
395:
396:
397:
398:
399:
400:
401:
402:
403:
404:
405:
406:
407:
408:
409:
410:
411:
412:
413:
414:
415:
416:
417:
418:
419:
420:
421:
422:
423:
424:
425:
426:
427:
428:
429:
430:
431:
432:
433:
434:
435:
436:
437:
438:
439:
440:
441:
442:
443:
444:
445:
446:
447:
448:
449:
450:
451:
452:
453:
454:
455:
456:
457:
458:
459:
460:
461:
462:
463:
464:
465:
466:
467:
468:
469:
470:
471:
472:
473:
474:
475:
476:
477:

ASA Version 8.0(3) 
!
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside Interface - Internet
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.224 
 ospf cost 10
!
interface GigabitEthernet0/1
 description Inside interface -
 nameif inside
 security-level 100
 ip address 10.1.1.10 255.255.252.0 
 ospf cost 10
!
interface GigabitEthernet0/2
 description Subnetted Network for Internet Applications (DMZ)
 nameif intf2
 security-level 4
 ip address 10.1.4.1 255.255.255.0 
 ospf cost 10
!
interface GigabitEthernet0/3
 description VOIP to PBX w/ No Nat
 nameif PBX_VOIP
 security-level 1
 ip address xx.xx.xx.xx 255.255.255.248 
 ospf cost 10
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
 
boot system disk0:/asa803_01112008.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxx.xxx
object-group service Platts tcp
 description Platts Internal Access 
 port-object eq 1838
 port-object range pptp 1726
 port-object eq 700
object-group service GlobalView tcp
 port-object eq 700
 port-object range pptp 1727
object-group service Polycom tcp-udp
 description Polycom Video Conferencing
 port-object range 1503 1503
 port-object range 1720 1720
 port-object range 3230 3237
 port-object range sip sip
object-group service SC_PEM tcp
 description SurfControl_PEM Ports
 port-object range 8282 8282
 port-object range 8663 8663
object-group service SC_PEM_TCP-UDP tcp-udp
 description SC_PEM_TCP-UDP
 port-object range 8282 8282
 port-object range 8663 8663
object-group service 8282 tcp-udp
 description 8282
 port-object range 8281 8283
object-group service 8663 tcp-udp
 description 8663
 port-object range 8662 8664
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Polycom_HDX
 description Polycom_HDX
 service-object tcp-udp range 1024 65535 
 service-object tcp-udp range 161 162 
 service-object tcp-udp eq 389 
 service-object tcp-udp eq 5001 
 service-object tcp-udp eq www 
 service-object tcp-udp eq sip 
 service-object tcp eq 1503 
 service-object tcp eq 1718 
 service-object tcp eq 1719 
 service-object tcp eq 1731 
 service-object tcp eq 24 
 service-object tcp eq 3601 
 service-object tcp eq 8080 
 service-object tcp eq h323 
 service-object tcp eq https 
 service-object tcp eq ldaps 
 service-object tcp eq telnet 
 service-object udp eq ntp 
 service-object udp eq syslog 
 service-object udp 
access-list deny-flow-max 143
access-list intf2 extended permit icmp 10.1.4.0 255.255.255.0 any 
access-list intf2 extended permit ip 10.1.4.0 255.255.255.0 any 
access-list no-nat extended permit ip 10.1.4.0 255.255.255.0 10.1.0.0 255.255.252.0 
access-list no-nat extended permit ip 10.1.4.0 255.255.255.0 172.21.246.0 255.255.255.0 
access-list no-nat-inside extended permit ip any 10.1.4.0 255.255.255.0 
access-list no-nat-inside extended permit ip any 172.21.246.0 255.255.255.0 
access-list no-nat-inside extended permit ip interface inside 172.21.246.0 255.255.255.0 
access-list no-nat-inside extended permit ip any xx.xx.xx.xx 255.255.255.248 
access-list 120 extended permit ip 10.1.0.0 255.255.248.0 172.21.246.0 255.255.255.0 
access-list 120 extended permit ip 172.21.246.0 255.255.255.0 10.1.0.0 255.255.248.0 
access-list inbound extended permit icmp any any 
access-list inbound extended permit udp host xx.xx.xx.xx host 0.0.0.0 inactive 
access-list inbound remark Dameware to Test Web Server
access-list inbound extended permit tcp any eq 6129 host xx.xx.xx.xx 
access-list inbound remark FTP to Test Web Server
access-list inbound extended permit tcp any eq ftp host xx.xx.xx.xx 
access-list inbound remark Dameware to Test Web Server
access-list inbound extended permit tcp any eq 6129 host xx.xx.xx.xx 
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit udp any host xx.xx.xx.xx eq 3456 
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 3456 
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx range 60256 60511 
access-list inbound remark NeaxIPS2000 IP Phone Traffic
access-list inbound extended permit udp any host xx.xx.xx.xx range 60000 60254 
access-list inbound remark Production FTP Server
access-list inbound extended permit tcp any host xx.xx.xx.xx eq ftp 
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq telnet 
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 6544 
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 7437 
access-list inbound remark Metering Solution
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 2020 
access-list inbound remark Metering Solution
access-list inbound extended permit udp any host xx.xx.xx.xx eq 7437 
access-list inbound remark Metering Solution
access-list inbound extended permit udp any host xx.xx.xx.xx eq 2020 
access-list inbound remark Public .Net Application Server HTTP (Public Web, DV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Public .Net Application Server HTTP (Public Web Beta)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Waterman Redirect HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Waterman Redirect HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Test Web Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Rockwell Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Rockwell HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Test Web Server HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark UAT Web Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Polycom_HDX_Acess
access-list inbound extended permit object-group Polycom_HDX any host xx.xx.xx.xx log debugging 
access-list inbound remark UAT Web Server HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark RMDV Server HTTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark RMDV Server HTTPS
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark RMDV Server RDP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 3389 
access-list inbound remark Test Web Server FTP allow Ground Zero Network
access-list inbound extended permit tcp any host xx.xx.xx.xx eq ftp 
access-list inbound remark Test Web Server RDP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 3389 
access-list inbound remark Public .Net Application Server HTTPS (Public Web, DV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Public .Net Application Server HTTP (SV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Public .Net Application Server HTTP (SV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Temporary  Public .Net Application Server HTTP (Sourceview) - Maintenance Page
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Secondary Public .Net Application Server Secure HTTP Access (Sourceviewbeta)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Secondary Public .Net Application Server Secure HTTPS Access (Sourceviewbeta)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Public Java Application Server HTTP Access (RMDV)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Polycom 8000
access-list inbound extended permit object-group TCPUDP any host xx.xx.xx.xx object-group Polycom 
access-list inbound remark Live Meeting Portal (Unsecure for Redirect to SSL)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Live Meeting Portal
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Kimball Public Web
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Kimball Public Web (Secure)
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Kimball FTP
access-list inbound extended permit tcp any host xx.xx.xx.xx eq ftp 
access-list inbound remark Front End Exchange Email Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq smtp 
access-list inbound remark Front End Exchange Web Email Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq www 
access-list inbound remark Front End Exchange Secure Email Traffic
access-list inbound extended permit tcp any host xx.xx.xx.xx eq https 
access-list inbound remark Surf Control 8282
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 8282 
access-list inbound remark Surf Control 8663
access-list inbound extended permit tcp any host xx.xx.xx.xx eq 8663 
access-list inbound remark Xodiax Access for monitoring Exchange Web
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq www 
access-list inbound remark Xodiax Access for monitoring Secure Exchange Web
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq https 
access-list inbound remark Xodiax Access for monitoring Exchange
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq smtp 
access-list inbound remark Xodiax Access for monitoring Exchange SMTP Anti-Virus Service
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 26 
access-list inbound remark Xodiax Access for monitoring Exchange SMTP Spam Filtering Service
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 27 
access-list inbound remark Xodiax Access for monitoring Secure Exchange Web
access-list inbound remark Xodiax Access for monitoring Exchange
access-list inbound remark Xodiax Access for monitoring Application (RMDV)
access-list inbound extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq www 
access-list inbound remark Allow all traffic from internet to PBX Network Only
access-list inbound extended permit ip any xx.xx.xx.xx 255.255.255.248 
access-list inbound remark Test WebServer 2
access-list inbound extended permit ip any host 10.1.1.241 
access-list ips extended permit ip any any 
access-list outside_cryptomap_dyn_30 extended permit ip interface inside 172.21.246.0 255.255.255.0 
access-list outside_nat0_inbound extended permit ip any xx.xx.xx.xx 255.255.255.248 
access-list 100 extended permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq https 
access-list 100 extended permit tcp host xx.xx.xx.xx eq https host xx.xx.xx.xx
access-list test extended permit ip host 10.1.2.29 any 
access-list test extended permit ip host xx.xx.xx.xx host 10.1.2.29 
access-list test extended permit ip host xx.xx.xx.xx host 10.1.2.29 
access-list test extended permit ip host xx.xx.xx.xx host 10.1.2.29 
access-list outside_cryptomap_dyn_50 extended permit ip any 172.21.246.0 255.255.255.0 
access-list outside_cryptomap_dyn_70 extended permit ip any 172.21.246.0 255.255.255.0 
access-list 101 extended permit tcp 10.0.0.0 255.0.0.0 host xx.xx.xx.xx eq https 
access-list 101 extended permit tcp host 63.227.188.23 eq https 10.0.0.0 255.0.0.0 
access-list PBX_VOIP_access_in remark Allow all incoming VOIP Traffic
access-list PBX_VOIP_access_in extended permit ip any any 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list test1 extended permit ip host xx.xx.xx.xx host xx.xx.xx.xx 
access-list capture extended permit tcp any eq www host xx.xx.xx.xx 
access-list capture extended permit tcp host 10.1.31.222 any eq www 
access-list capout extended permit tcp host xx.xx.xx.xx any 
access-list capout extended permit tcp any host xx.xx.xx.xx 
access-list capout extended permit tcp any host xx.xx.xx.xx eq www 
access-list capout extended permit tcp host xx.xx.xx.xx eq www any 
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging host inside 10.1.1.54
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu PBX_VOIP 1500
ip local pool companyvpn 172.21.246.1-172.21.246.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm603.bin
asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 10.0.0.0 255.0.0.0
nat (intf2) 0 access-list no-nat
nat (intf2) 1 10.1.4.0 255.255.255.0
static (inside,outside) xx.xx.xx.xx 10.1.1.77 netmask 255.255.255.255 tcp 0 224 
static (intf2,outside) xx.xx.xx.xx 10.1.4.155 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.149 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.0.110 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.3.230 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.241 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.250 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.100 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.150 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.152 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.153 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.200 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.102 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.222 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.37 netmask 255.255.255.255 tcp 0 224 
static (inside,outside) xx.xx.xx.xx 10.1.1.195 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.43 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.17 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.65 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.239 netmask 255.255.255.255 
static (inside,outside) xx.xx.xx.xx 10.1.1.60 netmask 255.255.255.255 
static (intf2,outside) xx.xx.xx.xx 10.1.4.103 netmask 255.255.255.255 
access-group inbound in interface outside
access-group intf2 in interface intf2
access-group PBX_VOIP_access_in in interface PBX_VOIP
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 10.1.0.0 255.255.0.0 10.1.1.252 1
route inside 10.1.16.0 255.255.248.0 10.1.1.252 1
route inside 10.1.24.0 255.255.248.0 10.1.1.252 1
route inside 10.1.32.0 255.255.248.0 10.1.1.111 1
route inside 172.22.0.0 255.255.255.0 10.1.1.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SDI protocol sdi
aaa-server SDI host 10.1.1.253
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
aaa local authentication attempts max-fail 10
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1460
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
crypto dynamic-map dynmap 50 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 70 match address outside_cryptomap_dyn_70
crypto dynamic-map dynmap 70 set transform-set ESP-3DES-SHA
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update type Windows url http://xx.xx.xx.xx/updates/CiscoVPN/4.8.00.0440/setup.exe rev-nums vpnclient-win-is-4[1].7.00.0533-k9.exe
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh xx.xx.xx.xx 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.1.4.0 255.255.255.0 intf2
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
wccp web-cache password 1CISCO
wccp interface inside web-cache redirect in
ntp server xx.xx.xx.xx source outside
ntp server xx.xx.xx.xx source outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 300
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec svc webvpn
 password-storage enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask enable
  customization value DfltCustomization
group-policy companyssl internal
group-policy companyssl attributes
 dns-server value 10.1.1.25
 vpn-tunnel-protocol svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int 
group-policy companypix internal
group-policy companypix attributes
 dns-server value 10.1.1.72
 vpn-simultaneous-logins 300
 vpn-idle-timeout 30
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int 
group-policy companyrsa internal
group-policy companyrsa attributes
 dns-server value 10.1.1.72
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int 
group-policy ctepl internal
group-policy ctepl attributes
 dns-server value 10.1.1.72
 vpn-simultaneous-logins 300
 vpn-idle-timeout 30
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value ses.int
 split-dns value ses.int 
 
 
 vpn-group-policy companyrsa
 
 vpn-group-policy ctepl
 
 address-pool xxvpn
 authentication-server-group SDI
 default-group-policy xxssl
tunnel-group xxpix type remote-access
tunnel-group xxpix general-attributes
 address-pool xxvpn
 default-group-policy xxrsa
tunnel-group companypix ipsec-attributes
 pre-shared-key *
tunnel-group companyrsa type remote-access
tunnel-group companyrsa general-attributes
 address-pool companyvpn
 authentication-server-group SDI
 default-group-policy companyrsa
tunnel-group companyrsa ipsec-attributes
 pre-shared-key *
tunnel-group ctepl type remote-access
tunnel-group ctepl general-attributes
 address-pool companyvpn
 default-group-policy ctepl
tunnel-group ctepl ipsec-attributes
 pre-shared-key *
tunnel-group iPhone type remote-access
tunnel-group iPhone general-attributes
 address-pool companyvpn
tunnel-group iPhone ipsec-attributes
 pre-shared-key *
!
class-map ips
 match access-list ips
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
 class ips
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:96eac25b09b117063bec2294cc9faa5c
: end
[+][-]10.15.2008 at 02:19PM PDT, ID: 22726023

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 14-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]10.15.2008 at 02:51PM PDT, ID: 22726346

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 14-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]10.15.2008 at 03:01PM PDT, ID: 22726435

View this solution now by starting your 14-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: Cisco PIX Firewall, Miscellaneous Networking
Tags: Cisco, ASA, 5520, VPN to WAN Routing with Cisco ASA
Sign Up Now!
Solution Provided By: lrmoore
Participating Experts: 1
Solution Grade: A
 
 
[+][-]10.17.2008 at 10:51AM PDT, ID: 22743376

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 14-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]10.28.2008 at 06:12AM PDT, ID: 22821330

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 14-day free trial to view this Author Comment or ask the Experts your question.

 
 
Loading Advertisement...
20081112-EE-VQP-43 - Hierarchy / EE_QW_2_20070628