ASA 5505 IPSec VPN issue

Asked by rgonser in Cisco PIX Firewall, Virtual Private Networking (VPN), Networking Hardware Firewalls

Tags: IPSec, VPN, ASA

Hello All,

I'm having problems; here is what I need:

I have someone at "XO comm" that runs a program that needs to access my 172.16.9.0/24 network; they do not need access to my 192.168.1.0/24 network. However, I created an IPsec VPN for that, and it doesn't allow me to talk to the 172 network. Any ideas? Sorry for my bad art; I thought the diagram would explain it better!

THANK YOU!

ASA Version 8.0(4) 
!
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 7.1.4.6 255.255.255.248 
!
interface Vlan3
 description Connects to the Shell Robot PLC
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.9.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login AUTHORIZED ACCESS ONLY
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.6
 domain-name KCI.COM
object-group service WebServices tcp
 description DNS, HTTP, HTTPS, FTP
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service iMacServices tcp
 port-object eq aol
 port-object eq 587
 port-object eq 995
 port-object eq 26002
 port-object eq 5678
 port-object eq 465
object-group service VNC tcp
 port-object range 5800 5900
object-group service DM_INLINE_TCP_2 tcp
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq pop3
 port-object eq smtp
access-list outside_access_in extended permit icmp any 67.91.154.104 255.255.255.248 
access-list outside_access_in remark Allows only MXLogic to be able to connect to our email server.
access-list outside_access_in extended permit tcp 208.65.144.0 255.255.248.0 interface outside eq smtp 
access-list outside_access_in remark Allows MXLogic Server to Connect
access-list outside_access_in extended permit tcp host 208.65.144.245 interface outside eq smtp 
access-list KovatchCastings_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.16.9.0 255.255.255.0 10.254.254.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.254.254.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 172.16.9.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.254.254.0 255.255.255.240 
access-list inside_access_in remark Allows ONLY KCI-FNP to transmit outbound email (blackberry)
access-list inside_access_in extended permit tcp host 192.168.1.2 any eq smtp 
access-list inside_access_in remark Allows ONLY AS/400 to transmit outbound email
access-list inside_access_in extended permit tcp host 192.168.1.1 any eq smtp 
access-list inside_access_in extended permit udp any eq domain 192.168.1.0 255.255.255.0 
access-list inside_access_in remark Allows WebServices (HTTP, HTTPS, and FTP)
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group WebServices 
access-list inside_access_in remark Required for FileSrvG2 to operate with BlackBerry SRP
access-list inside_access_in extended permit tcp host 192.168.1.2 any eq 3101 
access-list inside_access_in remark Allows KCI to make DNS queries to Internet servers
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain 
access-list inside_access_in remark Allows Rob Gonser to pull/send RoadRunner email
access-list inside_access_in extended permit tcp host 192.168.1.125 75.180.132.0 255.255.255.0 object-group DM_INLINE_TCP_2 
access-list inside_access_in remark John Kleinhenz Outlook Windstream (email)
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 166.102.165.0 255.255.255.0 object-group DM_INLINE_TCP_3 
access-list inside_access_in extended permit tcp host 192.168.1.10 any object-group iMacServices 
access-list inside_access_in extended permit udp host 192.168.1.10 any 
access-list inside_access_in remark Allow outbound access to FlashMail
access-list inside_access_in extended permit tcp any host 131.123.247.97 eq 8008 
access-list inside_access_in remark BettsIND.com
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 host 65.110.96.32 
access-list IPSEC-USERS_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm informational
logging from-address cisco-asa@kovatchcastings.com
logging recipient-address david.mathis@kovatchcastings.com level critical
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPool 10.254.254.1-10.254.254.10 mask 255.255.255.0
ip local pool RobotVPN-Pool 172.16.9.100-172.16.9.110 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.91.154.105 1
route dmz 172.16.9.0 255.255.255.0 172.16.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server FileSrvG4 protocol ldap
aaa-server FileSrvG4 (inside) host 192.168.1.6
 server-type auto-detect
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_DES_SHA ESP-DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map robotplc_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map robotplc_map interface dmz
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn vpn.kovatchcastings.com
 email tech.support@kovatchcastings.com
 subject-name CN=vpn.kovatchcastings.com,OU=MIS,O=Kovatch Castings Inc,C=US,St=Ohio,L=Uniontown,EA=tech.support@kovatchcastings.com
 ip-address 65.116.196.139
 keypair kovatch-asa
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn Kovatch-ASA
 subject-name CN=kcastings.skylan.net
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 5e4dcee845004e479117b93b90eaf197
  quit
crypto ca certificate chain ASDM_TrustPoint2
 certificate ca 01
  quit
crypto isakmp identity address 
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 5
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable inside
 enable outside
 csd image disk0:/securedesktop-asa-3.2.0.136-k9.pkg
 svc image disk0:/sslclient-win-1.1.4.176.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.2
 dns-server value 192.168.1.6
 vpn-simultaneous-logins 7
 default-domain value KCI.COM
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value VPNPool
 webvpn
  homepage value http://CITRIX1.KCI.COM/Citrix/MetaFrame/auth/login.aspx
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy VendorGrpPolicy internal
group-policy VendorGrpPolicy attributes
 banner none
 wins-server value 192.168.1.2
 dns-server value 192.168.1.6
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 7
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value KCI.COM
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 vlan none
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value VPNPool
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  url-list none
  filter none
  homepage value http://CITRIX1.KCI.COM/Citrix/MetaFrame/auth/login.aspx
  port-forward name Application Access
  mapi disable
  http-proxy disable
  sso-server none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  svc modules none
  svc profiles none
  svc ask none default webvpn
  customization value DfltCustomization
  keep-alive-ignore 4
  http-comp gzip
  user-storage none
  storage-objects value cookies,credentials
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  file-entry enable
  file-browsing enable
  url-entry enable
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  smart-tunnel auto-signon disable
username terrar password yXn4/Pxlf9JDDXON encrypted
username barbk password DwL.ixm5YMfXTQj2 encrypted
username frankl password BCXjIvSQaufm9syt encrypted
username admin password HMZXO7wYcE4p3Kzr encrypted privilege 15
username davide password rFQXvjXaXW6ysS/5 encrypted
username johnkl password GlZCaTHHbRIzL1EX encrypted
username darren.ash password B.LahK4jiYLMYj66 encrypted
username darren.ash attributes
 webvpn
  customization value DfltCustomization
username dmathis password qQgzr2DrB2ZBFwQk4OOLHQ== nt-encrypted
username dougk password smrpSjpJUMHc5W2c encrypted
username markb password gJOhbxp7tL26QGi2 encrypted
username mattn password H2QFHNn1YzVJHSfJ encrypted
username markn password f5zr1g7SK2.iu0QO encrypted
username bobbieb password P13K1Mwodcquao4F encrypted
username bobbic password rkwTQaT0k6xRXLj/ encrypted
username robg password Orw.iGJpy97RpMMa encrypted
username bobe password 0wasy/MlZmdIBpJY encrypted
username nancyc password HZqEoSmwgeF3.V8G encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) RobotVPN-Pool
 address-pool (outside) RobotVPN-Pool
 address-pool VPNPool
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key test
 peer-id-validate nocheck
 isakmp keepalive disable
 isakmp ikev1-user-authentication none
tunnel-group KCI-VPN type remote-access
tunnel-group KCI-VPN general-attributes
 address-pool VPNPool
tunnel-group KCI-VPN ipsec-attributes
 pre-shared-key pezz!fu$!
tunnel-group KCI-VENDOR type remote-access
tunnel-group KCI-VENDOR general-attributes
 address-pool VPNPool
 default-group-policy VendorGrpPolicy
tunnel-group KCI-VENDOR ipsec-attributes
 pre-shared-key tabs3743kova!
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 192.168.1.1
prompt hostname context 
Cryptochecksum:092a3262df8f014ac9041a5c33ab745b
: end
Attachments:
Diagram of my network setup
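As an added example (not code from the question or from the accepted solution), this Python script reads an excerpt of the posted ASA configuration and reports the settings a reviewer would check first when a remote-access client cannot reach a directly connected subnet, or reaches more than intended: a VPN pool carved out of an interface subnet (RobotVPN-Pool lies inside the dmz network 172.16.9.0/24), a group policy that tunnels everything with no vpn-filter, a short pre-shared key on DefaultRAGroup, and an ISAKMP policy that still allows DES/MD5/group 1. The function names, the 12-character key threshold and the trimmed config excerpt are my own.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 5505 running-config posted in the question:
# only the lines the checks below read, not the whole configuration.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 nameif dmz
 ip address 172.16.9.1 255.255.255.0
ip local pool VPNPool 10.254.254.1-10.254.254.10 mask 255.255.255.0
ip local pool RobotVPN-Pool 172.16.9.100-172.16.9.110 mask 255.255.255.0
crypto isakmp policy 20
 encryption des
 hash md5
 group 1
group-policy VendorGrpPolicy attributes
 vpn-filter none
 split-tunnel-policy tunnelall
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key test
"""

def parse_blocks(text):
    """Split ASA config text into (top-level line, [indented sub-lines]) blocks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def interface_subnets(blocks):
    """Map each nameif to the ip_network configured on that interface."""
    nets = {}
    for header, body in blocks:
        if header.startswith("interface "):
            fields = {line.split()[0]: line.split() for line in body}
            if "nameif" in fields and "ip" in fields:
                ip, mask = fields["ip"][2:4]
                nets[fields["nameif"][1]] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")

def pools_inside_interface_subnets(blocks, nets):
    """(pool, nameif) pairs where a VPN address pool is carved out of a directly connected subnet."""
    hits = []
    for m in filter(None, (POOL_RE.match(h) for h, _ in blocks)):
        ends = [ipaddress.ip_address(m.group(i)) for i in (2, 3)]
        hits += [(m.group(1), nameif) for nameif, net in nets.items() if any(a in net for a in ends)]
    return hits

def weak_isakmp_policies(blocks):
    """ISAKMP policy numbers that still allow single DES, MD5 or DH group 1."""
    return [int(h.split()[-1]) for h, body in blocks
            if h.startswith("crypto isakmp policy ") and {"encryption des", "hash md5", "group 1"} & set(body)]

def short_pre_shared_keys(blocks, min_len=12):
    """Tunnel groups whose IKE pre-shared key is shorter than min_len (12 is my own threshold)."""
    return [h.split()[1] for h, body in blocks
            if h.startswith("tunnel-group ") and h.endswith(" ipsec-attributes")
            and any(l.startswith("pre-shared-key ") and len(l.split(None, 1)[1]) < min_len for l in body)]

def tunnelall_without_filter(blocks):
    """Group policies that tunnel all client traffic yet apply no vpn-filter ACL."""
    return [h.split()[1] for h, body in blocks
            if h.startswith("group-policy ") and h.endswith(" attributes")
            and "vpn-filter none" in body and "split-tunnel-policy tunnelall" in body]

def audit(text=ASA_CONFIG):
    """Run every check on a config and return the findings keyed by check name."""
    blocks = parse_blocks(text)
    return {"pool_inside_interface_subnet": pools_inside_interface_subnets(blocks, interface_subnets(blocks)),
            "weak_isakmp_policies": weak_isakmp_policies(blocks),
            "short_pre_shared_keys": short_pre_shared_keys(blocks),
            "tunnelall_without_filter": tunnelall_without_filter(blocks)}
```

Pass the full running-config text to audit() to check every tunnel-group and group-policy rather than only the excerpt embedded here.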
08/06/09 06:39 AM, ID: 25033150, Accepted Solution
Solution Provided By: Jay_Gridley
Participating Experts: 3
Solution Grade: A
 
Other comments in this thread:
08/05/09 01:13 PM, ID: 25027613, Expert Comment
08/05/09 01:24 PM, ID: 25027734, Author Comment
08/06/09 03:00 AM, ID: 25031566, Expert Comment
08/06/09 05:03 AM, ID: 25032229, Author Comment
08/06/09 06:52 AM, ID: 25033303, Author Comment
08/06/09 07:03 AM, ID: 25033451, Expert Comment
08/06/09 07:37 AM, ID: 25033882, Author Comment
08/06/09 07:59 AM, ID: 25034189, Author Comment
08/06/09 08:05 AM, ID: 25034273, Author Comment
08/07/09 01:38 PM, ID: 25046701, Expert Comment
08/10/09 05:01 AM, ID: 25059058, Author Comment
08/10/09 07:31 AM, ID: 25060217, Author Comment
08/10/09 11:11 AM, ID: 25062413, Assisted Solution