Question

VNC through ASA 5520

Asked by: hoshie329

I am trying to allow VNC through my ASA.

I have a policy that allows traffic full access to both the local and remote networks.

Every time I try to VNC to one of the machines I get the following error:

6      Oct 22 2009      08:54:58      109025      10.165.165.238      4663      10.165.180.20      5900      Authorization denied (acl=Texas_Users) for user '<unknown>' from 10.165.165.238/4663 to 10.165.180.20/5900 on interface Inside using TCP

If I change the ACE to IP instead of TCP/5900 it works, but my boss wants it more restricted.

I have the access list attached:

access-list ibttxspartner_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list ibttxspartner_splitTunnelAcl remark Permits access to the network server, restrictions applied by group policy Texas_Users
 
access-list Texas_Users extended permit icmp any any echo 
access-list Texas_Users extended permit icmp any any echo-reply 
access-list Texas_Users extended permit icmp any any traceroute 
access-list Texas_Users extended permit icmp any any time-exceeded 
access-list Texas_Users extended permit icmp any any unreachable 
access-list Texas_Users extended permit object-group TCPUDP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900 
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_1 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 
access-list Texas_Users remark HTTP
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq www 
access-list Texas_Users remark HTTPS
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq https 
access-list Texas_Users remark FTP Access
access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 host 10.165.165.98 eq ftp 
access-list Texas_Users remark Ftp Access
access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 host 10.165.165.98 eq ftp-data 
access-list Texas_Users extended permit tcp host 10.165.165.98 10.165.180.0 255.255.255.0 eq ftp 
access-list Texas_Users extended permit tcp host 10.165.165.98 10.165.180.0 255.255.255.0 eq ftp-data 
access-list Texas_Users remark SNF .47 Access
access-list Texas_Users extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.47 
access-list Texas_Users remark Snf .48 Access
access-list Texas_Users extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.48 
access-list Texas_Users remark SNF .49 Access
access-list Texas_Users extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.49 
access-list Texas_Users extended deny ip any any



Asked On: 2009-10-22 at 07:11:33
ID: 24834567
Tags: VNC, ASA
Topics: VNC Remote Access Software, Cisco PIX Firewall
Participating Experts: 3
Points: 0
Comments: 27


Answers

 

by: rsivanandan, posted on 2009-10-22 at 08:37:57, ID: 25635461

Instead of that object-group, have you tried just with tcp/5900?

When you put in that ACL, can you try to do this:

telnet <remote-ip> 5900 and hit enter,

Cheers,
rsivanandan

 

by: hoshie329, posted on 2009-10-22 at 09:02:06, ID: 25635754

Yes, I have tried it both ways... I just tried it again and then tried to use the telnet command above.
Telnet returns the message "could not open connection to host"....

The ASA log is showing

Authorization denied (acl=Texas_Users) for user '<unknown>' from 10.165.165.238/1368 to 10.165.180.20/5900 on interface Inside using TCP

 

by: PeteLong, posted on 2009-10-22 at 09:16:28, ID: 25635900

The VNC client uses TCP port 5900 - but if you're using the "VNC web client" then it can use 5800 to 5899 AND 5900.

 

by: Grape_Soda, posted on 2009-10-22 at 09:19:51, ID: 25635941

When you say you tried it both ways, did you make a separate statement for TCP and UDP, or only make a statement for TCP? So your above config has:

access-list Texas_Users extended permit object-group TCPUDP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

Have you tried

access-list Texas_Users extended permit object-group TCP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

access-list Texas_Users extended permit object-group UDP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

or did you just try

access-list Texas_Users extended permit object-group TCP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

Many applications will initiate using UDP and then traverse to TCP....An IP statement would include both.

Hope this helps!

 

by: Grape_Soda, posted on 2009-10-22 at 09:23:57, ID: 25635995

Sorry, I meant to edit out the object-group and just write it as:

access-list Texas_Users extended permit TCP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

access-list Texas_Users extended permit UDP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

 

by: hoshie329, posted on 2009-10-22 at 09:32:17, ID: 25636079

I tried the second configuration option above.

I just put in both the TCP and UDP statements copied from the last post.

I am still getting the same error message.

Thanks for looking at this,
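The 109025 message in this thread names the ACL the ASA evaluated (Texas_Users) and the flow it refused: the inside host 10.165.165.238 connecting to 10.165.180.20 on port 5900, while every 5900 ACE posted so far is written with 10.165.180.0/24 as the source and "eq 5900" on the vlan165 side. The Python checker below is an added example, not code from the thread: it parses those ACEs (resolving the vlan165 name from the posted config) and the syslog line, then evaluates the flow both as logged and with the endpoints swapped. The swapped orientation is an assumption about how a filter written with the .180 network as source would have to see an inside-originated connection; under it, neither the tcp nor the udp "eq 5900" ACE matches because 5900 is the port on the .180 side, whereas a "permit ip" ACE, or an ACE carrying "eq 5900" after the 10.165.180.0 network, does.

```python
import ipaddress
import re

# Constructed from the thread: the 'name' alias the ACL relies on, the plain
# tcp/udp ACEs for port 5900 (as in the posted config and Grape_Soda's post),
# one of the 'permit ip' ACEs, the explicit deny, and the 109025 syslog line.
NAMES = {"vlan165": "10.165.165.0"}
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20}

ACL_LINES = [
    "access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900",
    "access-list Texas_Users extended permit udp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900",
    "access-list Texas_Users extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.47",
    "access-list Texas_Users extended deny ip any any",
]

SYSLOG = ("Authorization denied (acl=Texas_Users) for user '<unknown>' from "
          "10.165.165.238/4663 to 10.165.180.20/5900 on interface Inside using TCP")

LOG_RE = re.compile(r"from (\S+)/(\d+) to (\S+)/(\d+) on interface \S+ using (\w+)")


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host X | X MASK); names are resolved."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(NAMES.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    return ipaddress.ip_network(f"{NAMES.get(tok, tok)}/{tokens[i + 1]}"), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' qualifier; returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(PORT_NAMES.get(tokens[i + 1], tokens[i + 1])), i + 2
    return None, i


def parse_ace(line):
    """Parse one extended ACE into a dict; remarks and object-group ACEs are skipped."""
    tokens = line.split()
    if "extended" not in tokens or "object-group" in tokens:
        return None
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    sport, i = _parse_port(tokens, i)      # a port here qualifies the SOURCE side
    dst, i = _parse_addr(tokens, i)
    dport, _ = _parse_port(tokens, i)      # a trailing port qualifies the DESTINATION
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace, proto, src, sport, dst, dport):
    """True when a single flow tuple falls inside the ACE."""
    if ace["proto"] not in ("ip", proto):
        return False
    if src not in ace["src"] or dst not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != sport:
        return False
    return ace["dport"] is None or ace["dport"] == dport


def evaluate(acl_lines, proto, src, sport, dst, dport):
    """First-match ACL evaluation; returns (action, matching line), implicit deny at the end."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace and ace_matches(ace, proto, src, sport, dst, dport):
            return ace["action"], line
    return "deny", None


def parse_109025(line):
    """Pull (proto, src, sport, dst, dport) out of a %ASA-6-109025 message."""
    src, sport, dst, dport, proto = LOG_RE.search(line).groups()
    return (proto.lower(), ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport))


def check_flow(acl_lines, syslog_line):
    """Evaluate the logged flow as seen (inside host -> .180 host) and with the
    endpoints swapped, which is how a filter written with the .180 network as
    source would have to see an inside-originated connection (assumption)."""
    proto, src, sport, dst, dport = parse_109025(syslog_line)
    return {
        "as_logged": evaluate(acl_lines, proto, src, sport, dst, dport)[0],
        "swapped": evaluate(acl_lines, proto, dst, dport, src, sport)[0],
    }


if __name__ == "__main__":
    print("posted ACL:", check_flow(ACL_LINES, SYSLOG))
    # Candidate ACE with the 5900 qualifier on the .180 (listening) side instead.
    candidate = ["access-list Texas_Users extended permit tcp "
                 "10.165.180.0 255.255.255.0 eq 5900 vlan165 255.255.255.0"]
    print("port on .180 side:", check_flow(candidate + ACL_LINES, SYSLOG))
```

The object-group form from the question is skipped by the parser, so expand such lines into plain tcp/udp ACEs by hand before feeding them in.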

 

by: rsivanandan, posted on 2009-10-22 at 09:56:31, ID: 25636328

Can you post your complete configuration here?

Cheers,
rsivanandan

 

by: hoshie329, posted on 2009-10-22 at 10:18:13, ID: 25636576

I have attached the configuration:

ASA Version 8.0(4) 
!
hostname SpfldASA
domain-name l1esd.com
 
 
name 10.165.160.0 vlan160 description Front Fingerprint Room
name 10.165.161.0 vlan161 description IBT Management
name 10.165.162.0 vlan162 description Springfield VPN
name 10.165.163.0 vlan163 description Tx VPN
name 10.165.164.0 vlan164 description Phone Operators
name 10.165.165.0 vlan165 description Core Systems;ASA Management Access
name 10.165.166.0 vlan166 description Financial Servers
name 10.165.169.0 vlan169 description Test Zone
name 10.165.170.0 vlan170 description Conf Room vlan
name 192.168.0.0 vlan192 description WebServer Farm
name 172.19.70.80 A-172.19.70.80 description Pearson WI
name 192.168.117.32 A-192.168.117.32 description Pearson WI
name 192.168.119.224 A-192.168.119.224 description Pearson WI
name 192.168.119.32 A-192.168.119.32 description Pearson WI
name 192.168.120.128 A-192.168.120.128 description Pearson WI
name 192.168.122.250 A-192.168.122.250 description Pearson WI
name 192.168.123.192 A-192.168.123.192 description Pearson WI
name 192.168.123.224 A-192.168.123.224 description Pearson WI
name 192.168.123.37 A-192.168.123.37 description Pearson WI
name 192.168.126.160 A-192.168.126.160 description Pearson WI
name 172.19.0.0 A-172.19.0.0 description Pearson WI
dns-guard
!
interface GigabitEthernet0/0
 description Connects to Semi-Trusted remote VPN Switch
 nameif RemoteVPN
 security-level 0
 ip address 10.50.0.1 255.255.0.0 
!
interface GigabitEthernet0/1
 description Local Internet traffic
 nameif OutsideInet
 security-level 0
 ip address 2xx.xx.xx.xxx 255.255.255.248 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Local Access
 nameif Inside
 security-level 100
 ip address 10.165.181.3 255.255.255.0 
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
 
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.165.165.250
 domain-name l1esd.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_3
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_0
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp eq ftp 
 service-object tcp eq ftp-data 
object-group network DM_INLINE_NETWORK_4
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object vlan165 255.255.255.0
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
 
object-group service DM_INLINE_TCP_0 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq 445 
 service-object tcp eq netbios-ssn 
 service-object tcp eq smtp 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
object-group service DM_INLINE_SERVICE_3
 service-object tcp eq 445 
 service-object tcp eq netbios-ssn 
 service-object tcp eq smtp 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq 445 
 service-object tcp eq netbios-ssn 
 service-object tcp eq smtp 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
access-list Inside_mpc extended permit tcp vlan165 255.255.255.0 any object-group DM_INLINE_TCP_2 inactive 
access-list OutsideInet_1_cryptomap extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_1_cryptomap extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_1_cryptomap extended permit ip host 2xx.xx.1xx.2xx2 172.16.32.0 255.255.240.0 
access-list OutsideInet_1_cryptomap extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0 
access-list OutsideInet_1_cryptomap extended permit ip 10.165.181.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_access_in extended permit tcp any host 209.254.135.10 object-group DM_INLINE_TCP_0 inactive 
access-list OutsideInet_access_in remark Allow Public Access to Internal FTP Server
access-list OutsideInet_access_in extended permit object-group DM_INLINE_SERVICE_0 any host xxx.2xx.xx.xx0 
access-list OutsideInet_access_in extended permit icmp any any echo 
access-list OutsideInet_access_in extended permit icmp any any echo-reply 
access-list OutsideInet_access_in extended permit icmp any any traceroute 
access-list OutsideInet_access_in extended permit icmp any any time-exceeded 
access-list OutsideInet_access_in extended permit icmp any any unreachable 
access-list OutsideInet_access_in extended permit ip 10.165.181.0 255.255.255.0 vlan165 255.255.255.0 
access-list OutsideInet_access_in extended permit ip 172.16.32.0 255.255.240.0 object-group DM_INLINE_NETWORK_1 
access-list OutsideInet_access_in extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 
access-list OutsideInet_access_in extended permit ip 192.168.130.0 255.255.255.0 vlan165 255.255.255.0 
access-list OutsideInet_access_in extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_access_in remark Remote extranet web access
access-list OutsideInet_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 10.165.165.35 object-group DM_INLINE_TCP_4 
access-list OutsideInet_access_in remark Remote Access from TX users to FTP
access-list OutsideInet_access_in extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.98 
access-list L1ITSpfld_splitTunnelAcl remark Internet Access
access-list L1ITSpfld_splitTunnelAcl standard permit host xxx.xxx.xxx.xxx 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan160 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan161 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan162 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan163 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan164 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan166 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan169 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan170 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan192 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard deny any 
access-list L1ManSpfld_splitTunnelAcl standard permit vlan161 255.255.255.0 
access-list L1ManSpfld_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list L1ManSpfld_splitTunnelAcl standard deny any 
access-list L1ManSpfldInet_splitTunnelAcl remark Internet Access
access-list L1ManSpfldInet_splitTunnelAcl standard permit host xxx.xxx.xxx.xxx 
access-list L1ManSpfldInet_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list L1ManSpfldInet_splitTunnelAcl standard deny any 
access-list Inside_access_out extended permit icmp any any echo 
access-list Inside_access_out extended permit icmp any any echo-reply 
access-list Inside_access_out extended permit icmp any any traceroute 
access-list Inside_access_out extended permit icmp any any time-exceeded 
access-list Inside_access_out extended permit icmp any any unreachable 
access-list Inside_access_out extended permit ip any vlan165 255.255.255.0 
access-list Inside_access_out extended permit ip vlan165 255.255.255.0 any 
access-list Inside_access_out extended permit ip any 10.165.180.0 255.255.255.0 inactive 
access-list InsidePublic_access_in extended permit icmp any any echo 
access-list InsidePublic_access_in extended permit icmp any any echo-reply 
access-list InsidePublic_access_in extended permit icmp any any traceroute 
access-list InsidePublic_access_in extended permit icmp any any time-exceeded 
access-list InsidePublic_access_in extended permit icmp any any unreachable 
access-list vpn extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0 
access-list vpn extended permit ip vlan165 255.255.255.0 host xxx.xxx.xxx.xxx 
access-list vpn extended permit ip vlan165 255.255.255.0 xxx.xxx.xxx.xx 255.255.255.0 
access-list vpn extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0 
access-list vpn extended permit ip vlan165 255.255.255.0 vlan162 255.255.255.0 
access-list vpn extended permit ip any 10.165.180.0 255.255.255.0 inactive 
access-list OutsideInet_access_in_1 extended permit ip 10.165.181.0 255.255.255.0 any 
access-list OutsideInet_access_in_1 extended permit udp host xxx.xxx.xxx.xxx 10.165.180.0 255.255.255.0 eq ntp 
access-list OutsideInet_access_in_1 extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 
access-list Inside_access_in extended permit ip vlan165 255.255.255.0 any 
access-list Inside_access_in extended permit ip 10.165.181.0 255.255.255.0 any 
access-list Inside_access_in extended permit ip 10.165.180.0 255.255.255.0 any inactive 
access-list global_mpc_2 extended permit ip host 172.16.32.50 host 10.165.165.75 
access-list global_mpc_1 extended permit ip host 172.16.32.50 host 10.165.165.107 
access-list global_mpc_3 extended permit ip host 10.165.165.75 host 172.16.32.50 
access-list global_mpc extended permit ip host 10.165.165.107 host 172.16.32.50 
access-list ibttxspartner_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list ibttxspartner_splitTunnelAcl remark Permits access to the network server, restrictions applied by ACL Texas_Users
access-list Inside_nat0_outbound extended permit ip vlan165 255.255.255.0 vlan165 255.255.255.0 
access-list Inside_nat0_outbound_1 extended permit ip vlan165 255.255.255.0 vlan165 255.255.255.0 
access-list Internal_nat0_outbound extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0 
access-list OutsideInet_nat0_outbound extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_nat0_outbound extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0 
access-list test extended permit ip 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 
access-list test remark allows .180 to see Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 10.165.180.0 255.255.255.0 
access-list test remark allows .181 to see Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 10.165.181.0 255.255.255.0 
access-list test remark allows .181 to see Vlan 162
access-list test extended permit ip vlan162 255.255.255.0 10.165.181.0 255.255.255.0 
access-list test remark allows .181 to see Vlan 161
access-list test extended permit ip vlan161 255.255.255.0 10.165.181.0 255.255.255.0 
access-list test remark Local network Access to Florida
access-list test extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 
access-list test remark Allows florida access to .180
access-list test extended permit ip 172.16.32.0 255.255.240.0 10.165.180.0 255.255.255.0 
access-list test remark Allows florida access to .181
access-list test extended permit ip 172.16.32.0 255.255.240.0 10.165.181.0 255.255.255.0 
access-list test remark Copied from Concentrator
access-list test extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0 
access-list test remark Copied from Concentrator
access-list test extended permit ip xxx.xxx.xxx.xxx 255.255.255.0 172.16.32.0 255.255.240.0 
access-list test remark allows access to Richmond Virgina
access-list test extended permit ip 192.168.130.0 255.255.255.0 vlan165 255.255.255.0 
access-list test remark allows .181 to access remote .181
access-list test extended permit ip 10.165.181.0 255.255.255.0 10.165.181.0 255.255.255.0 
access-list test extended permit ip vlan165 255.255.255.0 10.2.20.0 255.255.255.0 
access-list test extended permit ip host xxx.xxx.xxx.xxx vlan165 255.255.255.0 
access-list test remark Allows florida access to Richmond Virginia
access-list test extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list test extended permit ip host xxx.xxxx.xxx.xxx 172.16.32.0 255.255.240.0 
access-list test remark allows access to Virginia, Richmond
access-list test extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0 
access-list test remark allows florida access to .181
access-list test extended permit ip 10.165.181.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list test remark allows florida access to Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0 
access-list test remark Pearson VPN Access
access-list test extended permit ip vlan165 255.255.255.0 A-172.19.0.0 255.255.0.0 
access-list test extended permit ip host A-xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx 
access-list OutsideInet_2_cryptomap extended permit ip vlan165 255.255.255.0 A-172.19.0.0 255.255.0.0 
access-list OutsideInet_3_cryptomap extended permit ip host A-xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx 
access-list Texas_Users extended permit icmp any any echo 
access-list Texas_Users extended permit icmp any any echo-reply 
access-list Texas_Users extended permit icmp any any traceroute 
access-list Texas_Users extended permit icmp any any time-exceeded 
access-list Texas_Users extended permit icmp any any unreachable 
access-list Texas_Users remark Allows Techs to use VNC
access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900 
access-list Texas_Users remark HTTP
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq www 
access-list Texas_Users remark HTTPS
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq https 
access-list Texas_Users remark SNF .47 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_2 10.165.180.0 255.255.255.0 host 10.165.165.47 
access-list Texas_Users remark Snf .48 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_3 10.165.180.0 255.255.255.0 host 10.165.165.48 
access-list Texas_Users remark SNF .49 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_4 10.165.180.0 255.255.255.0 host 10.165.165.49 
access-list Texas_Users extended deny ip any any 
access-list Texas_Users extended permit udp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900 
pager lines 25
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging device-id hostname
logging host Inside 10.165.165.238
mtu RemoteVPN 1500
mtu OutsideInet 1500
mtu Inside 1500
mtu management 1500
ip local pool tx 10.2.20.2-10.2.20.255 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo OutsideInet
icmp permit any echo-reply OutsideInet
icmp permit any time-exceeded OutsideInet
icmp permit any unreachable OutsideInet
icmp permit any echo Inside
icmp permit any echo-reply Inside
icmp permit any time-exceeded Inside
icmp permit any unreachable Inside
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (OutsideInet) 1 xxx.xxx.xxx.xxx netmask 255.255.255.248
global (OutsideInet) 2 xxx.xxx.xxx.xxx netmask 255.0.0.0
global (OutsideInet) 1 interface
global (OutsideInet) 3 A-xxx.xxx.xxx.xxx netmask 255.255.255.0
global (Inside) 2 10.165.165.238 netmask 255.0.0.0
nat (OutsideInet) 0 access-list OutsideInet_nat0_outbound
nat (Inside) 0 access-list test
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,OutsideInet) A-xxx.xxx.xxx.xxx 10.165.165.56 netmask 255.255.255.255 
static (Inside,OutsideInet) xxx.xxx.xxx.xxx 10.165.165.98 netmask 255.255.255.255 
access-group InsidePublic_access_in in interface RemoteVPN
access-group OutsideInet_access_in_1 in interface OutsideInet control-plane
access-group OutsideInet_access_in in interface OutsideInet
access-group Inside_access_in in interface Inside control-plane
route OutsideInet 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route Inside vlan162 255.255.255.0 10.165.181.1 1
route Inside vlan165 255.255.255.0 10.165.181.1 1
route OutsideInet 172.16.32.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server SpfldRadius protocol radius
aaa-server SpfldRadius (Inside) host 10.165.165.254
 key ccccccccc
 radius-common-pw cccccccc
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authorization command LOCAL 
http server enable
http 10.165.181.0 255.255.255.0 OutsideInet
http 10.165.181.0 255.255.255.0 Inside
http vlan165 255.255.255.0 Inside
snmp-server host Inside 10.165.165.137 community meth0d version 2c
snmp-server host Inside 10.165.165.180 community meth0d version 2c
snmp-server location Spfld
no snmp-server contact
snmp-server community meth0d
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection tcpmss 1250
sysopt connection reclassify-vpn
auth-prompt prompt This system is intended for the use of authorized users only. All activities of individuals using this computing system with or without authority or in excess of their authority may 
auth-prompt accept This system is intended for the use of authorized users only. All activities of individuals using this computing system with or without authority or in excess of their authority may 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Internal_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internal_map interface Inside
crypto map Public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideInet_map 1 match address OutsideInet_1_cryptomap
crypto map OutsideInet_map 1 set peer xxx.xxx.xxx.xxx 
crypto map OutsideInet_map 1 set transform-set ESP-3DES-MD5
crypto map OutsideInet_map 1 set security-association lifetime seconds 86400
crypto map OutsideInet_map 1 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 1 set reverse-route
crypto map OutsideInet_map 2 match address OutsideInet_2_cryptomap
crypto map OutsideInet_map 2 set peer xxx.xxx.xxx.xxx 
crypto map OutsideInet_map 2 set transform-set ESP-3DES-SHA
crypto map OutsideInet_map 2 set security-association lifetime seconds 28800
crypto map OutsideInet_map 2 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 3 match address OutsideInet_3_cryptomap
crypto map OutsideInet_map 3 set peer xxx.xxx.xxx.xxx 
crypto map OutsideInet_map 3 set transform-set ESP-3DES-SHA
crypto map OutsideInet_map 3 set security-association lifetime seconds 28800
crypto map OutsideInet_map 3 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideInet_map interface OutsideInet
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 email Savart@l1id.com
 subject-name CN=SpfldASA
 serial-number
 ip-address 10.165.165.240
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment self
 subject-name CN=l1id.local
 crl configure
crypto isakmp identity address 
crypto isakmp enable OutsideInet
crypto isakmp enable Inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet vlan165 255.255.255.0 Inside
telnet 10.165.165.254 255.255.255.255 Inside
telnet timeout 60
ssh 10.165.181.0 255.255.255.0 OutsideInet
ssh vlan165 255.255.255.0 Inside
ssh 10.165.181.0 255.255.255.0 Inside
ssh timeout 60
console timeout 0
management-access Inside
dhcprelay timeout 60
priority-queue OutsideInet
priority-queue Inside
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authentication-key 1 md5 *
ntp trusted-key 1
ntp server 10.165.165.180 key 1 source Inside prefer
ssl trust-point ASDM_TrustPoint2 OutsideInet
webvpn
 enable OutsideInet
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec 
 msie-proxy local-bypass enable
group-policy SpfldToFla internal
group-policy SpfldToFla attributes
 vpn-filter value SpfldToFla_ACL
group-policy ibttxspartner internal
group-policy ibttxspartner attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.180.0
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value Texas_Users
 vpn-tunnel-protocol IPSec svc 
 group-lock value ibttxspartner
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ibttxspartner_splitTunnelAcl
 msie-proxy server value 127.0.0.1:80
 msie-proxy method use-server
 msie-proxy except-list value ibtfingerprint.com;identix.com;l1enrollment.com;l1id.com;www.microsoft.com;windowsupdate.microsoft.com;download.windowsupdate.com;update.microsoft.com;sditx.com;www.symantec.com;symantecliveupdate.com;security.symantec.com;searchg.symantec.com
group-policy L1ManSpfld internal
group-policy L1ManSpfld attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.20
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc 
 ip-comp disable
 group-lock value L1ManSpfld
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ManSpfld_splitTunnelAcl
 default-domain value l1id.local
 msie-proxy server value 127.0.0.1:80
 msie-proxy method use-server
 msie-proxy except-list value www.l1id.com;mail.l1id.com;www.google.com;extranet.ibtfingerprint.com;techinline.net
 msie-proxy local-bypass enable
group-policy L1ManSpfldInet internal
group-policy L1ManSpfldInet attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.20
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc 
 group-lock value L1ManSpfldInet
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ManSpfldInet_splitTunnelAcl
 default-domain value l1id.local
group-policy L1ITSpfld internal
group-policy L1ITSpfld attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.3
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 ip-comp disable
 group-lock value L1ITSpfld
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ITSpfld_splitTunnelAcl
 default-domain value l1id.local
 webvpn
  url-list none
username savart password sibqx.qfK3R7ksKK encrypted privilege 15
username savart attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
username admin password G0HaQRS2/699sgc7 encrypted privilege 15
username admin attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
username jburford password aNgJaaTQyCGmtsGz encrypted privilege 15
username HelpDesk password DRlz4RoK5bc30m1j encrypted privilege 5
username HelpDesk attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group L1ITSpfld type remote-access
tunnel-group L1ITSpfld general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ITSpfld
 dhcp-server 10.165.165.254
tunnel-group L1ITSpfld webvpn-attributes
 group-alias L1ITSpfld enable
tunnel-group L1ITSpfld ipsec-attributes
 pre-shared-key *
tunnel-group L1ITSpfld ppp-attributes
 authentication ms-chap-v2
tunnel-group L1ManSpfld type remote-access
tunnel-group L1ManSpfld general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ManSpfld
 dhcp-server 10.165.165.254
tunnel-group L1ManSpfld webvpn-attributes
 group-alias L1ManSpfld enable
tunnel-group L1ManSpfld ipsec-attributes
 pre-shared-key *
tunnel-group L1ManSpfldInet type remote-access
tunnel-group L1ManSpfldInet general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ManSpfldInet
 dhcp-server 10.165.165.254
tunnel-group L1ManSpfldInet webvpn-attributes
 group-alias L1ManSpfldInet enable
tunnel-group L1ManSpfldInet ipsec-attributes
 pre-shared-key *
tunnel-group ibttxspartner type remote-access
tunnel-group ibttxspartner general-attributes
 authentication-server-group SpfldRadius
 default-group-policy ibttxspartner
 dhcp-server 10.165.165.254
tunnel-group ibttxspartner ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map global-class1
 match access-list global_mpc_1
class-map global-class2
 match access-list global_mpc_2
class-map global-class3
 match access-list global_mpc_3
class-map Inside-class
 match access-list Inside_mpc
!
!
policy-map type inspect http Vlan165_BadSites
 parameters
  protocol-violation action drop-connection
 match request uri regex Myspace
  reset log
policy-map Vlan165
 class Inside-class
  inspect http Vlan165_BadSites 
policy-map global_policy
 class inspection_default
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect tftp 
  inspect pptp 
  inspect icmp 
 class global-class
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 
 class global-class1
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 
 class global-class2
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 
 class global-class3
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
service-policy Vlan165 interface Inside
-server
prompt hostname context 
Cryptochecksum:b46bccc094d5851b739413293f7bf399
: end

                                              
 

by: Grape_SodaPosted on 2009-10-22 at 12:08:38ID: 25637814

This should be a straightforward problem, and so I thought I would just do a cold boot on my brain and start all over. So I went back to the beginning and looked at your error message again.

From the message it would appear that 10.165.165.238 talking on port 4663 is being denied access to 10.165.180.20 listening on port 5900 by the Access List Texas_Users.

OK, established that we are having problems getting 10.165.165.0 to 10.165.180.0 on port 5900.

Wait a minute. Your access list is for traffic coming from the 10.165.180.0 and going to the 10.165.165.0 network on port 5900... AHA!

So let's remove the

access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

and the

access-list Texas_Users extended permit udp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

and instead do

access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq 5900

No need to worry about UDP; I have since found out that VNC does not use UDP whatsoever.

 

by: hoshie329Posted on 2009-10-22 at 12:17:20ID: 25637898

I followed the steps above and I am still getting the same error.

 

by: Grape_SodaPosted on 2009-10-22 at 16:08:14ID: 25639994

OK... a couple more questions.

Are you initiating the VNC session from your machine on vlan165 to the 10.165.180.0 subnet? What subnet does the person initiating the connection sit on, and what subnet does the machine listening on port 5900 sit on? From your errors it appears that the connection is being initiated from vlan165 and is going to connect to a machine on 10.165.180.0... correct?

 

by: hoshie329Posted on 2009-10-23 at 05:52:11ID: 25643841

The VNC session will always be initialized from Vlan 165 (this is the local network); our techs use VNC to assist remote clients.

Local machines on 10.165.165.0/24 will always be the initiating machines.

The remote host will always be on 10.165.180.0/24 listening on port 5900.

Yes, your last statement is correct....

I have also found that if I configure the ACL to use TCP with no port assigned this will work, but it still leaves the network open too much.

 

by: Grape_SodaPosted on 2009-10-23 at 08:21:21ID: 25645284

Can you log the traffic for the connection while it is unrestricted by port and post that here?

Thanks

 

by: hoshie329Posted on 2009-10-23 at 09:42:12ID: 25646099

I have added the lines from the log. I connected to the VNC client and, while connected, I opened a network share.

I have also added a small Wireshark capture file of this connection.

6|Oct 23 2009|11:38:22|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:21|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:16|302014|10.165.180.22|5900|10.165.165.238|2200|Teardown TCP connection 36670 for OutsideInet:10.165.180.22/5900 to Inside:10.165.165.238/2200 duration 0:01:14 bytes 124266 TCP Reset-I
6|Oct 23 2009|11:38:14|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:13|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:12|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:05|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:04|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:02|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:02|302014|10.165.180.22|1810|10.165.165.47|445|Teardown TCP connection 36818 for OutsideInet:10.165.180.22/1810 to Inside:10.165.165.47/445 duration 0:00:12 bytes 13558 TCP FINs (jburford)
6|Oct 23 2009|11:37:50|302014|10.165.180.22|1812|10.165.165.47|139|Teardown TCP connection 36819 for OutsideInet:10.165.180.22/1812 to Inside:10.165.165.47/139 duration 0:00:00 bytes 0 TCP Reset-O (jburford)
6|Oct 23 2009|11:37:50|302013|10.165.180.22|1812|10.165.165.47|139|Built inbound TCP connection 36819 for OutsideInet:10.165.180.22/1812 (10.165.180.22/1812) to Inside:10.165.165.47/139 (10.165.165.47/139) (jburford)
6|Oct 23 2009|11:37:50|302013|10.165.180.22|1810|10.165.165.47|445|Built inbound TCP connection 36818 for OutsideInet:10.165.180.22/1810 (10.165.180.22/1810) to Inside:10.165.165.47/445 (10.165.165.47/445) (jburford)
6|Oct 23 2009|11:37:01|302013|10.165.180.22|5900|10.165.165.238|2200|Built outbound TCP connection 36670 for OutsideInet:10.165.180.22/5900 (10.165.180.22/5900) to Inside:10.165.165.238/2200 (10.165.165.238/2200)
                                              

 

by: Grape_SodaPosted on 2009-10-23 at 11:41:27ID: 25647122

OK... I think I might know what is happening here. The remote side is connecting via a remote VPN connection to your network. You are trying to initiate a VNC connection from your side while the remote VPN is connected. When you specify the port address in the VPN Filter ACL for Texas_Users then it will not allow you to send traffic to their subnet, because your traffic doesn't match the port filter... you send out on a non-specific port each time. So I think you have to leave the

access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0

and then add (right after the above statement)

access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

I believe that will allow you to send on any non-specific port and restrict their communications to port 5900.

You can test this by a telnet session from their machine to a local machine on your subnet on port 5901
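
As an added example (my own code, not from the thread or from Cisco), here is a small Python model of how a vpn-filter ACL is matched, run against the denied flow from the question's syslog line. It assumes Cisco's documented vpn-filter convention, that every ACE is written with the VPN client as the source, so a service the client hosts shows up as a source port when the inside network opens the connection, and it treats 10.165.180.0/24 as the client pool (the group's dhcp-network-scope); the flows, addresses and ports come from the posted logs.

```python
"""Added example (not from the thread): a model of how a Cisco ASA applies a
vpn-filter ACL, used to check candidate Texas_Users ACEs against the flows
that the posted syslog shows being denied.

Assumption (Cisco's documented vpn-filter convention): every ACE is written
with the VPN client address as the SOURCE and the protected network as the
DESTINATION, whichever side opened the connection.  A service the client
hosts (VNC on 5900) therefore appears as a SOURCE port when the inside
network initiates the session.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """permit|deny <proto> <src-net> [eq sport] <dst-net> [eq dport]"""
    proto: str
    src_net: str
    dst_net: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    action: str = "permit"

    def matches(self, f: Flow) -> bool:
        if self.proto not in ("ip", f.proto):
            return False
        if ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sport is not None and self.sport != f.sport:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True

    def cli(self, name: str) -> str:
        """Render the ACE as an ASA access-list line (mask notation, raw addresses
        instead of the config's 'vlan165' name)."""
        def net(cidr: str) -> str:
            n = ipaddress.ip_network(cidr)
            return f"{n.network_address} {n.netmask}"
        sp = f" eq {self.sport}" if self.sport is not None else ""
        dp = f" eq {self.dport}" if self.dport is not None else ""
        return (f"access-list {name} extended {self.action} {self.proto} "
                f"{net(self.src_net)}{sp} {net(self.dst_net)}{dp}")


# Address pool handed to ibttxspartner clients (dhcp-network-scope 10.165.180.0).
VPN_CLIENTS = ipaddress.ip_network("10.165.180.0/24")


def client_perspective(f: Flow) -> Flow:
    """Re-orient a flow so the VPN client is the source, as vpn-filter evaluates it."""
    if ipaddress.ip_address(f.src) in VPN_CLIENTS:
        return f
    return Flow(f.proto, f.dst, f.dport, f.src, f.sport)


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First-match evaluation with the ASA's implicit deny at the end."""
    oriented = client_perspective(f)
    for ace in acl:
        if ace.matches(oriented):
            return ace.action
    return "deny"


# Flow from the question's syslog line: a tech on vlan165 opening VNC to a client.
VNC_FROM_INSIDE = Flow("tcp", "10.165.165.238", 4663, "10.165.180.20", 5900)
# Flow from the later log: a client probing NetBIOS name service on the inside.
NETBIOS_FROM_CLIENT = Flow("udp", "10.165.180.22", 137, "10.165.165.254", 137)

# ACE as originally posted: port 5900 on the destination side.
AS_POSTED = Ace("tcp", "10.165.180.0/24", "10.165.165.0/24", dport=5900)
# ACE with source and destination swapped, as suggested earlier in the thread.
SWAPPED = Ace("tcp", "10.165.165.0/24", "10.165.180.0/24", dport=5900)
# ACE following the vpn-filter convention: client as source, 5900 as SOURCE port.
CLIENT_SOURCE_PORT = Ace("tcp", "10.165.180.0/24", "10.165.165.0/24", sport=5900)


def verdicts() -> Dict[str, str]:
    """Verdict of each candidate ACE for the logged flows."""
    return {
        "as_posted": evaluate([AS_POSTED], VNC_FROM_INSIDE),
        "swapped": evaluate([SWAPPED], VNC_FROM_INSIDE),
        "client_source_port": evaluate([CLIENT_SOURCE_PORT], VNC_FROM_INSIDE),
        # No UDP ACE in any candidate, so the NetBIOS probe stays denied.
        "netbios_from_client": evaluate(
            [AS_POSTED, SWAPPED, CLIENT_SOURCE_PORT], NETBIOS_FROM_CLIENT),
    }


if __name__ == "__main__":
    for label, verdict in verdicts().items():
        print(f"{label:20s} -> {verdict}")
    print(CLIENT_SOURCE_PORT.cli("Texas_Users"))
```

Only the ACE carrying 5900 as the client-side source port permits the tech-initiated session; the other two reproduce the 109025 denial in the syslog.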

 

by: hoshie329Posted on 2009-10-23 at 13:18:10ID: 25648153

I configured it the way you have above and I am still getting the error.

 

by: Grape_SodaPosted on 2009-10-23 at 13:49:27ID: 25648429

Can you repost your ACL statements again since making these additions etc.? I'll keep trying to figure this out till we get it to work right.

 

by: hoshie329Posted on 2009-10-23 at 14:12:02ID: 25648672

This is the current config minus public IPs.

ASA Version 8.0(4)
!
hostname SpfldASA
domain-name l1esd.com
enable password Gre encrypted
passwd Gre encrypted
names
name 10.165.160.0 vlan160 description Front Fingerprint Room
name 10.165.161.0 vlan161 description IBT Management
name 10.165.162.0 vlan162 description Springfield VPN
name 10.165.163.0 vlan163 description Tx VPN
name 10.165.164.0 vlan164 description Phone Operators
name 10.165.165.0 vlan165 description Core Systems;ASA Management Access
name 10.165.166.0 vlan166 description Financial Servers
name 10.165.169.0 vlan169 description Test Zone
name 10.165.170.0 vlan170 description Conf Room vlan
name 192.168.0.0 vlan192 description WebServer Farm
name 172.19.70.80 A-172.19.70.80 description Pearson WI
name 192.168.117.32 A-192.168.117.32 description Pearson WI
name 192.168.119.224 A-192.168.119.224 description Pearson WI
name 192.168.119.32 A-192.168.119.32 description Pearson WI
name 192.168.120.128 A-192.168.120.128 description Pearson WI
name 192.168.122.250 A-192.168.122.250 description Pearson WI
name 192.168.123.192 A-192.168.123.192 description Pearson WI
name 192.168.123.224 A-192.168.123.224 description Pearson WI
name 192.168.123.37 A-192.168.123.37 description Pearson WI
name 192.168.126.160 A-192.168.126.160 description Pearson WI
name 172.19.0.0 A-172.19.0.0 description Pearson WI
name xxx.xxx.xxx.xxx A-xxx.xxx.xxx.xxx description Nat Address for 10.165.165.56 WA
dns-guard
!
interface GigabitEthernet0/0
 description Connects to Semi-Trusted remote VPN Switch
 nameif RemoteVPN
 security-level 0
 ip address 10.50.0.1 255.255.0.0
!
interface GigabitEthernet0/1
 description Local Internet traffic
 nameif OutsideInet
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Local Access
 nameif Inside
 security-level 100
 ip address 10.165.181.3 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
!
 
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.165.165.250
 domain-name l1esd.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_3
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_0
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp eq ftp
 service-object tcp eq ftp-data
object-group network DM_INLINE_NETWORK_4
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object vlan165 255.255.255.0
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_0 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq 445
 service-object tcp eq netbios-ssn
 service-object tcp eq smtp
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
object-group service DM_INLINE_SERVICE_3
 service-object tcp eq 445
 service-object tcp eq netbios-ssn
 service-object tcp eq smtp
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq 445
 service-object tcp eq netbios-ssn
 service-object tcp eq smtp
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
access-list Inside_mpc extended permit tcp vlan165 255.255.255.0 any object-group DM_INLINE_TCP_2 inactive
access-list OutsideInet_1_cryptomap extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_1_cryptomap extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_1_cryptomap extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0
access-list OutsideInet_1_cryptomap extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0
access-list OutsideInet_1_cryptomap extended permit ip 10.165.181.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_access_in extended permit tcp any host xxx.xxx.xxx.xxx object-group DM_INLINE_TCP_0 inactive
access-list OutsideInet_access_in remark Allow Public Access to Internal FTP Server
access-list OutsideInet_access_in extended permit object-group DM_INLINE_SERVICE_0 any host xxx.xxx.xxx.xxx
access-list OutsideInet_access_in extended permit icmp any any echo
access-list OutsideInet_access_in extended permit icmp any any echo-reply
access-list OutsideInet_access_in extended permit icmp any any traceroute
access-list OutsideInet_access_in extended permit icmp any any time-exceeded
access-list OutsideInet_access_in extended permit icmp any any unreachable
access-list OutsideInet_access_in extended permit ip 10.165.181.0 255.255.255.0 vlan165 255.255.255.0
access-list OutsideInet_access_in extended permit ip 172.16.32.0 255.255.240.0 object-group DM_INLINE_NETWORK_1
access-list OutsideInet_access_in extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0
access-list OutsideInet_access_in extended permit ip 192.168.130.0 255.255.255.0 vlan165 255.255.255.0
access-list OutsideInet_access_in extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_access_in remark Remote extranet web access
access-list OutsideInet_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 10.165.165.35 object-group DM_INLINE_TCP_4
access-list OutsideInet_access_in remark Remote Access from TX users to FTP
access-list OutsideInet_access_in extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.98
access-list OutsideInet_access_in extended permit ip 10.165.180.0 255.255.255.0 vlan165 255.255.255.0
access-list OutsideInet_access_in extended permit ip vlan165 255.255.255.0 10.165.180.0 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl remark Internet Access
access-list L1ITSpfld_splitTunnelAcl standard permit host xxx.xxx.xxx.xxx
access-list L1ITSpfld_splitTunnelAcl standard permit vlan160 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan161 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan162 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan163 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan164 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan165 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan166 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan169 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan170 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan192 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard deny any
access-list L1ManSpfld_splitTunnelAcl standard permit vlan161 255.255.255.0
access-list L1ManSpfld_splitTunnelAcl standard permit vlan165 255.255.255.0
access-list L1ManSpfld_splitTunnelAcl standard deny any
access-list L1ManSpfldInet_splitTunnelAcl remark Internet Access
access-list L1ManSpfldInet_splitTunnelAcl standard permit host xxx.xxx.xxx.xxx
access-list L1ManSpfldInet_splitTunnelAcl standard permit vlan165 255.255.255.0
access-list L1ManSpfldInet_splitTunnelAcl standard deny any
access-list Inside_access_out extended permit icmp any any echo
access-list Inside_access_out extended permit icmp any any echo-reply
access-list Inside_access_out extended permit icmp any any traceroute
access-list Inside_access_out extended permit icmp any any time-exceeded
access-list Inside_access_out extended permit icmp any any unreachable
access-list Inside_access_out extended permit ip any vlan165 255.255.255.0
access-list Inside_access_out extended permit ip vlan165 255.255.255.0 any
access-list Inside_access_out extended permit ip any 10.165.180.0 255.255.255.0 inactive
access-list InsidePublic_access_in extended permit icmp any any echo
access-list InsidePublic_access_in extended permit icmp any any echo-reply
access-list InsidePublic_access_in extended permit icmp any any traceroute
access-list InsidePublic_access_in extended permit icmp any any time-exceeded
access-list InsidePublic_access_in extended permit icmp any any unreachable
access-list vpn extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0
access-list vpn extended permit ip vlan165 255.255.255.0 host xxx.xxx.xxx.xxx
access-list vpn extended permit ip vlan165 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
access-list vpn extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpn extended permit ip vlan165 255.255.255.0 vlan162 255.255.255.0
access-list vpn extended permit ip any 10.165.180.0 255.255.255.0 inactive
access-list SpfldToFla_ACL extended permit icmp any any echo
access-list SpfldToFla_ACL extended permit icmp any any echo-reply
access-list SpfldToFla_ACL extended permit icmp any any traceroute
access-list SpfldToFla_ACL extended permit icmp any any time-exceeded
access-list SpfldToFla_ACL extended permit icmp any any unreachable
access-list SpfldToFla_ACL remark Remote Administration
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 eq 3389
access-list SpfldToFla_ACL remark Remote Administration
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 eq 5900
access-list SpfldToFla_ACL remark File Shares fo DSP to Livescan
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 host 10.165.165.35 eq 445
access-list SpfldToFla_ACL remark Radius Authentication (Host)
access-list SpfldToFla_ACL extended permit tcp host 172.16.32.1 host 10.165.165.254 eq 1645
access-list SpfldToFla_ACL remark HTTP Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan161 255.255.255.0 eq www
access-list SpfldToFla_ACL remark HTTP Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan162 255.255.255.0 eq www
access-list SpfldToFla_ACL remark HTTP Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan164 255.255.255.0 eq www
access-list SpfldToFla_ACL remark HTTP Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 eq www
access-list SpfldToFla_ACL remark HTTPS Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan161 255.255.255.0 eq https
access-list SpfldToFla_ACL remark HTTPS Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan162 255.255.255.0 eq https
access-list SpfldToFla_ACL remark HTTPS Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan164 255.255.255.0 eq https
access-list SpfldToFla_ACL remark HTTPS Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 eq https
access-list SpfldToFla_ACL extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_access_in_1 extended permit ip 10.165.181.0 255.255.255.0 any
access-list OutsideInet_access_in_1 extended permit udp host xxx.xxx.xxx.xxx 10.165.180.0 255.255.255.0 eq ntp
access-list OutsideInet_access_in_1 extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0
access-list Inside_access_in extended permit ip vlan165 255.255.255.0 any
access-list Inside_access_in extended permit ip 10.165.181.0 255.255.255.0 any
access-list Inside_access_in extended permit ip 10.165.180.0 255.255.255.0 any inactive
access-list global_mpc_2 extended permit ip host 172.16.32.50 host 10.165.165.75
access-list global_mpc_1 extended permit ip host 172.16.32.50 host 10.165.165.107
access-list global_mpc_3 extended permit ip host 10.165.165.75 host 172.16.32.50
access-list global_mpc extended permit ip host 10.165.165.107 host 172.16.32.50
access-list ibttxspartner_splitTunnelAcl standard permit vlan165 255.255.255.0
access-list ibttxspartner_splitTunnelAcl standard deny any
access-list ibttxspartner_splitTunnelAcl remark Permits access to the network server, restrictions applied by ACL Texas_Users
access-list Inside_nat0_outbound extended permit ip vlan165 255.255.255.0 vlan165 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip vlan165 255.255.255.0 vlan165 255.255.255.0
access-list Internal_nat0_outbound extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0
access-list OutsideInet_nat0_outbound extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_nat0_outbound extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0
access-list test extended permit ip 10.165.180.0 255.255.255.0 vlan165 255.255.255.0
access-list test remark allows .180 to see Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 10.165.180.0 255.255.255.0
access-list test remark allows .181 to see Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 10.165.181.0 255.255.255.0
access-list test remark allows .181 to see Vlan 162
access-list test extended permit ip vlan162 255.255.255.0 10.165.181.0 255.255.255.0
access-list test remark allows .181 to see Vlan 161
access-list test extended permit ip vlan161 255.255.255.0 10.165.181.0 255.255.255.0
access-list test remark Local network Access to Florida
access-list test extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0
access-list test remark Allows florida access to .180
access-list test extended permit ip 172.16.32.0 255.255.240.0 10.165.180.0 255.255.255.0
access-list test remark Allows florida access to .181
access-list test extended permit ip 172.16.32.0 255.255.240.0 10.165.181.0 255.255.255.0
access-list test remark Copied from Concentrator
access-list test extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0
access-list test remark Copied from Concentrator
access-list test extended permit ip xxx.xxx.xxx.xxx 255.255.255.0 172.16.32.0 255.255.240.0
access-list test remark allows access to Richmond Virgina
access-list test extended permit ip 192.168.130.0 255.255.255.0 vlan165 255.255.255.0
access-list test remark allows .181 to access remote .181
access-list test extended permit ip 10.165.181.0 255.255.255.0 10.165.181.0 255.255.255.0
access-list test extended permit ip vlan165 255.255.255.0 10.2.20.0 255.255.255.0
access-list test extended permit ip host xxx.xxx.xxx.xxx vlan165 255.255.255.0
access-list test remark Allows florida access to Richmond Virginia
access-list test extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list test extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0
access-list test remark allows access to Virginia, Richmond
access-list test extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0
access-list test remark allows florida access to .181
access-list test extended permit ip 10.165.181.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list test remark allows florida access to Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0
access-list test remark Pearson VPN Access
access-list test extended permit ip vlan165 255.255.255.0 A-xxx.xxx.xxx.xxx 255.255.0.0
access-list test extended permit ip host A-xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list OutsideInet_2_cryptomap extended permit ip vlan165 255.255.255.0 A-xxx.xxx.xxx.xxx 255.255.0.0
access-list OutsideInet_3_cryptomap extended permit ip host A-xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0
access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 range 2000 2999
access-list Texas_Users extended permit icmp any any echo
access-list Texas_Users extended permit icmp any any echo-reply
access-list Texas_Users extended permit icmp any any traceroute
access-list Texas_Users extended permit icmp any any time-exceeded
access-list Texas_Users extended permit icmp any any unreachable
access-list Texas_Users remark HTTP
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq www
access-list Texas_Users remark HTTPS
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq https
access-list Texas_Users remark SNF .47 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_2 10.165.180.0 255.255.255.0 host 10.165.165.47
access-list Texas_Users remark Snf .48 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_3 10.165.180.0 255.255.255.0 host 10.165.165.48
access-list Texas_Users remark SNF .49 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_4 10.165.180.0 255.255.255.0 host 10.165.165.49
access-list Texas_Users extended deny ip any any
pager lines 25
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging device-id hostname
mtu RemoteVPN 1500
mtu OutsideInet 1500
mtu Inside 1500
mtu management 1500
ip local pool tx 10.2.20.2-10.2.20.255 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo OutsideInet
icmp permit any echo-reply OutsideInet
icmp permit any time-exceeded OutsideInet
icmp permit any unreachable OutsideInet
icmp permit any echo Inside
icmp permit any echo-reply Inside
icmp permit any time-exceeded Inside
icmp permit any unreachable Inside
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (OutsideInet) 1 xxx.xxx.xxx.xxx netmask 255.255.255.248
global (OutsideInet) 2 xxx.xxx.xxx.xxx netmask 255.0.0.0
global (OutsideInet) 1 interface
global (OutsideInet) 3 A-xxx.xxx.xxx.xxx netmask 255.255.255.0
global (Inside) 2 10.165.165.238 netmask 255.0.0.0
nat (OutsideInet) 0 access-list OutsideInet_nat0_outbound
nat (Inside) 0 access-list test
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,OutsideInet) A-xxx.xxx.xxx.xxx 10.165.165.56 netmask 255.255.255.255
static (Inside,OutsideInet) xxx.xxx.xxx.xxx 10.165.165.98 netmask 255.255.255.255
access-group InsidePublic_access_in in interface RemoteVPN
access-group OutsideInet_access_in_1 in interface OutsideInet control-plane
access-group OutsideInet_access_in in interface OutsideInet
access-group Inside_access_in in interface Inside control-plane
route OutsideInet 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route Inside vlan162 255.255.255.0 10.165.181.1 1
route Inside vlan165 255.255.255.0 10.165.181.1 1
route OutsideInet 172.16.32.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server SpfldRadius protocol radius
aaa-server SpfldRadius (Inside) host 10.165.165.254
 key cccccccccccc
 radius-common-pw ccccccccccc
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http vlan165 255.255.255.0 Inside
http 10.165.181.0 255.255.255.0 Inside
http 10.165.181.0 255.255.255.0 OutsideInet
snmp-server host Inside 10.165.165.137 community meth0d version 2c
snmp-server host Inside 10.165.165.180 community meth0d version 2c
snmp-server location Spfld
no snmp-server contact
snmp-server community mmmmmmmm
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection tcpmss 1250
sysopt connection reclassify-vpn
auth-prompt prompt This system is intended for the use of authorized users only. All activities of individuals using this computing system with or without authority or in excess of their authority may
auth-prompt accept This system is intended for the use of authorized users only. All activities of individuals using this computing system with or without authority or in excess of their authority may
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Internal_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internal_map interface Inside
crypto map Public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideInet_map 1 match address OutsideInet_1_cryptomap
crypto map OutsideInet_map 1 set peer xxx.xxx.xxx.xxx
crypto map OutsideInet_map 1 set transform-set ESP-3DES-MD5
crypto map OutsideInet_map 1 set security-association lifetime seconds 86400
crypto map OutsideInet_map 1 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 1 set reverse-route
crypto map OutsideInet_map 2 match address OutsideInet_2_cryptomap
crypto map OutsideInet_map 2 set peer xxx.xxx.xxx.xxx
crypto map OutsideInet_map 2 set transform-set ESP-3DES-SHA
crypto map OutsideInet_map 2 set security-association lifetime seconds 28800
crypto map OutsideInet_map 2 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 3 match address OutsideInet_3_cryptomap
crypto map OutsideInet_map 3 set peer xxx.xxx.xxx.xxx
crypto map OutsideInet_map 3 set transform-set ESP-3DES-SHA
crypto map OutsideInet_map 3 set security-association lifetime seconds 28800
crypto map OutsideInet_map 3 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideInet_map interface OutsideInet
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 email Savart@l1id.com
 subject-name CN=SpfldASA
 serial-number
 ip-address 10.165.165.240
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment self
 subject-name CN=l1id.local
 crl configure
crypto isakmp identity address
crypto isakmp enable OutsideInet
crypto isakmp enable Inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet vlan165 255.255.255.0 Inside
telnet 10.165.165.254 255.255.255.255 Inside
telnet timeout 60
ssh 10.165.181.0 255.255.255.0 OutsideInet
ssh vlan165 255.255.255.0 Inside
ssh 10.165.181.0 255.255.255.0 Inside
ssh timeout 60
console timeout 0
management-access Inside
dhcprelay timeout 60
priority-queue OutsideInet
priority-queue Inside
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authentication-key 1 md5 *
ntp trusted-key 1
ntp server 10.165.165.180 key 1 source Inside prefer
ssl trust-point ASDM_TrustPoint2 OutsideInet
webvpn
 enable OutsideInet
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 msie-proxy local-bypass enable
group-policy SpfldToFla internal
group-policy SpfldToFla attributes
 vpn-filter value SpfldToFla_ACL
group-policy ibttxspartner internal
group-policy ibttxspartner attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.180.0
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value Texas_Users
 vpn-tunnel-protocol IPSec svc
 group-lock value ibttxspartner
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ibttxspartner_splitTunnelAcl
 msie-proxy server value 127.0.0.1:80
 msie-proxy method use-server
 msie-proxy except-list value ibtfingerprint.com;identix.com;l1enrollment.com;l1id.com;www.microsoft.com;windowsupdate.microsoft.com;download.windowsupdate.com;update.microsoft.com;sditx.com;www.symantec.com;symantecliveupdate.com;security.symantec.com;searchg.symantec.com
group-policy L1ManSpfld internal
group-policy L1ManSpfld attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.20
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc
 ip-comp disable
 group-lock value L1ManSpfld
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ManSpfld_splitTunnelAcl
 default-domain value l1id.local
 msie-proxy server value 127.0.0.1:80
 msie-proxy method use-server
 msie-proxy except-list value www.l1id.com;mail.l1id.com;www.google.com;extranet.ibtfingerprint.com;techinline.net
 msie-proxy local-bypass enable
group-policy L1ManSpfldInet internal
group-policy L1ManSpfldInet attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.20
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc
 group-lock value L1ManSpfldInet
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ManSpfldInet_splitTunnelAcl
 default-domain value l1id.local
group-policy L1ITSpfld internal
group-policy L1ITSpfld attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.3
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 ip-comp disable
 group-lock value L1ITSpfld
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ITSpfld_splitTunnelAcl
 default-domain value l1id.local
 webvpn
  url-list none
username savart password sibqx.ksKK encrypted privilege 15
username savart attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
username admin password G0HaQRS2gc7 encrypted privilege 15
username admin attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
username jburford password aNgJaaTsGz encrypted privilege 15
username HelpDesk password DRlz4m1j encrypted privilege 5
username HelpDesk attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group L1ITSpfld type remote-access
tunnel-group L1ITSpfld general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ITSpfld
 dhcp-server 10.165.165.254
tunnel-group L1ITSpfld webvpn-attributes
 group-alias L1ITSpfld enable
tunnel-group L1ITSpfld ipsec-attributes
 pre-shared-key *
tunnel-group L1ITSpfld ppp-attributes
 authentication ms-chap-v2
tunnel-group L1ManSpfld type remote-access
tunnel-group L1ManSpfld general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ManSpfld
 dhcp-server 10.165.165.254
tunnel-group L1ManSpfld webvpn-attributes
 group-alias L1ManSpfld enable
tunnel-group L1ManSpfld ipsec-attributes
 pre-shared-key *
tunnel-group L1ManSpfldInet type remote-access
tunnel-group L1ManSpfldInet general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ManSpfldInet
 dhcp-server 10.165.165.254
tunnel-group L1ManSpfldInet webvpn-attributes
 group-alias L1ManSpfldInet enable
tunnel-group L1ManSpfldInet ipsec-attributes
 pre-shared-key *
tunnel-group ibttxspartner type remote-access
tunnel-group ibttxspartner general-attributes
 authentication-server-group SpfldRadius
 default-group-policy ibttxspartner
 dhcp-server 10.165.165.254
tunnel-group ibttxspartner ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map global-class1
 match access-list global_mpc_1
class-map global-class2
 match access-list global_mpc_2
class-map global-class3
 match access-list global_mpc_3
class-map Inside-class
 match access-list Inside_mpc
!
!
policy-map type inspect http Vlan165_BadSites
 parameters
  protocol-violation action drop-connection
 match request uri regex Myspace
  reset log
policy-map Vlan165
 class Inside-class
  inspect http Vlan165_BadSites
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect tftp
  inspect pptp
  inspect icmp
 class global-class
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
 class global-class1
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
 class global-class2
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
 class global-class3
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
service-policy Vlan165 interface Inside

                                              

 

by: Grape_Soda | Posted on 2009-10-23 at 16:05:29 | ID: 25649522

Remove the access list entry that contains the port range 2000 2999.

 

by: hoshie329 | Posted on 2009-10-26 at 06:20:25 | ID: 25661922

I removed the ACL entry and tried to connect via VNC. I received the same error.

 

by: Grape_Soda | Posted on 2009-10-26 at 07:24:39 | ID: 25662526

I think the problem is that the connection is being initiated from your end of the tunnel, and the ACL is applied as a VPN filter that is subject to authentication. Normally that error message is indicative of an "unauthorized" user trying to use a connection they have not authenticated to. However, the confusing issue is that it will work if there are no port restrictions, which really shouldn't make a difference with regard to "Authorization". I wonder if it is feasible for you to have the connection initiated on their end. Example: a user has a problem, the user calls the help desk, and the help desk walks the user through a remote connection to the help desk's VNC listening viewer or server. Even as a test, just to see if it would work with port restrictions, it may be telling. Otherwise I think you might have to initiate a VPN connection to their network or set up a site-to-site VPN connection. Since a VPN connection will only encrypt "interesting" traffic, you could even set it up for only VNC connections from your site to theirs. Otherwise I am stumped as to why it works without port restrictions but will not work with them.

 

by: hoshie329 | Posted on 2009-10-27 at 08:34:38 | ID: 25673574

I am not able to initiate a VNC session from our client machines; the machines only have the server portion of the software installed. I have also opened a trouble ticket with Cisco. They are also stumped.

 

by: rsivanandan | Posted on 2009-10-27 at 09:01:38 | ID: 25673990

Weird but still, have you tried rebooting the firewall once?

Cheers,
rsivanandan

 

by: hoshie329 | Posted on 2009-10-27 at 09:03:09 | ID: 25674018

Yes, I have rebooted it a few times.

 

by: Grape_Soda | Posted on 2009-10-27 at 09:25:52 | ID: 25674351

Here, take a look at this link. It will explain a little further what I meant by them initiating the connection. Make sure to take note that the connection uses a different port, 5500 I believe. You will need to allow that port in the ACL instead of 5900. Lots of people use this just as the forum describes, to access a computer behind a firewall they do not control. In this case it is to access a computer behind a firewall that isn't behaving. Anyway, just an idea.

http://faq.gotomyvnc.com/fom-serve/cache/88.html

 

by: hoshie329 | Posted on 2009-10-30 at 10:44:50 | ID: 25705255

I got the answer from Cisco; it has to do with where the eq 5900 is placed. Below is the correct syntax for what I need to do.


access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 eq 5900 10.165.165.0 255.255.255.0
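
The point behind the corrected ACE, modelled in Python as an added example (not code from this thread, from Cisco, or from the asker's ASA): it evaluates the flow from the syslog in the question against the original and the corrected ACE using two ASA rules, namely that a port operator placed right after the source network is a source port, and that a vpn-filter ACL is written with the VPN client as source and the local network as destination and is evaluated in reverse for connections started from the inside. It assumes vlan165 is 10.165.165.0/24 (as in the corrected ACE) and that the VPN client pool is 10.165.180.0/24; the parser covers only the plain `tcp`/`ip` host/network forms, not object-groups.

```python
"""Minimal model of Cisco ASA extended-ACE matching under vpn-filter semantics.

Added example for the VNC-through-ASA thread; it is not Cisco code and models
only the subset of syntax needed to show why the position of `eq 5900` matters.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the question: the syslog flow and the client pool (assumed /24).
LOGGED_FLOW_SRC, LOGGED_FLOW_SPORT = "10.165.165.238", 4663
LOGGED_FLOW_DST, LOGGED_FLOW_DPORT = "10.165.180.20", 5900
CLIENT_POOL = "10.165.180.0/24"

# The asker's ACE (vlan165 written out as 10.165.165.0/24, an assumption) and the
# ACE Cisco TAC gave as the fix.
ORIGINAL_ACE = ("access-list Texas_Users extended permit tcp "
                "10.165.180.0 255.255.255.0 10.165.165.0 255.255.255.0 eq 5900")
FIXED_ACE = ("access-list Texas_Users extended permit tcp "
             "10.165.180.0 255.255.255.0 eq 5900 10.165.165.0 255.255.255.0")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reversed(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp" or "ip"
    src_net: ipaddress.IPv4Network
    src_port: Optional[int]         # port operator right after the SOURCE network
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]         # port operator right after the DESTINATION network


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny tcp|ip SRC [eq P] DST [eq P]'.
    SRC/DST may be 'any', 'host A', or 'A MASK'. Object-groups are not handled."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended" or tok[4] not in ("tcp", "ip"):
        raise ValueError(f"unsupported ACE: {line}")
    pos = 5

    def take_net() -> ipaddress.IPv4Network:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.IPv4Network(f"{tok[pos - 1]}/32")
        pos += 2
        return ipaddress.IPv4Network(f"{tok[pos - 2]}/{tok[pos - 1]}", strict=False)

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    src, sport = take_net(), take_port()
    dst, dport = take_net(), take_port()
    return Ace(tok[3], tok[4], src, sport, dst, dport)


def ace_matches(ace: Ace, f: Flow) -> bool:
    return (ipaddress.IPv4Address(f.src_ip) in ace.src_net
            and ipaddress.IPv4Address(f.dst_ip) in ace.dst_net
            and (ace.src_port is None or ace.src_port == f.src_port)
            and (ace.dst_port is None or ace.dst_port == f.dst_port))


def vpn_filter_decision(acl: list[Ace], f: Flow, client_pool: str) -> str:
    """First-match evaluation with the implicit deny. A connection started from the
    local side toward a VPN client is evaluated reversed, so the client is the source."""
    pool = ipaddress.IPv4Network(client_pool)
    to_client = ipaddress.IPv4Address(f.dst_ip) in pool
    from_client = ipaddress.IPv4Address(f.src_ip) in pool
    if to_client and not from_client:
        f = f.reversed()
    for ace in acl:
        if ace_matches(ace, f):
            return ace.action
    return "deny"


def decide(ace_line: str, flow: Optional[Flow] = None) -> str:
    """Decision for one ACE against the logged flow (or a supplied one)."""
    if flow is None:
        flow = Flow(LOGGED_FLOW_SRC, LOGGED_FLOW_SPORT, LOGGED_FLOW_DST, LOGGED_FLOW_DPORT)
    return vpn_filter_decision([parse_ace(ace_line)], flow, CLIENT_POOL)


if __name__ == "__main__":
    for label, line in (("original", ORIGINAL_ACE), ("corrected", FIXED_ACE)):
        print(f"{label:9s}: {decide(line)}")   # original: deny, corrected: permit
```

Reversed, the logged flow becomes 10.165.180.20:5900 to 10.165.165.238:4663, so an ACE that puts `eq 5900` on the destination side can never match it, while one with `eq 5900` on the source side does, which is why the `ip` version worked and only the port-restricted one was denied.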

                                              

 

by: hoshie329 | Posted on 2009-10-30 at 10:45:11 | ID: 25705259

Thanks to all who offered support.
