Solved

Need to connect via vpn client, with site to site vpn already configured.

Posted on 2007-10-08
Last Modified: 2010-04-09
I have 3 sites that are connected via PIX site-to-site VPN over 501, 6.3(3) at all 3 locations. I need to allow remote clients to access the local network via VPN client 4.7 and IAS on Server 2003. I have attached a sanitized config. Any assistance would be appreciated. The site-to-site VPN is working fine and has worked for over a year. When I connect with the VPN client, after entering the group name and password I get challenged for a username and password. Once I enter it, the client disconnects.

---BEGIN CONFIG----
dcvpn.COMPANYA.com(config)# show config
: Saved
: Written by enable_15 at 12:24:17.826 UTC Thu Sep 27 2007
PIX Version 6.3(3)
interface ethernet0 100basetx
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXX encrypted
passwd XXXX encrypted
hostname dcvpn.COMPANYA.com
domain-name COMPANYA.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-list-in permit tcp any any eq 3389
access-list outside-list-in permit tcp any host AAA.156.BBB.206 eq 3389
access-list outside-list-in permit tcp any host AAA.156.BBB.206 eq www
access-list outside-list-in permit tcp any host 192.168.3.2 eq 3268
access-list outside-list-in permit tcp any host 192.168.3.2 eq 3269
access-list outside-list-in permit tcp any host CCC.207.DDD.5 eq 3389
access-list outside-list-in permit tcp any host CCC.207.DDD.5 eq www
access-list inside-list-in permit icmp host 192.168.4.2 host 192.168.5.2
access-list inside-list-in permit icmp host 192.168.4.2 host 192.168.3.2
access-list inside-list-in permit ip host 192.168.4.2 host 192.168.5.2
access-list inside-list-in permit ip host 192.168.4.2 host 192.168.3.2
access-list inside-list-in permit udp any any eq domain
access-list inside-list-in permit tcp any any eq domain
access-list inside-list-in permit tcp any any eq 445
access-list inside-list-in permit tcp any any eq 135
access-list inside-list-in permit udp any any eq 135
access-list inside-list-in permit udp any any eq 445
access-list inside-list-in permit tcp any any eq www
access-list inside-list-in permit tcp any any eq https
access-list inside-list-in permit tcp any any eq smtp
access-list inside-list-in permit tcp any any eq pop3
access-list inside-list-in permit tcp any any eq 5050
access-list inside-list-in permit tcp any host EEE.246.68.145 eq 1498
access-list inside-list-in permit udp any host EEE.246.68.145 eq 1604
access-list inside-list-in permit tcp any eq 1498 host EEE.246.68.145
access-list inside-list-in permit udp any eq 1604 host EEE.246.68.145
access-list inside-list-in permit tcp any any eq 38292
access-list inside-list-in permit udp any any eq 38293
access-list inside-list-in permit udp any any eq 38037
access-list inside-list-in permit udp any any eq 2967
access-list inside-list-in permit tcp any any eq citrix-ica
access-list inside-list-in permit udp any any eq 1494
access-list inside-list-in permit tcp any any eq 1604
access-list inside-list-in permit udp any any eq 1604
access-list inside-list-in permit tcp any any eq 2040
access-list inside-list-in permit udp any any eq 2040
access-list inside-list-in permit udp any any eq 2048
access-list inside-list-in permit tcp any any eq 2048
access-list inside-list-in permit tcp any any eq ftp
access-list inside-list-in permit tcp any any range 2048 4248
access-list inside-list-in permit icmp host 192.168.4.2 host 192.168.3.7
access-list inside-list-in permit tcp any any eq 2000
access-list inside-list-in permit udp any any eq 2000
access-list inside-list-in permit tcp any eq 2000 host FFF.30.120.42
access-list inside-list-in permit udp any eq 2000 host FFF.30.120.42
access-list inside-list-in permit tcp any eq 20080 host FFF.30.120.27
access-list inside-list-in permit udp any eq 20080 host FFF.30.120.27
access-list inside-list-in permit tcp any eq 20080 host FFF.30.120.41
access-list inside-list-in permit udp any eq 20080 host FFF.30.120.41
access-list inside-list-in permit tcp any eq 20080 host FFF.30.120.42
access-list inside-list-in permit udp any eq 20080 host FFF.30.120.42
access-list inside-list-in permit tcp any eq 20080 host FFF.30.120.43
access-list inside-list-in permit udp any eq 20080 host FFF.30.120.43
access-list inside-list-in permit tcp any host FFF.30.120.27 eq 20080
access-list inside-list-in permit udp any host FFF.30.120.27 eq 20080
access-list inside-list-in permit tcp any host FFF.30.120.41 eq 20080
access-list inside-list-in permit udp any host FFF.30.120.41 eq 20080
access-list inside-list-in permit tcp any host FFF.30.120.42 eq 20080
access-list inside-list-in permit udp any host FFF.30.120.42 eq 20080
access-list inside-list-in permit tcp any host FFF.30.120.43 eq 20080
access-list inside-list-in permit udp any host FFF.30.120.43 eq 20080
access-list inside-list-in permit tcp any host 12.167.172.25 eq 5177
access-list inside-list-in permit tcp any host 12.167.172.25 eq 5178
access-list REMSITEA permit icmp host 192.168.4.2 host 192.168.3.2
access-list REMSITEA permit ip host 192.168.4.2 host 192.168.3.2
access-list REMSITEA permit tcp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 135
access-list REMSITEA permit tcp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 445
access-list REMSITEA permit tcp 192.168.4.0 255.255.255.0 eq 135 192.168.3.0 255.255.255.0
access-list REMSITEA permit tcp 192.168.4.0 255.255.255.0 eq 445 192.168.3.0 255.255.255.0
access-list REMSITEA permit udp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 135
access-list REMSITEA permit udp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 445
access-list REMSITEA permit udp 192.168.4.0 255.255.255.0 eq 135 192.168.3.0 255.255.255.0
access-list REMSITEA permit udp 192.168.4.0 255.255.255.0 eq 445 192.168.3.0 255.255.255.0
access-list REMSITEA permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list REMSITEA permit tcp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 range 135 netbios-ssn
access-list REMSITEA permit udp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 range 135 1DDD
access-list REMSITEB permit icmp host 192.168.4.2 host 192.168.5.2
access-list REMSITEB permit ip host 192.168.4.2 host 192.168.5.2
access-list REMSITEB permit tcp 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 135
access-list REMSITEB permit tcp 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 445
access-list REMSITEB permit tcp 192.168.4.0 255.255.255.0 eq 135 192.168.5.0 255.255.255.0
access-list REMSITEB permit tcp 192.168.4.0 255.255.255.0 eq 445 192.168.5.0 255.255.255.0
access-list REMSITEB permit udp 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 135
access-list REMSITEB permit udp 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 445
access-list REMSITEB permit udp 192.168.4.0 255.255.255.0 eq 135 192.168.5.0 255.255.255.0
access-list REMSITEB permit udp 192.168.4.0 255.255.255.0 eq 445 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip any 192.168.4.0 255.255.255.0
access-list TOLANDESK permit icmp host 192.168.4.2 host 192.168.3.7
access-list PRIVATEA permit udp any host EEE.246.68.145 eq 1604
access-list PRIVATEA permit tcp any eq 1498 host EEE.246.68.145
access-list PRIVATEA permit udp any eq 1604 host EEE.246.68.145
access-list PRIVATEA permit tcp any host EEE.246.68.145 eq 1498
access-list PRIVATEA permit udp any eq 1494 host EEE.246.68.145
access-list PRIVATEA permit tcp any host EEE.246.68.145 eq citrix-ica
access-list PRIVATEA permit udp any host EEE.246.68.145 eq 1494
access-list PRIVATEA permit tcp any eq citrix-ica host EEE.246.68.145
access-list PRIVATEB permit tcp any host GGG.174.55.245 eq 2040
access-list PRIVATEB permit tcp any eq 2040 host GGG.174.55.245
access-list PRIVATEB permit udp any host GGG.174.55.245 eq 2040
access-list PRIVATEB permit udp any eq 2040 host GGG.174.55.245
access-list PRIVATEB permit udp any host GGG.174.55.245 eq 2048
access-list PRIVATEB permit udp any eq 2048 host GGG.174.55.245
access-list PRIVATEB permit tcp any host GGG.174.55.245 eq 2048
access-list PRIVATEB permit tcp any eq 2048 host GGG.174.55.245
access-list PRIVATEB permit tcp any host GGG.174.55.245 range 2048 4248
access-list PRIVATEB permit tcp any range 2048 4248 host GGG.174.55.245
access-list PRIVATEB permit tcp any host GGG.174.55.245 range 2048 5500
access-list PRIVATEB permit tcp any range 2048 5500 host GGG.174.55.245
access-list PRIVATEC permit tcp any host FFF.30.120.42 eq 2000
access-list PRIVATEC permit tcp any eq 2000 host FFF.30.120.42
access-list PRIVATEC permit udp any host FFF.30.120.42 eq 2000
access-list PRIVATEC permit udp any eq 2000 host FFF.30.120.42
access-list PRIVATEC permit tcp any host FFF.30.120.27 eq 20080
access-list PRIVATEC permit tcp any eq 20080 host FFF.30.120.27
access-list PRIVATEC permit udp any host FFF.30.120.27 eq 20080
access-list PRIVATEC permit udp any eq 20080 host FFF.30.120.27
access-list PRIVATEC permit tcp any host FFF.30.120.41 eq 20080
access-list PRIVATEC permit tcp any eq 20080 host FFF.30.120.41
access-list PRIVATEC permit udp any host FFF.30.120.41 eq 20080
access-list PRIVATEC permit udp any eq 20080 host FFF.30.120.41
access-list PRIVATEC permit tcp any host FFF.30.120.42 eq 20080
access-list PRIVATEC permit tcp any eq 20080 host FFF.30.120.42
access-list PRIVATEC permit udp any host FFF.30.120.42 eq 20080
access-list PRIVATEC permit udp any eq 20080 host FFF.30.120.42
access-list PRIVATEC permit tcp any host FFF.30.120.43 eq 20080
access-list PRIVATEC permit tcp any eq 20080 host FFF.30.120.43
access-list PRIVATEC permit udp any host FFF.30.120.43 eq 20080
access-list PRIVATEC permit udp any eq 20080 host FFF.30.120.43
access-list REMSITEAIMSERVER permit tcp 192.168.4.0 255.255.255.0 eq 5177 host XXX.XXX.172.25
access-list REMSITEAIMSERVER permit tcp 192.168.4.0 255.255.255.0 eq 5178 host XXX.XXX.172.25
access-list REMSITEAIMSERVER permit tcp 192.168.4.0 255.255.255.0 host XXX.XXX.172.25 eq 5177
access-list REMSITEAIMSERVER permit tcp 192.168.4.0 255.255.255.0 host XXX.XXX.172.25 eq 5178
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.4.2
logging host inside 127.0.0.1
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside CCC.207.DDD.2 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.16.20.1-10.16.20.25
pdm location 192.168.4.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 CCC.207.DDD.4
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) CCC.207.DDD.6 192.168.4.6 netmask 255.255.255.255 0 0
static (inside,outside) CCC.207.DDD.5 192.168.4.4 netmask 255.255.255.255 0 0
access-group outside-list-in in interface outside
access-group inside-list-in in interface inside
route outside 0.0.0.0 0.0.0.0 CCC.207.DDD.1 1
timeout xlate 0:45:00
timeout conn 0:45:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server WASHDC1 protocol radius
aaa-server WASHDC1 (inside) host 192.168.4.2 secret timeout 5
aaa-server COMPANYADC protocol radius
aaa-server COMPANYADC (inside) host 192.168.4.4 XXXXXXXX timeout 10
http server enable
http 192.168.4.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address REMSITEA
crypto map newmap 10 set peer XX.98.223.34
crypto map newmap 10 set peer 216.17.75.90
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address REMSITEB
crypto map newmap 20 set peer XX.14.69.186
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address TOLANDESK
crypto map newmap 30 set peer 192.168.3.7
crypto map newmap 30 set transform-set myset
crypto map vpnset 10 ipsec-isakmp dynamic dynmap
crypto map vpnset client authentication COMPANYADC
crypto map vpnset interface outside
isakmp enable outside
isakmp key ******** address XX.98.223.34 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.14.69.186 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.17.75.90 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnCOMPANYA address-pool vpnpool
vpngroup vpnCOMPANYA dns-server 192.168.4.2
vpngroup vpnCOMPANYA default-domain COMPANYA.com
vpngroup vpnCOMPANYA idle-time 1800
vpngroup vpnCOMPANYA password ********
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 64.73.34.100 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:86436b5b0cc15140d0a714f856e47c5d
dcvpn.COMPANYA.com(config)#
Question by: spankygregg

Author Comment
by: spankygregg
ID: 20034148
I should add that the Server 2003 IAS server is a domain controller.

Expert Comment
by: Alan Huseyin Kayahan
ID: 20034590
Make sure the user is a member of the RADIUS group.

Author Comment
by: spankygregg
ID: 20034626
Where is that found?

Assisted Solution
by: Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 2016 total points
ID: 20034788
Start > Run > dsa.msc > find your user, right-click > Properties > Member Of > Add > RADIUS

Author Comment
by: spankygregg
ID: 20035051
OK, now I can get a VPN connection but I can't browse the local network. I don't want to enable split tunnelling, as the users will not need to surf the internet while connected.

Accepted Solution
by: Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 2016 total points
ID: 20036995
access-list nonat permit ip yourvpnpool yourinsidenetwork 255.255.255.0
Do the permit for vpnpool in your access-list also.

Author Comment
by: spankygregg
ID: 20079880
OK, here is my config. I currently can connect with VPN client 5.0 with split tunnelling enabled. I can browse the internet and the local LAN of my laptop, but I cannot browse the corporate LAN behind the firewall.
The config has been sanitized. Thanks.

PIX Version 6.3(3)
interface ethernet0 100basetx
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXX encrypted
passwd XXXXXXX encrypted
hostname dcvpn.myco.com
domain-name myco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-list-in permit tcp any any eq 3389
access-list outside-list-in permit tcp any host 10.1.1.206 eq 3389
access-list outside-list-in permit tcp any host 10.1.1.206 eq www
access-list outside-list-in permit tcp any host 192.168.3.2 eq 3268
access-list outside-list-in permit tcp any host 192.168.3.2 eq 3269
access-list outside-list-in permit tcp any host 10.10.100.5 eq 3389
access-list outside-list-in permit tcp any host 10.10.100.5 eq www
access-list inside-list-in permit icmp host 192.168.4.2 host 192.168.5.2
access-list inside-list-in permit icmp host 192.168.4.2 host 192.168.3.2
access-list inside-list-in permit ip host 192.168.4.2 host 192.168.5.2
access-list inside-list-in permit ip host 192.168.4.2 host 192.168.3.2
access-list inside-list-in permit udp any any eq domain
access-list inside-list-in permit tcp any any eq domain
access-list inside-list-in permit tcp any any eq 445
access-list inside-list-in permit tcp any any eq 135
access-list inside-list-in permit udp any any eq 135
access-list inside-list-in permit udp any any eq 445
access-list inside-list-in permit tcp any any eq www
access-list inside-list-in permit tcp any any eq https
access-list inside-list-in permit tcp any any eq smtp
access-list inside-list-in permit tcp any any eq pop3
access-list inside-list-in permit tcp any any eq 5050
access-list inside-list-in permit tcp any host 10.1.2.145 eq 1498
access-list inside-list-in permit udp any host 10.1.2.145 eq 1604
access-list inside-list-in permit tcp any eq 1498 host 10.1.2.145
access-list inside-list-in permit udp any eq 1604 host 10.1.2.145
access-list inside-list-in permit tcp any any eq 38292
access-list inside-list-in permit udp any any eq 38293
access-list inside-list-in permit udp any any eq 38037
access-list inside-list-in permit udp any any eq 2967
access-list inside-list-in permit tcp any any eq citrix-ica
access-list inside-list-in permit udp any any eq 1494
access-list inside-list-in permit tcp any any eq 1604
access-list inside-list-in permit udp any any eq 1604
access-list inside-list-in permit tcp any any eq 2040
access-list inside-list-in permit udp any any eq 2040
access-list inside-list-in permit udp any any eq 2048
access-list inside-list-in permit tcp any any eq 2048
access-list inside-list-in permit tcp any any eq ftp
access-list inside-list-in permit tcp any any range 2048 4248
access-list inside-list-in permit icmp host 192.168.4.2 host 192.168.3.7
access-list inside-list-in permit tcp any any eq 2000
access-list inside-list-in permit udp any any eq 2000
access-list inside-list-in permit tcp any eq 2000 host 10.1.3.42
access-list inside-list-in permit udp any eq 2000 host 10.1.3.42
access-list inside-list-in permit tcp any eq 20080 host 10.1.3.27
access-list inside-list-in permit udp any eq 20080 host 10.1.3.27
access-list inside-list-in permit tcp any eq 20080 host 10.1.3.41
access-list inside-list-in permit udp any eq 20080 host 10.1.3.41
access-list inside-list-in permit tcp any eq 20080 host 10.1.3.42
access-list inside-list-in permit udp any eq 20080 host 10.1.3.42
access-list inside-list-in permit tcp any eq 20080 host 10.1.3.43
access-list inside-list-in permit udp any eq 20080 host 10.1.3.43
access-list inside-list-in permit tcp any host 10.1.3.27 eq 20080
access-list inside-list-in permit udp any host 10.1.3.27 eq 20080
access-list inside-list-in permit tcp any host 10.1.3.41 eq 20080
access-list inside-list-in permit udp any host 10.1.3.41 eq 20080
access-list inside-list-in permit tcp any host 10.1.3.42 eq 20080
access-list inside-list-in permit udp any host 10.1.3.42 eq 20080
access-list inside-list-in permit tcp any host 10.1.3.43 eq 20080
access-list inside-list-in permit udp any host 10.1.3.43 eq 20080
access-list inside-list-in permit tcp any host 10.1.4.25 eq 5177
access-list inside-list-in permit tcp any host 10.1.4.25 eq 5178
access-list TOMPLS permit icmp host 192.168.4.2 host 192.168.3.2
access-list TOMPLS permit ip host 192.168.4.2 host 192.168.3.2
access-list TOMPLS permit tcp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 135
access-list TOMPLS permit tcp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 445
access-list TOMPLS permit tcp 192.168.4.0 255.255.255.0 eq 135 192.168.3.0 255.255.255.0
access-list TOMPLS permit tcp 192.168.4.0 255.255.255.0 eq 445 192.168.3.0 255.255.255.0
access-list TOMPLS permit udp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 135
access-list TOMPLS permit udp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 445
access-list TOMPLS permit udp 192.168.4.0 255.255.255.0 eq 135 192.168.3.0 255.255.255.0
access-list TOMPLS permit udp 192.168.4.0 255.255.255.0 eq 445 192.168.3.0 255.255.255.0
access-list TOMPLS permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list TOMPLS permit tcp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 range 135 netbios-ssn
access-list TOMPLS permit udp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0 range 135 139
access-list TOTAMPA permit icmp host 192.168.4.2 host 192.168.5.2
access-list TOTAMPA permit ip host 192.168.4.2 host 192.168.5.2
access-list TOTAMPA permit tcp 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 135
access-list TOTAMPA permit tcp 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 445
access-list TOTAMPA permit tcp 192.168.4.0 255.255.255.0 eq 135 192.168.5.0 255.255.255.0
access-list TOTAMPA permit tcp 192.168.4.0 255.255.255.0 eq 445 192.168.5.0 255.255.255.0
access-list TOTAMPA permit udp 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 135
access-list TOTAMPA permit udp 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 445
access-list TOTAMPA permit udp 192.168.4.0 255.255.255.0 eq 135 192.168.5.0 255.255.255.0
access-list TOTAMPA permit udp 192.168.4.0 255.255.255.0 eq 445 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list TOLANDESK permit icmp host 192.168.4.2 host 192.168.3.7
access-list TOAIR permit udp any host 10.1.2.145 eq 1604
access-list TOAIR permit tcp any eq 1498 host 10.1.2.145
access-list TOAIR permit udp any eq 1604 host 10.1.2.145
access-list TOAIR permit tcp any host 10.1.2.145 eq 1498
access-list TOAIR permit udp any eq 1494 host 10.1.2.145
access-list TOAIR permit tcp any host 10.1.2.145 eq citrix-ica
access-list TOAIR permit udp any host 10.1.2.145 eq 1494
access-list TOAIR permit tcp any eq citrix-ica host 208.246.68.145
access-list GMUEDU permit tcp any host 10.1.5.245 eq 2040
access-list GMUEDU permit tcp any eq 2040 host 10.1.5.245
access-list GMUEDU permit udp any host 10.1.5.245 eq 2040
access-list GMUEDU permit udp any eq 2040 host 10.1.5.245
access-list GMUEDU permit udp any host 10.1.5.245 eq 2048
access-list GMUEDU permit udp any eq 2048 host 10.1.5.245
access-list GMUEDU permit tcp any host 10.1.5.245 eq 2048
access-list GMUEDU permit tcp any eq 2048 host 10.1.5.245
access-list GMUEDU permit tcp any host 10.1.5.245 range 2048 4248
access-list GMUEDU permit tcp any range 2048 4248 host 10.1.5.245
access-list GMUEDU permit tcp any host 10.1.5.245 range 2048 5500
access-list GMUEDU permit tcp any range 2048 5500 host 10.1.5.245
access-list OHIOEDU permit tcp any host 10.1.3.42 eq 2000
access-list OHIOEDU permit tcp any eq 2000 host 10.1.3.42
access-list OHIOEDU permit udp any host 10.1.3.42 eq 2000
access-list OHIOEDU permit udp any eq 2000 host 10.1.3.42
access-list OHIOEDU permit tcp any host 10.1.3.27 eq 20080
access-list OHIOEDU permit tcp any eq 20080 host 10.1.3.27
access-list OHIOEDU permit udp any host 10.1.3.27 eq 20080
access-list OHIOEDU permit udp any eq 20080 host 10.1.3.27
access-list OHIOEDU permit tcp any host 10.1.3.41 eq 20080
access-list OHIOEDU permit tcp any eq 20080 host 10.1.3.41
access-list OHIOEDU permit udp any host 10.1.3.41 eq 20080
access-list OHIOEDU permit udp any eq 20080 host 10.1.3.41
access-list OHIOEDU permit tcp any host 10.1.3.42 eq 20080
access-list OHIOEDU permit tcp any eq 20080 host 10.1.3.42
access-list OHIOEDU permit udp any host 10.1.3.42 eq 20080
access-list OHIOEDU permit udp any eq 20080 host 10.1.3.42
access-list OHIOEDU permit tcp any host 10.1.3.43 eq 20080
access-list OHIOEDU permit tcp any eq 20080 host 10.1.3.43
access-list OHIOEDU permit udp any host 10.1.3.43 eq 20080
access-list OHIOEDU permit udp any eq 20080 host 10.1.3.43
access-list TOMPLSIMSERVER permit tcp 192.168.4.0 255.255.255.0 eq 5177 host 12.167.172.25
access-list TOMPLSIMSERVER permit tcp 192.168.4.0 255.255.255.0 eq 5178 host 12.167.172.25
access-list TOMPLSIMSERVER permit tcp 192.168.4.0 255.255.255.0 host 10.1.4.25 eq 5177
access-list TOMPLSIMSERVER permit tcp 192.168.4.0 255.255.255.0 host 10.1.4.25 eq 5178
access-list VPNCLIENT permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPNCLIENT permit udp 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPNCLIENT permit icmp 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPNCLIENT permit ip 192.168.6.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list VPNCLIENT permit udp 192.168.6.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list VPNCLIENT permit icmp 192.168.6.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list VPNNONAT permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.4.2
logging host inside 127.0.0.1
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.10.100.2 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.6.1-192.168.6.254
pdm location 192.168.4.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 10.10.100.4
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.100.6 192.168.4.6 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.100.5 192.168.4.4 netmask 255.255.255.255 0 0
access-group outside-list-in in interface outside
access-group inside-list-in in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.100.1 1
route inside 192.168.6.0 255.255.255.0 192.168.4.1 1
timeout xlate 0:45:00
timeout conn 0:45:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server mycodcvpnserver protocol radius
aaa-server mycodcvpnserver (inside) host 192.168.4.4 XXXXXX timeout 5
http server enable
http 192.168.4.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address TOMPLS
crypto map newmap 10 set peer 10.70.10.34
crypto map newmap 10 set peer 10.80.10.90
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address TOTAMPA
crypto map newmap 20 set peer 10.90.10.186
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address TOLANDESK
crypto map newmap 30 set peer 192.168.3.7
crypto map newmap 30 set transform-set myset
crypto map newmap 50 ipsec-isakmp dynamic dynmap
crypto map newmap client authentication mycodcvpnserver
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 10.70.10.34 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.90.10.186 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.80.10.90 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
vpngroup mycodcvpn address-pool vpnpool
vpngroup mycodcvpn dns-server 192.168.4.4 192.168.4.2
vpngroup mycodcvpn default-domain myco.com
vpngroup mycodcvpn split-tunnel VPNNONAT
vpngroup mycodcvpn split-dns myco.com
vpngroup mycodcvpn idle-time 1800
vpngroup mycodcvpn authentication-server mycodcvpnserver
vpngroup mycodcvpn password ********
vpngroup timeout idle-time 6000
telnet 192.168.4.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet 192.168.6.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.110.10.100 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f41d85cd5f29edb83abf6e3654b51750
dcvpn.myco.com(config)#

Assisted Solution
by: Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 2016 total points
ID: 20172321
no access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
no access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
no access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.4.0 255.255.255.0

If the above does not work, go on and add the following:
access-list outside_cryptomap_dyn_40 permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set myset
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800 kilobytes 4608000
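
Added example (editor's addition, not code from either participant or from Cisco): a small Python checker for the points the accepted solution and the reply above turn on. It reads only the command forms that appear in the posted configs (`ip address inside`, `ip local pool`, `access-list ... permit ip`, `nat (inside) 0 access-list`, `route`, and the `vpngroup ... address-pool` / `split-tunnel` lines) and reports, per vpngroup: whether the nat (inside) 0 ACL exempts inside -> pool with the inside network as the source, which is the direction the PIX evaluates that ACL in; whether the split-tunnel ACL, if one is set, lists the same inside -> pool pair; whether the pool overlaps the inside subnet; and whether a static route sends the pool back toward the inside interface, which keeps return traffic from reaching the outside interface where the crypto map is applied. The two embedded excerpts are constructed from the first and second configs posted in this thread, not copied from them, and the function and variable names are the editor's own.

```python
"""Added example, not from the thread: check the parts of a PIX 6.x config
that decide whether VPN clients can reach the inside LAN (NAT exemption,
split-tunnel ACL, pool placement and routing).  Only the command forms
used in the posted configs are parsed."""
import ipaddress
import re

INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+")
GROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")

def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) as a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def pool_network(first, last):
    """Smallest prefix that contains the whole 'ip local pool' range."""
    net = ipaddress.ip_network(first + "/32")
    while ipaddress.ip_address(last) not in net:
        net = net.supernet()
    return net

def parse_config(text):
    """Collect inside subnet, pools, 'permit ip' ACL entries, nat 0 ACL, routes, vpngroups."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0": None, "routes": [], "groups": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := INSIDE_RE.match(line):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = pool_network(m[2], m[3])
        elif m := ACL_RE.match(line):
            tokens = m[2].split()
            cfg["acls"].setdefault(m[1], []).append((_addr(tokens), _addr(tokens)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m[1]
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif m := GROUP_RE.match(line):
            cfg["groups"].setdefault(m[1], {})[m[2]] = m[3]
    return cfg

def _covers(entries, src, dst):
    """True if some ACL entry permits all of src -> dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def check(cfg):
    """One finding per problem, for every vpngroup that hands out a pool."""
    findings, inside = [], cfg["inside"]
    nonat = cfg["acls"].get(cfg["nat0"], [])
    for group, attrs in cfg["groups"].items():
        pool = cfg["pools"].get(attrs.get("address-pool"))
        if pool is None:
            continue
        if pool.overlaps(inside):
            findings.append(f"{group}: pool {pool} overlaps the inside subnet {inside}")
        if not _covers(nonat, inside, pool):
            # nat (inside) 0 is evaluated on packets from inside hosts, so the
            # inside network must be the source; a pool-as-source entry never matches.
            hint = " (an entry lists the pool as the source)" if any(s == pool for s, _ in nonat) else ""
            findings.append(f"{group}: nat (inside) 0 ACL does not exempt {inside} -> {pool}{hint}")
        split = attrs.get("split-tunnel")
        if split and not _covers(cfg["acls"].get(split, []), inside, pool):
            findings.append(f"{group}: split-tunnel ACL {split} has no {inside} -> {pool} entry")
        for ifname, net in cfg["routes"]:
            if ifname == "inside" and pool.subnet_of(net):
                findings.append(f"{group}: 'route inside {net}' points the pool back at the inside interface")
    return findings

# Constructed excerpts modelled on the two configs posted in the thread:
# the first before the pool was exempted from NAT, the second after.
BEFORE = """\
ip address inside 192.168.4.1 255.255.255.0
ip local pool vpnpool 10.16.20.1-10.16.20.25
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip any 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup vpnCOMPANYA address-pool vpnpool
"""
AFTER = """\
ip address inside 192.168.4.1 255.255.255.0
ip local pool vpnpool 192.168.6.1-192.168.6.254
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPNNONAT permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list nonat
route inside 192.168.6.0 255.255.255.0 192.168.4.1 1
vpngroup mycodcvpn address-pool vpnpool
vpngroup mycodcvpn split-tunnel VPNNONAT
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check(parse_config(text)) or ["no findings"])
```

Run as-is it prints one finding for each excerpt: the first config has no NAT exemption for the 10.16.20.0/27 pool at all, and the second has the exemption and the split-tunnel ACL right but still carries a `route inside` for the pool. To check a live box, paste the output of `show config` into `parse_config`; the ACL entries the checker ignores (`permit tcp`, `permit udp`, `host`-to-`host` entries) do not affect NAT exemption and are skipped on purpose.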
