Asked by brittonv
Oracle Database losing connection over Cisco VPN

My site-to-site tunnel keeps losing its connection. Outlook will periodically lose its connection to the Exchange server with "Outlook is trying to reconnect...", but that's fine, as the client is smart enough to handle it. Oracle, on the other hand... If we run a long query or a big insert, the connection fails in the middle and we have to clean it up.

Our VPN consists of an HA pair of Cisco 525 Firewall/VPN [PIX Version 7.0(6)] endpoints tunneled to a Cisco ASA5510 [PIX Version 7.0(5)]. The servers are behind the PIX firewalls, with the clients behind the ASA.

We replaced a Symantec Enterprise Firewall with this solution.  We never had this problem with the Symantec, but we started having the timeout problems the day the Cisco was installed.

I tried engaging Cisco Support, but that was more aggravating than anything else. I would imagine there is something fundamentally wrong with my setup, not a case of "try changing this useless setting and call me in the morning".

For the record, the PIX firewalls are not failing over.

Here are my sanitized running-configs:

Cisco ASA Firewall:

asdm image disk0:/asdm505.bin
asdm location XXX.XXX.XXX.0 255.255.255.0 External
asdm location 192.168.3.0 255.255.255.0 External
asdm location 192.168.10.240 255.255.255.240 External
asdm location XXX.XXX.138..161 255.255.255.255 DMZ
asdm location XXX.XXX.138..162 255.255.255.255 DMZ
asdm location XXX.XXX.138..163 255.255.255.255 DMZ
asdm location XXX.XXX.138..202 255.255.255.255 DMZ
asdm location XXX.XXX.138..160 255.255.255.255 DMZ
asdm location XXX.XXX.138..201 255.255.255.255 DMZ
asdm location wizrac01tmp 255.255.255.255 Internal
asdm location wizrac02tmp 255.255.255.255 Internal
asdm location Wiz03DC 255.255.255.255 Internal
asdm group NTP_Out Internal
asdm group Torrent_Hosts Internal
asdm group Torrent_Hosts_ref External reference Torrent_Hosts
no asdm history enable
: Saved
:
ASA Version 7.0(5)
!
hostname ciscoasa
domain-name domain.com
enable password XXXXXXXXXXXXX encrypted
names
name XXX.XXX.XXX.111 wizrac02tmp
name XXX.XXX.XXX.110 wizrac01tmp
name XXX.XXX.XXX.4 Wiz03DC
dns-guard
!
interface Ethernet0/0
 nameif External
 security-level 0
 ip address XXX.XXX.192.71 255.255.255.0
!
interface Ethernet0/1
 nameif Internal
 security-level 75
 ip address XXX.XXX.XXX.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address XXX.XXX.138..1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd 2xxxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group network NTP_Out
 network-object wizrac01tmp 255.255.255.255
 network-object wizrac02tmp 255.255.255.255
 network-object Wiz03DC 255.255.255.255
object-group service Torrent tcp-udp
 port-object eq 17207
 port-object eq 21333
object-group network Torrent_Hosts
 network-object XXX.XXX.XXX.102 255.255.255.255
 network-object XXX.XXX.XXX.204 255.255.255.255
object-group network Torrent_Hosts_ref
 network-object XXX.XXX.192.102 255.255.255.255
 network-object XXX.XXX.192.204 255.255.255.255
object-group service web_Domain tcp-udp
 port-object eq www
 port-object eq domain
object-group service Web_Domain tcp
 port-object eq www
 port-object eq domain
 port-object eq https
access-list Internal_nat0_outbound extended permit ip XXX.XXX.XXX.0 255.255.255.0 192.168.10.240 255.255.255.240
access-list Internal_nat0_outbound extended permit ip XXX.XXX.XXX.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip XXX.XXX.XXX.0 255.255.255.0 XXX.XXX.XXX.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip XXX.XXX.XXX.0 255.255.255.0 XXX.XXX.138..0 255.255.255.0
access-list External_cryptomap_20 extended permit ip XXX.XXX.XXX.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list External_cryptomap_20 extended permit ip XXX.XXX.XXX.0 255.255.255.0 XXX.XXX.XXX.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip XXX.XXX.138..0 255.255.255.0 192.168.10.240 255.255.255.240
access-list Internal_access_in extended permit ip XXX.XXX.XXX.0 255.255.255.0 any
access-list Internal_access_in extended permit tcp XXX.XXX.XXX.0 255.255.255.0 XXX.XXX.138..0 255.255.255.0
access-list Internal_access_in extended permit icmp XXX.XXX.XXX.0 255.255.255.0 XXX.XXX.138..0 255.255.255.0
access-list Internal_access_in extended permit udp object-group NTP_Out any eq ntp
access-list DMZ_access_in extended permit ip XXX.XXX.138..0 255.255.255.0 XXX.XXX.XXX.0 255.255.255.0
access-list DMZ_access_in extended permit icmp XXX.XXX.138..0 255.255.255.0 XXX.XXX.XXX.0 255.255.255.0
access-list DMZ_access_in extended permit tcp host XXX.XXX.138..127 any object-group Web_Domain
access-list DMZ_access_in extended permit tcp host XXX.XXX.138..160 any
access-list DMZ_access_in extended permit tcp host XXX.XXX.138..127 any eq smtp
access-list External_access_in extended permit tcp any host XXX.XXX.138..161 eq ssh
access-list External_access_in extended permit tcp any host XXX.XXX.138..161 eq www
access-list External_access_in extended permit tcp any host XXX.XXX.138..162 eq ssh
access-list External_access_in extended permit tcp any host XXX.XXX.138..162 eq www
access-list External_access_in extended permit tcp any host XXX.XXX.138..163 eq ssh
access-list External_access_in extended permit tcp any host XXX.XXX.138..163 eq www
access-list External_access_in extended permit tcp 65.15.33.16 255.255.255.240 host XXX.XXX.138..202
access-list External_access_in extended permit tcp 65.15.33.16 255.255.255.240 host XXX.XXX.138..201 eq telnet
access-list External_access_in extended permit tcp any host XXX.XXX.138..160 eq https
access-list External_access_in extended permit tcp any host XXX.XXX.138..160 eq www
access-list External_access_in extended permit tcp host 68.153.207.50 host XXX.XXX.138..160 eq ssh
access-list External_access_in extended permit tcp any object-group Torrent_Hosts_ref object-group Torrent
access-list External_access_in extended permit tcp any host XXX.XXX.138..160 eq ftp
access-list External_access_in extended permit tcp any host XXX.XXX.138..160 eq ftp-data
access-list External_access_in extended permit tcp 207.182.207.0 255.255.255.0 host XXX.XXX.192.102 eq ftp
access-list External_access_in extended permit icmp any host XXX.XXX.192.102 unreachable
access-list External_access_in extended permit icmp any host XXX.XXX.192.102 time-exceeded
access-list External_access_in extended permit icmp any host XXX.XXX.192.102 echo-reply
access-list split standard permit XXX.XXX.138..0 255.255.255.0
access-list split standard permit XXX.XXX.XXX.0 255.255.255.0
access-list capin extended permit icmp host XXX.XXX.XXX.102 any
access-list capin extended permit icmp any host XXX.XXX.XXX.102
access-list capdmz extended permit icmp any any
access-list viatunnel extended permit ip XXX.XXX.XXX.0 255.255.255.0 XXX.XXX.XXX.0 255.255.255.0
access-list viatunnel extended permit ip XXX.XXX.XXX.0 255.255.255.0 XXX.XXX.XXX.0 255.255.255.0
access-list cpo extended permit ip host XXX.XXX.XXX.102 host XXX.XXX.XXX.155
access-list cpo extended permit ip host XXX.XXX.XXX.155 host XXX.XXX.XXX.102
!
tcp-map fortunnel
  exceed-mss allow
  queue-limit 250
!
pager lines 25
logging enable
logging monitor debugging
logging asdm warnings
mtu External 1500
mtu Internal 1500
mtu DMZ 1500
mtu management 1500
ip local pool ippool 192.168.10.240-192.168.10.250 mask 255.255.255.0
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (External) 40 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 40 XXX.XXX.XXX.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (Internal,External) XXX.XXX.192.102 XXX.XXX.XXX.102 netmask 255.255.255.255
static (Internal,External) XXX.XXX.192.204 XXX.XXX.XXX.204 netmask 255.255.255.255
access-group External_access_in in interface External
access-group Internal_access_in in interface Internal
access-group DMZ_access_in in interface DMZ
route External 0.0.0.0 0.0.0.0 XXX.XXX.192.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy Remote internal
group-policy Remote attributes
 wins-server value XXX.XXX.XXX.4
 dns-server value XXX.XXX.XXX.4
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value domain.com
 client-firewall none
 webvpn
username user1 password XXXXXXXXX encrypted
username user2 password xxxxxxxxx encrypted privilege 15
username user2 attributes
 vpn-group-policy Remote
 webvpn
username user3 password xxxxxxxxxx encrypted
username user4 password xxxxxxxxxx encrypted
username mark attributes
 vpn-group-policy Remote
 webvpn
aaa authentication ssh console LOCAL
http server enable
http 68.209.105.239 255.255.255.255 External
http 0.0.0.0 0.0.0.0 External
http XXX.XXX.XXX.102 255.255.255.255 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df Internal
crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map External_map 20 match address External_cryptomap_20
crypto map External_map 20 set peer 12.129.87.36
crypto map External_map 20 set transform-set ESP-DES-SHA
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
tunnel-group 12.129.87.36 type ipsec-l2l
tunnel-group 12.129.87.36 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group Remote type ipsec-ra
tunnel-group Remote general-attributes
 address-pool ippool
 default-group-policy Remote
tunnel-group Remote ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 3600
telnet timeout 5
ssh XXX.XXX.XXX.102 255.255.255.255 Internal
ssh timeout 60
ssh version 1
console timeout 0
management-access Internal
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map totunnel
 match access-list viatunnel
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 2048
  inspect ftp
  inspect sqlnet
 class totunnel
  set connection advanced-options fortunnel
!
service-policy global_policy global
ntp server 198.72.72.10 source External prefer
ntp server 71.40.128.148 source External
ntp server 209.184.112.199 source External
Cryptochecksum:6lksdjflgkjsdfglkjsdfglkj
: end

HA Pix Cluster:

asdm image flash:/asdm-506.bin
asdm location XXX,.XXX.1.102 255.255.255.255 inside
asdm location XXX,.XXX.3.52 255.255.255.255 Private
asdm location XXX,.XXX.1.85 255.255.255.255 inside
asdm location XXX,.XXX.1.4 255.255.255.255 inside
asdm location XXX,.XXX.1.10 255.255.255.255 inside
asdm location EMC_SP_B 255.255.255.255 Private
asdm location EMC_Switch 255.255.255.255 Private
asdm location WizRAC01 255.255.255.255 inside
asdm location WizRAC02 255.255.255.255 inside
asdm location DataProcATL08 255.255.255.255 inside
asdm location XXX,.XXX.1.33 255.255.255.255 inside
asdm group EMC_Equipment Private
asdm group App_Servers inside
asdm group RAC_Servers inside
asdm group NTP_Servers inside
asdm group HTTP.HTTPS_access_out inside
asdm group FTP_Out inside
asdm group Private_HTTP-HTTPS_out Private
asdm group Services inside
no asdm history enable
: Saved
:
PIX Version 7.0(6)
!
hostname PIX
domain-name domain.com
enable password G0b9g6G4De8LlhD/ encrypted
names
name XXX,.XXX.1.69 dell
name XXX,.XXX.3.15 EMC_SP_A
name XXX,.XXX.3.17 EMC_Switch
name XXX,.XXX.3.16 EMC_SP_B
name XXX,.XXX.1.155 WizRAC02
name XXX,.XXX.1.156 WizRAC01
name XXX,.XXX.1.166 DataProcATL08
name XXX,.XXX.1.12 subversion
name XXX,.XXX.1.128 wizvm01
dns-guard
!
interface Ethernet0
 speed 100
 duplex full
 nameif external
 security-level 0
 ip address XXX.XXX.87.36 255.255.255.240 standby XXX.XXX.87.37
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 50
 ip address XXX,.XXX.1.1 255.255.255.0 standby XXX,.XXX.1.2
!
interface Ethernet2
 speed 100
 duplex full
 nameif Private
 security-level 100
 ip address XXX,.XXX.3.1 255.255.255.0 standby XXX,.XXX.3.3
!
interface Ethernet3
 speed 100
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0
 description STATE Failover Interface
!
passwd xxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service dell tcp
 port-object eq www
object-group service mail-http-https tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group service http-https tcp
 port-object eq www
 port-object eq https
object-group network EMC_Equipment
 network-object EMC_SP_A 255.255.255.255
 network-object EMC_SP_B 255.255.255.255
 network-object EMC_Switch 255.255.255.255
object-group network App_Servers
 network-object XXX,.XXX.1.111 255.255.255.255
 network-object XXX,.XXX.1.112 255.255.255.255
 network-object XXX,.XXX.1.114 255.255.255.255
object-group network RAC_Servers
 network-object WizRAC02 255.255.255.255
 network-object WizRAC01 255.255.255.255
object-group network NTP_Servers
 network-object XXX,.XXX.1.11 255.255.255.255
 network-object XXX,.XXX.1.102 255.255.255.255
object-group network HTTP.HTTPS_access_out
 description Machines in the inside network with access to the internet
 network-object subversion 255.255.255.255
 network-object wizvm01 255.255.255.255
object-group network FTP_Out
 description Servers with FTP access Out
 network-object XXX,.XXX.1.169 255.255.255.255
object-group network Private_HTTP-HTTPS_out
 network-object XXX,.XXX.3.52 255.255.255.255
object-group network Services
 description Servers that send out domain Services
 network-object XXX,.XXX.1.231 255.255.255.255
 network-object XXX,.XXX.1.232 255.255.255.255
 network-object XXX,.XXX.1.233 255.255.255.255
 network-object XXX,.XXX.1.234 255.255.255.255
 network-object XXX,.XXX.1.151 255.255.255.255
 network-object XXX,.XXX.1.169 255.255.255.255
 network-object XXX,.XXX.1.163 255.255.255.255
 network-object XXX,.XXX.1.160 255.255.255.255
 network-object XXX,.XXX.1.161 255.255.255.255
access-list internal_access_in extended permit ip any any
access-list internal_access_in extended permit icmp any any
access-list internal_access_in extended permit udp host XXX,.XXX.1.85 any
access-list internal_access_in extended permit tcp host XXX,.XXX.1.85 any
access-list internal_access_in extended permit tcp host XXX,.XXX.1.4 host XXX,.XXX.3.52
access-list internal_access_in extended permit udp host XXX,.XXX.1.4 host XXX,.XXX.3.52
access-list internal_access_in extended permit tcp object-group App_Servers any eq 8080
access-list internal_access_in extended permit tcp object-group RAC_Servers object-group EMC_Equipment eq 6389
access-list internal_access_in extended permit udp object-group NTP_Servers any eq ntp
access-list internal_access_in extended permit tcp object-group HTTP.HTTPS_access_out any object-group http-https
access-list internal_access_in extended permit tcp object-group RAC_Servers any object-group http-https
access-list external_access_in extended permit tcp any host 207.182.207.10 object-group http-https
access-list external_access_in extended permit tcp any host 207.182.207.50 eq domain
access-list external_access_in extended permit udp any host 207.182.207.10 eq domain
access-list external_access_in extended permit tcp any host 207.182.207.4 object-group mail-http-https
access-list external_access_in extended permit tcp any host 207.182.207.105 object-group mail-http-https
access-list external_access_in extended permit udp any host 207.182.207.50 eq domain
access-list external_access_in extended permit tcp any host 207.182.207.21 object-group http-https
access-list external_access_in extended permit tcp any host 207.182.207.22 object-group http-https
access-list external_access_in extended permit tcp any host 207.182.207.10 eq ftp
access-list external_access_in extended permit tcp any host 207.182.207.153 object-group http-https
access-list external_access_in extended permit tcp any host 207.182.207.10 eq domain
access-list external_access_in extended permit tcp any host 207.182.207.113 object-group http-https
access-list external_access_in extended permit tcp any host 207.182.207.169 eq ftp
access-list external_access_in extended permit tcp any host 207.182.207.33 object-group http-https
access-list external_access_in extended permit icmp any host 207.182.208.11 unreachable
access-list external_access_in extended permit icmp any host 207.182.208.11 time-exceeded
access-list beenged extended permit ip any host 207.182.207.4
access-list beenged extended permit ip host 207.182.207.4 any
access-list beenged extended permit ip any any
access-list kieenged extended permit ip any host XXX,.XXX.1.4
access-list kieenged extended permit ip host XXX,.XXX.1.4 any
access-list Private_access_in extended permit tcp XXX,.XXX.3.0 255.255.255.0 any
access-list Private_access_in extended permit tcp XXX,.XXX.3.0 255.255.255.0 host XXX,.XXX.1.85 eq domain
access-list Private_access_in extended permit udp XXX,.XXX.3.0 255.255.255.0 host XXX,.XXX.1.85 eq domain
access-list Private_access_in extended permit tcp host XXX,.XXX.3.52 host XXX,.XXX.1.4
access-list Private_access_in extended permit udp host XXX,.XXX.3.52 host XXX,.XXX.1.4
access-list Private_access_in remark Rule to allow the SP's to send email notifications via the exchange server
access-list Private_access_in extended permit tcp object-group EMC_Equipment host XXX,.XXX.1.4 eq smtp
access-list Private_access_in extended permit tcp object-group EMC_Equipment object-group RAC_Servers eq 6389
access-list Private_access_in extended permit udp object-group EMC_Equipment object-group RAC_Servers
access-list inside_nat0_outbound extended permit ip XXX,.XXX.3.0 255.255.255.0 XXX.XXX.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip XXX,.XXX.1.0 255.255.255.0 XXX.XXX.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip XXX,.XXX.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list Private_nat0_outbound extended permit ip XXX,.XXX.3.0 255.255.255.0 XXX.XXX.2.0 255.255.255.0
access-list Private_nat0_outbound extended permit ip XXX,.XXX.3.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list Private_nat0_outbound extended permit ip XXX,.XXX.3.0 255.255.255.0 XXX,.XXX.1.0 255.255.255.0
access-list inside_cryptomap_20 extended permit ip XXX,.XXX.1.0 255.255.255.0 XXX.XXX.2.0 255.255.255.0
access-list inside_cryptomap_20 extended permit ip XXX,.XXX.3.0 255.255.255.0 XXX.XXX.2.0 255.255.255.0
access-list split standard permit XXX,.XXX.1.0 255.255.255.0
access-list split standard permit XXX,.XXX.3.0 255.255.255.0
access-list RemoteMail_splitTunnelAcl standard permit host XXX,.XXX.1.85
access-list viatunnel extended permit ip XXX.XXX.2.0 255.255.255.0 XXX,.XXX.1.0 255.255.255.0
access-list viatunnel extended permit ip XXX,.XXX.1.0 255.255.255.0 XXX.XXX.2.0 255.255.255.0
access-list cpi extended permit ip host XXX.XXX.2.102 host WizRAC02
access-list cpi extended permit ip host WizRAC02 host XXX.XXX.2.102
!
tcp-map fortunnel
  exceed-mss allow
!
pager lines 25
logging enable
logging console errors
logging monitor debugging
logging trap errors
logging asdm warnings
mtu external 1500
mtu inside 1500
mtu Private 1500
ip local pool ippool 172.16.2.245-172.16.2.250 mask 255.255.255.0
failover
failover replication http
failover link state GigabitEthernet0
failover interface ip state 192.168.150.1 255.255.255.0 standby 192.168.150.2
monitor-interface external
monitor-interface inside
monitor-interface Private
asdm image flash:/asdm-506.bin
no asdm history enable
arp timeout 14400
global (external) 100 207.182.207.200-207.182.207.250
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 subversion 255.255.255.255
nat (inside) 100 XXX,.XXX.1.111 255.255.255.255
nat (inside) 100 XXX,.XXX.1.112 255.255.255.255
nat (inside) 100 XXX,.XXX.1.127 255.255.255.255
nat (inside) 100 wizvm01 255.255.255.255
nat (inside) 100 WizRAC02 255.255.255.255
nat (inside) 100 WizRAC01 255.255.255.255
nat (inside) 100 XXX,.XXX.1.165 255.255.255.255
nat (inside) 100 DataProcATL08 255.255.255.255
nat (inside) 100 XXX,.XXX.1.190 255.255.255.255
nat (Private) 0 access-list Private_nat0_outbound
nat (Private) 100 XXX,.XXX.3.52 255.255.255.255
static (inside,external) 207.182.207.69 dell netmask 255.255.255.255
static (inside,external) 207.182.207.10 XXX,.XXX.1.10 netmask 255.255.255.255
static (inside,external) 207.182.207.50 XXX,.XXX.1.50 netmask 255.255.255.255
static (inside,external) 207.182.207.4 XXX,.XXX.1.4 netmask 255.255.255.255
static (inside,external) 207.182.207.105 XXX,.XXX.1.105 netmask 255.255.255.255
static (inside,external) 207.182.207.71 XXX,.XXX.1.71 netmask 255.255.255.255
static (inside,external) 207.182.207.160 XXX,.XXX.1.160 netmask 255.255.255.255
static (inside,external) 207.182.207.161 XXX,.XXX.1.161 netmask 255.255.255.255
static (inside,external) 207.182.207.151 XXX,.XXX.1.151 netmask 255.255.255.255
static (inside,external) 207.182.207.164 XXX,.XXX.1.164 netmask 255.255.255.255
static (inside,external) 207.182.207.21 XXX,.XXX.1.21 netmask 255.255.255.255
static (inside,external) 207.182.207.22 XXX,.XXX.1.22 netmask 255.255.255.255
static (inside,external) 207.182.207.163 XXX,.XXX.1.163 netmask 255.255.255.255
static (inside,external) 207.182.207.153 XXX,.XXX.1.153 netmask 255.255.255.255
static (inside,external) 207.182.207.85 XXX,.XXX.1.85 netmask 255.255.255.255
static (inside,external) 207.182.207.152 XXX,.XXX.1.152 netmask 255.255.255.255
static (inside,external) 207.182.207.169 XXX,.XXX.1.169 netmask 255.255.255.255
static (inside,external) 207.182.207.113 XXX,.XXX.1.113 netmask 255.255.255.255
static (inside,external) 207.182.208.11 XXX,.XXX.1.11 netmask 255.255.255.255
static (inside,external) 207.182.207.33 XXX,.XXX.1.33 netmask 255.255.255.255
static (inside,external) 207.182.207.114 XXX,.XXX.1.114 netmask 255.255.255.255
static (inside,external) 207.182.207.231 XXX,.XXX.1.231 netmask 255.255.255.255
static (inside,external) 207.182.207.232 XXX,.XXX.1.232 netmask 255.255.255.255
static (inside,external) 207.182.207.233 XXX,.XXX.1.233 netmask 255.255.255.255
static (inside,external) 207.182.207.234 XXX,.XXX.1.234 netmask 255.255.255.255
access-group external_access_in in interface external
access-group internal_access_in in interface inside
access-group Private_access_in in interface Private
route external 0.0.0.0 0.0.0.0 XXX.XXX.87.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy RemoteMail internal
group-policy RemoteMail attributes
 wins-server value XXX,.XXX.1.85
 dns-server value XXX,.XXX.1.85
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteMail_splitTunnelAcl
 default-domain value domain.com
group-policy Remote internal
group-policy Remote attributes
 dns-server value XXX,.XXX.1.10 XXX,.XXX.1.50
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
username User1 password xxxxxxxxxx encrypted
username User1 attributes
 vpn-group-policy Remote
username user2 password xxxxxxxxxxx encrypted
username user3 password xxxxxxxxxx  encrypted privilege 0
username user4 attributes
 vpn-group-policy RemoteMail
username user5 password xxxxxxxxxxxx encrypted
username user5 attributes
 vpn-group-policy Remote
username user6 password fxxxxxxxxxxxxxx encrypted
username user6 attributes
 vpn-group-policy DfltGrpPolicy
username mark password xxxxxx encrypted privilege 0
username mark attributes
 vpn-group-policy UserTunnel
aaa authentication ssh console LOCAL
http server enable
http XXX.xxx.192.102 255.255.255.255 external
http dell 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1250
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec df-bit clear-df inside
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map external_dyn_map 20 set transform-set ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto map external_map 20 match address inside_cryptomap_20
crypto map external_map 20 set peer xxx.xxx.192..71
crypto map external_map 20 set transform-set ESP-DES-SHA
crypto map external_map 65535 ipsec-isakmp dynamic external_dyn_map
crypto map external_map interface external
isakmp identity address
isakmp enable external
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
tunnel-group Remote type ipsec-ra
tunnel-group Remote general-attributes
 address-pool ippool
 default-group-policy Remote
tunnel-group Remote ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 3600
tunnel-group RemoteMail type ipsec-ra
tunnel-group RemoteMail general-attributes
 address-pool ippool
 default-group-policy RemoteMail
tunnel-group RemoteMail ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.192..71 type ipsec-l2l
tunnel-group xxx.xxx.192..71 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
telnet timeout 5
ssh 68.209.105.239 255.255.255.255 external
ssh 171.68.225.213 255.255.255.255 external
ssh 171.68.225.0 255.255.255.0 external
ssh dell 255.255.255.255 inside
ssh timeout 60
console timeout 0
management-access Private
!
class-map totunnel
 match access-list viatunnel
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 2048
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class totunnel
  set connection advanced-options fortunnel
!
service-policy global_policy global
ntp authenticate
ntp server 198.72.72.10 source external prefer
ntp server 71.140.128.148 source external
ntp server 209.184.112.199 source external
Cryptochecksum:00bca43cc1eaa63f50912607f1a08d85
: end
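A small configuration audit, added here as an example and not part of the question or of any answer in the thread: it parses a Cisco ASA/PIX 7.x running-config in the format posted above and flags the items a reviewer would check first, namely management access open to any host, SSH protocol 1, single DES in IKE policies and transform-sets, a tunnel-group with IKE keepalives disabled, the idle TCP timeout, and SQL*Net inspection. SAMPLE_CONFIG is a constructed excerpt modelled on the ASA config; its peer address is a documentation-range placeholder, and the findings are review prompts, not a diagnosis of the poster's drops.

```python
"""Audit a sanitised Cisco ASA/PIX 7.x running-config for settings that bear
on tunnel stability and management exposure (added example, not from the
thread). SAMPLE_CONFIG is a constructed excerpt modelled on the ASA config
posted above; the peer address is a documentation-range placeholder."""
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
: Saved
ASA Version 7.0(5)
!
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
http 0.0.0.0 0.0.0.0 External
http 192.0.2.102 255.255.255.255 Internal
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
isakmp policy 10 encryption des
isakmp policy 30 encryption 3des
tunnel-group 198.51.100.36 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group Remote ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 3600
ssh version 1
policy-map global_policy
 class inspection_default
  inspect sqlnet
: end
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    command: str   # config line that triggered the finding
    note: str


def parse_blocks(text):
    """Group a config into (command, [sub-lines]): indented lines belong to
    the preceding unindented command; '!' and ':' comment lines are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return the Findings for one running-config, in config order."""
    out = []
    for cmd, subs in parse_blocks(text):
        # Management plane reachable from any source address on an interface.
        m = re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", cmd)
        if m:
            out.append(Finding("high", cmd,
                               f"{m[1].upper()} management open to any host on {m[2]}"))
        if cmd == "ssh version 1":
            out.append(Finding("high", cmd, "SSH protocol 1 is obsolete"))
        # Single DES in an IKE policy or an IPsec transform-set.
        if re.match(r"isakmp policy \d+ encryption des$", cmd) or \
                re.match(r"crypto ipsec transform-set \S+ esp-des\b", cmd):
            out.append(Finding("medium", cmd, "single DES in use"))
        # Tunnel-group with IKE keepalives (dead peer detection) switched off.
        if (cmd.startswith("tunnel-group") and cmd.endswith("ipsec-attributes")
                and "isakmp keepalive disable" in subs):
            out.append(Finding("info", cmd,
                               f"IKE keepalives disabled for peer {cmd.split()[1]}; "
                               "a dead peer is only noticed when rekey or traffic fails"))
        # Idle TCP timeout after which the firewall drops the connection.
        m = re.match(r"timeout conn (\d+):(\d+):(\d+)", cmd)
        if m:
            h, mi, s = (int(x) for x in m.groups())
            out.append(Finding("info", cmd,
                               f"idle TCP connections torn down after {h * 3600 + mi * 60 + s} s"))
        # SQL*Net application inspection applies to the Oracle traffic.
        if cmd.startswith("policy-map") and "inspect sqlnet" in subs:
            out.append(Finding("info", cmd, "SQL*Net inspection is active"))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.command}: {f.note}")
```

Run it against the full sanitized configs above by reading them into audit(); the PIX config has no open http line but does share the single-DES policies, and the L2L tunnel-groups on both ends carry `isakmp keepalive disable`.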
