Site to Site / Client VPN w/Pix & ASA - Same Subnet - Routing issues
I have a client who is wanting to adjust their VPN settings. The currently have a VPN site to site established and also a client VPN. They use the same subnet at both locations and just use different parts of the IP. When at either location they can get to both sides of the VPN but when someone uses a client into the ASA they can only access the ASA site and not the other site with the PIX.
They want to be able to get to both sides of the S2S VPN while using the client. At this time chaning the IP address is not an option.
Also if any blatant cmd line errors pointed out would be appreciated. Thanks.
Here is the PIX config:
pdx-pix# sh config
: Saved
: Written by enable_15 at 12:49:22.982 UTC Wed Nov 7 2007
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.128
access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 172.16.201.0 255.255.255.192
access-list No-Nat-Inside permit ip any 172.16.200.128 255.255.255.128
access-list No-Nat-Inside remark General Match
access-list Hermiston permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.128
access-list Hermiston permit ip 172.16.200.128 255.255.255.128 172.16.201.0 255.255.255.192
access-list Hermiston remark Match for Hermiston
access-list Hermiston permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list Hermiston permit ip 172.16.0.0 255.255.0.0 any
access-list Hermiston permit ip 192.168.250.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.200.128 255.255.255.128
pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.206.121 255.255.255.248
ip address inside 172.16.200.129 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm location xx.xx.214.2 255.255.255.255 outside
pdm location 172.16.201.2 255.255.255.255 inside
pdm location 172.16.200.0 255.255.255.128 outside
pdm location 172.16.201.0 255.255.255.192 outside
pdm location xx.xx.214.0 255.255.255.224 outside
pdm location 172.16.200.128 255.255.255.128 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No-Nat-Inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.126 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.200.128 255.255.255.128 inside
snmp-server host inside 172.16.201.2
snmp-server location Portland
snmp-server contact
snmp-server community tnx483z
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set Hermiston-set esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set Hermiston-set
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address Hermiston
crypto map newmap 10 set peer xx.xx.xx.18
crypto map newmap 10 set transform-set Hermiston-set
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.18 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 172.16.200.128 255.255.255.128 inside
telnet timeout 10
ssh xx.xx.xx.0 255.255.255.224 outside
ssh xx.xx.xx.120 255.255.255.248 outside
ssh xx.xx.xx.0 255.255.255.0 outside
ssh 172.16.200.128 255.255.255.128 inside
ssh timeout 30
console timeout 0
username password encrypted privilege 15
terminal width 80
banner motd #
Cryptochecksum:52406d921de
pdx-pix#
Here is the ASA:
office-fw# sh config
: Saved
: Written by enable_15 at 16:26:56.702 PST Wed Nov 7 2007
!
ASA Version 7.0(4)
!
hostname office-fw
enable password *********** encrypted
no names
name xx.xx.xx.38 Molokia-pix
name xx.xx.xx.51 WCVWiFi-pix
!
interface GigabitEthernet0/0
description office-fw-outside.ezwirele
speed 1000
duplex full
nameif outside
security-level 0
ip address xx.xx.xx.18 255.255.255.224
!
interface GigabitEthernet0/1
description office-fw-inside.ezwireles
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.14
description office-inside.ezwireless.l
vlan 14
nameif inside
security-level 100
ip address 172.16.200.1 255.255.255.128
!
interface GigabitEthernet0/2
description office-dmz.ezwireless.loca
speed 100
duplex full
nameif dmz
security-level 50
ip address 172.16.201.1 255.255.255.192
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.201.0 255.255.255.192
access-list No-Nat extended permit ip 172.19.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.200.0 255.255.255.128
access-list No-Nat remark General Non-Nat ACL
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.201.0 255.255.255.192
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.201.0 255.255.255.192
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 172.16.200.128 255.255.255.128 any
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 any
access-list Molokia extended permit ip 172.16.200.0 255.255.255.128 172.16.10.0 255.255.255.0
access-list Molokia extended permit ip 172.16.201.0 255.255.255.192 172.16.10.0 255.255.255.0
access-list Molokia remark Molokia Site ACL
access-list split1 standard permit 172.16.200.0 255.255.255.128
access-list split1 remark VPN Client Split Group
access-list split1 standard permit 172.16.0.0 255.255.0.0
access-list split1 standard permit any
access-list WCVWiFi extended permit ip 172.16.200.0 255.255.255.128 172.16.100.0 255.255.255.0
access-list WCVWiFi extended permit ip 172.16.201.0 255.255.255.192 172.16.100.0 255.255.255.0
access-list WCVWiFi extended permit ip 172.19.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list WCVWiFi remark WillowCreak Valley Site ACL
access-list ezWlocal extended permit tcp any host xx.xx.xx.13 eq www
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq smtp
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq https
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq 993
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq 995
access-list ezWlocal extended permit tcp any host xx.xx.xx.13 eq https
access-list PDX extended permit ip 172.16.200.0 255.255.255.128 172.16.200.128 255.255.255.128
access-list PDX extended permit ip 172.16.201.0 255.255.255.192 172.16.200.128 255.255.255.128
access-list PDX remark PDX-Office Site ACL
access-list PDX extended permit ip 192.168.250.0 255.255.255.0 any
access-list inside_cryptomap_12 extended permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.0
access-list inside_cryptomap_12 extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool ClientPool 192.168.250.193-192.168.25
no failover
icmp permit any unreachable outside
icmp permit any inside
icmp permit any echo-reply inside
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.21
nat (inside) 0 access-list No-Nat
nat (inside) 1 172.16.200.0 255.255.255.128
nat (dmz) 0 access-list No-Nat
static (inside,outside) tcp xx.xx.xx.13 www 172.16.200.20 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.22 smtp 172.16.200.4 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.22 https 172.16.200.4 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.13 https 172.16.200.20 https netmask 255.255.255.255
access-group ezWlocal in interface outside
route outside 0.0.0.0 0.0.0.0 216.110.214.1 1
route dmz 172.19.0.0 255.255.255.0 172.16.201.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ezWireless internal
group-policy ezWireless attributes
dns-server value 172.16.200.2
vpn-idle-timeout 180
vpn-session-timeout 180
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split1
webvpn
username ****** password ********* encrypted privilege 15
username *********** password ********* encrypted privilege 15
username ************* password ************* encrypted privilege 15
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.0.0 255.255.0.0 management
snmp-server host dmz 172.16.201.2 community tnx483z version 2c
snmp-server host outside 216.110.214.12 community wireless version 2c
snmp-server location Hermiston
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Molokia-set esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set WCVWiFi-set esp-3des esp-md5-hmac
crypto ipsec transform-set PDX-set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set myset
crypto map newmap 10 match address Molokia
crypto map newmap 10 set peer xx.xx.xx.38
crypto map newmap 10 set transform-set Molokia-set
crypto map newmap 11 match address WCVWiFi
crypto map newmap 11 set peer xx.xx.xx.51
crypto map newmap 11 set transform-set WCVWiFi-set
crypto map newmap 12 match address PDX
crypto map newmap 12 set peer xx.xx.xx.121
crypto map newmap 12 set transform-set PDX-set
crypto map newmap 90 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map outside 12 match address inside_cryptomap_12
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
authentication-server-grou
tunnel-group ezWireless type ipsec-ra
tunnel-group ezWireless general-attributes
address-pool Clientpool
authentication-server-grou
default-group-policy ezWireless
tunnel-group ezWireless ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.38 type ipsec-l2l
tunnel-group xx.xx.xx.38 ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.51 type ipsec-l2l
tunnel-group xx.xx.xx.51 ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.121 type ipsec-l2l
tunnel-group xx.xx.xx.121 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh xx.xx.xx.0 255.255.255.0 outside
ssh xx.xx.xx.0 255.255.255.0 outside
ssh xx.xx.xx.120 255.255.255.248 outside
ssh xx.xx.xx.120 255.255.255.252 outside
ssh xx.xx.xx.0 255.255.255.0 outside
ssh 172.16.0.0 255.255.0.0 inside
ssh 172.16.200.0 255.255.255.128 inside
ssh 172.16.200.128 255.255.255.128 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
inspect icmp error
!
service-policy global_policy global
ntp server 216.110.214.9 source outside prefer
Cryptochecksum:0ea1879c0c8
office-fw#
They want to be able to get to both sides of the S2S VPN while using the client. At this time chaning the IP address is not an option.
Also if any blatant cmd line errors pointed out would be appreciated. Thanks.
Here is the PIX config:
pdx-pix# sh config
: Saved
: Written by enable_15 at 12:49:22.982 UTC Wed Nov 7 2007
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.128
access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 172.16.201.0 255.255.255.192
access-list No-Nat-Inside permit ip any 172.16.200.128 255.255.255.128
access-list No-Nat-Inside remark General Match
access-list Hermiston permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.128
access-list Hermiston permit ip 172.16.200.128 255.255.255.128 172.16.201.0 255.255.255.192
access-list Hermiston remark Match for Hermiston
access-list Hermiston permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list Hermiston permit ip 172.16.0.0 255.255.0.0 any
access-list Hermiston permit ip 192.168.250.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.200.128 255.255.255.128
pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.206.121 255.255.255.248
ip address inside 172.16.200.129 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm location xx.xx.214.2 255.255.255.255 outside
pdm location 172.16.201.2 255.255.255.255 inside
pdm location 172.16.200.0 255.255.255.128 outside
pdm location 172.16.201.0 255.255.255.192 outside
pdm location xx.xx.214.0 255.255.255.224 outside
pdm location 172.16.200.128 255.255.255.128 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No-Nat-Inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.126 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.200.128 255.255.255.128 inside
snmp-server host inside 172.16.201.2
snmp-server location Portland
snmp-server contact
snmp-server community tnx483z
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set Hermiston-set esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set Hermiston-set
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address Hermiston
crypto map newmap 10 set peer xx.xx.xx.18
crypto map newmap 10 set transform-set Hermiston-set
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.18 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 172.16.200.128 255.255.255.128 inside
telnet timeout 10
ssh xx.xx.xx.0 255.255.255.224 outside
ssh xx.xx.xx.120 255.255.255.248 outside
ssh xx.xx.xx.0 255.255.255.0 outside
ssh 172.16.200.128 255.255.255.128 inside
ssh timeout 30
console timeout 0
username password encrypted privilege 15
terminal width 80
banner motd #
Cryptochecksum:52406d921de
pdx-pix#
Here is the ASA:
office-fw# sh config
: Saved
: Written by enable_15 at 16:26:56.702 PST Wed Nov 7 2007
!
ASA Version 7.0(4)
!
hostname office-fw
enable password *********** encrypted
no names
name xx.xx.xx.38 Molokia-pix
name xx.xx.xx.51 WCVWiFi-pix
!
interface GigabitEthernet0/0
description office-fw-outside.ezwirele
speed 1000
duplex full
nameif outside
security-level 0
ip address xx.xx.xx.18 255.255.255.224
!
interface GigabitEthernet0/1
description office-fw-inside.ezwireles
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.14
description office-inside.ezwireless.l
vlan 14
nameif inside
security-level 100
ip address 172.16.200.1 255.255.255.128
!
interface GigabitEthernet0/2
description office-dmz.ezwireless.loca
speed 100
duplex full
nameif dmz
security-level 50
ip address 172.16.201.1 255.255.255.192
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.201.0 255.255.255.192
access-list No-Nat extended permit ip 172.19.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.200.0 255.255.255.128
access-list No-Nat remark General Non-Nat ACL
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.201.0 255.255.255.192
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.201.0 255.255.255.192
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 172.16.200.128 255.255.255.128 any
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 any
access-list Molokia extended permit ip 172.16.200.0 255.255.255.128 172.16.10.0 255.255.255.0
access-list Molokia extended permit ip 172.16.201.0 255.255.255.192 172.16.10.0 255.255.255.0
access-list Molokia remark Molokia Site ACL
access-list split1 standard permit 172.16.200.0 255.255.255.128
access-list split1 remark VPN Client Split Group
access-list split1 standard permit 172.16.0.0 255.255.0.0
access-list split1 standard permit any
access-list WCVWiFi extended permit ip 172.16.200.0 255.255.255.128 172.16.100.0 255.255.255.0
access-list WCVWiFi extended permit ip 172.16.201.0 255.255.255.192 172.16.100.0 255.255.255.0
access-list WCVWiFi extended permit ip 172.19.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list WCVWiFi remark WillowCreak Valley Site ACL
access-list ezWlocal extended permit tcp any host xx.xx.xx.13 eq www
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq smtp
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq https
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq 993
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq 995
access-list ezWlocal extended permit tcp any host xx.xx.xx.13 eq https
access-list PDX extended permit ip 172.16.200.0 255.255.255.128 172.16.200.128 255.255.255.128
access-list PDX extended permit ip 172.16.201.0 255.255.255.192 172.16.200.128 255.255.255.128
access-list PDX remark PDX-Office Site ACL
access-list PDX extended permit ip 192.168.250.0 255.255.255.0 any
access-list inside_cryptomap_12 extended permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.0
access-list inside_cryptomap_12 extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool ClientPool 192.168.250.193-192.168.25
no failover
icmp permit any unreachable outside
icmp permit any inside
icmp permit any echo-reply inside
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.21
nat (inside) 0 access-list No-Nat
nat (inside) 1 172.16.200.0 255.255.255.128
nat (dmz) 0 access-list No-Nat
static (inside,outside) tcp xx.xx.xx.13 www 172.16.200.20 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.22 smtp 172.16.200.4 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.22 https 172.16.200.4 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.13 https 172.16.200.20 https netmask 255.255.255.255
access-group ezWlocal in interface outside
route outside 0.0.0.0 0.0.0.0 216.110.214.1 1
route dmz 172.19.0.0 255.255.255.0 172.16.201.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ezWireless internal
group-policy ezWireless attributes
dns-server value 172.16.200.2
vpn-idle-timeout 180
vpn-session-timeout 180
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split1
webvpn
username ****** password ********* encrypted privilege 15
username *********** password ********* encrypted privilege 15
username ************* password ************* encrypted privilege 15
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.0.0 255.255.0.0 management
snmp-server host dmz 172.16.201.2 community tnx483z version 2c
snmp-server host outside 216.110.214.12 community wireless version 2c
snmp-server location Hermiston
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Molokia-set esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set WCVWiFi-set esp-3des esp-md5-hmac
crypto ipsec transform-set PDX-set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set myset
crypto map newmap 10 match address Molokia
crypto map newmap 10 set peer xx.xx.xx.38
crypto map newmap 10 set transform-set Molokia-set
crypto map newmap 11 match address WCVWiFi
crypto map newmap 11 set peer xx.xx.xx.51
crypto map newmap 11 set transform-set WCVWiFi-set
crypto map newmap 12 match address PDX
crypto map newmap 12 set peer xx.xx.xx.121
crypto map newmap 12 set transform-set PDX-set
crypto map newmap 90 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map outside 12 match address inside_cryptomap_12
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
authentication-server-grou
tunnel-group ezWireless type ipsec-ra
tunnel-group ezWireless general-attributes
address-pool Clientpool
authentication-server-grou
default-group-policy ezWireless
tunnel-group ezWireless ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.38 type ipsec-l2l
tunnel-group xx.xx.xx.38 ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.51 type ipsec-l2l
tunnel-group xx.xx.xx.51 ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.121 type ipsec-l2l
tunnel-group xx.xx.xx.121 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh xx.xx.xx.0 255.255.255.0 outside
ssh xx.xx.xx.0 255.255.255.0 outside
ssh xx.xx.xx.120 255.255.255.248 outside
ssh xx.xx.xx.120 255.255.255.252 outside
ssh xx.xx.xx.0 255.255.255.0 outside
ssh 172.16.0.0 255.255.0.0 inside
ssh 172.16.200.0 255.255.255.128 inside
ssh 172.16.200.128 255.255.255.128 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
inspect icmp error
!
service-policy global_policy global
ntp server 216.110.214.9 source outside prefer
Cryptochecksum:0ea1879c0c8
office-fw#
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER