m_clarkson
asked on
Cisco ASA 5510 + 5 * Cisco 877 VPN routing issue
Hi
I have 1 * Cisco ASA 5510 with VPN's to 5 * Cisco 877 routers in a hub and spoke arrangement.
IP subnets are as follows
ASA5510 = 10.10.100.0/24 (hub)
877 #1 = 10.10.101.0/24
877 #1 = 10.10.102.0/24
877 #1 = 10.10.103.0/24
877 #1 = 10.10.104.0/24
877 #1 = 10.10.105.0/24
The ASA5510 (hub) is able to ping every site, but each of the spoke sites can only communicate with the hub site.
How can I enable full vpn routing so that each spoke site is able to communicate with the other spoke sites (ie have 10.10.101.1 ping 10.10.102.1 routing via the hub)?
I have tried playing with the local/remote subnet definitions of the VPN tunnels
(ie - setting the remote lan subnet on each spoke router = 10.10.0.0/16 and matching it on the ASA)
but this seems to have no effect.
I suspect the issue is with either the NAT rules or the Access rules, but I am not sure.
I have attached the config from the ASA5510 and one of the 877 spoke routers.
Any help would be greatly appreciated.
regards
Mike
Cisco 877 Spoke Config
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret *****
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name *****
!
!
crypto pki trustpoint TP-self-signed-2465651109
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certifi
 revocation-check none
 rsakeypair TP-self-signed-2465651109
!
!
crypto pki certificate chain TP-self-signed-2465651109
 certificate self-signed 01
 *****
 quit
!
!
username ***** privilege 15 view root secret *****
!
!
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ***** address *****
!
!
crypto ipsec transform-set ESP_AES128_SHA esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to hub
 set peer *****
 set security-association lifetime kilobytes 10240000
 set security-association lifetime seconds 86400
 set transform-set ESP_AES128_SHA
 set pfs group2
 match address 100
 reverse-route
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/100
 encapsulation aal5mux ppp dialer
 dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-
 ip address 10.10.105.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ***** password *****
 crypto map SDM_CMAP_1
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip flow-top-talkers
 top 200
 sort-by bytes
 cache-timeout 60000
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.105.10 3389 interface Dialer0 3389
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.105.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.10.105.0 0.0.0.255
access-list 2 deny  any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.105.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny  ip 10.10.105.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 10.10.105.0 0.0.0.255 any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.105.0 0.0.0.255 any
access-list 102 deny  ip any any
dialer-list 1 protocol ip permit
snmp-server community ***** RO
snmp-server location *****
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login ^C************************
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
**************************
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 10.10.100.10 prefer
end
Cisco ASA5510 Hub Config
ASA Version 8.0(2)
!
hostname *****
domain-name *****
enable password km/8fxAASy.D7Aeu encrypted
names
name ***** CRM-Public description CRM Server 10.10.100.13
name ***** DC-Public description Domain Controller 10.10.100.10
name ***** EXCHANGE-Public description Exchange Server 10.10.100.11
name ***** SQL-Public description SQL Server 10.10.100.12
name 10.10.100.13 CRM-Private description CRM Server Internal Address
name 10.10.100.10 DC-Private description Domain Controller Internal Address
name 10.10.100.11 EXCHANGE-Private description Exchange Server Internal Address
name 10.10.100.12 SQL-Private description SQL Server Internal Address
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address ***** *****
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd ***** encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
dns server-group DefaultDNS
 domain-name *****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network *****
 description 10.10.104.0/24
 network-object 10.10.104.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_20_cryptomap extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.104.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.103.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.105.0 255.255.255.0
access-list outside_access_in extended permit tcp any host DC-Public eq 3389
access-list outside_access_in extended permit tcp any host EXCHANGE-Public eq www
access-list outside_access_in extended permit tcp any host EXCHANGE-Public eq https
access-list outside_access_in extended permit tcp any host EXCHANGE-Public eq smtp
access-list RemoteAccess_splitTunnelAc
access-list outside_40_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.101.0 255.255.255.0
access-list outside_80_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.102.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.104.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.10.100.0 255.255.255.0 10.10.104.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.103.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.10.105.0 255.255.255.0
pager lines 24
logging enable
logging list vpn_debug level informational class vpn
logging asdm emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteAccess 10.10.100.200-10.10.100.25
ip local pool RA_Test 172.30.30.100-172.30.30.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
global (outside) 11 DC-Public netmask 255.255.255.0
global (outside) 12 EXCHANGE-Public netmask 255.255.255.0
global (outside) 13 SQL-Public netmask 255.255.255.0
global (outside) 14 CRM-Public netmask 255.255.255.0
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) DC-Public DC-Private netmask 255.255.255.255
static (inside,outside) EXCHANGE-Public EXCHANGE-Private netmask 255.255.255.255
static (inside,outside) SQL-Public SQL-Private netmask 255.255.255.255
static (inside,outside) CRM-Public CRM-Private netmask 255.255.255.255
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
aaa-server Active_Directory protocol nt
 max-failed-attempts 5
aaa-server Active_Directory host DC-Private
 timeout 5
 nt-auth-domain-controller *****
nac-policy DfltGrpPolicy-nac-framewor
 reval-period 36000
 sq-period 300
http server enable
http 10.10.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside DC-Private poll community *****
snmp-server location *****
snmp-server contact administrator
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer *****
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 10240000
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer *****
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 2 set security-association lifetime kilobytes 10240000
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer ****
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 3 set security-association lifetime kilobytes 10240000
crypto map outside_map 3 set reverse-route
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer *****
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer *****
crypto map outside_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map 40 set security-association lifetime seconds 86400
crypto map outside_map 40 set security-association lifetime kilobytes 10240000
crypto map outside_map 40 set reverse-route
crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer *****
crypto map outside_map 80 set transform-set ESP-AES-128-SHA
crypto map outside_map 80 set security-association lifetime seconds 86400
crypto map outside_map 80 set security-association lifetime kilobytes 10240000
crypto map outside_map 80 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet DC-Private 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny Â
 inspect sunrpc
 inspect xdmcp
 inspect sip Â
 inspect netbios
 inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 10
 nac-settings value DfltGrpPolicy-nac-framewor
 webvpn
 svc dpd-interval client none
 svc dpd-interval gateway none
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 10.10.100.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAc
 default-domain value *****
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool RA_Test
 authentication-server-grou
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
smtp-server 10.10.100.11
prompt hostname context
Cryptochecksum:11027bd3f08
: end
asdm image disk0:/asdm-602.bin
asdm history enable
I have 1 * Cisco ASA 5510 with VPN's to 5 * Cisco 877 routers in a hub and spoke arrangement.
IP subnets are as follows
ASA5510 = 10.10.100.0/24 (hub)
877 #1 = 10.10.101.0/24
877 #1 = 10.10.102.0/24
877 #1 = 10.10.103.0/24
877 #1 = 10.10.104.0/24
877 #1 = 10.10.105.0/24
The ASA5510 (hub) is able to ping every site, but each of the spoke sites can only communicate with the hub site.
How can I enable full vpn routing so that each spoke site is able to communicate with the other spoke sites (ie have 10.10.101.1 ping 10.10.102.1 routing via the hub)?
I have tried playing with the local/remote subnet definitions of the VPN tunnels
(ie - setting the remote lan subnet on each spoke router = 10.10.0.0/16 and matching it on the ASA)
but this seems to have no effect.
I suspect the issue is with either the NAT rules or the Access rules, but I am not sure.
I have attached the config from the ASA5510 and one of the 877 spoke routers.
Any help would be greatly appreciated.
regards
Mike
Cisco 877 Spoke Config
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret *****
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name *****
!
!
crypto pki trustpoint TP-self-signed-2465651109
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certifi
 revocation-check none
 rsakeypair TP-self-signed-2465651109
!
!
crypto pki certificate chain TP-self-signed-2465651109
 certificate self-signed 01
 *****
 quit
!
!
username ***** privilege 15 view root secret *****
!
!
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ***** address *****
!
!
crypto ipsec transform-set ESP_AES128_SHA esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to hub
 set peer *****
 set security-association lifetime kilobytes 10240000
 set security-association lifetime seconds 86400
 set transform-set ESP_AES128_SHA
 set pfs group2
 match address 100
 reverse-route
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/100
 encapsulation aal5mux ppp dialer
 dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-
 ip address 10.10.105.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ***** password *****
 crypto map SDM_CMAP_1
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip flow-top-talkers
 top 200
 sort-by bytes
 cache-timeout 60000
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.105.10 3389 interface Dialer0 3389
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.105.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.10.105.0 0.0.0.255
access-list 2 deny  any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.105.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny  ip 10.10.105.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 10.10.105.0 0.0.0.255 any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.105.0 0.0.0.255 any
access-list 102 deny  ip any any
dialer-list 1 protocol ip permit
snmp-server community ***** RO
snmp-server location *****
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login ^C************************
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
**************************
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 10.10.100.10 prefer
end
Cisco ASA5510 Hub Config
ASA Version 8.0(2)
!
hostname *****
domain-name *****
enable password km/8fxAASy.D7Aeu encrypted
names
name ***** CRM-Public description CRM Server 10.10.100.13
name ***** DC-Public description Domain Controller 10.10.100.10
name ***** EXCHANGE-Public description Exchange Server 10.10.100.11
name ***** SQL-Public description SQL Server 10.10.100.12
name 10.10.100.13 CRM-Private description CRM Server Internal Address
name 10.10.100.10 DC-Private description Domain Controller Internal Address
name 10.10.100.11 EXCHANGE-Private description Exchange Server Internal Address
name 10.10.100.12 SQL-Private description SQL Server Internal Address
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address ***** *****
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd ***** encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
dns server-group DefaultDNS
 domain-name *****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network *****
 description 10.10.104.0/24
 network-object 10.10.104.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_20_cryptomap extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.104.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.103.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 10.10.105.0 255.255.255.0
access-list outside_access_in extended permit tcp any host DC-Public eq 3389
access-list outside_access_in extended permit tcp any host EXCHANGE-Public eq www
access-list outside_access_in extended permit tcp any host EXCHANGE-Public eq https
access-list outside_access_in extended permit tcp any host EXCHANGE-Public eq smtp
access-list RemoteAccess_splitTunnelAc
access-list outside_40_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.101.0 255.255.255.0
access-list outside_80_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.102.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.104.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.10.100.0 255.255.255.0 10.10.104.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.100.0 255.255.255.0 10.10.103.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.10.105.0 255.255.255.0
pager lines 24
logging enable
logging list vpn_debug level informational class vpn
logging asdm emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteAccess 10.10.100.200-10.10.100.25
ip local pool RA_Test 172.30.30.100-172.30.30.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
global (outside) 11 DC-Public netmask 255.255.255.0
global (outside) 12 EXCHANGE-Public netmask 255.255.255.0
global (outside) 13 SQL-Public netmask 255.255.255.0
global (outside) 14 CRM-Public netmask 255.255.255.0
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) DC-Public DC-Private netmask 255.255.255.255
static (inside,outside) EXCHANGE-Public EXCHANGE-Private netmask 255.255.255.255
static (inside,outside) SQL-Public SQL-Private netmask 255.255.255.255
static (inside,outside) CRM-Public CRM-Private netmask 255.255.255.255
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
aaa-server Active_Directory protocol nt
 max-failed-attempts 5
aaa-server Active_Directory host DC-Private
 timeout 5
 nt-auth-domain-controller *****
nac-policy DfltGrpPolicy-nac-framewor
 reval-period 36000
 sq-period 300
http server enable
http 10.10.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside DC-Private poll community *****
snmp-server location *****
snmp-server contact administrator
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer *****
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes 10240000
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer *****
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 2 set security-association lifetime kilobytes 10240000
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer ****
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 3 set security-association lifetime kilobytes 10240000
crypto map outside_map 3 set reverse-route
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer *****
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer *****
crypto map outside_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map 40 set security-association lifetime seconds 86400
crypto map outside_map 40 set security-association lifetime kilobytes 10240000
crypto map outside_map 40 set reverse-route
crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer *****
crypto map outside_map 80 set transform-set ESP-AES-128-SHA
crypto map outside_map 80 set security-association lifetime seconds 86400
crypto map outside_map 80 set security-association lifetime kilobytes 10240000
crypto map outside_map 80 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet DC-Private 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny Â
 inspect sunrpc
 inspect xdmcp
 inspect sip Â
 inspect netbios
 inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 10
 nac-settings value DfltGrpPolicy-nac-framewor
 webvpn
 svc dpd-interval client none
 svc dpd-interval gateway none
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 10.10.100.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAc
 default-domain value *****
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool RA_Test
 authentication-server-grou
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
smtp-server 10.10.100.11
prompt hostname context
Cryptochecksum:11027bd3f08
: end
asdm image disk0:/asdm-602.bin
asdm history enable
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.