Cisco ASA VPN users can't access DMZ

Solved
Posted on 2008-09-29
Last Modified: 2012-06-21
I have a few VPN sites that I need to connect to my DMZ. I am testing out only one for now. I have attached the ASA config. The office that I am trying to connect right now is the one named cwoffice, which has the network ID 172.29.37.0.

DMZ = 172.29.70.0
VPN = 172.29.37.0
Inside = 172.29.1.0

I created my access-list and applied it to my nat 0 statement.  I'm not sure what else I might be missing.  I appreciate your time in looking this over.

access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.1.0 255.255.255.0
nat (dmz) 0 access-list vpntodmz
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.29.1.3 255.255.255.192
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.29.70.3 255.255.255.192
!
interface Ethernet0/3
 no nameif
 no security-level
 ip address 192.168.251.6 255.255.255.252
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.251.2 255.255.255.252
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.100.1
same-security-traffic permit intra-interface
object-group network trustedVpn
 network-object 172.25.0.0 255.255.240.0
 network-object 172.28.1.0 255.255.255.0
 network-object 172.29.0.0 255.255.224.0
 network-object 172.29.1.0 255.255.255.0
 network-object 172.29.130.0 255.255.255.0
 network-object 172.29.15.0 255.255.255.0
 network-object 172.29.3.0 255.255.255.0
 network-object 172.29.30.0 255.255.255.0
 network-object 172.29.31.0 255.255.255.0
 network-object 172.29.32.0 255.255.255.0
 network-object 172.29.33.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.199.0 255.255.255.0
 network-object 192.168.251.0 255.255.255.252
 network-object 192.168.251.4 255.255.255.252
 network-object 192.168.99.0 255.255.255.0
 network-object 10.0.0.0 255.255.255.0
 network-object 172.29.34.0 255.255.255.0
 network-object 172.29.37.0 255.255.255.0
 network-object 172.29.70.0 255.255.255.192
object-group service DSI_TCP tcp
 port-object range 2332 2332
 port-object range 5004 5004
object-group service DSI_UDP udp
 port-object range 17335 17335
 port-object range 22334 22335
 port-object range 2332 2332
 port-object range 5004 5004
access-list 2010 extended permit udp any host xxx.xxx.238.6 eq isakmp log
access-list 2010 extended permit esp any host xxx.xxx.238.6 log
access-list 2010 extended permit ip host xxx.xxx.156.164 xxx.xxx.238.0 255.255.255.0 log
access-list 2010 extended permit ip 172.29.15.0 255.255.255.0 192.168.100.0 255.255.255.0 log
access-list 2010 extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 log
access-list 2010 extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0
access-list 2010 extended permit ip 172.29.33.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 2010 extended permit icmp host xxx.xxx.74.142 192.168.100.0 255.255.255.0 echo-reply
access-list 2010 extended permit tcp any object-group DSI_TCP host xxx.xxx.252.85
access-list 2010 extended permit udp any object-group DSI_UDP host xxx.xxx.252.85
access-list 2010 extended deny ip any any inactive
access-list 2010 extended permit icmp host xxx.xxx.74.142 192.168.100.0 255.255.255.0
access-list 2010 extended permit icmp host xxx.xxx.74.142 172.29.1.0 255.255.255.0
access-list 2010 extended permit icmp host xxx.xxx.74.142 172.29.1.0 255.255.255.0 echo-reply
access-list 2020 extended permit ip any any
access-list Admin_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list Admin_splitTunnelAcl standard permit 172.25.0.0 255.255.240.0
access-list Admin_splitTunnelAcl standard permit 172.29.0.0 255.255.224.0
access-list Admin_splitTunnelAcl standard permit 172.29.70.0 255.255.255.192
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 172.29.0.0 255.255.224.0
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.25.0.0 255.255.240.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.25.0.0 255.255.240.0
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.0.0 255.255.224.0
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.29.0.0 255.255.224.0
access-list nonat extended permit ip 172.29.30.0 255.255.255.0 any
access-list nonat extended permit ip any 172.29.3.0 255.255.255.0
access-list nonat extended permit ip 172.29.30.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.28.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.130.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.31.0 255.255.255.0
access-list nonat extended permit ip 172.29.31.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 any
access-list nonat extended permit ip 172.29.1.0 255.255.255.0 172.29.32.0 255.255.255.0
access-list nonat extended permit ip 172.29.33.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0
access-list nonat extended permit ip 172.29.33.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.29.33.0 255.255.255.0 172.29.1.0 255.255.255.0
access-list nonat extended permit ip any 172.29.33.0 255.255.255.0
access-list nonat extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6
access-list nonat extended permit ip host 172.29.0.0 host xxx.xxx.238.6
access-list nonat extended permit ip host xxx.xxx.74.142 host xxx.xxx.238.6
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 172.29.34.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.34.0 255.255.255.0
access-list nonat extended permit ip 172.29.35.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.35.0 255.255.255.0
access-list nonat extended permit ip 172.29.36.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.36.0 255.255.255.0
access-list nonat extended permit ip 172.29.37.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0
access-list BREA extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list BREA extended permit ip 172.25.0.0 255.255.240.0 192.168.99.0 255.255.255.0
access-list BREA extended permit ip 172.29.0.0 255.255.224.0 192.168.99.0 255.255.255.0
access-list BREA extended permit ip 192.168.100.0 255.255.255.0 172.29.30.0 255.255.255.0
access-list BREA extended permit ip 172.25.0.0 255.255.240.0 172.29.30.0 255.255.255.0
access-list BREA extended permit ip 172.29.0.0 255.255.224.0 172.29.30.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0
access-list Test01 standard permit 192.168.100.0 255.255.255.0
access-list Brian extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0
access-list Brian extended permit ip 172.25.0.0 255.255.240.0 172.29.15.0 255.255.255.0
access-list Brian extended permit ip 172.29.0.0 255.255.224.0 172.29.15.0 255.255.255.0
access-list Outside_40_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list TEST extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list TEST extended permit ip 172.25.0.0 255.255.240.0 192.168.199.0 255.255.255.0
access-list TEST extended permit ip 172.29.0.0 255.255.224.0 192.168.199.0 255.255.255.0
access-list TEST extended permit ip 192.168.100.0 255.255.255.0 172.29.130.0 255.255.255.0
access-list TEST extended permit ip 172.25.0.0 255.255.240.0 172.29.130.0 255.255.255.0
access-list TEST extended permit ip 172.29.0.0 255.255.224.0 172.29.130.0 255.255.255.0
access-list GST-LA extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list GST-LA extended permit ip 172.25.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list GST-LA extended permit ip 172.29.0.0 255.255.224.0 192.168.1.0 255.255.255.0
access-list GST-LA extended permit ip 192.168.100.0 255.255.255.0 172.29.31.0 255.255.255.0
access-list GST-LA extended permit ip 172.25.0.0 255.255.240.0 172.29.31.0 255.255.255.0
access-list GST-LA extended permit ip 172.29.0.0 255.255.224.0 172.29.31.0 255.255.255.0
access-list GST extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0
access-list GST extended permit ip 172.25.0.0 255.255.240.0 172.29.32.0 255.255.255.0
access-list GST extended permit ip 172.29.0.0 255.255.224.0 172.29.32.0 255.255.255.0
access-list RUNSPRGS extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0
access-list RUNSPRGS extended permit ip 172.25.0.0 255.255.240.0 172.29.33.0 255.255.255.0
access-list RUNSPRGS extended permit ip 172.29.0.0 255.255.224.0 172.29.33.0 255.255.255.0
access-list inside_20_cryptomap extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6
access-list Outside_100_cryptomap extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6
access-list Outside_120_cryptomap extended permit ip host 172.29.0.0 host xxx.xxx.238.6
access-list Outside_140_cryptomap extended permit ip host xxx.xxx.74.142 host xxx.xxx.238.6
access-list TCT extended permit ip 192.168.100.0 255.255.255.0 172.29.34.0 255.255.255.0
access-list TCT extended permit ip 172.25.0.0 255.255.240.0 172.29.34.0 255.255.255.0
access-list TCT extended permit ip 172.29.0.0 255.255.224.0 172.29.34.0 255.255.255.0
access-list TCT extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list TCT extended permit ip 172.29.0.0 255.255.224.0 10.0.0.0 255.255.255.0
access-list TCT extended permit ip 172.25.0.0 255.255.240.0 10.0.0.0 255.255.255.0
access-list extended extended permit ip 10.0.0.0 255.255.255.0 any
access-list extended extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list LR extended permit ip 172.29.0.0 255.255.192.0 172.29.36.0 255.255.255.0
access-list LR extended permit ip 172.25.0.0 255.255.240.0 172.29.36.0 255.255.255.0
access-list LR extended permit ip 192.168.100.0 255.255.255.0 172.29.36.0 255.255.255.0
access-list TESTNET extended permit ip 192.168.100.0 255.255.255.0 172.29.35.0 255.255.255.0
access-list TESTNET extended permit ip 172.25.0.0 255.255.240.0 172.29.35.0 255.255.255.0
access-list TESTNET extended permit ip 172.29.0.0 255.255.192.0 172.29.35.0 255.255.255.0
access-list cwoffice extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0
access-list cwoffice extended permit ip 172.25.0.0 255.255.240.0 172.29.37.0 255.255.255.0
access-list cwoffice extended permit ip 172.29.0.0 255.255.192.0 172.29.37.0 255.255.255.0
access-list cwoffice extended permit ip 172.29.70.0 255.255.255.192 172.29.37.0 255.255.255.0
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging emblem
logging console alerts
logging monitor alerts
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool Admin-VPN-Pool-1 172.29.3.1-172.29.3.254 mask 255.255.255.0
ip verify reverse-path interface Outside
no failover
failover lan unit primary
no monitor-interface Outside
no monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Outside) 1 172.29.0.0 255.255.224.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpntodmz
access-group 2010 in interface Outside
access-group 2020 out interface inside
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.238.1 1
route inside 192.168.100.0 255.255.255.0 172.29.1.9 1
route inside 172.25.0.0 255.255.240.0 172.29.1.9 1
route inside 172.29.0.0 255.255.255.0 172.29.1.9 1
route inside 172.29.1.0 255.255.255.0 172.29.1.9 1
route inside 172.29.2.0 255.255.255.0 172.29.1.9 1
route inside 172.29.3.0 255.255.255.0 172.29.1.9 1
route inside 172.29.4.0 255.255.255.0 172.29.1.9 1
route inside 172.29.5.0 255.255.255.0 172.29.1.9 1
route inside 172.29.6.0 255.255.255.0 172.29.1.9 1
route inside 172.29.7.0 255.255.255.0 172.29.1.9 1
route inside 172.29.8.0 255.255.255.0 172.29.1.9 1
route inside 172.29.9.0 255.255.255.0 172.29.1.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server xxx.xxx protocol radius
aaa-server xxx.xxx host 192.168.100.7
 key xxx.xxx
 authentication-port 1812
 accounting-port 1813
aaa-server DisSDI protocol sdi
aaa-server DisSDI host 192.168.100.7
group-policy xxx.xxx.96.248 internal
group-policy xxx.xxx.96.248 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
group-policy xxx.xxx.20.185 internal
group-policy xxx.xxx.20.185 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
group-policy xxx.xxx.198.192 internal
group-policy xxx.xxx.198.192 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
group-policy xxx.xxx.74.142 internal
group-policy xxx.xxx.74.142 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
group-policy xxx.xxx.178.83 internal
group-policy xxx.xxx.178.83 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
group-policy xxx.xxx.97.250 internal
group-policy xxx.xxx.97.250 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
group-policy xxx.xxx.106.234 internal
group-policy xxx.xxx.106.234 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
group-policy BGTEST internal
group-policy BGTEST attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
group-policy Admin-Policy internal
group-policy Admin-Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admin_splitTunnelAcl
group-policy xxx.xxx.89.106 internal
group-policy xxx.xxx.89.106 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
group-policy RemoteSupport internal
group-policy RemoteSupport attributes
 vpn-tunnel-protocol IPSec
group-policy Dispatch internal
group-policy Dispatch attributes
 wins-server value 192.168.100.1 192.168.100.8
 dns-server value 192.168.100.1 192.168.100.8
 vpn-tunnel-protocol IPSec
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 172.29.0.0 255.255.224.0 inside
no snmp-server location
no snmp-server contact
snmp-server community xxx.xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set pfs
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set pfs
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 40 match address BREA
crypto map Outside_map 40 set peer xxx.xxx.106.234
crypto map Outside_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 50 match address GST-LA
crypto map Outside_map 50 set peer xxx.xxx.89.106
crypto map Outside_map 50 set transform-set ESP-3DES-SHA
crypto map Outside_map 60 match address GST
crypto map Outside_map 60 set peer xxx.xxx.74.142
crypto map Outside_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 70 match address GST-LA
crypto map Outside_map 70 set peer xxx.xxx.178.83
crypto map Outside_map 70 set transform-set ESP-3DES-SHA
crypto map Outside_map 80 match address RUNSPRGS
crypto map Outside_map 80 set peer xxx.xxx.96.248
crypto map Outside_map 80 set transform-set ESP-3DES-SHA
crypto map Outside_map 100 match address Outside_100_cryptomap
crypto map Outside_map 100 set pfs
crypto map Outside_map 100 set peer xxx.xxx.178.83
crypto map Outside_map 100 set transform-set ESP-3DES-SHA
crypto map Outside_map 120 match address Outside_120_cryptomap
crypto map Outside_map 120 set pfs
crypto map Outside_map 120 set peer xxx.xxx.238.6
crypto map Outside_map 120 set transform-set ESP-3DES-SHA
crypto map Outside_map 140 match address Outside_140_cryptomap
crypto map Outside_map 140 set pfs
crypto map Outside_map 140 set peer xxx.xxx.74.142
crypto map Outside_map 140 set transform-set ESP-3DES-SHA
crypto map Outside_map 150 match address TCT
crypto map Outside_map 150 set peer xxx.xxx.97.250
crypto map Outside_map 150 set transform-set ESP-3DES-SHA
crypto map Outside_map 160 match address TESTNET
crypto map Outside_map 160 set peer xxx.xxx.89.106
crypto map Outside_map 160 set transform-set ESP-3DES-SHA
crypto map Outside_map 170 match address LR
crypto map Outside_map 170 set peer xxx.xxx.198.192
crypto map Outside_map 170 set transform-set ESP-3DES-SHA
crypto map Outside_map 180 match address cwoffice
crypto map Outside_map 180 set peer xxx.xxx.20.185
crypto map Outside_map 180 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map inside_map 20 match address inside_20_cryptomap
crypto map inside_map 20 set pfs
crypto map inside_map 20 set peer xxx.xxx.238.6
crypto map inside_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable Outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group xxx.xxx.74.142 type ipsec-l2l
tunnel-group xxx.xxx.74.142 general-attributes
 default-group-policy xxx.xxx.74.142
tunnel-group xxx.xxx.74.142 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group Admin type ipsec-ra
tunnel-group Admin general-attributes
 address-pool Admin-VPN-Pool-1
 default-group-policy Admin-Policy
tunnel-group Admin ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.106.234 type ipsec-l2l
tunnel-group xxx.xxx.106.234 general-attributes
 default-group-policy xxx.xxx.106.234
tunnel-group xxx.xxx.106.234 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx type ipsec-ra
tunnel-group xxx.xxx general-attributes
 address-pool Admin-VPN-Pool-1
 authentication-server-group DisSDI
 default-group-policy xxx.xxx
tunnel-group Dispatch ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.89.106 type ipsec-l2l
tunnel-group xxx.xxx.89.106 general-attributes
 default-group-policy xxx.xxx.89.106
tunnel-group xxx.xxx.89.106 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.96.248 type ipsec-l2l
tunnel-group xxx.xxx.96.248 general-attributes
 default-group-policy xxx.xxx.96.248
tunnel-group xxx.xxx.96.248 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group RemoteSupport type ipsec-ra
tunnel-group RemoteSupport general-attributes
 address-pool Admin-VPN-Pool-1
 default-group-policy RemoteSupport
tunnel-group RemoteSupport ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.238.6 type ipsec-l2l
tunnel-group xxx.xxx.238.6 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.178.83 type ipsec-l2l
tunnel-group xxx.xxx.178.83 general-attributes
 default-group-policy xxx.xxx.96.248
tunnel-group xxx.xxx.178.83 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.97.250 type ipsec-l2l
tunnel-group xxx.xxx.97.250 general-attributes
 default-group-policy xxx.xxx.97.250
tunnel-group xxx.xxx.97.250 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.198.192 type ipsec-l2l
tunnel-group xxx.xxx.198.192 general-attributes
 default-group-policy xxx.xxx.198.192
tunnel-group xxx.xxx.198.192 ipsec-attributes
 pre-shared-key xxx.xxx
tunnel-group xxx.xxx.20.185 type ipsec-l2l
tunnel-group xxx.xxx.20.185 general-attributes
 default-group-policy xxx.xxx.20.185
tunnel-group xxx.xxx.20.185 ipsec-attributes
 pre-shared-key xxx.xxx
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 172.29.0.0 255.255.224.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
console timeout 60
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp authenticate
prompt hostname context
: end

Question by: Swarley
 
Expert Comment by: Pugglewuggle
You got the NAT exemption right for the inside interface, but try adding this to enable it for VPN clients:
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.37.0 255.255.255.0

Author Comment by: Swarley
I added both entries but the VPN users still can't see the DMZ.

Author Comment by: Swarley
Would it matter that the servers on the DMZ do not use this ASA as their gateway?

Expert Comment by: Pugglewuggle
Yes it does. :-) Do they have public IP addresses?

Author Comment by: Swarley
The servers themselves do not have public addresses. They are mapped from the firewall. Here is a quick little layout.

http://i316.photobucket.com/albums/mm354/Swarl3y/Layout-1.jpg


Author Comment by: Swarley
Even if the servers aren't using the VPN ASA as a gateway, shouldn't they still be able to contact that DMZ interface?

Also, what would be the best way for me to have the VPN users get to the DMZ servers?

Expert Comment by: Pugglewuggle
So the ASA is not handling the VPN? You have a separate device?

Author Comment by: Swarley
I have 2 ASAs.  One as a firewall and one for VPN.  They're both in the diagram in the link above.

Expert Comment by: Pugglewuggle
That could be the problem - can you please post the configs for both of them in separate posts so I can analyze them?

Author Comment by: Swarley
Firewall
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xxx.xxx.238.4 255.255.255.0 standby xxx.xxx.238.5
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address 172.29.1.1 255.255.255.192 standby 172.29.1.2
!
interface Ethernet0/1.179
 description Network Managers
 vlan 179
 nameif Mgt-Network-VL179
 security-level 100
 ip address 10.1.179.11 255.255.255.0 standby 10.1.179.12
!
interface Ethernet0/2
 description DMZ Interface
 nameif dmz
 security-level 50
 ip address 172.29.70.1 255.255.255.192 standby 172.29.70.2
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 description LAN Failover Interface
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object-group service Mail-Servers tcp
 description Mail-Servers
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object range 995 995
 port-object eq pop3
object-group service Video-Cameras tcp
 description Video-Cameras
 port-object eq www
 port-object eq https
object-group service DSI_Servers_TCP tcp
 port-object eq 5004
 port-object eq 2332
 port-object eq 22335
 port-object eq 22334
 port-object eq 17335
object-group service DSI_Servers_Tc tcp
object-group service DSI_Servers_T tcp
 port-object eq 5004
 port-object eq 2332
 port-object range 3389 3389
object-group service DSI_Servers_U udp
 port-object eq 22335
 port-object eq 22334
 port-object eq 17335
 port-object eq 2332
 port-object eq 5004
access-list 2010 extended permit tcp any host xxx.xxx.252.82 object-group Mail-Servers log
access-list 2010 extended permit tcp any host xxx.xxx.252.83 eq www log
access-list 2010 extended permit tcp any host xxx.xxx.252.83 eq https
access-list 2010 extended permit tcp any host xxx.xxx.238.30 object-group Video-Cameras log
access-list 2010 extended permit udp any host xxx.xxx.238.20 eq tftp inactive
access-list 2010 extended permit icmp any host xxx.xxx.252.82 echo log inactive
access-list 2010 extended permit icmp any any log
access-list 2010 extended permit ip host xxx.xxx.156.164 76.204.238.0 255.255.255.0 log
access-list 2010 extended permit tcp any host xxx.xxx.252.85 object-group DSI_Servers_T log
access-list 2010 extended permit udp any host xxx.xxx.252.85 object-group DSI_Servers_U log
access-list 2010 extended permit tcp any host xxx.xxx.238.31 eq ftp
access-list 2010 extended permit tcp any host xxx.xxx.238.45 eq 3389
access-list 2010 extended permit tcp any host xxx.xxx.238.46 eq 5900 inactive
access-list 2010 extended permit tcp any host xxx.xxx.238.47 object-group Mail-Servers
access-list 2010 extended permit tcp xxx.xxx 255.255.255.240 host xxx.xxx.238.48 eq 5900
access-list 2010 extended permit tcp any host xxx.xxx.238.49 eq www
access-list 2010 extended permit tcp any host xxx.xxx.238.49 eq citrix-ica
access-list 2010 extended permit tcp any host xxx.xxx.238.49 eq 3389
access-list 2010 extended permit tcp any host xxx.xxx.238.49 eq https
access-list 2010 extended permit tcp any host xxx.xxx.238.50 eq ssh
access-list 2010 extended permit udp any host xxx.xxx.238.45 eq tftp inactive
access-list 2010 extended permit tcp any host xxx.xxx.238.60 eq www
access-list 2020 extended permit ip any any
access-list 2030 extended permit ip any any
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 172.29.0.0 255.255.224.0
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.25.0.0 255.255.240.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.25.0.0 255.255.240.0
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.0.0 255.255.224.0
access-list nonat extended permit ip 172.29.0.0 255.255.224.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.25.0.0 255.255.240.0 172.25.0.0 255.255.240.0
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 172.29.1.0 255.255.255.0
access-list nonat extended permit ip 172.29.1.0 255.255.255.0 172.29.32.0 255.255.255.0
access-list nonat extended permit ip 172.29.32.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0
access-list Mgt-VPN-VL72_access_in extended permit ip 172.29.1.0 255.255.255.192 xxx.xxx.72.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.0.0 255.255.0.0
access-list dmztoin remark Web Service
access-list dmztoin extended permit tcp host 172.29.70.10 host 172.29.70.11 eq 8080
access-list dmztoin remark SQL Server
access-list dmztoin extended permit tcp host 172.29.70.10 host 172.29.70.12 eq 1433
access-list dmztoin remark SQL Probe
access-list dmztoin extended permit udp host 172.29.70.10 host 172.29.70.12 eq 1434
access-list dmztoin extended deny ip 172.29.70.0 255.255.255.192 host 172.29.70.11
access-list dmztoin extended deny ip 172.29.70.0 255.255.255.192 host 172.29.70.12
access-list dmztoin extended permit ip any any
pager lines 24
logging enable
logging standby
logging emblem
logging buffer-size 104856
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu Mgt-Network-VL179 1500
mtu dmz 1500
ip verify reverse-path interface Outside
failover
failover lan interface LAN-Failover Management0/0
failover link State Ethernet0/3
failover interface ip LAN-Failover 192.168.250.1 255.255.255.252 standby 192.168.250.2
failover interface ip State 192.168.250.5 255.255.255.252 standby 192.168.250.6
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
asdm location 0.0.0.0 0.0.0.0 Outside
asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 172.29.3.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Mgt-Network-VL179) 1 10.1.179.0 255.255.255.0
nat (dmz) 1 172.29.70.0 255.255.255.192
static (inside,Outside) xxx.xxx.252.82 xxx.xxx netmask 255.255.255.255
static (inside,Outside) xxx.xxx.238.30 192.168.100.84 netmask 255.255.255.255
static (inside,Outside) xxx.xxx.252.85 xxx.xxx netmask 255.255.255.255
static (inside,Outside) xxx.xxx.238.31 xxx.xxx netmask 255.255.255.255
static (inside,Outside) xxx.xxx.238.45 xxx.xxx netmask 255.255.255.255
static (inside,Outside) xxx.xxx.238.46 xxx.xxx netmask 255.255.255.255
static (inside,Outside) xxx.xxx.238.47 xxx.xxx netmask 255.255.255.255
static (inside,Outside) xxx.xxx.238.48 xxx.xxx netmask 255.255.255.255
static (inside,Outside) xxx.xxx.238.49 xxx.xxx netmask 255.255.255.255
static (inside,Outside) xxx.xxx.238.50 192.168.100.93 netmask 255.255.255.255
static (inside,dmz) 172.29.70.11 xxx.xxx netmask 255.255.255.255
static (inside,dmz) 172.29.70.12 192.168.100.91 netmask 255.255.255.255
static (dmz,Outside) xxx.xxx.252.83 172.29.70.10 netmask 255.255.255.255
access-group 2010 in interface Outside
access-group dmztoin in interface dmz
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.238.1 1
route inside 192.168.100.0 255.255.255.0 172.29.1.9 1
route inside 172.29.3.0 255.255.255.0 172.29.1.9 1
route inside 172.29.0.0 255.255.224.0 172.29.1.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.100.0 255.255.255.0 inside
http 172.29.0.0 255.255.224.0 inside
http 10.1.179.0 255.255.255.0 Mgt-Network-VL179
http 172.29.3.0 255.255.255.0 inside
snmp-server host inside 172.29.2.10 community foryourEYEsONLY2$@
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 172.29.0.0 255.255.224.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 30
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
ntp authenticate
ntp server xxx.xxx.233.4 source Outside prefer
smtp-server 192.168.100.9
prompt hostname context
Cryptochecksum:d978aeedbdc9356b557a4e3989812965
: end


Author Comment

by:Swarley
VPN with changes from above
interface Ethernet0/0

 nameif Outside

 security-level 0

 ip address xxx.xxx.xxx.xxx 255.255.255.0 

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 172.29.1.3 255.255.255.192 

!

interface Ethernet0/2

 nameif dmz

 security-level 50

 ip address 172.29.70.3 255.255.255.192 

!

interface Ethernet0/3

 no nameif

 no security-level

 ip address 192.168.251.6 255.255.255.252 

!

interface Management0/0

 no nameif

 no security-level

 ip address 192.168.251.2 255.255.255.252 

!
 

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

 name-server 192.168.100.1

 

same-security-traffic permit intra-interface

object-group network trustedVpn

 network-object 172.25.0.0 255.255.240.0

 network-object 172.28.1.0 255.255.255.0

 network-object 172.29.0.0 255.255.224.0

 network-object 172.29.1.0 255.255.255.0

 network-object 172.29.130.0 255.255.255.0

 network-object 172.29.15.0 255.255.255.0

 network-object 172.29.3.0 255.255.255.0

 network-object 172.29.30.0 255.255.255.0

 network-object 172.29.31.0 255.255.255.0

 network-object 172.29.32.0 255.255.255.0

 network-object 172.29.33.0 255.255.255.0

 network-object 192.168.1.0 255.255.255.0

 network-object 192.168.100.0 255.255.255.0

 network-object 192.168.199.0 255.255.255.0

 network-object 192.168.251.0 255.255.255.252

 network-object 192.168.251.4 255.255.255.252

 network-object 192.168.99.0 255.255.255.0

 network-object 10.0.0.0 255.255.255.0

 network-object 172.29.34.0 255.255.255.0

 network-object 172.29.37.0 255.255.255.0

 network-object 172.29.70.0 255.255.255.192

object-group service DSI_TCP tcp

 port-object range 2332 2332

 port-object range 5004 5004

object-group service DSI_UDP udp

 port-object range 17335 17335

 port-object range 22334 22335

 port-object range 2332 2332

 port-object range 5004 5004

access-list 2010 extended permit udp any host xxx.xxx.238.6 eq isakmp log 

access-list 2010 extended permit esp any host xxx.xxx.238.6 log 

access-list 2010 extended permit ip host xxx.xxx.156.164 xxx.xxx.238.0 255.255.255.0 log 

access-list 2010 extended permit ip 172.29.15.0 255.255.255.0 192.168.100.0 255.255.255.0 log 

access-list 2010 extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 log 

access-list 2010 extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0 

access-list 2010 extended permit ip 172.29.33.0 255.255.255.0 192.168.100.0 255.255.255.0 

access-list 2010 extended permit icmp host xxx.xxx.74.142 192.168.100.0 255.255.255.0 echo-reply 

access-list 2010 extended permit tcp any object-group DSI_TCP host xxx.xxx.252.85 

access-list 2010 extended permit udp any object-group DSI_UDP host xxx.xxx.252.85 

access-list 2010 extended deny ip any any inactive 

access-list 2010 extended permit icmp host xxx.xxx.74.142 192.168.100.0 255.255.255.0 

access-list 2010 extended permit icmp host xxx.xxx.74.142 172.29.1.0 255.255.255.0 

access-list 2010 extended permit icmp host xxx.xxx.74.142 172.29.1.0 255.255.255.0 echo-reply 

access-list 2020 extended permit ip any any 

access-list Admin_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0 

access-list Admin_splitTunnelAcl standard permit 172.25.0.0 255.255.240.0 

access-list Admin_splitTunnelAcl standard permit 172.29.0.0 255.255.224.0 

access-list Admin_splitTunnelAcl standard permit 172.29.70.0 255.255.255.192 

access-list nonat extended permit ip 172.25.0.0 255.255.240.0 172.29.0.0 255.255.224.0 

access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.25.0.0 255.255.240.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.25.0.0 255.255.240.0 

access-list nonat extended permit ip 172.25.0.0 255.255.240.0 192.168.100.0 255.255.255.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.0.0 255.255.224.0 

access-list nonat extended permit ip 172.29.0.0 255.255.224.0 192.168.100.0 255.255.255.0 

access-list nonat extended permit ip 172.29.0.0 255.255.224.0 172.29.0.0 255.255.224.0 

access-list nonat extended permit ip 172.29.30.0 255.255.255.0 any 

access-list nonat extended permit ip any 172.29.3.0 255.255.255.0 

access-list nonat extended permit ip 172.29.30.0 255.255.255.0 192.168.100.0 255.255.255.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.30.0 255.255.255.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.28.1.0 255.255.255.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.130.0 255.255.255.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.31.0 255.255.255.0 

access-list nonat extended permit ip 172.29.31.0 255.255.255.0 any 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0 

access-list nonat extended permit ip 172.29.32.0 255.255.255.0 192.168.100.0 255.255.255.0 

access-list nonat extended permit ip 172.29.32.0 255.255.255.0 any 

access-list nonat extended permit ip 172.29.1.0 255.255.255.0 172.29.32.0 255.255.255.0 

access-list nonat extended permit ip 172.29.33.0 255.255.255.0 any 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0 

access-list nonat extended permit ip 172.29.33.0 255.255.255.0 192.168.100.0 255.255.255.0 

access-list nonat extended permit ip 172.29.33.0 255.255.255.0 172.29.1.0 255.255.255.0 

access-list nonat extended permit ip any 172.29.33.0 255.255.255.0 

access-list nonat extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6 

access-list nonat extended permit ip host 172.29.0.0 host xxx.xxx.238.6 

access-list nonat extended permit ip host xxx.xxx.74.142 host xxx.xxx.238.6 

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 any 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 

access-list nonat extended permit ip 172.29.34.0 255.255.255.0 any 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.34.0 255.255.255.0 

access-list nonat extended permit ip 172.29.35.0 255.255.255.0 any 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.35.0 255.255.255.0 

access-list nonat extended permit ip 172.29.36.0 255.255.255.0 any 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.36.0 255.255.255.0 

access-list nonat extended permit ip 172.29.37.0 255.255.255.0 any 

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0 

access-list BREA extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 

access-list BREA extended permit ip 172.25.0.0 255.255.240.0 192.168.99.0 255.255.255.0 

access-list BREA extended permit ip 172.29.0.0 255.255.224.0 192.168.99.0 255.255.255.0 

access-list BREA extended permit ip 192.168.100.0 255.255.255.0 172.29.30.0 255.255.255.0 

access-list BREA extended permit ip 172.25.0.0 255.255.240.0 172.29.30.0 255.255.255.0 

access-list BREA extended permit ip 172.29.0.0 255.255.224.0 172.29.30.0 255.255.255.0 

access-list Outside_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 

access-list Test01 standard permit 192.168.100.0 255.255.255.0 

access-list Brian extended permit ip 192.168.100.0 255.255.255.0 172.29.15.0 255.255.255.0 

access-list Brian extended permit ip 172.25.0.0 255.255.240.0 172.29.15.0 255.255.255.0 

access-list Brian extended permit ip 172.29.0.0 255.255.224.0 172.29.15.0 255.255.255.0 

access-list Outside_40_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 

access-list TEST extended permit ip 192.168.100.0 255.255.255.0 192.168.199.0 255.255.255.0 

access-list TEST extended permit ip 172.25.0.0 255.255.240.0 192.168.199.0 255.255.255.0 

access-list TEST extended permit ip 172.29.0.0 255.255.224.0 192.168.199.0 255.255.255.0 

access-list TEST extended permit ip 192.168.100.0 255.255.255.0 172.29.130.0 255.255.255.0 

access-list TEST extended permit ip 172.25.0.0 255.255.240.0 172.29.130.0 255.255.255.0 

access-list TEST extended permit ip 172.29.0.0 255.255.224.0 172.29.130.0 255.255.255.0 

access-list GST-LA extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 

access-list GST-LA extended permit ip 172.25.0.0 255.255.240.0 192.168.1.0 255.255.255.0 

access-list GST-LA extended permit ip 172.29.0.0 255.255.224.0 192.168.1.0 255.255.255.0 

access-list GST-LA extended permit ip 192.168.100.0 255.255.255.0 172.29.31.0 255.255.255.0 

access-list GST-LA extended permit ip 172.25.0.0 255.255.240.0 172.29.31.0 255.255.255.0 

access-list GST-LA extended permit ip 172.29.0.0 255.255.224.0 172.29.31.0 255.255.255.0 

access-list GST extended permit ip 192.168.100.0 255.255.255.0 172.29.32.0 255.255.255.0 

access-list GST extended permit ip 172.25.0.0 255.255.240.0 172.29.32.0 255.255.255.0 

access-list GST extended permit ip 172.29.0.0 255.255.224.0 172.29.32.0 255.255.255.0 

access-list RUNSPRGS extended permit ip 192.168.100.0 255.255.255.0 172.29.33.0 255.255.255.0 

access-list RUNSPRGS extended permit ip 172.25.0.0 255.255.240.0 172.29.33.0 255.255.255.0 

access-list RUNSPRGS extended permit ip 172.29.0.0 255.255.224.0 172.29.33.0 255.255.255.0 

access-list inside_20_cryptomap extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6 

access-list Outside_100_cryptomap extended permit ip host xxx.xxx.178.83 host xxx.xxx.238.6 

access-list Outside_120_cryptomap extended permit ip host 172.29.0.0 host xxx.xxx.238.6 

access-list Outside_140_cryptomap extended permit ip host xxx.xxx.74.142 host xxx.xxx.238.6 

access-list TCT extended permit ip 192.168.100.0 255.255.255.0 172.29.34.0 255.255.255.0 

access-list TCT extended permit ip 172.25.0.0 255.255.240.0 172.29.34.0 255.255.255.0 

access-list TCT extended permit ip 172.29.0.0 255.255.224.0 172.29.34.0 255.255.255.0 

access-list TCT extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 

access-list TCT extended permit ip 172.29.0.0 255.255.224.0 10.0.0.0 255.255.255.0 

access-list TCT extended permit ip 172.25.0.0 255.255.240.0 10.0.0.0 255.255.255.0 

access-list extended extended permit ip 10.0.0.0 255.255.255.0 any 

access-list extended extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 

access-list LR extended permit ip 172.29.0.0 255.255.192.0 172.29.36.0 255.255.255.0 

access-list LR extended permit ip 172.25.0.0 255.255.240.0 172.29.36.0 255.255.255.0 

access-list LR extended permit ip 192.168.100.0 255.255.255.0 172.29.36.0 255.255.255.0 

access-list TESTNET extended permit ip 192.168.100.0 255.255.255.0 172.29.35.0 255.255.255.0 

access-list TESTNET extended permit ip 172.25.0.0 255.255.240.0 172.29.35.0 255.255.255.0 

access-list TESTNET extended permit ip 172.29.0.0 255.255.192.0 172.29.35.0 255.255.255.0 

access-list cwoffice extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0 

access-list cwoffice extended permit ip 172.25.0.0 255.255.240.0 172.29.37.0 255.255.255.0 

access-list cwoffice extended permit ip 172.29.0.0 255.255.192.0 172.29.37.0 255.255.255.0 

access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.1.0 255.255.255.0 

access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.37.0 255.255.255.0 

pager lines 24

logging enable

logging timestamp

logging standby

logging emblem

logging console alerts

logging monitor alerts

logging buffered informational

logging asdm informational

mtu Outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool Admin-VPN-Pool-1 172.29.3.1-172.29.3.254 mask 255.255.255.0

ip verify reverse-path interface Outside

no failover

failover lan unit primary

no monitor-interface Outside

no monitor-interface inside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Outside

icmp permit any inside

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (Outside) 1 172.29.0.0 255.255.224.0

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list vpntodmz

nat (dmz) 1 0.0.0.0 0.0.0.0

access-group 2010 in interface Outside

access-group 2020 out interface inside

route Outside 0.0.0.0 0.0.0.0 xxx.xxx.238.1 1

route inside 192.168.100.0 255.255.255.0 172.29.1.9 1

route inside 172.25.0.0 255.255.240.0 172.29.1.9 1

route inside 172.29.0.0 255.255.255.0 172.29.1.9 1

route inside 172.29.1.0 255.255.255.0 172.29.1.9 1

route inside 172.29.2.0 255.255.255.0 172.29.1.9 1

route inside 172.29.3.0 255.255.255.0 172.29.1.9 1

route inside 172.29.4.0 255.255.255.0 172.29.1.9 1

route inside 172.29.5.0 255.255.255.0 172.29.1.9 1

route inside 172.29.6.0 255.255.255.0 172.29.1.9 1

route inside 172.29.7.0 255.255.255.0 172.29.1.9 1

route inside 172.29.8.0 255.255.255.0 172.29.1.9 1

route inside 172.29.9.0 255.255.255.0 172.29.1.9 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server xxx.xxx protocol radius

aaa-server xxx.xxx host 192.168.100.7

 key xxx.xxx

 authentication-port 1812

 accounting-port 1813

aaa-server DisSDI protocol sdi

aaa-server DisSDI host 192.168.100.7

group-policy xxx.xxx.96.248 internal

group-policy xxx.xxx.96.248 attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

group-policy xxx.xxx.20.185 internal

group-policy xxx.xxx.20.185 attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

group-policy xxx.xxx.198.192 internal

group-policy xxx.xxx.198.192 attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

group-policy xxx.xxx.74.142 internal

group-policy xxx.xxx.74.142 attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

group-policy xxx.xxx.178.83 internal

group-policy xxx.xxx.178.83 attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

group-policy xxx.xxx.97.250 internal

group-policy xxx.xxx.97.250 attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

group-policy xxx.xxx.106.234 internal

group-policy xxx.xxx.106.234 attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

group-policy BGTEST internal

group-policy BGTEST attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

group-policy Admin-Policy internal

group-policy Admin-Policy attributes

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value Admin_splitTunnelAcl

group-policy xxx.xxx.89.106 internal

group-policy xxx.xxx.89.106 attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

group-policy RemoteSupport internal

group-policy RemoteSupport attributes

 vpn-tunnel-protocol IPSec 

group-policy Dispatch internal

group-policy Dispatch attributes

 wins-server value 192.168.100.1 192.168.100.8

 dns-server value 192.168.100.1 192.168.100.8

 vpn-tunnel-protocol IPSec 

 

aaa authentication ssh console LOCAL 

http server enable

http 192.168.100.0 255.255.255.0 inside

http 172.29.0.0 255.255.224.0 inside
 

no snmp-server location

no snmp-server contact

snmp-server community xxx.xxx

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto dynamic-map Outside_dyn_map 20 set pfs 

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map Outside_dyn_map 40 set pfs 

crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map Outside_dyn_map 60 set pfs 

crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto map Outside_map 40 match address BREA

crypto map Outside_map 40 set peer xxx.xxx.106.234 

crypto map Outside_map 40 set transform-set ESP-3DES-SHA

crypto map Outside_map 50 match address GST-LA

crypto map Outside_map 50 set peer xxx.xxx.89.106 

crypto map Outside_map 50 set transform-set ESP-3DES-SHA

crypto map Outside_map 60 match address GST

crypto map Outside_map 60 set peer xxx.xxx.74.142 

crypto map Outside_map 60 set transform-set ESP-3DES-SHA

crypto map Outside_map 70 match address GST-LA

crypto map Outside_map 70 set peer xxx.xxx.178.83 

crypto map Outside_map 70 set transform-set ESP-3DES-SHA

crypto map Outside_map 80 match address RUNSPRGS

crypto map Outside_map 80 set peer xxx.xxx.96.248 

crypto map Outside_map 80 set transform-set ESP-3DES-SHA

crypto map Outside_map 100 match address Outside_100_cryptomap

crypto map Outside_map 100 set pfs 

crypto map Outside_map 100 set peer xxx.xxx.178.83 

crypto map Outside_map 100 set transform-set ESP-3DES-SHA

crypto map Outside_map 120 match address Outside_120_cryptomap

crypto map Outside_map 120 set pfs 

crypto map Outside_map 120 set peer xxx.xxx.238.6 

crypto map Outside_map 120 set transform-set ESP-3DES-SHA

crypto map Outside_map 140 match address Outside_140_cryptomap

crypto map Outside_map 140 set pfs 

crypto map Outside_map 140 set peer xxx.xxx.74.142 

crypto map Outside_map 140 set transform-set ESP-3DES-SHA

crypto map Outside_map 150 match address TCT

crypto map Outside_map 150 set peer xxx.xxx.97.250 

crypto map Outside_map 150 set transform-set ESP-3DES-SHA

crypto map Outside_map 160 match address TESTNET

crypto map Outside_map 160 set peer xxx.xxx.89.106 

crypto map Outside_map 160 set transform-set ESP-3DES-SHA

crypto map Outside_map 170 match address LR

crypto map Outside_map 170 set peer xxx.xxx.198.192 

crypto map Outside_map 170 set transform-set ESP-3DES-SHA

crypto map Outside_map 180 match address cwoffice

crypto map Outside_map 180 set peer xxx.xxx.20.185 

crypto map Outside_map 180 set transform-set ESP-3DES-SHA

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

crypto map inside_map 20 match address inside_20_cryptomap

crypto map inside_map 20 set pfs 

crypto map inside_map 20 set peer xxx.xxx.238.6 

crypto map inside_map 20 set transform-set ESP-3DES-SHA

crypto map inside_map interface inside

crypto isakmp enable Outside

crypto isakmp enable inside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

tunnel-group xxx.xxx.74.142 type ipsec-l2l

tunnel-group xxx.xxx.74.142 general-attributes

 default-group-policy xxx.xxx.74.142

tunnel-group xxx.xxx.74.142 ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group Admin type ipsec-ra

tunnel-group Admin general-attributes

 address-pool Admin-VPN-Pool-1

 default-group-policy Admin-Policy

tunnel-group Admin ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group xxx.xxx.106.234 type ipsec-l2l

tunnel-group xxx.xxx.106.234 general-attributes

 default-group-policy xxx.xxx.106.234

tunnel-group xxx.xxx.106.234 ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group xxx.xxx type ipsec-ra

tunnel-group xxx.xxx general-attributes

 address-pool Admin-VPN-Pool-1

 authentication-server-group DisSDI

 default-group-policy xxx.xxx

tunnel-group Dispatch ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group xxx.xxx.89.106 type ipsec-l2l

tunnel-group xxx.xxx.89.106 general-attributes

 default-group-policy xxx.xxx.89.106

tunnel-group xxx.xxx.89.106 ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group xxx.xxx.96.248 type ipsec-l2l

tunnel-group xxx.xxx.96.248 general-attributes

 default-group-policy xxx.xxx.96.248

tunnel-group xxx.xxx.96.248 ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group RemoteSupport type ipsec-ra

tunnel-group RemoteSupport general-attributes

 address-pool Admin-VPN-Pool-1

 default-group-policy RemoteSupport

tunnel-group RemoteSupport ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group xxx.xxx.238.6 type ipsec-l2l

tunnel-group xxx.xxx.238.6 ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group xxx.xxx.178.83 type ipsec-l2l

tunnel-group xxx.xxx.178.83 general-attributes

 default-group-policy xxx.xxx.96.248

tunnel-group xxx.xxx.178.83 ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group xxx.xxx.97.250 type ipsec-l2l

tunnel-group xxx.xxx.97.250 general-attributes

 default-group-policy xxx.xxx.97.250

tunnel-group xxx.xxx.97.250 ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group xxx.xxx.198.192 type ipsec-l2l

tunnel-group xxx.xxx.198.192 general-attributes

 default-group-policy xxx.xxx.198.192

tunnel-group xxx.xxx.198.192 ipsec-attributes

 pre-shared-key xxx.xxx

tunnel-group xxx.xxx.20.185 type ipsec-l2l

tunnel-group xxx.xxx.20.185 general-attributes

 default-group-policy xxx.xxx.20.185

tunnel-group xxx.xxx.20.185 ipsec-attributes

 pre-shared-key xxx.xxx

telnet 192.168.100.0 255.255.255.0 inside

telnet timeout 5

ssh 172.29.0.0 255.255.224.0 inside

ssh 192.168.100.0 255.255.255.0 inside

ssh timeout 15

ssh version 2

console timeout 60

management-access inside

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns migrated_dns_map_1 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect netbios 

  inspect rsh 

  inspect rtsp 

  inspect skinny 

  inspect esmtp 

  inspect sqlnet 

  inspect sunrpc 

  inspect tftp 

  inspect sip 

  inspect xdmcp 

!

service-policy global_policy global

ntp authenticate

prompt hostname context 

: end

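A configuration audit that can be run over the VPN-ASA lines posted above, as an added example that is not part of the original thread: it parses ASA extended access-lists and reports, for one flow, whether the nat 0 access-list exempts it from NAT and whether the crypto-map access-list selects it for the tunnel. The access-list lines are copied from the post (crypto map Outside_map 180 matches cwoffice, nat (dmz) 0 uses vpntodmz, nat (inside) 0 uses nonat); the function names and the two flows checked are this example's assumptions.

```python
"""Coverage check for a site-to-site flow on the posted VPN ASA config.

Added example, not part of the original thread. It parses ASA extended
access-list lines and answers two questions for one flow: is it exempted from
NAT by the nat 0 access-list, and does the crypto-map access-list select it for
the tunnel? Only 'permit/deny ip' entries with any/host/subnet terms are parsed,
which is all the copied lines use.
"""
import ipaddress

# Lines copied from the post: crypto map Outside_map 180 matches address
# cwoffice, nat (dmz) 0 uses vpntodmz, and nat (inside) 0 uses nonat.
CONFIG = """\
access-list cwoffice extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0
access-list cwoffice extended permit ip 172.25.0.0 255.255.240.0 172.29.37.0 255.255.255.0
access-list cwoffice extended permit ip 172.29.0.0 255.255.192.0 172.29.37.0 255.255.255.0
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.1.0 255.255.255.0
access-list vpntodmz extended permit ip 172.29.70.0 255.255.255.192 172.29.37.0 255.255.255.0
access-list nonat extended permit ip 172.29.37.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.29.37.0 255.255.255.0
"""


def _address_term(tokens, i):
    """Parse one ASA address term starting at tokens[i]: 'any', 'host A.B.C.D'
    or 'A.B.C.D M.M.M.M'. Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_extended_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'permit/deny ip'
    entries of extended ACLs, preserving the order the ASA evaluates them in."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
            continue
        src, i = _address_term(t, 5)
        dst, _ = _address_term(t, i)
        acls.setdefault(t[1], []).append((t[3], src, dst))
    return acls


def first_match(entries, src, dst):
    """ASA ACLs are first-match. Return the action of the first entry whose
    source and destination fully contain the flow's subnets, or None."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def check_tunnel_flow(config, local_net, remote_net, nat0_acl, crypto_acl):
    """Report whether local_net -> remote_net is NAT-exempted (nat 0) and is
    selected as interesting traffic by the crypto-map access-list."""
    acls = parse_extended_acls(config)
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    return {
        "nat_exempt": first_match(acls.get(nat0_acl, []), local, remote) == "permit",
        "in_crypto_acl": first_match(acls.get(crypto_acl, []), local, remote) == "permit",
    }


if __name__ == "__main__":
    # DMZ -> cwoffice: exempted from NAT by vpntodmz, but 172.29.70.0/26 lies
    # outside 172.29.0.0/18, so no cwoffice entry selects it for the tunnel.
    print("dmz ->", check_tunnel_flow(CONFIG, "172.29.70.0/26", "172.29.37.0/24",
                                      "vpntodmz", "cwoffice"))
    # Inside 192.168.100.0/24 -> cwoffice: covered by both nonat and cwoffice.
    print("lan ->", check_tunnel_flow(CONFIG, "192.168.100.0/24", "172.29.37.0/24",
                                      "nonat", "cwoffice"))
```

A flow that is NAT-exempt but absent from the crypto-map access-list leaves the VPN ASA with no reason to encrypt it, so both answers need to be true for the DMZ subnet before the remote site can reach it.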

Expert Comment

by:Pugglewuggle
So the way it's set up is that the VPN ASA and the Firewall ASA don't connect to the DMZ through the same line? I guess they both go into a DMZ switch or something?
I don't usually see things set up this way... Most of the time all VPN and firewall functions are handled on the same ASA or a failover team. Back when the separate VPN Concentrators were used, that was the proper topology, but now that the PIX and VPN concentrator are a unified platform (ASA), I'm not exactly sure it should be set up that way.
If this is not possible let me know - but I think you should consider putting the ASAs in a failover team (A/A) and unifying the previously separate functions (VPN and FW) with that team.
Having two ASAs separated like that is no longer considered best practice.

Author Comment

by:Swarley
Comment Utility
That is correct. They both lead into a switch used only for that DMZ.

I do agree with you that the same device should have been used for both purposes, but that was implemented before I arrived and I don't believe changing that right now is an option.

We already have the Firewall ASA in an Active/Passive scenario with another ASA as a failover.  Again I would love to unify both of these or just move the VPN over to the firewall but I won't be able to do that right now.

Do you see any possibilities for this scenario?

Expert Comment

by:Pugglewuggle
Hmmm... as far as allowing traffic into the DMZ let me do some quick snooping of your configs and I'll let you know.

Accepted Solution

by:
Swarley earned 0 total points
Since there hasn't been a response in quite some time I will close it.