hang10z
ASA VPN Clients cannot access internal Resources
I cannot for the life of me get my SSL VPN clients to connect to the internal LAN...
I can only ping the internal interface ip...
Take a look at my config.....
ASA Version 8.0(3)20
!
hostname MiamiASA
domain-name ds.searchspace.com
enable password ueqWIdHlIJVgMhwP encrypted
passwd gnNNsG1Vtmbanky2 encrypted
names
name 10.129.2.0 VPNRULE
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 63.xxx.xxx.170 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.129.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 10.128.2.13
domain-name ds.searchspace.com
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq smtp
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq www
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq https
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq pop3
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq 135
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq pptp
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq 593
access-list acl_outside extended permit tcp any any eq 52311
access-list acl_outside extended permit udp any any eq 52311
access-list acl_outside extended permit tcp any any eq 4899
access-list acl_outside extended permit tcp any any eq 3389
access-list acl_outside extended permit tcp any any eq 3330
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq 444
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq 4125
access-list acl_outside extended permit tcp any eq 1001 any eq 1001
access-list acl_outside extended permit tcp any host 63.xxx.xxx.172 eq www
access-list acl_outside extended permit tcp any host 63.xxx.xxx.172
access-list acl_outside extended permit tcp any eq 5900 host 63.139.138.172 eq 5900
access-list acl_outside extended permit tcp any eq 5800 host 63.139.138.172 eq 5800
access-list acl_outside extended permit tcp any host 63.xxx.xxx.171
access-list acl_outside extended permit tcp any host 63.xxx.xxx.172 eq ftp
access-list acl_outside extended permit tcp any host 63.xxx.xxx.172 eq ftp-data
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any source-quench
access-list acl_outside extended permit icmp any any unreachable
access-list acl_outside extended permit icmp any any time-exceeded
access-list 110 extended permit ip 10.128.0.0 255.255.0.0 10.48.0.0 255.255.0.0
access-list 110 extended permit ip 10.129.1.0 255.255.255.0 10.48.0.0 255.255.0.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.64.0.0 255.255.0.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.52.1.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.52.2.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.30.76.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.30.77.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.56.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.64.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.52.2.0 255.255.255.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.30.76.0 255.255.255.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.30.77.0 255.255.255.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.56.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.52.1.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.48.0.0 255.255.0.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.48.0.0 255.255.0.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.96.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.96.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.128.131.0 255.255.255.0
access-list acl_inside extended permit icmp 10.128.0.0 255.255.0.0 any
access-list acl_inside extended permit icmp 10.129.0.0 255.255.0.0 any
access-list acl_inside extended permit tcp 10.128.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq smtp
access-list acl_inside extended permit tcp 10.129.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq smtp
access-list acl_inside extended permit tcp 10.128.0.0 255.255.0.0 any eq smtp
access-list acl_inside extended permit tcp 10.129.0.0 255.255.0.0 any eq smtp
access-list acl_inside extended permit ip 10.128.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside extended permit ip 10.129.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside extended permit ip 10.128.0.0 255.255.0.0 any
access-list acl_inside extended permit ip 10.129.0.0 255.255.0.0 any
access-list 120 extended permit ip 10.128.0.0 255.255.0.0 10.64.0.0 255.255.0.0
access-list 120 extended permit ip 10.129.1.0 255.255.255.0 10.64.0.0 255.255.0.0
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.30.76.0 255.255.255.0
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.30.77.0 255.255.255.0
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.30.76.0 255.255.255.0
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.30.77.0 255.255.255.0
access-list 140 extended permit ip 10.128.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list 140 extended permit ip 10.129.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 150 extended permit ip 10.128.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list 150 extended permit ip 10.129.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 160 extended permit ip 10.128.0.0 255.255.0.0 10.52.1.0 255.255.255.0
access-list 160 extended permit ip 10.128.0.0 255.255.0.0 10.52.2.0 255.255.255.0
access-list 160 extended permit ip 10.129.1.0 255.255.255.0 10.52.1.0 255.255.255.0
access-list 160 extended permit ip 10.129.1.0 255.255.255.0 10.52.2.0 255.255.255.0
access-list 170 extended permit ip 10.128.0.0 255.255.0.0 10.56.0.0 255.255.0.0
access-list 170 extended permit ip 10.129.1.0 255.255.255.0 10.56.0.0 255.255.0.0
access-list 180 extended permit ip 10.128.0.0 255.255.0.0 10.96.0.0 255.255.0.0
access-list 180 extended permit ip 10.129.1.0 255.255.255.0 10.96.0.0 255.255.0.0
access-list MiamiTestPlit standard permit 10.129.1.0 255.255.255.0
access-list MiamiTestPlit standard permit 10.0.0.0 255.0.0.0
access-list MiamiTestPlit standard permit 10.128.0.0 255.255.0.0
access-list MiamiContractor_splitTunnelAcl remark Permit access to Miami Only
access-list MiamiContractor_splitTunnelAcl standard permit 10.128.0.0 255.255.0.0
access-list Outside_nat0_outbound extended permit ip VPNRULE 255.255.255.0 10.129.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool MiamiPool 10.129.2.1-10.129.2.254 mask 255.255.255.0
ip verify reverse-path interface Outside
ip audit name IPAudit attack action alarm
ip audit name IPAuditInfo info action alarm
ip audit interface Outside IPAuditInfo
ip audit interface Outside IPAudit
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 63.xxx.xxx.174 10.129.1.2 netmask 255.255.255.255 dns
static (Inside,Outside) 63.xxx.xxx.173 10.129.1.3 netmask 255.255.255.255 dns
static (Inside,Outside) 63.xxx.xxx.172 10.129.1.6 netmask 255.255.255.255 dns
static (Inside,Outside) 63.xxx.xxx.171 10.129.1.5 netmask 255.255.255.255 dns
access-group acl_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 63.xxx.xxx.169 1
route Inside 10.10.0.0 255.255.0.0 10.128.1.1 1
route Inside 10.30.0.0 255.255.0.0 10.128.1.1 1
route Inside 10.128.0.0 255.255.0.0 10.129.1.10 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map CiscoMap
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=Miami_Contractors,CN=Users,DC=ds,DC=searchspace,DC=com " MiamiContractor
map-value memberOf "CN=Miami_Employees,CN=Users,DC=ds,DC=searchspace.com,DC=com " MiamiEmployee
dynamic-access-policy-record DfltAccessPolicy
aaa-server Miami_authen_grp protocol kerberos
aaa-server Miami_authen_grp (Inside) host 10.128.2.13
kerberos-realm DS.SEARCHSPACE.COM
aaa-server Miami_author_grp protocol ldap
aaa-server Miami_author_grp (Inside) host 10.128.2.13
ldap-base-dn dc=ds, dc=searchspace, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=websense,OU=Miami Special Accounts,OU=Miami,DC=ds,dc=searchspace,dc=com
server-type microsoft
ldap-attribute-map CiscoMap
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FortentVPN esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set netscreen esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Miami 5 match address 110
crypto map Miami 5 set peer 208.105.76.74
crypto map Miami 5 set transform-set FortentVPN
crypto map Miami 5 set security-association lifetime seconds 86400
crypto map Miami 5 set security-association lifetime kilobytes 4608000
crypto map Miami 9 match address 160
crypto map Miami 9 set peer 64.88.168.35
crypto map Miami 9 set transform-set FortentVPN
crypto map Miami 9 set security-association lifetime seconds 28800
crypto map Miami 9 set security-association lifetime kilobytes 4608000
crypto map Miami 10 set security-association lifetime seconds 28800
crypto map Miami 10 set security-association lifetime kilobytes 4608000
crypto map Miami 20 match address 120
crypto map Miami 20 set peer 66.187.186.170
crypto map Miami 20 set transform-set FortentVPN
crypto map Miami 20 set security-association lifetime seconds 86400
crypto map Miami 20 set security-association lifetime kilobytes 4608000
crypto map Miami 30 match address 130
crypto map Miami 30 set peer 66.28.233.2
crypto map Miami 30 set transform-set netscreen
crypto map Miami 30 set security-association lifetime seconds 28800
crypto map Miami 30 set security-association lifetime kilobytes 4608000
crypto map Miami 40 match address 140
crypto map Miami 40 set peer 83.244.135.110
crypto map Miami 40 set transform-set FortentVPN
crypto map Miami 40 set security-association lifetime seconds 28800
crypto map Miami 40 set security-association lifetime kilobytes 4608000
crypto map Miami 50 match address 150
crypto map Miami 50 set peer 89.151.100.100
crypto map Miami 50 set transform-set FortentVPN
crypto map Miami 50 set security-association lifetime seconds 28800
crypto map Miami 50 set security-association lifetime kilobytes 4608000
crypto map Miami 70 match address 170
crypto map Miami 70 set peer 85.159.105.90
crypto map Miami 70 set transform-set FortentVPN
crypto map Miami 70 set security-association lifetime seconds 28800
crypto map Miami 70 set security-association lifetime kilobytes 4608000
crypto map Miami 80 match address 180
crypto map Miami 80 set peer 202.228.200.234
crypto map Miami 80 set transform-set FortentVPN
crypto map Miami 80 set security-association lifetime seconds 28800
crypto map Miami 80 set security-association lifetime kilobytes 4608000
crypto map Miami 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Miami interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn MiamiASA
subject-name CN=ds.searchspace.com
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201e0 30820149 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
36311b30 19060355 04031312 64732e73 65617263 68737061 63652e63 6f6d3117
30150609 2a864886 f70d0109 0216084d 69616d69 41534130 1e170d30 38313130
37323030 3432305a 170d3138 31313035 32303034 32305a30 36311b30 19060355
04031312 64732e73 65617263 68737061 63652e63 6f6d3117 30150609 2a864886
f70d0109 0216084d 69616d69 41534130 819f300d 06092a86 4886f70d 01010105
0003818d 00308189 02818100 93703cd6 7c812e7a 3d366ade 285ed545 583a5c60
c1ff2cb2 97c138e9 a2787654 b2030854 a121ec7e 6568c15a 0b5c0504 0215fe2e
d12781c6 2af55cb8 b76d55f3 7ea83dff 2a591ab8 16e7220a 5a73a6dd dfe08867
7820f14f d61341cc c60b0525 e37f55a0 c79eea80 bc45d538 223a01b4 3f191c10
d4020e67 94e00fa0 09e118a9 02030100 01300d06 092a8648 86f70d01 01040500
03818100 312d5051 86da8a5f e43864c3 785aa9f1 84d8d1d1 8c26eee5 d8c39e93
7f6d7cf2 9b87e5a9 3431bbab ed0f49e9 42e79e7d 7ae2ea1d 473b0103 a184d84b
a251f392 9c0953ff d0b635b5 087d0f47 70cc0137 75425d4a b0e2fbfe 017d9cce
0deb17e1 01cac69c e9bcdc30 18faf6d2 92e69889 6e9c64da 34dbe5b2 69ae97cd a279e88d
quit
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 30
console timeout 0
management-access Inside
dhcpd dns 10.128.1.13
dhcpd wins 10.128.1.13
dhcpd option 33 ip 10.128.0.0 10.129.1.10
!
vpn load-balancing
interface lbpublic Inside
interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics access-list
ntp server 10.128.2.13 source Inside prefer
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy MiamiContractor internal
group-policy MiamiContractor attributes
banner value Welcome Miami Contractor
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MiamiContractor_splitTunnelAcl
group-policy MiamiEmployee internal
group-policy MiamiEmployee attributes
banner value Welcome Miami Employee
wins-server value 10.128.2.13
dns-server value 10.129.1.1 10.128.2.13
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MiamiTestPlit
default-domain value ds.searchspace.com
msie-proxy method no-proxy
address-pools value MiamiPool
webvpn
svc dtls enable
svc ask none default webvpn
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group Miami_authen_grp
default-group-policy MiamiEmployee
tunnel-group 208.105.76.74 type ipsec-l2l
tunnel-group 208.105.76.74 ipsec-attributes
pre-shared-key *
tunnel-group 66.187.186.170 type ipsec-l2l
tunnel-group 66.187.186.170 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 66.28.233.2 type ipsec-l2l
tunnel-group 66.28.233.2 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 83.244.135.110 type ipsec-l2l
tunnel-group 83.244.135.110 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 89.151.100.100 type ipsec-l2l
tunnel-group 89.151.100.100 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 64.88.168.35 type ipsec-l2l
tunnel-group 64.88.168.35 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 85.159.105.90 type ipsec-l2l
tunnel-group 85.159.105.90 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 202.228.200.234 type ipsec-l2l
tunnel-group 202.228.200.234 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group Miami type remote-access
tunnel-group Miami general-attributes
address-pool MiamiPool
authentication-server-group Miami_authen_grp
authentication-server-group (Inside) Miami_authen_grp
authentication-server-group (Outside) Miami_authen_grp
authorization-server-group Miami_author_grp
authorization-server-group (Inside) Miami_author_grp
authorization-server-group (Outside) Miami_author_grp
default-group-policy MiamiEmployee
dhcp-server 10.128.2.13
password-management
authorization-required
tunnel-group Miami webvpn-attributes
radius-reject-message
proxy-auth sdi
tunnel-group Miami ipsec-attributes
pre-shared-key *
tunnel-group Miami ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
webvpn
enable Outside
enable Inside
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
smtp-server 10.10.2.15
prompt hostname context
Cryptochecksum:68cf6251e94fa5e8192
ASKER
I got an error for the first one..
"access-list Outside_nat0_outbound not bound nat 0"
but the second one went through and now I can access my 10.128.0.0 subnet.. but nothing else...
if you notice in my config I have a whole bunch of subnets in my network... all connected via site to site ipsec vpn asa to asa. 10.128.1.1 is a linux firewall that connects the one office that does not have a asa yet...
Try adding a NAT exemption for local traffic to the VPN client IP subnet. A global 10.0.0.0 covers all remote sites, too.
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.129.2.0 255.255.255.0
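The advice above boils down to one check: the ACL bound by `nat (Inside) 0 access-list ...` must carry an entry whose source covers the inside LAN and whose destination covers the VPN address pool, otherwise client traffic is PATed on the way back and the tunnel only reaches the interface IP. The script below is an added example (not from this thread or from Cisco) that parses the handful of ASA 8.x statements involved and reports, per `ip local pool`, whether such an exemption exists. The two configs inside it are constructed excerpts of the posted config, before and after the suggested `nonat` line; the outside address is a documentation-range placeholder because the post masks it. ACEs that use `object-group` are skipped rather than expanded.

```python
"""Check an ASA 8.x config for a NAT exemption covering inside LAN -> VPN pool.
Added example, not code from the thread. Only the statements needed for the
check are parsed; object-group ACEs are ignored, not evaluated."""
import ipaddress
import re


def _net(addr, mask, names):
    """ASA 'address mask' (or 'any', or a 'name' alias) -> IPv4Network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def parse_asa_config(text):
    """Collect name aliases, interface subnets, local pools, nat 0 bindings
    and 'extended permit ip' ACEs from a running-config dump."""
    cfg = {"names": {}, "interfaces": {}, "pools": {}, "nat0": {}, "acls": {}}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"name (\S+) (\S+)$", line):
            cfg["names"][m.group(2)] = m.group(1)
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and nameif:
            cfg["interfaces"][nameif] = _net(m.group(1), m.group(2), {})
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", line):
            cfg["pools"][m.group(1)] = _net(m.group(2), m.group(4), {})
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat0"][m.group(1)] = m.group(2)   # interface -> exemption ACL
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2).split())
    return cfg


def _ace_nets(tokens, names):
    """(src, dst) networks of a plain ACE; None when it uses object-groups."""
    nets, i = [], 0
    while i < len(tokens) and len(nets) < 2:
        tok = tokens[i]
        if tok == "any":
            nets.append(_net("any", None, names)); i += 1
        elif tok == "host":
            nets.append(_net(tokens[i + 1], "255.255.255.255", names)); i += 2
        elif tok == "object-group":
            return None
        else:
            nets.append(_net(tok, tokens[i + 1], names)); i += 2
    return tuple(nets) if len(nets) == 2 else None


def vpn_pool_nat_exemption(text, inside="Inside"):
    """Per local pool: the ACE in the inside nat 0 ACL that exempts LAN -> pool
    traffic (as a string), or None if no plain ACE covers it."""
    cfg = parse_asa_config(text)
    lan = cfg["interfaces"].get(inside)
    aces = cfg["acls"].get(cfg["nat0"].get(inside, ""), [])
    report = {}
    for pool_name, pool in cfg["pools"].items():
        report[pool_name] = None
        for tokens in aces:
            nets = _ace_nets(tokens, cfg["names"])
            if nets and lan and lan.subnet_of(nets[0]) and pool.subnet_of(nets[1]):
                report[pool_name] = " ".join(tokens)
                break
    return report


# Constructed excerpt of the posted config (outside IP is a placeholder).
BEFORE_CONFIG = """\
hostname MiamiASA
names
name 10.129.2.0 VPNRULE
interface Ethernet0/0
 nameif Outside
 ip address 203.0.113.170 255.255.255.248
interface Ethernet0/1
 nameif Inside
 ip address 10.129.1.1 255.255.255.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.48.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.128.131.0 255.255.255.0
access-list Outside_nat0_outbound extended permit ip VPNRULE 255.255.255.0 10.129.1.0 255.255.255.0
ip local pool MiamiPool 10.129.2.1-10.129.2.254 mask 255.255.255.0
global (Outside) 1 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
"""
# Same excerpt with the exemption suggested in the thread appended.
AFTER_CONFIG = BEFORE_CONFIG + (
    "access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.129.2.0 255.255.255.0\n")

if __name__ == "__main__":
    for label, cfg_text in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, vpn_pool_nat_exemption(cfg_text))
```

Note that `Outside_nat0_outbound` is bound on the Outside interface, so it never enters the inside-side check; that is why the exemption has to live in the ACL referenced by `nat (Inside) 0`. The `name` alias is resolved, so the later form `access-list nonat extended permit ip any VPNRULE 255.255.255.0` is recognised as well.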
>I can access my 10.128.0.0 subnet.. but nothing else...
>access-list MiamiContractor_splitTunnelAcl standard permit 10.128.0.0 255.255.0.0
Are you connecting as a Contractor to test?
ASKER
Irmoore - That actually got me back to square one.. now I cannot access anything internal again....
NO, I am connecting as MiamiEmployee... which has an ACL to permit 10.0.0.0/8
try adding
crypto isakmp nat-traversal 25
ASKER
already have that...
I don't see it in the posted config..
>crypto isakmp identity hostname
Change this to address.
crypto isakmp identity address
ASKER
Here is my updated Config...
Irmoore, will this affect my ipsec tunnels to the other sites??
Result of the command: "show running-config"
: Saved
:
ASA Version 8.0(3)20
!
hostname MiamiASA
domain-name ds.searchspace.com
enable password ueqWIdHlIJVgMhwP encrypted
passwd gnNNsG1Vtmbanky2 encrypted
names
name 10.129.2.0 VPNRULE
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 63.139.138.170 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.129.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 10.128.2.13
domain-name ds.searchspace.com
object-group network DM_INLINE_NETWORK_1
network-object 10.128.0.0 255.255.0.0
network-object 10.129.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.0.0 255.255.0.0
network-object 10.30.76.0 255.255.255.0
network-object 10.30.77.0 255.255.255.0
network-object 10.48.0.0 255.255.0.0
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any host 63.139.138.174 eq smtp
access-list acl_outside extended permit tcp any host 63.139.138.174 eq www
access-list acl_outside extended permit tcp any host 63.139.138.174 eq https
access-list acl_outside extended permit tcp any host 63.139.138.174 eq pop3
access-list acl_outside extended permit tcp any host 63.139.138.174 eq 135
access-list acl_outside extended permit tcp any host 63.139.138.174 eq pptp
access-list acl_outside extended permit tcp any host 63.139.138.174 eq 593
access-list acl_outside extended permit tcp any any eq 52311
access-list acl_outside extended permit udp any any eq 52311
access-list acl_outside extended permit tcp any any eq 4899
access-list acl_outside extended permit tcp any any eq 3389
access-list acl_outside extended permit tcp any any eq 3330
access-list acl_outside extended permit tcp any host 63.139.138.174 eq 444
access-list acl_outside extended permit tcp any host 63.139.138.174 eq 4125
access-list acl_outside extended permit tcp any eq 1001 any eq 1001
access-list acl_outside extended permit tcp any host 63.139.138.172 eq www
access-list acl_outside extended permit tcp any host 63.139.138.172
access-list acl_outside extended permit tcp any eq 5900 host 63.139.138.172 eq 5900
access-list acl_outside extended permit tcp any eq 5800 host 63.139.138.172 eq 5800
access-list acl_outside extended permit tcp any host 63.139.138.171
access-list acl_outside extended permit tcp any host 63.139.138.172 eq ftp
access-list acl_outside extended permit tcp any host 63.139.138.172 eq ftp-data
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any source-quench
access-list acl_outside extended permit icmp any any unreachable
access-list acl_outside extended permit icmp any any time-exceeded
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.64.0.0 255.255.0.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.52.1.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.52.2.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.30.76.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.30.77.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.56.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.64.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.52.2.0 255.255.255.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.30.76.0 255.255.255.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.30.77.0 255.255.255.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.56.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.52.1.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.48.0.0 255.255.0.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.48.0.0 255.255.0.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.96.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.96.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.128.131.0 255.255.255.0
access-list nonat extended permit ip any VPNRULE 255.255.255.0
access-list nonat extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_inside extended permit icmp 10.128.0.0 255.255.0.0 any
access-list acl_inside extended permit icmp 10.129.0.0 255.255.0.0 any
access-list acl_inside extended permit tcp 10.128.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq smtp
access-list acl_inside extended permit tcp 10.129.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq smtp
access-list acl_inside extended permit tcp 10.128.0.0 255.255.0.0 any eq smtp
access-list acl_inside extended permit tcp 10.129.0.0 255.255.0.0 any eq smtp
access-list acl_inside extended permit ip 10.128.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside extended permit ip 10.129.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_inside extended permit ip 10.128.0.0 255.255.0.0 any
access-list acl_inside extended permit ip 10.129.0.0 255.255.0.0 any
access-list 120 extended permit ip 10.128.0.0 255.255.0.0 10.64.0.0 255.255.0.0
access-list 120 extended permit ip 10.129.1.0 255.255.255.0 10.64.0.0 255.255.0.0
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.30.76.0 255.255.255.0
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.30.77.0 255.255.255.0
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.30.76.0 255.255.255.0
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.30.77.0 255.255.255.0
access-list 140 extended permit ip 10.128.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list 140 extended permit ip 10.129.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 150 extended permit ip 10.128.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list 150 extended permit ip 10.129.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 160 extended permit ip 10.128.0.0 255.255.0.0 10.52.1.0 255.255.255.0
access-list 160 extended permit ip 10.128.0.0 255.255.0.0 10.52.2.0 255.255.255.0
access-list 160 extended permit ip 10.129.1.0 255.255.255.0 10.52.1.0 255.255.255.0
access-list 160 extended permit ip 10.129.1.0 255.255.255.0 10.52.2.0 255.255.255.0
access-list 170 extended permit ip 10.128.0.0 255.255.0.0 10.56.0.0 255.255.0.0
access-list 170 extended permit ip 10.129.1.0 255.255.255.0 10.56.0.0 255.255.0.0
access-list 180 extended permit ip 10.128.0.0 255.255.0.0 10.96.0.0 255.255.0.0
access-list 180 extended permit ip 10.129.1.0 255.255.255.0 10.96.0.0 255.255.0.0
access-list MiamiTestPlit standard permit 10.129.1.0 255.255.255.0
access-list MiamiTestPlit standard permit 10.0.0.0 255.0.0.0
access-list MiamiTestPlit standard permit 10.128.0.0 255.255.0.0
access-list MiamiContractor_splitTunnelAcl remark Permit access to Miami Only
access-list MiamiContractor_splitTunnelAcl standard permit 10.128.0.0 255.255.0.0
access-list capout extended permit ip host 208.105.76.74 host 63.139.138.170
access-list capout extended permit ip host 63.139.138.170 host 208.105.76.74
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool MiamiPool 10.129.2.1-10.129.2.254 mask 255.255.255.0
ip verify reverse-path interface Outside
ip audit name IPAudit attack action alarm
ip audit name IPAuditInfo info action alarm
ip audit interface Outside IPAuditInfo
ip audit interface Outside IPAudit
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 63.139.138.174 10.129.1.2 netmask 255.255.255.255 dns
static (Inside,Outside) 63.139.138.173 10.129.1.3 netmask 255.255.255.255 dns
static (Inside,Outside) 63.139.138.172 10.129.1.6 netmask 255.255.255.255 dns
static (Inside,Outside) 63.139.138.171 10.129.1.5 netmask 255.255.255.255 dns
access-group acl_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 63.139.138.169 1
route Inside 10.10.0.0 255.255.0.0 10.128.1.1 1
route Inside 10.30.0.0 255.255.0.0 10.128.1.1 1
route Inside 10.128.0.0 255.255.0.0 10.129.1.10 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map CiscoMap
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=Miami_Contractors,CN=Users,DC=ds,DC=searchspace,DC=com " MiamiContractor
map-value memberOf "CN=Miami_Employees,CN=Users,DC=ds,DC=searchspace.com,DC=com " MiamiEmployee
dynamic-access-policy-record DfltAccessPolicy
aaa-server Miami_authen_grp protocol kerberos
aaa-server Miami_authen_grp (Inside) host 10.128.2.13
kerberos-realm DS.SEARCHSPACE.COM
aaa-server Miami_author_grp protocol ldap
aaa-server Miami_author_grp (Inside) host 10.128.2.13
ldap-base-dn dc=ds, dc=searchspace, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=websense,OU=Miami Special Accounts,OU=Miami,DC=ds,dc=searchspace,dc=com
server-type microsoft
ldap-attribute-map CiscoMap
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FortentVPN esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set netscreen esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Miami 1 match address Outside_1_cryptomap
crypto map Miami 1 set peer 208.105.76.74
crypto map Miami 1 set transform-set ESP-3DES-SHA
crypto map Miami 1 set security-association lifetime seconds 28800
crypto map Miami 1 set security-association lifetime kilobytes 4608000
crypto map Miami 9 match address 160
crypto map Miami 9 set peer 64.88.168.35
crypto map Miami 9 set transform-set FortentVPN
crypto map Miami 9 set security-association lifetime seconds 28800
crypto map Miami 9 set security-association lifetime kilobytes 4608000
crypto map Miami 10 set security-association lifetime seconds 28800
crypto map Miami 10 set security-association lifetime kilobytes 4608000
crypto map Miami 20 match address 120
crypto map Miami 20 set peer 66.187.186.170
crypto map Miami 20 set transform-set FortentVPN
crypto map Miami 20 set security-association lifetime seconds 86400
crypto map Miami 20 set security-association lifetime kilobytes 4608000
crypto map Miami 30 match address 130
crypto map Miami 30 set peer 66.28.233.2
crypto map Miami 30 set transform-set netscreen
crypto map Miami 30 set security-association lifetime seconds 28800
crypto map Miami 30 set security-association lifetime kilobytes 4608000
crypto map Miami 40 match address 140
crypto map Miami 40 set peer 83.244.135.110
crypto map Miami 40 set transform-set FortentVPN
crypto map Miami 40 set security-association lifetime seconds 28800
crypto map Miami 40 set security-association lifetime kilobytes 4608000
crypto map Miami 50 match address 150
crypto map Miami 50 set peer 89.151.100.100
crypto map Miami 50 set transform-set FortentVPN
crypto map Miami 50 set security-association lifetime seconds 28800
crypto map Miami 50 set security-association lifetime kilobytes 4608000
crypto map Miami 70 match address 170
crypto map Miami 70 set peer 85.159.105.90
crypto map Miami 70 set transform-set FortentVPN
crypto map Miami 70 set security-association lifetime seconds 28800
crypto map Miami 70 set security-association lifetime kilobytes 4608000
crypto map Miami 80 match address 180
crypto map Miami 80 set peer 202.228.200.234
crypto map Miami 80 set transform-set FortentVPN
crypto map Miami 80 set security-association lifetime seconds 28800
crypto map Miami 80 set security-association lifetime kilobytes 4608000
crypto map Miami 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Miami interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn MiamiASA
subject-name CN=ds.searchspace.com
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
quit
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 25
vpn-addr-assign local reuse-delay 5
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 30
console timeout 0
management-access Inside
dhcpd dns 10.128.1.13
dhcpd wins 10.128.1.13
dhcpd option 33 ip 10.128.0.0 10.129.1.10
!
vpn load-balancing
interface lbpublic Inside
interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics access-list
ntp server 10.128.2.13 source Inside prefer
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy MiamiContractor internal
group-policy MiamiContractor attributes
banner value Welcome Miami Contractor
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MiamiContractor_splitTunnelAcl
group-policy MiamiEmployee internal
group-policy MiamiEmployee attributes
banner value Welcome Miami Employee
wins-server value 10.128.2.13
dns-server value 10.128.2.13
dhcp-network-scope 10.128.0.0
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MiamiTestPlit
default-domain value ds.searchspace.com
msie-proxy method no-proxy
address-pools value MiamiPool
webvpn
svc dtls enable
svc ask none default webvpn
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group Miami_authen_grp
default-group-policy MiamiEmployee
tunnel-group 208.105.76.74 type ipsec-l2l
tunnel-group 208.105.76.74 ipsec-attributes
pre-shared-key *
tunnel-group 66.187.186.170 type ipsec-l2l
tunnel-group 66.187.186.170 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 66.28.233.2 type ipsec-l2l
tunnel-group 66.28.233.2 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 83.244.135.110 type ipsec-l2l
tunnel-group 83.244.135.110 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 89.151.100.100 type ipsec-l2l
tunnel-group 89.151.100.100 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 64.88.168.35 type ipsec-l2l
tunnel-group 64.88.168.35 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 85.159.105.90 type ipsec-l2l
tunnel-group 85.159.105.90 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group 202.228.200.234 type ipsec-l2l
tunnel-group 202.228.200.234 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 4
tunnel-group Miami type remote-access
tunnel-group Miami general-attributes
authentication-server-group Miami_authen_grp
authentication-server-group (Inside) Miami_authen_grp
authentication-server-group (Outside) Miami_authen_grp
authorization-server-group Miami_author_grp
authorization-server-group (Inside) Miami_author_grp
authorization-server-group (Outside) Miami_author_grp
default-group-policy MiamiEmployee
dhcp-server 10.128.2.13
password-management
authorization-required
tunnel-group Miami webvpn-attributes
radius-reject-message
proxy-auth sdi
tunnel-group Miami ipsec-attributes
pre-shared-key *
tunnel-group Miami ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
webvpn
enable Outside
enable Inside
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
smtp-server 10.10.2.15
prompt hostname context
Cryptochecksum:68cf6251e94fa5e81927cfc8fee50f56
: end
>crypto isakmp identity hostname <== still hostname and not address. No, it won't affect existing VPNs
>crypto isakmp enable Inside <== Are you testing from an inside PC or actually from Outside?
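As an added example (not part of the expert's reply or the asker's config), a small Python audit that answers the question raised above straight from a running-config dump: which interfaces have ISAKMP, a crypto map and WebVPN enabled, what the ISAKMP identity is set to, and which management services (http/ssh/telnet) are permitted from any source. The sample config is a constructed excerpt modelled on lines in the pasted config, with the ASA indentation that the forum paste flattened restored.

```python
import re

# Constructed excerpt in the shape of the running-config pasted in the question
# (indentation restored; the forum paste had flattened it). Not the full config.
SAMPLE_CONFIG = """\
crypto map Miami interface Outside
crypto map Inside_map interface Inside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp enable Inside
http 0.0.0.0 0.0.0.0 Outside
http 10.0.0.0 255.0.0.0 Inside
telnet 0.0.0.0 0.0.0.0 Inside
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
webvpn
 enable Outside
 enable Inside
"""

# Top-level commands that bind a VPN termination point (or identity) to an interface.
PATTERNS = {
    "isakmp": re.compile(r"crypto isakmp enable (\S+)$"),
    "crypto_map": re.compile(r"crypto map \S+ interface (\S+)$"),
    "identity": re.compile(r"crypto isakmp identity (\S+)$"),
}
MGMT = re.compile(r"(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def audit_vpn_surfaces(config: str) -> dict:
    """Summarise where VPNs terminate and where the management plane is reachable.
    Returns sets under 'isakmp', 'crypto_map', 'webvpn', 'identity' and a list
    'mgmt_any' of (service, interface) pairs permitted from 0.0.0.0/0."""
    result = {k: set() for k in (*PATTERNS, "webvpn")}
    result["mgmt_any"] = []
    in_webvpn = False  # inside the global 'webvpn' block (not a group-policy one)
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a new top-level command ends any block
            in_webvpn = line == "webvpn"
        elif in_webvpn and line.startswith("enable "):
            result["webvpn"].add(line.split()[1])
            continue
        for key, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                result[key].add(m.group(1))
        m = MGMT.match(line)
        if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
            result["mgmt_any"].append((m.group(1), m.group(4)))
    return result
```

Run it over the full config to see at a glance that VPN termination is enabled on both Outside and Inside and that http and ssh are open from any address on Outside; the same checks apply to a `show running-config` capture.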
ASKER
No, I am testing from the outside...
I made the change... will test later tonight...
ASKER