Solved

ASA VPN Clients cannot access internal Resources

Posted on 2008-11-09
Last Modified: 2012-05-05
I cannot for the life of me get my SSL VPN clients to connect to the internal LAN...

I can only ping the internal interface IP...

Take a look at my config.....
ASA Version 8.0(3)20 
!
hostname MiamiASA
domain-name ds.searchspace.com
enable password ueqWIdHlIJVgMhwP encrypted
passwd gnNNsG1Vtmbanky2 encrypted
names
name 10.129.2.0 VPNRULE
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 63.xxx.xxx.170 255.255.255.248 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.129.1.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 10.128.2.13
 domain-name ds.searchspace.com
access-list acl_outside extended permit icmp any any 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq smtp 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq www 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq https 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq pop3 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq 135 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq pptp 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq 593 
access-list acl_outside extended permit tcp any any eq 52311 
access-list acl_outside extended permit udp any any eq 52311 
access-list acl_outside extended permit tcp any any eq 4899 
access-list acl_outside extended permit tcp any any eq 3389 
access-list acl_outside extended permit tcp any any eq 3330 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq 444 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.174 eq 4125 
access-list acl_outside extended permit tcp any eq 1001 any eq 1001 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.172 eq www 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.172 
access-list acl_outside extended permit tcp any eq 5900 host 63.139.138.172 eq 5900 
access-list acl_outside extended permit tcp any eq 5800 host 63.139.138.172 eq 5800 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.171 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.172 eq ftp 
access-list acl_outside extended permit tcp any host 63.xxx.xxx.172 eq ftp-data 
access-list acl_outside extended permit icmp any any echo-reply 
access-list acl_outside extended permit icmp any any source-quench 
access-list acl_outside extended permit icmp any any unreachable 
access-list acl_outside extended permit icmp any any time-exceeded 
access-list 110 extended permit ip 10.128.0.0 255.255.0.0 10.48.0.0 255.255.0.0 
access-list 110 extended permit ip 10.129.1.0 255.255.255.0 10.48.0.0 255.255.0.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.64.0.0 255.255.0.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.52.1.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.52.2.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.30.76.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.30.77.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.2.1.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.56.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.64.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.10.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.52.2.0 255.255.255.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.30.76.0 255.255.255.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.30.77.0 255.255.255.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.2.1.0 255.255.255.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.56.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.52.1.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.1.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.48.0.0 255.255.0.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.48.0.0 255.255.0.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.96.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.96.0.0 255.255.0.0 
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.128.131.0 255.255.255.0 
access-list acl_inside extended permit icmp 10.128.0.0 255.255.0.0 any 
access-list acl_inside extended permit icmp 10.129.0.0 255.255.0.0 any 
access-list acl_inside extended permit tcp 10.128.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq smtp 
access-list acl_inside extended permit tcp 10.129.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq smtp 
access-list acl_inside extended permit tcp 10.128.0.0 255.255.0.0 any eq smtp 
access-list acl_inside extended permit tcp 10.129.0.0 255.255.0.0 any eq smtp 
access-list acl_inside extended permit ip 10.128.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list acl_inside extended permit ip 10.129.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list acl_inside extended permit ip 10.128.0.0 255.255.0.0 any 
access-list acl_inside extended permit ip 10.129.0.0 255.255.0.0 any 
access-list 120 extended permit ip 10.128.0.0 255.255.0.0 10.64.0.0 255.255.0.0 
access-list 120 extended permit ip 10.129.1.0 255.255.255.0 10.64.0.0 255.255.0.0 
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.30.76.0 255.255.255.0 
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.30.77.0 255.255.255.0 
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.10.0.0 255.255.0.0 
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.30.76.0 255.255.255.0 
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.30.77.0 255.255.255.0 
access-list 140 extended permit ip 10.128.0.0 255.255.0.0 10.1.0.0 255.255.0.0 
access-list 140 extended permit ip 10.129.1.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list 150 extended permit ip 10.128.0.0 255.255.0.0 10.2.1.0 255.255.255.0 
access-list 150 extended permit ip 10.129.1.0 255.255.255.0 10.2.1.0 255.255.255.0 
access-list 160 extended permit ip 10.128.0.0 255.255.0.0 10.52.1.0 255.255.255.0 
access-list 160 extended permit ip 10.128.0.0 255.255.0.0 10.52.2.0 255.255.255.0 
access-list 160 extended permit ip 10.129.1.0 255.255.255.0 10.52.1.0 255.255.255.0 
access-list 160 extended permit ip 10.129.1.0 255.255.255.0 10.52.2.0 255.255.255.0 
access-list 170 extended permit ip 10.128.0.0 255.255.0.0 10.56.0.0 255.255.0.0 
access-list 170 extended permit ip 10.129.1.0 255.255.255.0 10.56.0.0 255.255.0.0 
access-list 180 extended permit ip 10.128.0.0 255.255.0.0 10.96.0.0 255.255.0.0 
access-list 180 extended permit ip 10.129.1.0 255.255.255.0 10.96.0.0 255.255.0.0 
access-list MiamiTestPlit standard permit 10.129.1.0 255.255.255.0 
access-list MiamiTestPlit standard permit 10.0.0.0 255.0.0.0 
access-list MiamiTestPlit standard permit 10.128.0.0 255.255.0.0 
access-list MiamiContractor_splitTunnelAcl remark Permit access to Miami Only
access-list MiamiContractor_splitTunnelAcl standard permit 10.128.0.0 255.255.0.0 
access-list Outside_nat0_outbound extended permit ip VPNRULE 255.255.255.0 10.129.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool MiamiPool 10.129.2.1-10.129.2.254 mask 255.255.255.0
ip verify reverse-path interface Outside
ip audit name IPAudit attack action alarm
ip audit name IPAuditInfo info action alarm
ip audit interface Outside IPAuditInfo
ip audit interface Outside IPAudit
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 63.xxx.xxx.174 10.129.1.2 netmask 255.255.255.255 dns 
static (Inside,Outside) 63.xxx.xxx.173 10.129.1.3 netmask 255.255.255.255 dns 
static (Inside,Outside) 63.xxx.xxx.172 10.129.1.6 netmask 255.255.255.255 dns 
static (Inside,Outside) 63.xxx.xxx.171 10.129.1.5 netmask 255.255.255.255 dns 
access-group acl_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 63.xxx.xxx.169 1
route Inside 10.10.0.0 255.255.0.0 10.128.1.1 1
route Inside 10.30.0.0 255.255.0.0 10.128.1.1 1
route Inside 10.128.0.0 255.255.0.0 10.129.1.10 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map CiscoMap
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=Miami_Contractors,CN=Users,DC=ds,DC=searchspace,DC=com " MiamiContractor
  map-value memberOf "CN=Miami_Employees,CN=Users,DC=ds,DC=searchspace.com,DC=com " MiamiEmployee
dynamic-access-policy-record DfltAccessPolicy
aaa-server Miami_authen_grp protocol kerberos
aaa-server Miami_authen_grp (Inside) host 10.128.2.13
 kerberos-realm DS.SEARCHSPACE.COM
aaa-server Miami_author_grp protocol ldap
aaa-server Miami_author_grp (Inside) host 10.128.2.13
 ldap-base-dn dc=ds, dc=searchspace, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=websense,OU=Miami Special Accounts,OU=Miami,DC=ds,dc=searchspace,dc=com
 server-type microsoft
 ldap-attribute-map CiscoMap
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FortentVPN esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set netscreen esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Miami 5 match address 110
crypto map Miami 5 set peer 208.105.76.74 
crypto map Miami 5 set transform-set FortentVPN
crypto map Miami 5 set security-association lifetime seconds 86400
crypto map Miami 5 set security-association lifetime kilobytes 4608000
crypto map Miami 9 match address 160
crypto map Miami 9 set peer 64.88.168.35 
crypto map Miami 9 set transform-set FortentVPN
crypto map Miami 9 set security-association lifetime seconds 28800
crypto map Miami 9 set security-association lifetime kilobytes 4608000
crypto map Miami 10 set security-association lifetime seconds 28800
crypto map Miami 10 set security-association lifetime kilobytes 4608000
crypto map Miami 20 match address 120
crypto map Miami 20 set peer 66.187.186.170 
crypto map Miami 20 set transform-set FortentVPN
crypto map Miami 20 set security-association lifetime seconds 86400
crypto map Miami 20 set security-association lifetime kilobytes 4608000
crypto map Miami 30 match address 130
crypto map Miami 30 set peer 66.28.233.2 
crypto map Miami 30 set transform-set netscreen
crypto map Miami 30 set security-association lifetime seconds 28800
crypto map Miami 30 set security-association lifetime kilobytes 4608000
crypto map Miami 40 match address 140
crypto map Miami 40 set peer 83.244.135.110 
crypto map Miami 40 set transform-set FortentVPN
crypto map Miami 40 set security-association lifetime seconds 28800
crypto map Miami 40 set security-association lifetime kilobytes 4608000
crypto map Miami 50 match address 150
crypto map Miami 50 set peer 89.151.100.100 
crypto map Miami 50 set transform-set FortentVPN
crypto map Miami 50 set security-association lifetime seconds 28800
crypto map Miami 50 set security-association lifetime kilobytes 4608000
crypto map Miami 70 match address 170
crypto map Miami 70 set peer 85.159.105.90 
crypto map Miami 70 set transform-set FortentVPN
crypto map Miami 70 set security-association lifetime seconds 28800
crypto map Miami 70 set security-association lifetime kilobytes 4608000
crypto map Miami 80 match address 180
crypto map Miami 80 set peer 202.228.200.234 
crypto map Miami 80 set transform-set FortentVPN
crypto map Miami 80 set security-association lifetime seconds 28800
crypto map Miami 80 set security-association lifetime kilobytes 4608000
crypto map Miami 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Miami interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn MiamiASA
 subject-name CN=ds.searchspace.com
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
crypto isakmp identity hostname 
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 30
console timeout 0
management-access Inside
dhcpd dns 10.128.1.13
dhcpd wins 10.128.1.13
dhcpd option 33 ip 10.128.0.0 10.129.1.10
!
vpn load-balancing 
 interface lbpublic Inside
 interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics access-list
ntp server 10.128.2.13 source Inside prefer
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy MiamiContractor internal
group-policy MiamiContractor attributes
 banner value Welcome Miami Contractor
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MiamiContractor_splitTunnelAcl
group-policy MiamiEmployee internal
group-policy MiamiEmployee attributes
 banner value Welcome Miami Employee
 wins-server value 10.128.2.13
 dns-server value 10.129.1.1 10.128.2.13
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MiamiTestPlit
 default-domain value ds.searchspace.com
 msie-proxy method no-proxy
 address-pools value MiamiPool
 webvpn
  svc dtls enable
  svc ask none default webvpn
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group Miami_authen_grp
 default-group-policy MiamiEmployee
tunnel-group 208.105.76.74 type ipsec-l2l
tunnel-group 208.105.76.74 ipsec-attributes
 pre-shared-key *
tunnel-group 66.187.186.170 type ipsec-l2l
tunnel-group 66.187.186.170 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 66.28.233.2 type ipsec-l2l
tunnel-group 66.28.233.2 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 83.244.135.110 type ipsec-l2l
tunnel-group 83.244.135.110 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 89.151.100.100 type ipsec-l2l
tunnel-group 89.151.100.100 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 64.88.168.35 type ipsec-l2l
tunnel-group 64.88.168.35 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 85.159.105.90 type ipsec-l2l
tunnel-group 85.159.105.90 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 202.228.200.234 type ipsec-l2l
tunnel-group 202.228.200.234 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group Miami type remote-access
tunnel-group Miami general-attributes
 address-pool MiamiPool
 authentication-server-group Miami_authen_grp
 authentication-server-group (Inside) Miami_authen_grp
 authentication-server-group (Outside) Miami_authen_grp
 authorization-server-group Miami_author_grp
 authorization-server-group (Inside) Miami_author_grp
 authorization-server-group (Outside) Miami_author_grp
 default-group-policy MiamiEmployee
 dhcp-server 10.128.2.13
 password-management
 authorization-required
tunnel-group Miami webvpn-attributes
 radius-reject-message
 proxy-auth sdi
tunnel-group Miami ipsec-attributes
 pre-shared-key *
tunnel-group Miami ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
webvpn
 enable Outside
 enable Inside
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
smtp-server 10.10.2.15
prompt hostname context 
Cryptochecksum:68cf6251e94fa5e8192

Question by:hang10z
13 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 195 total points
ID: 22917256
Try this:

no nat (Outside) 0 access-list Outside_nat0_outbound
access-list nonat permit ip any 10.129.2.0 255.255.255.0
0
 

Author Comment

by:hang10z
ID: 22917365
What does that do exactly? This firewall is in a production environment; I just want to be completely clear what those commands do... :)
0
 

Author Comment

by:hang10z
ID: 22917598
I got an error for the first one..

"access-list Outside_nat0_outbound not bound nat 0"

but the second one went through, and now I can access my 10.128.0.0 subnet.. but nothing else...

If you notice in my config, I have a whole bunch of subnets in my network... all connected via site-to-site IPsec VPN, ASA to ASA. 10.128.1.1 is a Linux firewall that connects the one office that does not have an ASA yet...
0

 
LVL 79

Expert Comment

by:lrmoore
ID: 22917713
Try adding a NAT exemption for local traffic to the VPN client IP subnet. A global 10.0.0.0 covers all remote sites, too.
 access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.129.2.0 255.255.255.0
0
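As an added example (not code from this thread or from Cisco), here is a small Python checker for the point both answers above turn on: the `nat (Inside) 0 access-list nonat` exemption must contain a permit entry whose destination covers the VPN pool, or inside hosts get translated on their way to the clients. It parses the `name`, `ip local pool` and `access-list nonat` lines, resolves the `VPNRULE` name the way the ASA prints it, and evaluates the ACL top-down, first match wins. The config excerpt, the `BASE_CONFIG`/`FIX_*` constants and the inside subnet list are constructed for the example; the two fix lines are the ones posted by batry_boy and lrmoore.

```python
"""Evaluate an ASA 8.x NAT-exemption list (nat 0 access-list) against the
remote-access VPN pool: does an internal subnet reach the pool untranslated?
Parses `name`, `ip local pool` and `access-list ... permit|deny ip` lines and
applies the ACL top-down, first match wins, as the ASA does."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed excerpt modelled on the thread: the pool plus a few original nonat lines, none with the pool as destination.
BASE_CONFIG = """\
name 10.129.2.0 VPNRULE
ip local pool MiamiPool 10.129.2.1-10.129.2.254 mask 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.64.0.0 255.255.0.0
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.48.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.128.131.0 255.255.255.0
nat (Inside) 0 access-list nonat
"""
# Accepted answer's line, as the ASA renders it once the `name` entry applies.
FIX_ACCEPTED = "access-list nonat extended permit ip any VPNRULE 255.255.255.0\n"
# The narrower 10.0.0.0/8 variant suggested later in the thread.
FIX_NARROW = "access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.129.2.0 255.255.255.0\n"
# Subnets reached through the Inside interface, where `nat (Inside) 0` is consulted (constructed list).
INSIDE_SUBNETS = ["10.129.1.0/24", "10.128.0.0/16"]


class AclEntry(NamedTuple):
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    line: str

def parse_names(config: str) -> Dict[str, str]:
    """`name <ip> <label>`: the ASA prints <label> instead of <ip> in ACL lines."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name\s+(\S+)\s+(\S+)\s*$", config, re.M)}

def parse_pool(config: str, pool_name: str) -> ipaddress.IPv4Network:
    """`ip local pool NAME first-last mask M` -> subnet the VPN clients land in."""
    m = re.search(r"^ip local pool\s+%s\s+(\S+)-\S+\s+mask\s+(\S+)" % re.escape(pool_name),
                  config, re.M)
    if m is None:
        raise ValueError("ip local pool %s not found" % pool_name)
    return ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)

def _endpoint(toks: List[str], i: int, names: Dict[str, str]) -> Tuple[ipaddress.IPv4Network, int]:
    """One ACL address operand: `any`, `host X`, or `<addr|name> <mask>`."""
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(names.get(toks[i + 1], toks[i + 1])), i + 2
    if toks[i] == "object-group":
        raise ValueError("object-group operands are not expanded here: " + toks[i + 1])
    return ipaddress.IPv4Network((names.get(toks[i], toks[i]), toks[i + 1]), strict=False), i + 2

def parse_acl(config: str, acl_name: str) -> List[AclEntry]:
    """All `permit|deny ip` lines of one ACL, in configured order."""
    names = parse_names(config)
    pat = re.compile(r"^access-list\s+%s\s+(?:extended\s+)?(permit|deny)\s+ip\s+(.+?)\s*$"
                     % re.escape(acl_name), re.M)
    entries = []
    for m in pat.finditer(config):
        toks = m.group(2).split()
        src, i = _endpoint(toks, 0, names)
        dst, _ = _endpoint(toks, i, names)
        entries.append(AclEntry(m.group(1), src, dst, m.group(0)))
    return entries

def first_match(acl: List[AclEntry], src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """Top-down first-match lookup for one flow; None means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return e
    return None

def pool_coverage(config: str, acl_name: str, pool_name: str,
                  subnets: List[str]) -> Dict[str, bool]:
    """True per subnet only if a single permit covers the whole subnet to the
    whole pool and no earlier deny overlaps that pair (a partial exemption
    breaks some hosts only, which host-by-host pings easily miss)."""
    acl = parse_acl(config, acl_name)
    pool = parse_pool(config, pool_name)
    report = {}
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        covered = False
        for e in acl:
            if e.action == "deny" and net.overlaps(e.src) and pool.overlaps(e.dst):
                break  # part of the pair is shadowed by a deny: not fully exempt
            if net.subnet_of(e.src) and pool.subnet_of(e.dst):
                covered = True
                break
        report[cidr] = covered
    return report

if __name__ == "__main__":
    for label, cfg in [("original", BASE_CONFIG), ("accepted fix", BASE_CONFIG + FIX_ACCEPTED),
                       ("10.0.0.0/8 variant", BASE_CONFIG + FIX_NARROW)]:
        print(label, pool_coverage(cfg, "nonat", "MiamiPool", INSIDE_SUBNETS))
```

Run it against a full `show running-config` by replacing `BASE_CONFIG`; lines whose operands are `object-group` references (as in the updated config later in the thread) raise a clear error rather than being silently skipped.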
 
LVL 79

Expert Comment

by:lrmoore
ID: 22917728
>I can access my 10.128.0.0 subnet.. but nothing else...
>access-list MiamiContractor_splitTunnelAcl standard permit 10.128.0.0 255.255.0.0
Are you connecting as a Contractor to test?
0
 

Author Comment

by:hang10z
ID: 22917807
lrmoore - That actually got me back to square one.. now I cannot access anything internal again....

No, I am connecting as MiamiEmployee... which has an ACL permitting 10.0.0.0/8

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22917852
Try adding
  crypto isakmp nat-traversal 25
0
 

Author Comment

by:hang10z
ID: 22918058
already have that...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22918209
I don't see it in the posted config..

>crypto isakmp identity hostname
Change this to address.
 crypto isakmp identity address

0
 

Author Comment

by:hang10z
ID: 22918490
Here is my updated config...

lrmoore, will this affect my IPsec tunnels to the other sites??
Result of the command: "show running-config"
 
: Saved
:
ASA Version 8.0(3)20 
!
hostname MiamiASA
domain-name ds.searchspace.com
enable password ueqWIdHlIJVgMhwP encrypted
passwd gnNNsG1Vtmbanky2 encrypted
names
name 10.129.2.0 VPNRULE
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 63.139.138.170 255.255.255.248 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.129.1.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 10.128.2.13
 domain-name ds.searchspace.com
object-group network DM_INLINE_NETWORK_1
 network-object 10.128.0.0 255.255.0.0
 network-object 10.129.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.10.0.0 255.255.0.0
 network-object 10.30.76.0 255.255.255.0
 network-object 10.30.77.0 255.255.255.0
 network-object 10.48.0.0 255.255.0.0
access-list acl_outside extended permit icmp any any 
access-list acl_outside extended permit tcp any host 63.139.138.174 eq smtp 
access-list acl_outside extended permit tcp any host 63.139.138.174 eq www 
access-list acl_outside extended permit tcp any host 63.139.138.174 eq https 
access-list acl_outside extended permit tcp any host 63.139.138.174 eq pop3 
access-list acl_outside extended permit tcp any host 63.139.138.174 eq 135 
access-list acl_outside extended permit tcp any host 63.139.138.174 eq pptp 
access-list acl_outside extended permit tcp any host 63.139.138.174 eq 593 
access-list acl_outside extended permit tcp any any eq 52311 
access-list acl_outside extended permit udp any any eq 52311 
access-list acl_outside extended permit tcp any any eq 4899 
access-list acl_outside extended permit tcp any any eq 3389 
access-list acl_outside extended permit tcp any any eq 3330 
access-list acl_outside extended permit tcp any host 63.139.138.174 eq 444 
access-list acl_outside extended permit tcp any host 63.139.138.174 eq 4125 
access-list acl_outside extended permit tcp any eq 1001 any eq 1001 
access-list acl_outside extended permit tcp any host 63.139.138.172 eq www 
access-list acl_outside extended permit tcp any host 63.139.138.172 
access-list acl_outside extended permit tcp any eq 5900 host 63.139.138.172 eq 5900 
access-list acl_outside extended permit tcp any eq 5800 host 63.139.138.172 eq 5800 
access-list acl_outside extended permit tcp any host 63.139.138.171 
access-list acl_outside extended permit tcp any host 63.139.138.172 eq ftp 
access-list acl_outside extended permit tcp any host 63.139.138.172 eq ftp-data 
access-list acl_outside extended permit icmp any any echo-reply 
access-list acl_outside extended permit icmp any any source-quench 
access-list acl_outside extended permit icmp any any unreachable 
access-list acl_outside extended permit icmp any any time-exceeded 
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.64.0.0 255.255.0.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.52.1.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.52.2.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.30.76.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.30.77.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.2.1.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.56.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.64.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.10.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.52.2.0 255.255.255.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.30.76.0 255.255.255.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.30.77.0 255.255.255.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.2.1.0 255.255.255.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.56.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.52.1.0 255.255.255.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.1.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.48.0.0 255.255.0.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.48.0.0 255.255.0.0 
access-list nonat extended permit ip 10.128.0.0 255.255.0.0 10.96.0.0 255.255.0.0 
access-list nonat extended permit ip 10.129.1.0 255.255.255.0 10.96.0.0 255.255.0.0 
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.128.131.0 255.255.255.0 
access-list nonat extended permit ip any VPNRULE 255.255.255.0 
access-list nonat extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 
access-list acl_inside extended permit icmp 10.128.0.0 255.255.0.0 any 
access-list acl_inside extended permit icmp 10.129.0.0 255.255.0.0 any 
access-list acl_inside extended permit tcp 10.128.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq smtp 
access-list acl_inside extended permit tcp 10.129.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq smtp 
access-list acl_inside extended permit tcp 10.128.0.0 255.255.0.0 any eq smtp 
access-list acl_inside extended permit tcp 10.129.0.0 255.255.0.0 any eq smtp 
access-list acl_inside extended permit ip 10.128.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list acl_inside extended permit ip 10.129.0.0 255.255.0.0 10.0.0.0 255.0.0.0 
access-list acl_inside extended permit ip 10.128.0.0 255.255.0.0 any 
access-list acl_inside extended permit ip 10.129.0.0 255.255.0.0 any 
access-list 120 extended permit ip 10.128.0.0 255.255.0.0 10.64.0.0 255.255.0.0 
access-list 120 extended permit ip 10.129.1.0 255.255.255.0 10.64.0.0 255.255.0.0 
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.30.76.0 255.255.255.0 
access-list 130 extended permit ip 10.128.0.0 255.255.0.0 10.30.77.0 255.255.255.0 
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.10.0.0 255.255.0.0 
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.30.76.0 255.255.255.0 
access-list 130 extended permit ip 10.129.1.0 255.255.255.0 10.30.77.0 255.255.255.0 
access-list 140 extended permit ip 10.128.0.0 255.255.0.0 10.1.0.0 255.255.0.0 
access-list 140 extended permit ip 10.129.1.0 255.255.255.0 10.1.0.0 255.255.0.0 
access-list 150 extended permit ip 10.128.0.0 255.255.0.0 10.2.1.0 255.255.255.0 
access-list 150 extended permit ip 10.129.1.0 255.255.255.0 10.2.1.0 255.255.255.0 
access-list 160 extended permit ip 10.128.0.0 255.255.0.0 10.52.1.0 255.255.255.0 
access-list 160 extended permit ip 10.128.0.0 255.255.0.0 10.52.2.0 255.255.255.0 
access-list 160 extended permit ip 10.129.1.0 255.255.255.0 10.52.1.0 255.255.255.0 
access-list 160 extended permit ip 10.129.1.0 255.255.255.0 10.52.2.0 255.255.255.0 
access-list 170 extended permit ip 10.128.0.0 255.255.0.0 10.56.0.0 255.255.0.0 
access-list 170 extended permit ip 10.129.1.0 255.255.255.0 10.56.0.0 255.255.0.0 
access-list 180 extended permit ip 10.128.0.0 255.255.0.0 10.96.0.0 255.255.0.0 
access-list 180 extended permit ip 10.129.1.0 255.255.255.0 10.96.0.0 255.255.0.0 
access-list MiamiTestPlit standard permit 10.129.1.0 255.255.255.0 
access-list MiamiTestPlit standard permit 10.0.0.0 255.0.0.0 
access-list MiamiTestPlit standard permit 10.128.0.0 255.255.0.0 
access-list MiamiContractor_splitTunnelAcl remark Permit access to Miami Only
access-list MiamiContractor_splitTunnelAcl standard permit 10.128.0.0 255.255.0.0 
access-list capout extended permit ip host 208.105.76.74 host 63.139.138.170 
access-list capout extended permit ip host 63.139.138.170 host 208.105.76.74 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool MiamiPool 10.129.2.1-10.129.2.254 mask 255.255.255.0
ip verify reverse-path interface Outside
ip audit name IPAudit attack action alarm
ip audit name IPAuditInfo info action alarm
ip audit interface Outside IPAuditInfo
ip audit interface Outside IPAudit
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 63.139.138.174 10.129.1.2 netmask 255.255.255.255 dns 
static (Inside,Outside) 63.139.138.173 10.129.1.3 netmask 255.255.255.255 dns 
static (Inside,Outside) 63.139.138.172 10.129.1.6 netmask 255.255.255.255 dns 
static (Inside,Outside) 63.139.138.171 10.129.1.5 netmask 255.255.255.255 dns 
access-group acl_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 63.139.138.169 1
route Inside 10.10.0.0 255.255.0.0 10.128.1.1 1
route Inside 10.30.0.0 255.255.0.0 10.128.1.1 1
route Inside 10.128.0.0 255.255.0.0 10.129.1.10 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map CiscoMap
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=Miami_Contractors,CN=Users,DC=ds,DC=searchspace,DC=com " MiamiContractor
  map-value memberOf "CN=Miami_Employees,CN=Users,DC=ds,DC=searchspace.com,DC=com " MiamiEmployee
dynamic-access-policy-record DfltAccessPolicy
aaa-server Miami_authen_grp protocol kerberos
aaa-server Miami_authen_grp (Inside) host 10.128.2.13
 kerberos-realm DS.SEARCHSPACE.COM
aaa-server Miami_author_grp protocol ldap
aaa-server Miami_author_grp (Inside) host 10.128.2.13
 ldap-base-dn dc=ds, dc=searchspace, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=websense,OU=Miami Special Accounts,OU=Miami,DC=ds,dc=searchspace,dc=com
 server-type microsoft
 ldap-attribute-map CiscoMap
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FortentVPN esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set netscreen esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Miami 1 match address Outside_1_cryptomap
crypto map Miami 1 set peer 208.105.76.74 
crypto map Miami 1 set transform-set ESP-3DES-SHA
crypto map Miami 1 set security-association lifetime seconds 28800
crypto map Miami 1 set security-association lifetime kilobytes 4608000
crypto map Miami 9 match address 160
crypto map Miami 9 set peer 64.88.168.35 
crypto map Miami 9 set transform-set FortentVPN
crypto map Miami 9 set security-association lifetime seconds 28800
crypto map Miami 9 set security-association lifetime kilobytes 4608000
crypto map Miami 10 set security-association lifetime seconds 28800
crypto map Miami 10 set security-association lifetime kilobytes 4608000
crypto map Miami 20 match address 120
crypto map Miami 20 set peer 66.187.186.170 
crypto map Miami 20 set transform-set FortentVPN
crypto map Miami 20 set security-association lifetime seconds 86400
crypto map Miami 20 set security-association lifetime kilobytes 4608000
crypto map Miami 30 match address 130
crypto map Miami 30 set peer 66.28.233.2 
crypto map Miami 30 set transform-set netscreen
crypto map Miami 30 set security-association lifetime seconds 28800
crypto map Miami 30 set security-association lifetime kilobytes 4608000
crypto map Miami 40 match address 140
crypto map Miami 40 set peer 83.244.135.110 
crypto map Miami 40 set transform-set FortentVPN
crypto map Miami 40 set security-association lifetime seconds 28800
crypto map Miami 40 set security-association lifetime kilobytes 4608000
crypto map Miami 50 match address 150
crypto map Miami 50 set peer 89.151.100.100 
crypto map Miami 50 set transform-set FortentVPN
crypto map Miami 50 set security-association lifetime seconds 28800
crypto map Miami 50 set security-association lifetime kilobytes 4608000
crypto map Miami 70 match address 170
crypto map Miami 70 set peer 85.159.105.90 
crypto map Miami 70 set transform-set FortentVPN
crypto map Miami 70 set security-association lifetime seconds 28800
crypto map Miami 70 set security-association lifetime kilobytes 4608000
crypto map Miami 80 match address 180
crypto map Miami 80 set peer 202.228.200.234 
crypto map Miami 80 set transform-set FortentVPN
crypto map Miami 80 set security-association lifetime seconds 28800
crypto map Miami 80 set security-association lifetime kilobytes 4608000
crypto map Miami 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Miami interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn MiamiASA
 subject-name CN=ds.searchspace.com
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    308201e0 30820149 a0030201 02020131 300d0609 2a864886 f70d0101 04050030 
    36311b30 19060355 04031312 64732e73 65617263 68737061 63652e63 6f6d3117 
    30150609 2a864886 f70d0109 0216084d 69616d69 41534130 1e170d30 38313130 
    37323030 3432305a 170d3138 31313035 32303034 32305a30 36311b30 19060355 
    04031312 64732e73 65617263 68737061 63652e63 6f6d3117 30150609 2a864886 
    f70d0109 0216084d 69616d69 41534130 819f300d 06092a86 4886f70d 01010105 
    0003818d 00308189 02818100 93703cd6 7c812e7a 3d366ade 285ed545 583a5c60 
    c1ff2cb2 97c138e9 a2787654 b2030854 a121ec7e 6568c15a 0b5c0504 0215fe2e 
    d12781c6 2af55cb8 b76d55f3 7ea83dff 2a591ab8 16e7220a 5a73a6dd dfe08867 
    7820f14f d61341cc c60b0525 e37f55a0 c79eea80 bc45d538 223a01b4 3f191c10 
    d4020e67 94e00fa0 09e118a9 02030100 01300d06 092a8648 86f70d01 01040500 
    03818100 312d5051 86da8a5f e43864c3 785aa9f1 84d8d1d1 8c26eee5 d8c39e93 
    7f6d7cf2 9b87e5a9 3431bbab ed0f49e9 42e79e7d 7ae2ea1d 473b0103 a184d84b 
    a251f392 9c0953ff d0b635b5 087d0f47 70cc0137 75425d4a b0e2fbfe 017d9cce 
    0deb17e1 01cac69c e9bcdc30 18faf6d2 92e69889 6e9c64da 34dbe5b2 69ae97cd a279e88d
  quit
crypto isakmp identity hostname 
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 25
vpn-addr-assign local reuse-delay 5
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 30
console timeout 0
management-access Inside
dhcpd dns 10.128.1.13
dhcpd wins 10.128.1.13
dhcpd option 33 ip 10.128.0.0 10.129.1.10
!
vpn load-balancing 
 interface lbpublic Inside
 interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics access-list
ntp server 10.128.2.13 source Inside prefer
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy MiamiContractor internal
group-policy MiamiContractor attributes
 banner value Welcome Miami Contractor
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MiamiContractor_splitTunnelAcl
group-policy MiamiEmployee internal
group-policy MiamiEmployee attributes
 banner value Welcome Miami Employee
 wins-server value 10.128.2.13
 dns-server value 10.128.2.13
 dhcp-network-scope 10.128.0.0
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MiamiTestPlit
 default-domain value ds.searchspace.com
 msie-proxy method no-proxy
 address-pools value MiamiPool
 webvpn
  svc dtls enable
  svc ask none default webvpn
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group Miami_authen_grp
 default-group-policy MiamiEmployee
tunnel-group 208.105.76.74 type ipsec-l2l
tunnel-group 208.105.76.74 ipsec-attributes
 pre-shared-key *
tunnel-group 66.187.186.170 type ipsec-l2l
tunnel-group 66.187.186.170 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 66.28.233.2 type ipsec-l2l
tunnel-group 66.28.233.2 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 83.244.135.110 type ipsec-l2l
tunnel-group 83.244.135.110 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 89.151.100.100 type ipsec-l2l
tunnel-group 89.151.100.100 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 64.88.168.35 type ipsec-l2l
tunnel-group 64.88.168.35 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 85.159.105.90 type ipsec-l2l
tunnel-group 85.159.105.90 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group 202.228.200.234 type ipsec-l2l
tunnel-group 202.228.200.234 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group Miami type remote-access
tunnel-group Miami general-attributes
 authentication-server-group Miami_authen_grp
 authentication-server-group (Inside) Miami_authen_grp
 authentication-server-group (Outside) Miami_authen_grp
 authorization-server-group Miami_author_grp
 authorization-server-group (Inside) Miami_author_grp
 authorization-server-group (Outside) Miami_author_grp
 default-group-policy MiamiEmployee
 dhcp-server 10.128.2.13
 password-management
 authorization-required
tunnel-group Miami webvpn-attributes
 radius-reject-message
 proxy-auth sdi
tunnel-group Miami ipsec-attributes
 pre-shared-key *
tunnel-group Miami ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
webvpn
 enable Outside
 enable Inside
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
smtp-server 10.10.2.15
prompt hostname context 
Cryptochecksum:68cf6251e94fa5e81927cfc8fee50f56
: end

LVL 79

Expert Comment

by:lrmoore
ID: 22921083
>crypto isakmp identity hostname  <== still hostname and not address. No, it won't affect existing vpns
>crypto isakmp enable Inside  <== Are you testing from an inside PC or actually from Outside?

Author Comment

by:hang10z
ID: 22923225
No I am testing from the outside....  

I made the change... will test later tonight...

LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 180 total points
ID: 22923575
You shouldn't need these applied to the Inside

crypto map Inside_map interface Inside
crypto isakmp enable Inside

I would remove them both

no crypto map Inside_map interface Inside
no crypto isakmp enable Inside
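An added example, not from this thread and not Cisco tooling: a small Python checker that reads an ASA running-config, maps each named interface to its security-level, lists the crypto map and ISAKMP bindings per interface, and emits the "no ..." commands for any binding on an interface at security-level 100, which is exactly the pair of Inside lines lrmoore recommends removing. It also reports the identity change from lrmoore's first comment. The sample config is a constructed excerpt of the configuration posted above; the function names and the level threshold are my own assumptions.

```python
import re

# Constructed sample: a trimmed excerpt of the running-config posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 63.139.138.170 255.255.255.248
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.129.1.1 255.255.255.0
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
crypto map Miami 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Miami interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp enable Inside
"""


def parse_interfaces(config):
    """Map each named interface (its nameif) to its security-level.

    Interfaces with 'no nameif' / 'no security-level' are skipped, since those
    lines do not start with ' nameif ' or ' security-level '.
    """
    levels = {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None                      # start of a new stanza
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" security-level ") and nameif is not None:
            levels[nameif] = int(line.split()[1])
    return levels


def vpn_bindings(config):
    """Map each interface to the crypto map bound to it and whether ISAKMP is enabled."""
    bindings = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto map (\S+) interface (\S+)", line)
        if m:
            entry = bindings.setdefault(m.group(2), {"crypto_map": None, "isakmp": False})
            entry["crypto_map"] = m.group(1)
            continue
        m = re.fullmatch(r"crypto isakmp enable (\S+)", line)
        if m:
            entry = bindings.setdefault(m.group(1), {"crypto_map": None, "isakmp": False})
            entry["isakmp"] = True
    return bindings


def findings(config, inside_level=100):
    """Return the CLI lines that remove VPN termination from interfaces whose
    security-level is at or above inside_level (assumed threshold), plus the
    'identity address' change lrmoore's first comment asks about."""
    levels = parse_interfaces(config)
    cmds = []
    for ifc, b in vpn_bindings(config).items():
        if levels.get(ifc, 0) < inside_level:
            continue                           # outside-facing interface: expected
        if b["crypto_map"]:
            cmds.append(f"no crypto map {b['crypto_map']} interface {ifc}")
        if b["isakmp"]:
            cmds.append(f"no crypto isakmp enable {ifc}")
    if re.search(r"^crypto isakmp identity hostname\s*$", config, re.M):
        cmds.append("crypto isakmp identity address")
    return cmds


if __name__ == "__main__":
    for cmd in findings(SAMPLE_CONFIG):
        print(cmd)
```

To use it on a real box, save the output of `show running-config` to a file and pass its contents to `findings()`; the script only reads text and never talks to the firewall. Treat its output as a review list, not as commands to paste blindly: on a hub ASA that terminates tunnels from an inner network the Inside binding could be intentional.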