VNC through ASA 5520

hoshie329
I am trying to allow VNC through my ASA.

I have a policy that allows traffic full access to both the local and remote networks.

Every time I try to VNC to one of the machines I get the following error:

6      Oct 22 2009      08:54:58      109025      10.165.165.238      4663      10.165.180.20      5900      Authorization denied (acl=Texas_Users) for user '<unknown>' from 10.165.165.238/4663 to 10.165.180.20/5900 on interface Inside using TCP

If I change the ACE to IP instead of TCP/5900 it works, but my boss wants it more restricted.

I have the access list attached:
access-list ibttxspartner_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list ibttxspartner_splitTunnelAcl remark Permits access to the network server, restrictions applied by group policy Texas_Users
 
access-list Texas_Users extended permit icmp any any echo 
access-list Texas_Users extended permit icmp any any echo-reply 
access-list Texas_Users extended permit icmp any any traceroute 
access-list Texas_Users extended permit icmp any any time-exceeded 
access-list Texas_Users extended permit icmp any any unreachable 
access-list Texas_Users extended permit object-group TCPUDP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900 
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_1 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 
access-list Texas_Users remark HTTP
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq www 
access-list Texas_Users remark HTTPS
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq https 
access-list Texas_Users remark FTP Access
access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 host 10.165.165.98 eq ftp 
access-list Texas_Users remark Ftp Access
access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 host 10.165.165.98 eq ftp-data 
access-list Texas_Users extended permit tcp host 10.165.165.98 10.165.180.0 255.255.255.0 eq ftp 
access-list Texas_Users extended permit tcp host 10.165.165.98 10.165.180.0 255.255.255.0 eq ftp-data 
access-list Texas_Users remark SNF .47 Access
access-list Texas_Users extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.47 
access-list Texas_Users remark Snf .48 Access
access-list Texas_Users extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.48 
access-list Texas_Users remark SNF .49 Access
access-list Texas_Users extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.49 
access-list Texas_Users extended deny ip any any


Instead of that object-group, have you tried it with just tcp/5900?

When you put in that ACL, can you try this:

telnet <remote-ip> 5900 and hit enter.

Cheers,
rsivanandan

Author

Commented:
Yes, I have tried it both ways... I just tried it again and then tried to use the telnet command above.
Telnet returns the message "could not open connection to host"...

The ASA log is showing

Authorization denied (acl=Texas_Users) for user '<unknown>' from 10.165.165.238/1368 to 10.165.180.20/5900 on interface Inside using TCP
Pete Long, Technical Consultant

Commented:
The VNC client uses TCP port 5900, but if you're using the "VNC web client" then it can use 5800 to 5899 AND 5900.

When you say you tried it both ways, did you make a separate statement for TCP and UDP, or only a statement for TCP? Your above config has

access-list Texas_Users extended permit object-group TCPUDP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

Have you tried

access-list Texas_Users extended permit object-group TCP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

access-list Texas_Users extended permit object-group UDP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

or did you just try

access-list Texas_Users extended permit object-group TCP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

Many applications will initiate using UDP and then traverse to TCP. An IP statement would include both.

Hope this helps!
Sorry, I meant to edit out the object-group and just write it as:

access-list Texas_Users extended permit TCP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

access-list Texas_Users extended permit UDP 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

Author

Commented:
I tried the second configuration of the option above.

I just put in both the TCP and UDP statements copied from the last post.

I am still getting the same error message.

Thanks for looking at this.
Can you post your complete configuration here?

Cheers,
rsivanandan

Author

Commented:
I have attached the configuration:
ASA Version 8.0(4) 
!
hostname SpfldASA
domain-name l1esd.com
 
 
name 10.165.160.0 vlan160 description Front Fingerprint Room
name 10.165.161.0 vlan161 description IBT Management
name 10.165.162.0 vlan162 description Springfield VPN
name 10.165.163.0 vlan163 description Tx VPN
name 10.165.164.0 vlan164 description Phone Operators
name 10.165.165.0 vlan165 description Core Systems;ASA Management Access
name 10.165.166.0 vlan166 description Financial Servers
name 10.165.169.0 vlan169 description Test Zone
name 10.165.170.0 vlan170 description Conf Room vlan
name 192.168.0.0 vlan192 description WebServer Farm
name 172.19.70.80 A-172.19.70.80 description Pearson WI
name 192.168.117.32 A-192.168.117.32 description Pearson WI
name 192.168.119.224 A-192.168.119.224 description Pearson WI
name 192.168.119.32 A-192.168.119.32 description Pearson WI
name 192.168.120.128 A-192.168.120.128 description Pearson WI
name 192.168.122.250 A-192.168.122.250 description Pearson WI
name 192.168.123.192 A-192.168.123.192 description Pearson WI
name 192.168.123.224 A-192.168.123.224 description Pearson WI
name 192.168.123.37 A-192.168.123.37 description Pearson WI
name 192.168.126.160 A-192.168.126.160 description Pearson WI
name 172.19.0.0 A-172.19.0.0 description Pearson WI
dns-guard
!
interface GigabitEthernet0/0
 description Connects to Semi-Trusted remote VPN Switch
 nameif RemoteVPN
 security-level 0
 ip address 10.50.0.1 255.255.0.0 
!
interface GigabitEthernet0/1
 description Local Internet traffic
 nameif OutsideInet
 security-level 0
 ip address 2xx.xx.xx.xxx 255.255.255.248 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Local Access
 nameif Inside
 security-level 100
 ip address 10.165.181.3 255.255.255.0 
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
 
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.165.165.250
 domain-name l1esd.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_3
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_0
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp eq ftp 
 service-object tcp eq ftp-data 
object-group network DM_INLINE_NETWORK_4
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object vlan165 255.255.255.0
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
 
object-group service DM_INLINE_TCP_0 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq 445 
 service-object tcp eq netbios-ssn 
 service-object tcp eq smtp 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
object-group service DM_INLINE_SERVICE_3
 service-object tcp eq 445 
 service-object tcp eq netbios-ssn 
 service-object tcp eq smtp 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq 445 
 service-object tcp eq netbios-ssn 
 service-object tcp eq smtp 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
access-list Inside_mpc extended permit tcp vlan165 255.255.255.0 any object-group DM_INLINE_TCP_2 inactive 
access-list OutsideInet_1_cryptomap extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_1_cryptomap extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_1_cryptomap extended permit ip host 2xx.xx.1xx.2xx2 172.16.32.0 255.255.240.0 
access-list OutsideInet_1_cryptomap extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0 
access-list OutsideInet_1_cryptomap extended permit ip 10.165.181.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_access_in extended permit tcp any host 209.254.135.10 object-group DM_INLINE_TCP_0 inactive 
access-list OutsideInet_access_in remark Allow Public Access to Internal FTP Server
access-list OutsideInet_access_in extended permit object-group DM_INLINE_SERVICE_0 any host xxx.2xx.xx.xx0 
access-list OutsideInet_access_in extended permit icmp any any echo 
access-list OutsideInet_access_in extended permit icmp any any echo-reply 
access-list OutsideInet_access_in extended permit icmp any any traceroute 
access-list OutsideInet_access_in extended permit icmp any any time-exceeded 
access-list OutsideInet_access_in extended permit icmp any any unreachable 
access-list OutsideInet_access_in extended permit ip 10.165.181.0 255.255.255.0 vlan165 255.255.255.0 
access-list OutsideInet_access_in extended permit ip 172.16.32.0 255.255.240.0 object-group DM_INLINE_NETWORK_1 
access-list OutsideInet_access_in extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 
access-list OutsideInet_access_in extended permit ip 192.168.130.0 255.255.255.0 vlan165 255.255.255.0 
access-list OutsideInet_access_in extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_access_in remark Remote extranet web access
access-list OutsideInet_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 10.165.165.35 object-group DM_INLINE_TCP_4 
access-list OutsideInet_access_in remark Remote Access from TX users to FTP
access-list OutsideInet_access_in extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.98 
access-list L1ITSpfld_splitTunnelAcl remark Internet Access
access-list L1ITSpfld_splitTunnelAcl standard permit host xxx.xxx.xxx.xxx 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan160 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan161 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan162 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan163 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan164 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan166 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan169 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan170 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard permit vlan192 255.255.255.0 
access-list L1ITSpfld_splitTunnelAcl standard deny any 
access-list L1ManSpfld_splitTunnelAcl standard permit vlan161 255.255.255.0 
access-list L1ManSpfld_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list L1ManSpfld_splitTunnelAcl standard deny any 
access-list L1ManSpfldInet_splitTunnelAcl remark Internet Access
access-list L1ManSpfldInet_splitTunnelAcl standard permit host xxx.xxx.xxx.xxx 
access-list L1ManSpfldInet_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list L1ManSpfldInet_splitTunnelAcl standard deny any 
access-list Inside_access_out extended permit icmp any any echo 
access-list Inside_access_out extended permit icmp any any echo-reply 
access-list Inside_access_out extended permit icmp any any traceroute 
access-list Inside_access_out extended permit icmp any any time-exceeded 
access-list Inside_access_out extended permit icmp any any unreachable 
access-list Inside_access_out extended permit ip any vlan165 255.255.255.0 
access-list Inside_access_out extended permit ip vlan165 255.255.255.0 any 
access-list Inside_access_out extended permit ip any 10.165.180.0 255.255.255.0 inactive 
access-list InsidePublic_access_in extended permit icmp any any echo 
access-list InsidePublic_access_in extended permit icmp any any echo-reply 
access-list InsidePublic_access_in extended permit icmp any any traceroute 
access-list InsidePublic_access_in extended permit icmp any any time-exceeded 
access-list InsidePublic_access_in extended permit icmp any any unreachable 
access-list vpn extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0 
access-list vpn extended permit ip vlan165 255.255.255.0 host xxx.xxx.xxx.xxx 
access-list vpn extended permit ip vlan165 255.255.255.0 xxx.xxx.xxx.xx 255.255.255.0 
access-list vpn extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0 
access-list vpn extended permit ip vlan165 255.255.255.0 vlan162 255.255.255.0 
access-list vpn extended permit ip any 10.165.180.0 255.255.255.0 inactive 
access-list OutsideInet_access_in_1 extended permit ip 10.165.181.0 255.255.255.0 any 
access-list OutsideInet_access_in_1 extended permit udp host xxx.xxx.xxx.xxx 10.165.180.0 255.255.255.0 eq ntp 
access-list OutsideInet_access_in_1 extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 
access-list Inside_access_in extended permit ip vlan165 255.255.255.0 any 
access-list Inside_access_in extended permit ip 10.165.181.0 255.255.255.0 any 
access-list Inside_access_in extended permit ip 10.165.180.0 255.255.255.0 any inactive 
access-list global_mpc_2 extended permit ip host 172.16.32.50 host 10.165.165.75 
access-list global_mpc_1 extended permit ip host 172.16.32.50 host 10.165.165.107 
access-list global_mpc_3 extended permit ip host 10.165.165.75 host 172.16.32.50 
access-list global_mpc extended permit ip host 10.165.165.107 host 172.16.32.50 
access-list ibttxspartner_splitTunnelAcl standard permit vlan165 255.255.255.0 
access-list ibttxspartner_splitTunnelAcl remark Permits access to the network server, restrictions applied by ACL Texas_Users
access-list Inside_nat0_outbound extended permit ip vlan165 255.255.255.0 vlan165 255.255.255.0 
access-list Inside_nat0_outbound_1 extended permit ip vlan165 255.255.255.0 vlan165 255.255.255.0 
access-list Internal_nat0_outbound extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0 
access-list OutsideInet_nat0_outbound extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0 
access-list OutsideInet_nat0_outbound extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0 
access-list test extended permit ip 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 
access-list test remark allows .180 to see Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 10.165.180.0 255.255.255.0 
access-list test remark allows .181 to see Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 10.165.181.0 255.255.255.0 
access-list test remark allows .181 to see Vlan 162
access-list test extended permit ip vlan162 255.255.255.0 10.165.181.0 255.255.255.0 
access-list test remark allows .181 to see Vlan 161
access-list test extended permit ip vlan161 255.255.255.0 10.165.181.0 255.255.255.0 
access-list test remark Local network Access to Florida
access-list test extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 
access-list test remark Allows florida access to .180
access-list test extended permit ip 172.16.32.0 255.255.240.0 10.165.180.0 255.255.255.0 
access-list test remark Allows florida access to .181
access-list test extended permit ip 172.16.32.0 255.255.240.0 10.165.181.0 255.255.255.0 
access-list test remark Copied from Concentrator
access-list test extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0 
access-list test remark Copied from Concentrator
access-list test extended permit ip xxx.xxx.xxx.xxx 255.255.255.0 172.16.32.0 255.255.240.0 
access-list test remark allows access to Richmond Virgina
access-list test extended permit ip 192.168.130.0 255.255.255.0 vlan165 255.255.255.0 
access-list test remark allows .181 to access remote .181
access-list test extended permit ip 10.165.181.0 255.255.255.0 10.165.181.0 255.255.255.0 
access-list test extended permit ip vlan165 255.255.255.0 10.2.20.0 255.255.255.0 
access-list test extended permit ip host xxx.xxx.xxx.xxx vlan165 255.255.255.0 
access-list test remark Allows florida access to Richmond Virginia
access-list test extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list test extended permit ip host xxx.xxxx.xxx.xxx 172.16.32.0 255.255.240.0 
access-list test remark allows access to Virginia, Richmond
access-list test extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0 
access-list test remark allows florida access to .181
access-list test extended permit ip 10.165.181.0 255.255.255.0 172.16.32.0 255.255.240.0 
access-list test remark allows florida access to Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0 
access-list test remark Pearson VPN Access
access-list test extended permit ip vlan165 255.255.255.0 A-172.19.0.0 255.255.0.0 
access-list test extended permit ip host A-xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx 
access-list OutsideInet_2_cryptomap extended permit ip vlan165 255.255.255.0 A-172.19.0.0 255.255.0.0 
access-list OutsideInet_3_cryptomap extended permit ip host A-xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx 
access-list Texas_Users extended permit icmp any any echo 
access-list Texas_Users extended permit icmp any any echo-reply 
access-list Texas_Users extended permit icmp any any traceroute 
access-list Texas_Users extended permit icmp any any time-exceeded 
access-list Texas_Users extended permit icmp any any unreachable 
access-list Texas_Users remark Allows Techs to use VNC
access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900 
access-list Texas_Users remark HTTP
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq www 
access-list Texas_Users remark HTTPS
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq https 
access-list Texas_Users remark SNF .47 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_2 10.165.180.0 255.255.255.0 host 10.165.165.47 
access-list Texas_Users remark Snf .48 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_3 10.165.180.0 255.255.255.0 host 10.165.165.48 
access-list Texas_Users remark SNF .49 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_4 10.165.180.0 255.255.255.0 host 10.165.165.49 
access-list Texas_Users extended deny ip any any 
access-list Texas_Users extended permit udp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900 
pager lines 25
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging device-id hostname
logging host Inside 10.165.165.238
mtu RemoteVPN 1500
mtu OutsideInet 1500
mtu Inside 1500
mtu management 1500
ip local pool tx 10.2.20.2-10.2.20.255 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo OutsideInet
icmp permit any echo-reply OutsideInet
icmp permit any time-exceeded OutsideInet
icmp permit any unreachable OutsideInet
icmp permit any echo Inside
icmp permit any echo-reply Inside
icmp permit any time-exceeded Inside
icmp permit any unreachable Inside
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (OutsideInet) 1 xxx.xxx.xxx.xxx netmask 255.255.255.248
global (OutsideInet) 2 xxx.xxx.xxx.xxx netmask 255.0.0.0
global (OutsideInet) 1 interface
global (OutsideInet) 3 A-xxx.xxx.xxx.xxx netmask 255.255.255.0
global (Inside) 2 10.165.165.238 netmask 255.0.0.0
nat (OutsideInet) 0 access-list OutsideInet_nat0_outbound
nat (Inside) 0 access-list test
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,OutsideInet) A-xxx.xxx.xxx.xxx 10.165.165.56 netmask 255.255.255.255 
static (Inside,OutsideInet) xxx.xxx.xxx.xxx 10.165.165.98 netmask 255.255.255.255 
access-group InsidePublic_access_in in interface RemoteVPN
access-group OutsideInet_access_in_1 in interface OutsideInet control-plane
access-group OutsideInet_access_in in interface OutsideInet
access-group Inside_access_in in interface Inside control-plane
route OutsideInet 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route Inside vlan162 255.255.255.0 10.165.181.1 1
route Inside vlan165 255.255.255.0 10.165.181.1 1
route OutsideInet 172.16.32.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server SpfldRadius protocol radius
aaa-server SpfldRadius (Inside) host 10.165.165.254
 key ccccccccc
 radius-common-pw cccccccc
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authorization command LOCAL 
http server enable
http 10.165.181.0 255.255.255.0 OutsideInet
http 10.165.181.0 255.255.255.0 Inside
http vlan165 255.255.255.0 Inside
snmp-server host Inside 10.165.165.137 community meth0d version 2c
snmp-server host Inside 10.165.165.180 community meth0d version 2c
snmp-server location Spfld
no snmp-server contact
snmp-server community meth0d
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection tcpmss 1250
sysopt connection reclassify-vpn
auth-prompt prompt This system is intended for the use of authorized users only. All activities of individuals using this computing system with or without authority or in excess of their authority may 
auth-prompt accept This system is intended for the use of authorized users only. All activities of individuals using this computing system with or without authority or in excess of their authority may 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Internal_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internal_map interface Inside
crypto map Public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideInet_map 1 match address OutsideInet_1_cryptomap
crypto map OutsideInet_map 1 set peer xxx.xxx.xxx.xxx 
crypto map OutsideInet_map 1 set transform-set ESP-3DES-MD5
crypto map OutsideInet_map 1 set security-association lifetime seconds 86400
crypto map OutsideInet_map 1 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 1 set reverse-route
crypto map OutsideInet_map 2 match address OutsideInet_2_cryptomap
crypto map OutsideInet_map 2 set peer xxx.xxx.xxx.xxx 
crypto map OutsideInet_map 2 set transform-set ESP-3DES-SHA
crypto map OutsideInet_map 2 set security-association lifetime seconds 28800
crypto map OutsideInet_map 2 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 3 match address OutsideInet_3_cryptomap
crypto map OutsideInet_map 3 set peer xxx.xxx.xxx.xxx 
crypto map OutsideInet_map 3 set transform-set ESP-3DES-SHA
crypto map OutsideInet_map 3 set security-association lifetime seconds 28800
crypto map OutsideInet_map 3 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideInet_map interface OutsideInet
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 email Savart@l1id.com
 subject-name CN=SpfldASA
 serial-number
 ip-address 10.165.165.240
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment self
 subject-name CN=l1id.local
 crl configure
crypto isakmp identity address 
crypto isakmp enable OutsideInet
crypto isakmp enable Inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet vlan165 255.255.255.0 Inside
telnet 10.165.165.254 255.255.255.255 Inside
telnet timeout 60
ssh 10.165.181.0 255.255.255.0 OutsideInet
ssh vlan165 255.255.255.0 Inside
ssh 10.165.181.0 255.255.255.0 Inside
ssh timeout 60
console timeout 0
management-access Inside
dhcprelay timeout 60
priority-queue OutsideInet
priority-queue Inside
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authentication-key 1 md5 *
ntp trusted-key 1
ntp server 10.165.165.180 key 1 source Inside prefer
ssl trust-point ASDM_TrustPoint2 OutsideInet
webvpn
 enable OutsideInet
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec 
 msie-proxy local-bypass enable
group-policy SpfldToFla internal
group-policy SpfldToFla attributes
 vpn-filter value SpfldToFla_ACL
group-policy ibttxspartner internal
group-policy ibttxspartner attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.180.0
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value Texas_Users
 vpn-tunnel-protocol IPSec svc 
 group-lock value ibttxspartner
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ibttxspartner_splitTunnelAcl
 msie-proxy server value 127.0.0.1:80
 msie-proxy method use-server
 msie-proxy except-list value ibtfingerprint.com;identix.com;l1enrollment.com;l1id.com;www.microsoft.com;windowsupdate.microsoft.com;download.windowsupdate.com;update.microsoft.com;sditx.com;www.symantec.com;symantecliveupdate.com;security.symantec.com;searchg.symantec.com
group-policy L1ManSpfld internal
group-policy L1ManSpfld attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.20
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc 
 ip-comp disable
 group-lock value L1ManSpfld
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ManSpfld_splitTunnelAcl
 default-domain value l1id.local
 msie-proxy server value 127.0.0.1:80
 msie-proxy method use-server
 msie-proxy except-list value www.l1id.com;mail.l1id.com;www.google.com;extranet.ibtfingerprint.com;techinline.net
 msie-proxy local-bypass enable
group-policy L1ManSpfldInet internal
group-policy L1ManSpfldInet attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.20
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc 
 group-lock value L1ManSpfldInet
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ManSpfldInet_splitTunnelAcl
 default-domain value l1id.local
group-policy L1ITSpfld internal
group-policy L1ITSpfld attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.3
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 ip-comp disable
 group-lock value L1ITSpfld
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ITSpfld_splitTunnelAcl
 default-domain value l1id.local
 webvpn
  url-list none
username savart password sibqx.qfK3R7ksKK encrypted privilege 15
username savart attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
username admin password G0HaQRS2/699sgc7 encrypted privilege 15
username admin attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
username jburford password aNgJaaTQyCGmtsGz encrypted privilege 15
username HelpDesk password DRlz4RoK5bc30m1j encrypted privilege 5
username HelpDesk attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group L1ITSpfld type remote-access
tunnel-group L1ITSpfld general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ITSpfld
 dhcp-server 10.165.165.254
tunnel-group L1ITSpfld webvpn-attributes
 group-alias L1ITSpfld enable
tunnel-group L1ITSpfld ipsec-attributes
 pre-shared-key *
tunnel-group L1ITSpfld ppp-attributes
 authentication ms-chap-v2
tunnel-group L1ManSpfld type remote-access
tunnel-group L1ManSpfld general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ManSpfld
 dhcp-server 10.165.165.254
tunnel-group L1ManSpfld webvpn-attributes
 group-alias L1ManSpfld enable
tunnel-group L1ManSpfld ipsec-attributes
 pre-shared-key *
tunnel-group L1ManSpfldInet type remote-access
tunnel-group L1ManSpfldInet general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ManSpfldInet
 dhcp-server 10.165.165.254
tunnel-group L1ManSpfldInet webvpn-attributes
 group-alias L1ManSpfldInet enable
tunnel-group L1ManSpfldInet ipsec-attributes
 pre-shared-key *
tunnel-group ibttxspartner type remote-access
tunnel-group ibttxspartner general-attributes
 authentication-server-group SpfldRadius
 default-group-policy ibttxspartner
 dhcp-server 10.165.165.254
tunnel-group ibttxspartner ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map global-class1
 match access-list global_mpc_1
class-map global-class2
 match access-list global_mpc_2
class-map global-class3
 match access-list global_mpc_3
class-map Inside-class
 match access-list Inside_mpc
!
!
policy-map type inspect http Vlan165_BadSites
 parameters
  protocol-violation action drop-connection
 match request uri regex Myspace
  reset log
policy-map Vlan165
 class Inside-class
  inspect http Vlan165_BadSites 
policy-map global_policy
 class inspection_default
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect tftp 
  inspect pptp 
  inspect icmp 
 class global-class
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 
 class global-class1
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 
 class global-class2
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 
 class global-class3
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00 
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
service-policy Vlan165 interface Inside
-server
prompt hostname context 
Cryptochecksum:b46bccc094d5851b739413293f7bf399
: end

This should be a straight forward problem and so I thought I would just do a cold boot on my brain and start all over.  So I went back to the beginning and looked at your error message again.  

From the message it would appear that 10.165.165.238 talking on port 4663 is being denied access to 10.165.180.20 listening on port 5900 by the Access List Texas_Users.

OK, established that we are having problems getting 10.165.165.0 to 10.165.180.0 on port 5900.

Wait a minute.  Your access list is for traffic coming from the 10.165.180.0 and going to the 10.165.165.0 network on port 5900... AHA!

So let's remove the

access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

and the

access-list Texas_Users extended permit udp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

and instead do

access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq 5900

No need to worry about UDP; I have since found out that VNC does not use UDP whatsoever.

Author

Commented:
I followed the steps above and I am still getting the same error.

OK... a couple more questions.

Are you initiating the VNC session from your machine on vlan165 to the 10.165.180.0 subnet? What subnet does the person initiating the connection sit on, and what subnet does the machine listening on port 5900 sit on?  From your errors it appears that the connection is being initiated from vlan165 and is going to connect to a machine on 10.165.180.0... correct?

Author

Commented:
The VNC session will always be initialized from Vlan 165 (this is the local network); our techs use VNC to assist remote clients.

Local machines on 10.165.165.0/24 will always be the initiating machines

The remote host will always be on 10.165.180.0/24 listening on port 5900

Yes, your last statement is correct....

I have also found that if I configure the ACL to use tcp with no port assigned this will work, but it still leaves the network open too much.

Can you log the traffic for the connection while it is unrestricted by port and post that here?

Thanks

Author

Commented:
I have added the lines from the log. I connected to the VNC client and, while connected, I opened a network share.

I have also added a small wireshark capture file on this connection
6|Oct 23 2009|11:38:22|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:21|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:16|302014|10.165.180.22|5900|10.165.165.238|2200|Teardown TCP connection 36670 for OutsideInet:10.165.180.22/5900 to Inside:10.165.165.238/2200 duration 0:01:14 bytes 124266 TCP Reset-I
6|Oct 23 2009|11:38:14|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:13|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:12|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:05|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:04|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:02|109025|10.165.180.22|137|10.165.165.254|137|Authorization denied (acl=Texas_Users) for user 'jburford' from 10.165.180.22/137 to 10.165.165.254/137 on interface OutsideInet using UDP
6|Oct 23 2009|11:38:02|302014|10.165.180.22|1810|10.165.165.47|445|Teardown TCP connection 36818 for OutsideInet:10.165.180.22/1810 to Inside:10.165.165.47/445 duration 0:00:12 bytes 13558 TCP FINs (jburford)
6|Oct 23 2009|11:37:50|302014|10.165.180.22|1812|10.165.165.47|139|Teardown TCP connection 36819 for OutsideInet:10.165.180.22/1812 to Inside:10.165.165.47/139 duration 0:00:00 bytes 0 TCP Reset-O (jburford)
6|Oct 23 2009|11:37:50|302013|10.165.180.22|1812|10.165.165.47|139|Built inbound TCP connection 36819 for OutsideInet:10.165.180.22/1812 (10.165.180.22/1812) to Inside:10.165.165.47/139 (10.165.165.47/139) (jburford)
6|Oct 23 2009|11:37:50|302013|10.165.180.22|1810|10.165.165.47|445|Built inbound TCP connection 36818 for OutsideInet:10.165.180.22/1810 (10.165.180.22/1810) to Inside:10.165.165.47/445 (10.165.165.47/445) (jburford)
6|Oct 23 2009|11:37:01|302013|10.165.180.22|5900|10.165.165.238|2200|Built outbound TCP connection 36670 for OutsideInet:10.165.180.22/5900 (10.165.180.22/5900) to Inside:10.165.165.238/2200 (10.165.165.238/2200)

OK... I think I might know what is happening here.  The remote side is connecting via a remote VPN connection to your network.  You are trying to initiate a VNC connection from your side while the remote VPN is connected.  When you specify the port address in the VPN Filter ACL for Texas_Users then it will not allow you to send traffic to their subnet because your traffic doesn't match the port filter... you send out on a non-specific port each time.  So I think you have to leave the

access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0

and then add (right after the above statement)

access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900

I believe that will allow you to send on any non-specific port and restrict their communications to port 5900.

You can test this by a telnet session from their machine to a local machine on your subnet on port 5901
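
The two suggestions above (swapping the source and destination networks, then pinning port 5900 on the local side) can be checked without touching the firewall. The following is an added example, not code from this thread or from either participant: it models how Cisco documents vpn-filter matching (the ACL is written with the VPN client side as the source and is applied in both directions, with the address/port pairs swapped for packets headed towards the client) and runs each candidate Texas_Users ACE against the flows visible in the posted syslog lines. The names `CLIENT_NET`, `parse_ace`, `vpn_filter_allows` and `evaluate` are mine; the `src-port-on-client` ACE is my suggestion rather than something the thread proposes; and it assumes, as the thread does, that 10.165.180.0/24 is the remote VPN side and vlan165 (10.165.165.0/24) the local side.

```python
# Added example: a small model of ASA vpn-filter ACE matching, used to test the
# candidate Texas_Users ACEs against flows taken from the syslog lines in the thread.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NAMES = {"vlan165": "10.165.165.0"}                       # from the config's "names" table
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20}
PortRange = Optional[Tuple[int, int]]                    # None means "any port"
Flow = Tuple[str, str, int, str, int]                    # (proto, src_ip, src_port, dst_ip, dst_port)

# Assumption (as in the thread): the 10.165.180.0/24 addresses are the VPN/remote side.
CLIENT_NET = ipaddress.IPv4Network("10.165.180.0/24")


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: PortRange
    dst: ipaddress.IPv4Network
    dst_port: PortRange


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq N|range A B] DST [eq N|range A B]'.
    Addresses may be 'any', 'host X' or 'NET MASK'; names come from the names table above."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto, i = tok[3], tok[4], 5

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return ipaddress.IPv4Network(NAMES.get(tok[i - 1], tok[i - 1]))
        net, mask = NAMES.get(tok[i], tok[i]), tok[i + 1]
        i += 2
        return ipaddress.IPv4Network(f"{net}/{mask}")

    def take_port() -> PortRange:
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            i += 2
            return (_port(tok[i - 1]), _port(tok[i - 1]))
        if i < len(tok) and tok[i] == "range":
            i += 3
            return (_port(tok[i - 2]), _port(tok[i - 1]))
        return None

    src, src_port = take_addr(), take_port()
    dst, dst_port = take_addr(), take_port()
    return Ace(action, proto, src, src_port, dst, dst_port)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    proto, sip, sport, dip, dport = flow

    def in_range(r: PortRange, p: int) -> bool:
        return r is None or r[0] <= p <= r[1]

    return (ace.proto in ("ip", proto)
            and ipaddress.IPv4Address(sip) in ace.src and in_range(ace.src_port, sport)
            and ipaddress.IPv4Address(dip) in ace.dst and in_range(ace.dst_port, dport))


def vpn_filter_allows(acl: List[Ace], flow: Flow) -> bool:
    """Cisco documents vpn-filter ACLs as written with the VPN client side as the source
    and applied in both directions: for a packet headed towards the client the ASA swaps
    the address/port pairs before matching, so the client side stays in the source
    position. Unmatched traffic is dropped (the posted ACL also ends in 'deny ip any any')."""
    proto, sip, sport, dip, dport = flow
    if ipaddress.IPv4Address(dip) in CLIENT_NET:          # towards the client: swap
        flow = (proto, dip, dport, sip, sport)
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action == "permit"
    return False


# Flows from the thread's syslog lines: the 109025 denial of the local VNC client, and the
# remote-initiated SMB connection (302013) seen while the filter was unrestricted by port.
VNC_FROM_LOCAL: Flow = ("tcp", "10.165.165.238", 4663, "10.165.180.20", 5900)
SMB_FROM_REMOTE: Flow = ("tcp", "10.165.180.22", 1810, "10.165.165.47", 445)

CANDIDATES = {
    # tried in the thread: port 5900 on the destination (local) side
    "dst-port-on-local": "access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900",
    # tried in the thread: local network as source
    "local-as-source": "access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq 5900",
    # what worked in the thread, but leaves every TCP port open
    "any-tcp": "access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0",
    # my suggestion: client side as source, with the VNC listening port as the SOURCE port
    "src-port-on-client": "access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 eq 5900 vlan165 255.255.255.0",
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Return {candidate: (vnc_from_local_allowed, smb_from_remote_allowed)} per single-ACE filter."""
    return {name: (vpn_filter_allows([parse_ace(ace)], VNC_FROM_LOCAL),
                   vpn_filter_allows([parse_ace(ace)], SMB_FROM_REMOTE))
            for name, ace in CANDIDATES.items()}


if __name__ == "__main__":
    for name, (vnc, smb) in evaluate().items():
        print(f"{name:20s} VNC-from-local {'permit' if vnc else 'deny':6s}  SMB-from-remote {'permit' if smb else 'deny'}")
```

Run as-is it reproduces the thread's observations: both ACEs tried so far deny the locally initiated VNC session, and the port-less ACE permits it only by also admitting any remote-initiated TCP flow. Only the ACE that places `eq 5900` after the client network (a source-port match) admits the VNC session while refusing the unrelated SMB flow. On the ASA itself, confirm with the hit counts in `show access-list Texas_Users` and by watching for further 109025 messages after the filter changes.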

Author

Commented:
I configured it the way you have above and I am still getting the error.

Can you repost your ACL statements again since making these additions etc.?  I'll keep trying to figure this out till we get it to work right.

Author

Commented:
This is the current config minus public IPs:
ASA Version 8.0(4)
!
hostname SpfldASA
domain-name l1esd.com
enable password Gre encrypted
passwd Gre encrypted
names
name 10.165.160.0 vlan160 description Front Fingerprint Room
name 10.165.161.0 vlan161 description IBT Management
name 10.165.162.0 vlan162 description Springfield VPN
name 10.165.163.0 vlan163 description Tx VPN
name 10.165.164.0 vlan164 description Phone Operators
name 10.165.165.0 vlan165 description Core Systems;ASA Management Access
name 10.165.166.0 vlan166 description Financial Servers
name 10.165.169.0 vlan169 description Test Zone
name 10.165.170.0 vlan170 description Conf Room vlan
name 192.168.0.0 vlan192 description WebServer Farm
name 172.19.70.80 A-172.19.70.80 description Pearson WI
name 192.168.117.32 A-192.168.117.32 description Pearson WI
name 192.168.119.224 A-192.168.119.224 description Pearson WI
name 192.168.119.32 A-192.168.119.32 description Pearson WI
name 192.168.120.128 A-192.168.120.128 description Pearson WI
name 192.168.122.250 A-192.168.122.250 description Pearson WI
name 192.168.123.192 A-192.168.123.192 description Pearson WI
name 192.168.123.224 A-192.168.123.224 description Pearson WI
name 192.168.123.37 A-192.168.123.37 description Pearson WI
name 192.168.126.160 A-192.168.126.160 description Pearson WI
name 172.19.0.0 A-172.19.0.0 description Pearson WI
name xxx.xxx.xxx.xxx A-xxx.xxx.xxx.xxx description Nat Address for 10.165.165.56 WA
dns-guard
!
interface GigabitEthernet0/0
 description Connects to Semi-Trusted remote VPN Switch
 nameif RemoteVPN
 security-level 0
 ip address 10.50.0.1 255.255.0.0
!
interface GigabitEthernet0/1
 description Local Internet traffic
 nameif OutsideInet
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Local Access
 nameif Inside
 security-level 100
 ip address 10.165.181.3 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
!
 
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.165.165.250
 domain-name l1esd.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_3
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_0
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp eq ftp
 service-object tcp eq ftp-data
object-group network DM_INLINE_NETWORK_4
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object vlan165 255.255.255.0
 network-object 10.165.180.0 255.255.255.0
 network-object 10.165.181.0 255.255.255.0
object-group service DM_INLINE_TCP_0 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq 445
 service-object tcp eq netbios-ssn
 service-object tcp eq smtp
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
object-group service DM_INLINE_SERVICE_3
 service-object tcp eq 445
 service-object tcp eq netbios-ssn
 service-object tcp eq smtp
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq 445
 service-object tcp eq netbios-ssn
 service-object tcp eq smtp
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
access-list Inside_mpc extended permit tcp vlan165 255.255.255.0 any object-group DM_INLINE_TCP_2 inactive
access-list OutsideInet_1_cryptomap extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_1_cryptomap extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_1_cryptomap extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0
access-list OutsideInet_1_cryptomap extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0
access-list OutsideInet_1_cryptomap extended permit ip 10.165.181.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_access_in extended permit tcp any host xxx.xxx.xxx.xxx object-group DM_INLINE_TCP_0 inactive
access-list OutsideInet_access_in remark Allow Public Access to Internal FTP Server
access-list OutsideInet_access_in extended permit object-group DM_INLINE_SERVICE_0 any host xxx.xxx.xxx.xxx
access-list OutsideInet_access_in extended permit icmp any any echo
access-list OutsideInet_access_in extended permit icmp any any echo-reply
access-list OutsideInet_access_in extended permit icmp any any traceroute
access-list OutsideInet_access_in extended permit icmp any any time-exceeded
access-list OutsideInet_access_in extended permit icmp any any unreachable
access-list OutsideInet_access_in extended permit ip 10.165.181.0 255.255.255.0 vlan165 255.255.255.0
access-list OutsideInet_access_in extended permit ip 172.16.32.0 255.255.240.0 object-group DM_INLINE_NETWORK_1
access-list OutsideInet_access_in extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0
access-list OutsideInet_access_in extended permit ip 192.168.130.0 255.255.255.0 vlan165 255.255.255.0
access-list OutsideInet_access_in extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_access_in remark Remote extranet web access
access-list OutsideInet_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 10.165.165.35 object-group DM_INLINE_TCP_4
access-list OutsideInet_access_in remark Remote Access from TX users to FTP
access-list OutsideInet_access_in extended permit ip 10.165.180.0 255.255.255.0 host 10.165.165.98
access-list OutsideInet_access_in extended permit ip 10.165.180.0 255.255.255.0 vlan165 255.255.255.0
access-list OutsideInet_access_in extended permit ip vlan165 255.255.255.0 10.165.180.0 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl remark Internet Access
access-list L1ITSpfld_splitTunnelAcl standard permit host xxx.xxx.xxx.xxx
access-list L1ITSpfld_splitTunnelAcl standard permit vlan160 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan161 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan162 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan163 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan164 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan165 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan166 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan169 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan170 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard permit vlan192 255.255.255.0
access-list L1ITSpfld_splitTunnelAcl standard deny any
access-list L1ManSpfld_splitTunnelAcl standard permit vlan161 255.255.255.0
access-list L1ManSpfld_splitTunnelAcl standard permit vlan165 255.255.255.0
access-list L1ManSpfld_splitTunnelAcl standard deny any
access-list L1ManSpfldInet_splitTunnelAcl remark Internet Access
access-list L1ManSpfldInet_splitTunnelAcl standard permit host xxx.xxx.xxx.xxx
access-list L1ManSpfldInet_splitTunnelAcl standard permit vlan165 255.255.255.0
access-list L1ManSpfldInet_splitTunnelAcl standard deny any
access-list Inside_access_out extended permit icmp any any echo
access-list Inside_access_out extended permit icmp any any echo-reply
access-list Inside_access_out extended permit icmp any any traceroute
access-list Inside_access_out extended permit icmp any any time-exceeded
access-list Inside_access_out extended permit icmp any any unreachable
access-list Inside_access_out extended permit ip any vlan165 255.255.255.0
access-list Inside_access_out extended permit ip vlan165 255.255.255.0 any
access-list Inside_access_out extended permit ip any 10.165.180.0 255.255.255.0 inactive
access-list InsidePublic_access_in extended permit icmp any any echo
access-list InsidePublic_access_in extended permit icmp any any echo-reply
access-list InsidePublic_access_in extended permit icmp any any traceroute
access-list InsidePublic_access_in extended permit icmp any any time-exceeded
access-list InsidePublic_access_in extended permit icmp any any unreachable
access-list vpn extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0
access-list vpn extended permit ip vlan165 255.255.255.0 host xxx.xxx.xxx.xxx
access-list vpn extended permit ip vlan165 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
access-list vpn extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpn extended permit ip vlan165 255.255.255.0 vlan162 255.255.255.0
access-list vpn extended permit ip any 10.165.180.0 255.255.255.0 inactive
access-list SpfldToFla_ACL extended permit icmp any any echo
access-list SpfldToFla_ACL extended permit icmp any any echo-reply
access-list SpfldToFla_ACL extended permit icmp any any traceroute
access-list SpfldToFla_ACL extended permit icmp any any time-exceeded
access-list SpfldToFla_ACL extended permit icmp any any unreachable
access-list SpfldToFla_ACL remark Remote Administration
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 eq 3389
access-list SpfldToFla_ACL remark Remote Administration
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 eq 5900
access-list SpfldToFla_ACL remark File Shares fo DSP to Livescan
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 host 10.165.165.35 eq 445
access-list SpfldToFla_ACL remark Radius Authentication (Host)
access-list SpfldToFla_ACL extended permit tcp host 172.16.32.1 host 10.165.165.254 eq 1645
access-list SpfldToFla_ACL remark HTTP Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan161 255.255.255.0 eq www
access-list SpfldToFla_ACL remark HTTP Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan162 255.255.255.0 eq www
access-list SpfldToFla_ACL remark HTTP Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan164 255.255.255.0 eq www
access-list SpfldToFla_ACL remark HTTP Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 eq www
access-list SpfldToFla_ACL remark HTTPS Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan161 255.255.255.0 eq https
access-list SpfldToFla_ACL remark HTTPS Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan162 255.255.255.0 eq https
access-list SpfldToFla_ACL remark HTTPS Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan164 255.255.255.0 eq https
access-list SpfldToFla_ACL remark HTTPS Access
access-list SpfldToFla_ACL extended permit tcp 172.16.32.0 255.255.240.0 vlan165 255.255.255.0 eq https
access-list SpfldToFla_ACL extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_access_in_1 extended permit ip 10.165.181.0 255.255.255.0 any
access-list OutsideInet_access_in_1 extended permit udp host xxx.xxx.xxx.xxx 10.165.180.0 255.255.255.0 eq ntp
access-list OutsideInet_access_in_1 extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0
access-list Inside_access_in extended permit ip vlan165 255.255.255.0 any
access-list Inside_access_in extended permit ip 10.165.181.0 255.255.255.0 any
access-list Inside_access_in extended permit ip 10.165.180.0 255.255.255.0 any inactive
access-list global_mpc_2 extended permit ip host 172.16.32.50 host 10.165.165.75
access-list global_mpc_1 extended permit ip host 172.16.32.50 host 10.165.165.107
access-list global_mpc_3 extended permit ip host 10.165.165.75 host 172.16.32.50
access-list global_mpc extended permit ip host 10.165.165.107 host 172.16.32.50
access-list ibttxspartner_splitTunnelAcl standard permit vlan165 255.255.255.0
access-list ibttxspartner_splitTunnelAcl standard deny any
access-list ibttxspartner_splitTunnelAcl remark Permits access to the network server, restrictions applied by ACL Texas_Users
access-list Inside_nat0_outbound extended permit ip vlan165 255.255.255.0 vlan165 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip vlan165 255.255.255.0 vlan165 255.255.255.0
access-list Internal_nat0_outbound extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0
access-list OutsideInet_nat0_outbound extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0
access-list OutsideInet_nat0_outbound extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0
access-list test extended permit ip 10.165.180.0 255.255.255.0 vlan165 255.255.255.0
access-list test remark allows .180 to see Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 10.165.180.0 255.255.255.0
access-list test remark allows .181 to see Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 10.165.181.0 255.255.255.0
access-list test remark allows .181 to see Vlan 162
access-list test extended permit ip vlan162 255.255.255.0 10.165.181.0 255.255.255.0
access-list test remark allows .181 to see Vlan 161
access-list test extended permit ip vlan161 255.255.255.0 10.165.181.0 255.255.255.0
access-list test remark Local network Access to Florida
access-list test extended permit ip 172.16.32.0 255.255.240.0 vlan165 255.255.255.0
access-list test remark Allows florida access to .180
access-list test extended permit ip 172.16.32.0 255.255.240.0 10.165.180.0 255.255.255.0
access-list test remark Allows florida access to .181
access-list test extended permit ip 172.16.32.0 255.255.240.0 10.165.181.0 255.255.255.0
access-list test remark Copied from Concentrator
access-list test extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0
access-list test remark Copied from Concentrator
access-list test extended permit ip xxx.xxx.xxx.xxx 255.255.255.0 172.16.32.0 255.255.240.0
access-list test remark allows access to Richmond Virgina
access-list test extended permit ip 192.168.130.0 255.255.255.0 vlan165 255.255.255.0
access-list test remark allows .181 to access remote .181
access-list test extended permit ip 10.165.181.0 255.255.255.0 10.165.181.0 255.255.255.0
access-list test extended permit ip vlan165 255.255.255.0 10.2.20.0 255.255.255.0
access-list test extended permit ip host xxx.xxx.xxx.xxx vlan165 255.255.255.0
access-list test remark Allows florida access to Richmond Virginia
access-list test extended permit ip 192.168.130.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list test extended permit ip host xxx.xxx.xxx.xxx 172.16.32.0 255.255.240.0
access-list test remark allows access to Virginia, Richmond
access-list test extended permit ip vlan165 255.255.255.0 192.168.130.0 255.255.255.0
access-list test remark allows florida access to .181
access-list test extended permit ip 10.165.181.0 255.255.255.0 172.16.32.0 255.255.240.0
access-list test remark allows florida access to Vlan 165
access-list test extended permit ip vlan165 255.255.255.0 172.16.32.0 255.255.240.0
access-list test remark Pearson VPN Access
access-list test extended permit ip vlan165 255.255.255.0 A-xxx.xxx.xxx.xxx 255.255.0.0
access-list test extended permit ip host A-xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list OutsideInet_2_cryptomap extended permit ip vlan165 255.255.255.0 A-xxx.xxx.xxx.xxx 255.255.0.0
access-list OutsideInet_3_cryptomap extended permit ip host A-xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0
access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 vlan165 255.255.255.0 eq 5900
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 range 2000 2999
access-list Texas_Users extended permit icmp any any echo
access-list Texas_Users extended permit icmp any any echo-reply
access-list Texas_Users extended permit icmp any any traceroute
access-list Texas_Users extended permit icmp any any time-exceeded
access-list Texas_Users extended permit icmp any any unreachable
access-list Texas_Users remark HTTP
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq www
access-list Texas_Users remark HTTPS
access-list Texas_Users extended permit tcp vlan165 255.255.255.0 10.165.180.0 255.255.255.0 eq https
access-list Texas_Users remark SNF .47 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_2 10.165.180.0 255.255.255.0 host 10.165.165.47
access-list Texas_Users remark Snf .48 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_3 10.165.180.0 255.255.255.0 host 10.165.165.48
access-list Texas_Users remark SNF .49 Access
access-list Texas_Users extended permit object-group DM_INLINE_SERVICE_4 10.165.180.0 255.255.255.0 host 10.165.165.49
access-list Texas_Users extended deny ip any any
pager lines 25
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging device-id hostname
mtu RemoteVPN 1500
mtu OutsideInet 1500
mtu Inside 1500
mtu management 1500
ip local pool tx 10.2.20.2-10.2.20.255 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo OutsideInet
icmp permit any echo-reply OutsideInet
icmp permit any time-exceeded OutsideInet
icmp permit any unreachable OutsideInet
icmp permit any echo Inside
icmp permit any echo-reply Inside
icmp permit any time-exceeded Inside
icmp permit any unreachable Inside
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (OutsideInet) 1 xxx.xxx.xxx.xxx netmask 255.255.255.248
global (OutsideInet) 2 xxx.xxx.xxx.xxx netmask 255.0.0.0
global (OutsideInet) 1 interface
global (OutsideInet) 3 A-xxx.xxx.xxx.xxx netmask 255.255.255.0
global (Inside) 2 10.165.165.238 netmask 255.0.0.0
nat (OutsideInet) 0 access-list OutsideInet_nat0_outbound
nat (Inside) 0 access-list test
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,OutsideInet) A-xxx.xxx.xxx.xxx 10.165.165.56 netmask 255.255.255.255
static (Inside,OutsideInet) xxx.xxx.xxx.xxx 10.165.165.98 netmask 255.255.255.255
access-group InsidePublic_access_in in interface RemoteVPN
access-group OutsideInet_access_in_1 in interface OutsideInet control-plane
access-group OutsideInet_access_in in interface OutsideInet
access-group Inside_access_in in interface Inside control-plane
route OutsideInet 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route Inside vlan162 255.255.255.0 10.165.181.1 1
route Inside vlan165 255.255.255.0 10.165.181.1 1
route OutsideInet 172.16.32.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server SpfldRadius protocol radius
aaa-server SpfldRadius (Inside) host 10.165.165.254
 key cccccccccccc
 radius-common-pw ccccccccccc
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http vlan165 255.255.255.0 Inside
http 10.165.181.0 255.255.255.0 Inside
http 10.165.181.0 255.255.255.0 OutsideInet
snmp-server host Inside 10.165.165.137 community meth0d version 2c
snmp-server host Inside 10.165.165.180 community meth0d version 2c
snmp-server location Spfld
no snmp-server contact
snmp-server community mmmmmmmm
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection tcpmss 1250
sysopt connection reclassify-vpn
auth-prompt prompt This system is intended for the use of authorized users only. All activities of individuals using this computing system with or without authority or in excess of their authority may
auth-prompt accept This system is intended for the use of authorized users only. All activities of individuals using this computing system with or without authority or in excess of their authority may
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Internal_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internal_map interface Inside
crypto map Public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideInet_map 1 match address OutsideInet_1_cryptomap
crypto map OutsideInet_map 1 set peer xxx.xxx.xxx.xxx
crypto map OutsideInet_map 1 set transform-set ESP-3DES-MD5
crypto map OutsideInet_map 1 set security-association lifetime seconds 86400
crypto map OutsideInet_map 1 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 1 set reverse-route
crypto map OutsideInet_map 2 match address OutsideInet_2_cryptomap
crypto map OutsideInet_map 2 set peer xxx.xxx.xxx.xxx
crypto map OutsideInet_map 2 set transform-set ESP-3DES-SHA
crypto map OutsideInet_map 2 set security-association lifetime seconds 28800
crypto map OutsideInet_map 2 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 3 match address OutsideInet_3_cryptomap
crypto map OutsideInet_map 3 set peer xxx.xxx.xxx.xxx
crypto map OutsideInet_map 3 set transform-set ESP-3DES-SHA
crypto map OutsideInet_map 3 set security-association lifetime seconds 28800
crypto map OutsideInet_map 3 set security-association lifetime kilobytes 4608000
crypto map OutsideInet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideInet_map interface OutsideInet
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 email Savart@l1id.com
 subject-name CN=SpfldASA
 serial-number
 ip-address 10.165.165.240
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment self
 subject-name CN=l1id.local
 crl configure
crypto isakmp identity address
crypto isakmp enable OutsideInet
crypto isakmp enable Inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet vlan165 255.255.255.0 Inside
telnet 10.165.165.254 255.255.255.255 Inside
telnet timeout 60
ssh 10.165.181.0 255.255.255.0 OutsideInet
ssh vlan165 255.255.255.0 Inside
ssh 10.165.181.0 255.255.255.0 Inside
ssh timeout 60
console timeout 0
management-access Inside
dhcprelay timeout 60
priority-queue OutsideInet
priority-queue Inside
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authentication-key 1 md5 *
ntp trusted-key 1
ntp server 10.165.165.180 key 1 source Inside prefer
ssl trust-point ASDM_TrustPoint2 OutsideInet
webvpn
 enable OutsideInet
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 msie-proxy local-bypass enable
group-policy SpfldToFla internal
group-policy SpfldToFla attributes
 vpn-filter value SpfldToFla_ACL
group-policy ibttxspartner internal
group-policy ibttxspartner attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.180.0
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value Texas_Users
 vpn-tunnel-protocol IPSec svc
 group-lock value ibttxspartner
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ibttxspartner_splitTunnelAcl
 msie-proxy server value 127.0.0.1:80
 msie-proxy method use-server
 msie-proxy except-list value ibtfingerprint.com;identix.com;l1enrollment.com;l1id.com;www.microsoft.com;windowsupdate.microsoft.com;download.windowsupdate.com;update.microsoft.com;sditx.com;www.symantec.com;symantecliveupdate.com;security.symantec.com;searchg.symantec.com
group-policy L1ManSpfld internal
group-policy L1ManSpfld attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.20
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc
 ip-comp disable
 group-lock value L1ManSpfld
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ManSpfld_splitTunnelAcl
 default-domain value l1id.local
 msie-proxy server value 127.0.0.1:80
 msie-proxy method use-server
 msie-proxy except-list value www.l1id.com;mail.l1id.com;www.google.com;extranet.ibtfingerprint.com;techinline.net
 msie-proxy local-bypass enable
group-policy L1ManSpfldInet internal
group-policy L1ManSpfldInet attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.20
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc
 group-lock value L1ManSpfldInet
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ManSpfldInet_splitTunnelAcl
 default-domain value l1id.local
group-policy L1ITSpfld internal
group-policy L1ITSpfld attributes
 wins-server value 10.165.165.254
 dns-server value 10.165.165.250
 dhcp-network-scope 10.165.181.3
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 ip-comp disable
 group-lock value L1ITSpfld
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L1ITSpfld_splitTunnelAcl
 default-domain value l1id.local
 webvpn
  url-list none
username savart password sibqx.ksKK encrypted privilege 15
username savart attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
username admin password G0HaQRS2gc7 encrypted privilege 15
username admin attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
username jburford password aNgJaaTsGz encrypted privilege 15
username HelpDesk password DRlz4m1j encrypted privilege 5
username HelpDesk attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group L1ITSpfld type remote-access
tunnel-group L1ITSpfld general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ITSpfld
 dhcp-server 10.165.165.254
tunnel-group L1ITSpfld webvpn-attributes
 group-alias L1ITSpfld enable
tunnel-group L1ITSpfld ipsec-attributes
 pre-shared-key *
tunnel-group L1ITSpfld ppp-attributes
 authentication ms-chap-v2
tunnel-group L1ManSpfld type remote-access
tunnel-group L1ManSpfld general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ManSpfld
 dhcp-server 10.165.165.254
tunnel-group L1ManSpfld webvpn-attributes
 group-alias L1ManSpfld enable
tunnel-group L1ManSpfld ipsec-attributes
 pre-shared-key *
tunnel-group L1ManSpfldInet type remote-access
tunnel-group L1ManSpfldInet general-attributes
 authentication-server-group SpfldRadius
 default-group-policy L1ManSpfldInet
 dhcp-server 10.165.165.254
tunnel-group L1ManSpfldInet webvpn-attributes
 group-alias L1ManSpfldInet enable
tunnel-group L1ManSpfldInet ipsec-attributes
 pre-shared-key *
tunnel-group ibttxspartner type remote-access
tunnel-group ibttxspartner general-attributes
 authentication-server-group SpfldRadius
 default-group-policy ibttxspartner
 dhcp-server 10.165.165.254
tunnel-group ibttxspartner ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map global-class1
 match access-list global_mpc_1
class-map global-class2
 match access-list global_mpc_2
class-map global-class3
 match access-list global_mpc_3
class-map Inside-class
 match access-list Inside_mpc
!
!
policy-map type inspect http Vlan165_BadSites
 parameters
  protocol-violation action drop-connection
 match request uri regex Myspace
  reset log
policy-map Vlan165
 class Inside-class
  inspect http Vlan165_BadSites
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect tftp
  inspect pptp
  inspect icmp
 class global-class
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
 class global-class1
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
 class global-class2
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
 class global-class3
  priority
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 tcp 0:00:00
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
service-policy Vlan165 interface Inside


Remove the access list that contains the port range 2000 2999.

Author

Commented:
I removed the ACL and tried to connect via VNC; I received the same error.
I think the problem is that the connection is being initiated from your end of the tunnel, and the ACL is applied as a VPN filter that is subject to authentication. Normally that error message is indicative of an "unauthorized" user trying to use a connection they have not authenticated to. However, the confusing issue is that it will work if there are no port restrictions, which really shouldn't make a difference with regards to "Authorization". I wonder if it is feasible for you to have the connection initiated on their end. Example: user has a problem, user calls the help desk, help desk walks the user through a remote connection to the help desk VNC listening viewer or server. Even as a test, just to see if it would work with port restrictions, it may be telling. Otherwise I think you might have to initiate a VPN connection to their network or set up a site-to-site VPN connection... since a VPN connection will only encrypt "interesting" traffic, you could even set it up for only VNC connections from your site to theirs. Otherwise I am stumped as to why it works without port restrictions but will not work with them.

Author

Commented:
I am not able to initiate a VNC session from our client machines; the machines only have the server portion of the software installed. I have also opened a trouble ticket with Cisco... they are also stumped.
Weird, but still, have you tried rebooting the firewall once?

Cheers,
rsivanandan

Author

Commented:
Yes, I have rebooted it a few times.
Here, take a look at this link. It will kind of explain a little further what I meant by them initiating the connection. Make sure to take note that the connection uses a different port... 5500, I believe. You will need to allow that port in the ACL instead of 5900. Lots of people use this just as the forum describes, to access a computer behind a firewall they do not control. In this case it is to access a computer behind a firewall that isn't behaving. Anyway, just an idea.

http://faq.gotomyvnc.com/fom-serve/cache/88.html
I got the answer from Cisco; it has to do with where the eq 5900 is placed. Below is the correct syntax for what I need to do.
access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 eq 5900 10.165.165.0 255.255.255.0

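As an added illustration (not code from this thread or from Cisco), the following Python models why the placement of eq 5900 matters: a vpn-filter ACE is evaluated with the VPN peer as the source, so a connection that an inside host opens toward a VPN client is matched with its addresses and ports swapped. The client pool, the denied flow and the two ACE strings are constructed from the values in this thread; substituting plain tcp for the object-group TCPUDP in the original ACE is an assumption.

```python
"""Check an ASA vpn-filter ACE against the flow from this thread's 109025 log message."""
import ipaddress

# Constructed sample inputs from the thread: VPN client pool 10.165.180.0/24, inside
# network (vlan165) 10.165.165.0/24, denied flow 10.165.165.238/4663 -> 10.165.180.20/5900.
CLIENT_POOL = ipaddress.ip_network("10.165.180.0/24")
DENIED_FLOW = ("10.165.165.238", 4663, "10.165.180.20", 5900, "tcp")
# The original ACE used object-group TCPUDP; plain "tcp" is substituted here (assumption).
ORIGINAL_ACE = ("access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 "
                "10.165.165.0 255.255.255.0 eq 5900")
CORRECTED_ACE = ("access-list Texas_Users extended permit tcp 10.165.180.0 255.255.255.0 "
                 "eq 5900 10.165.165.0 255.255.255.0")

def _take_net(t, i):
    """Consume one address spec (any | host A | A MASK) at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def _take_port(t, i):
    """Consume an optional 'eq PORT' operator at t[i]; None means any port."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    src, i = _take_net(t, 5)
    sport, i = _take_port(t, i)
    dst, i = _take_net(t, i)
    dport, _ = _take_port(t, i)
    return {"action": t[3], "proto": t[4], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def vpn_filter_permits(ace_line, flow, client_pool=CLIENT_POOL):
    """vpn-filter ACEs are written with the VPN peer as source, so a flow the inside
    side initiates is matched with its addresses and ports swapped before comparing."""
    ace = parse_ace(ace_line)
    src, sport, dst, dport, proto = flow
    if ipaddress.ip_address(src) not in client_pool:  # inside -> VPN client: swap ends
        src, sport, dst, dport = dst, dport, src, sport
    hit = (proto == ace["proto"] and ipaddress.ip_address(src) in ace["src"]
           and ipaddress.ip_address(dst) in ace["dst"]
           and ace["sport"] in (None, sport) and ace["dport"] in (None, dport))
    return hit and ace["action"] == "permit"
```

With the denied flow from the log, the original ACE (port on the inside side) fails because the inside viewer uses an ephemeral port, while the corrected ACE (port on the VPN client side) matches.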

Author

Commented:
Thanks to all who offered support
