Solved

VPN network 172.16.0.129/25 has limited access to internal networks like 172.16.0.1/25; site-to-site works fine

Posted on 2010-01-08
Last Modified: 2012-05-08
hostname ktg-fw-001
domain-name westswede.int
enable password xxxxxx encrypted
passwd xxxxxx encrypted
names
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.128
!
interface Vlan72
 nameif westswede
 security-level 100
 ip address 172.16.1.1 255.255.255.128
!
interface Ethernet0/0
 description Telia
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 72
!
interface Ethernet0/3
 switchport access vlan 72
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 description Kiss DVD
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport trunk allowed vlan 1,3,72-73
 switchport trunk native vlan 1
 switchport mode trunk
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup westswede
dns server-group DefaultDNS
 name-server 172.16.0.10
 name-server 172.16.9.11
 domain-name westswede.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 172.16.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 172.16.9.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 172.16.0.128 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 172.16.1.0 255.255.255.128
access-list inside_nat0_outbound extended permit tcp any interface outside eq www
access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.0.0 255.255.254.0 172.16.3.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 172.16.0.0 255.255.254.0 172.16.9.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 172.16.0.128 255.255.255.128 172.16.1.0 255.255.255.128
access-list outside_nat0_outbound extended permit ip 172.16.0.128 255.255.255.128 172.16.0.0 255.255.255.128
access-list outside_nat0_outbound extended permit ip 172.16.0.128 255.255.255.128 172.16.9.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 172.16.0.128 255.255.255.128 172.16.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 172.16.0.128 255.255.255.128 172.16.3.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 172.16.0.128 255.255.255.128 172.16.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 172.16.0.128 255.255.255.128 172.16.11.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 172.16.0.128 255.255.255.128 172.16.8.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 172.16.0.128 255.255.255.128 172.16.13.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 172.16.0.0 255.255.254.0 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit tcp any host "outside ip" eq www
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.9.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.1.0 255.255.255.128
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.3.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.0.128 255.255.255.128
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.6.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.11.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.8.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.13.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.0.0 255.255.255.128
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.9.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.2.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.3.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.0.128 255.255.255.128
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.6.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.11.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip 172.16.0.0 255.255.254.0 172.16.11.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.255.0 172.16.8.0 255.255.255.0
access-list outside_cryptomap_4 extended permit ip 172.16.0.0 255.255.254.0 172.16.6.0 255.255.255.0
access-list Westswede-vpn extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu westswede 1500
ip local pool VPN-Pool 172.16.0.129-172.16.0.254 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 1 172.16.0.128 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
nat (westswede) 0 access-list westswede_nat0_outbound_1
nat (westswede) 1 172.16.1.0 255.255.255.128
static (inside,outside) tcp interface www 172.16.0.10 www netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.0.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set trans-set esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map ktgwestswede.gotdns.com 1 match address outside_cryptomap
crypto dynamic-map ktgwestswede.gotdns.com 1 set pfs
crypto dynamic-map ktgwestswede.gotdns.com 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map ktgwestswede.gotdns.com 1 set security-association lifetime seconds 28800
crypto dynamic-map ktgwestswede.gotdns.com 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 83.227.197.178
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 81.232.115.212
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 90.229.200.213
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_cryptomap_1
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 82.183.161.68
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 90.227.186.243
crypto map outside_map 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside_map 5 set security-association lifetime kilobytes 4608000
crypto map outside_map 5 set phase1-mode aggressive
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 213.112.156.248
crypto map outside_map 7 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set security-association lifetime seconds 28800
crypto map outside_map 7 set security-association lifetime kilobytes 4608000
crypto map outside_map 7 set phase1-mode aggressive
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outeside-tele2_map 65535 set security-association lifetime seconds 28800
crypto map outeside-tele2_map 65535 set security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
vpn-addr-assign local reuse-delay 360
telnet 172.16.0.0 255.255.255.0 inside
telnet 172.16.0.0 255.255.0.0 inside
telnet 172.16.1.0 255.255.255.0 westswede
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 172.16.0.50-172.16.0.71 inside
dhcpd dns 172.16.0.10 172.16.9.11 interface inside
dhcpd wins 172.16.9.11 172.16.1.11 interface inside
dhcpd domain westswede.net interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
!
dhcprelay server 172.16.0.10 inside
dhcprelay enable westswede
dhcprelay setroute westswede
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
group-policy WESTSWEDE internal
group-policy WESTSWEDE attributes
 banner value Welcome to WestSwede corporate environment
 wins-server value 172.16.0.10
 dns-server value 172.16.0.10 172.16.9.11
 vpn-filter value Westswede-vpn
 vpn-tunnel-protocol IPSec
 ip-comp enable
 default-domain value westswede.net
 address-pools value VPN-Pool
group-policy Jivarp internal
group-policy Jivarp attributes
 banner value Welcome to Jivarp home environment.
 wins-server value 172.16.8.10
 dns-server value 172.16.8.10
 vpn-filter value Westswede-vpn
 vpn-tunnel-protocol IPSec
 default-domain value jivarp.se.local
 address-pools value VPN-Pool
username TestUser password xxxxx encrypted
username TestUser attributes
 vpn-group-policy WESTSWEDE
 group-lock value WESTSWEDE
username banjo password xxxxxxxx encrypted
username banjo attributes
 vpn-group-policy WESTSWEDE
 group-lock value WESTSWEDE
tunnel-group 81.232.115.212 type ipsec-l2l
tunnel-group 81.232.115.212 ipsec-attributes
 pre-shared-key *
tunnel-group 90.227.186.243 type ipsec-l2l
tunnel-group 90.227.186.243 ipsec-attributes
 pre-shared-key *
tunnel-group 90.229.200.213 type ipsec-l2l
tunnel-group 90.229.200.213 ipsec-attributes
 pre-shared-key *
tunnel-group WESTSWEDE type remote-access
tunnel-group WESTSWEDE general-attributes
 address-pool VPN-Pool
 default-group-policy WESTSWEDE
tunnel-group WESTSWEDE ipsec-attributes
 pre-shared-key *
tunnel-group 82.183.161.68 type ipsec-l2l
tunnel-group 82.183.161.68 ipsec-attributes
 pre-shared-key *
tunnel-group ktgwestswede.gotdns.com type ipsec-l2l
tunnel-group ktgwestswede.gotdns.com ipsec-attributes
 pre-shared-key *
tunnel-group 83.227.197.178 type ipsec-l2l
tunnel-group 83.227.197.178 ipsec-attributes
 pre-shared-key *
tunnel-group 213.112.156.248 type ipsec-l2l
tunnel-group 213.112.156.248 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b9d4770e6116b020958c48ff2efd141b
: end
asdm image disk0:/asdm-623.bin
no asdm history enable
Question by: Veprox

Expert Comment by: Istvan Kalmar
ID: 26208033
These lines are not needed:

nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 1 172.16.0.128 255.255.255.128

Expert Comment by: MinoDC
ID: 26208148
It could be useful to configure NAT traversal for your VPN as follows:

hostname(config)# isakmp enable

hostname(config)# isakmp nat-traversal 30


Try it!

Author Comment by: Veprox
ID: 26209551
Thanks, it works now except for accessing the internet through the VPN connection.

Expert Comment by: memo_tnt
ID: 26209808
Add this to your ACL:

access-list inside_nat0_outbound_1 extended permit ip any 172.16.0.0 255.255.255.128

Accepted Solution by: Veprox
ID: 26278356
When I removed NAT for outside (VPN users) I could access all the internal networks, but I was unable to access the internet through the VPN endpoint.
I tried to put back NAT for outside and it all worked again.

Here is the working config:
: Saved
:
ASA Version 8.2(1)
!
hostname xxx-fw-001
domain-name westswede.net
enable password xxxx encrypted
passwd xxxx encrypted
names
name 172.16.0.128 Westswede-vpn
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.128
!
interface Vlan72
 nameif westswede
 security-level 100
 ip address 172.16.1.1 255.255.255.128
!
interface Ethernet0/0
 description Telia
 switchport access vlan 2
!
interface Ethernet0/1
 description Tele2
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 72
!
interface Ethernet0/3
 switchport access vlan 72
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 description Kiss DVD
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport trunk allowed vlan 1,3,72-73
 switchport trunk native vlan 1
 switchport mode trunk
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup westswede
dns server-group DefaultDNS
 name-server 172.16.0.10
 name-server 172.16.9.11
 domain-name westswede.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 172.16.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 172.16.9.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 Westswede-vpn 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.128 172.16.1.0 255.255.255.128
access-list inside_nat0_outbound extended permit tcp any interface outside eq www
access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.0.0 255.255.254.0 172.16.3.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 172.16.0.0 255.255.254.0 172.16.9.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip Westswede-vpn 255.255.255.128 172.16.1.0 255.255.255.128
access-list outside_nat0_outbound extended permit ip Westswede-vpn 255.255.255.128 172.16.0.0 255.255.255.128
access-list outside_nat0_outbound extended permit ip Westswede-vpn 255.255.255.128 172.16.9.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip Westswede-vpn 255.255.255.128 172.16.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip Westswede-vpn 255.255.255.128 172.16.3.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip Westswede-vpn 255.255.255.128 172.16.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip Westswede-vpn 255.255.255.128 172.16.11.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip Westswede-vpn 255.255.255.128 172.16.8.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip Westswede-vpn 255.255.255.128 172.16.13.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 172.16.0.0 255.255.254.0 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 90.230.xxx.xxx eq www
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.9.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.1.0 255.255.255.128
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.3.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 Westswede-vpn 255.255.255.128
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.6.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.11.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.8.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.0.0 255.255.255.128 172.16.13.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.0.0 255.255.255.128
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.9.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.2.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.3.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 Westswede-vpn 255.255.255.128
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.6.0 255.255.255.0
access-list westswede_nat0_outbound_1 extended permit ip 172.16.1.0 255.255.255.128 172.16.11.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip 172.16.0.0 255.255.254.0 172.16.11.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.255.0 172.16.8.0 255.255.255.0
access-list outside_cryptomap_4 extended permit ip 172.16.0.0 255.255.254.0 172.16.6.0 255.255.255.0
access-list Westswede-vpn extended permit ip any any
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.0.0 255.255.255.128
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.1.0 255.255.255.128
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.2.0 255.255.255.0
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.3.0 255.255.255.0
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.6.0 255.255.255.0
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.8.0 255.255.255.0
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.9.0 255.255.255.0
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.11.0 255.255.255.0
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.13.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu westswede 1500
ip local pool VPN-Pool 172.16.0.129-172.16.0.254 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound_1
nat (outside) 1 Westswede-vpn 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
nat (westswede) 0 access-list westswede_nat0_outbound_1
nat (westswede) 1 172.16.1.0 255.255.255.128
static (inside,outside) tcp interface www 172.16.0.10 www netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.0.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set trans-set esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map xxxwestswede.xxx.com 1 match address outside_cryptomap
crypto dynamic-map xxxwestswede.xxx.com 1 set pfs
crypto dynamic-map xxxwestswede.xxx.com 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map xxxwestswede.xxx.com 1 set security-association lifetime seconds 28800
crypto dynamic-map xxxwestswede.xxx.com 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 83.227.xxx.178
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 81.232.xxx.212
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 90.229.xxx.213
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_cryptomap_1
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 82.183.xxx.68
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 90.227.xxx.243
crypto map outside_map 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside_map 5 set security-association lifetime kilobytes 4608000
crypto map outside_map 5 set phase1-mode aggressive
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 213.112.xxx.248
crypto map outside_map 7 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set security-association lifetime seconds 28800
crypto map outside_map 7 set security-association lifetime kilobytes 4608000
crypto map outside_map 7 set phase1-mode aggressive
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outeside-tele2_map 65535 set security-association lifetime seconds 28800
crypto map outeside-tele2_map 65535 set security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal 30
vpn-addr-assign local reuse-delay 360
telnet 172.16.0.0 255.255.255.0 inside
telnet 172.16.0.0 255.255.0.0 inside
telnet 172.16.1.0 255.255.255.0 westswede
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 172.16.0.50-172.16.0.71 inside
dhcpd dns 172.16.0.10 172.16.9.11 interface inside
dhcpd wins 172.16.9.11 172.16.1.11 interface inside
dhcpd domain westswede.net interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
!
dhcprelay server 172.16.0.10 inside
dhcprelay enable westswede
dhcprelay setroute westswede
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc
group-policy WESTSWEDE internal
group-policy WESTSWEDE attributes
 banner value Welcome to WestSwede corporate environment
 wins-server value 172.16.0.10
 dns-server value 172.16.0.10 172.16.9.11
 vpn-filter value Westswede-vpn
 vpn-tunnel-protocol IPSec
 ip-comp enable
 default-domain value westswede.net
 address-pools value VPN-Pool
group-policy Jivarp internal
group-policy Jivarp attributes
 banner value Welcome to Jivarp home environment.
 wins-server value 172.16.8.10
 dns-server value 172.16.8.10
 vpn-filter value Westswede-vpn
 vpn-tunnel-protocol IPSec
 default-domain value jivarp.se.local
 address-pools value VPN-Pool
username TestUser password xxx encrypted
username TestUser attributes
 vpn-group-policy WESTSWEDE
 group-lock value WESTSWEDE
username test1 password xxx encrypted
username test1 attributes
 vpn-group-policy Jivarp
 group-lock value WESTSWEDE

tunnel-group 81.232.xxx.212 type ipsec-l2l
tunnel-group 81.232.xxx.212 ipsec-attributes
 pre-shared-key *
tunnel-group 90.227.xxx.243 type ipsec-l2l
tunnel-group 90.227.xxx.243 ipsec-attributes
 pre-shared-key *
tunnel-group 90.229.xxx.213 type ipsec-l2l
tunnel-group 90.229.xxx.213 ipsec-attributes
 pre-shared-key *
tunnel-group WESTSWEDE type remote-access
tunnel-group WESTSWEDE general-attributes
 address-pool VPN-Pool
 default-group-policy WESTSWEDE
tunnel-group WESTSWEDE ipsec-attributes
 pre-shared-key *
tunnel-group 82.183.xxx.68 type ipsec-l2l
tunnel-group 82.183.xxx.68 ipsec-attributes
 pre-shared-key *
tunnel-group xxxwestswede.xxx.com type ipsec-l2l
tunnel-group xxxwestswede.xxx.com ipsec-attributes
 pre-shared-key *
tunnel-group 83.227.xxx.178 type ipsec-l2l
tunnel-group 83.227.xxx.178 ipsec-attributes
 pre-shared-key *
tunnel-group 213.112.xxx.248 type ipsec-l2l
tunnel-group 213.112.xxx.248 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cb5b62377484027ad32682f2638ea700
: end
asdm image disk0:/asdm-623.bin
no asdm history enable

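The accepted solution's finding, that VPN clients reach the inside networks only through the nat 0 exemption list and reach the internet only while `nat (outside) 1` together with `global (outside) 1 interface` hairpins them back out, can be checked mechanically rather than by trial and error. The script below is an added example, not the poster's configuration or any Cisco tool. It parses the pre-8.3 `name`, `access-list`, `nat` and `global` lines of SAMPLE_CONFIG, a constructed excerpt of the working config with the 172.16.13.0/24 exemption deliberately left out, and classifies what the NAT engine does with a flow from an assumed VPN-pool address (172.16.0.130) to an inside host, to an internet address (198.51.100.7, a documentation address), and to a subnet missing from the exemption list; it then repeats the internet check with the `nat (outside) 1` line removed, as the first comment proposed, and lists the phase-1 settings a reviewer would flag in this config (the DES/MD5 ISAKMP policy and `phase1-mode aggressive`). Static NAT and the finer points of pre-8.3 NAT ordering beyond exemption-then-dynamic are not modelled.

```python
"""Pre-8.3 Cisco ASA NAT audit for this thread's VPN-pool question.  Added example, not
the poster's config or a Cisco tool; SAMPLE_CONFIG is a constructed excerpt of the fix."""
import ipaddress
import re

SAMPLE_CONFIG = """\
name 172.16.0.128 Westswede-vpn
same-security-traffic permit intra-interface
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.0.0 255.255.255.128
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.1.0 255.255.255.128
access-list outside_nat0_outbound_1 extended permit ip Westswede-vpn 255.255.255.128 172.16.9.0 255.255.255.0
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound_1
nat (outside) 1 Westswede-vpn 255.255.255.128
crypto isakmp policy 10
 encryption des
 hash md5
crypto map outside_map 5 set phase1-mode aggressive
"""  # the 172.16.13.0/24 exemption is left out on purpose to show the failure mode

def parse_names(cfg):
    """'name A.B.C.D LABEL' objects; ACLs and nat lines may use LABEL for the address."""
    return {m[2]: m[1] for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}

def _net(tokens, i, names):
    """Consume one address spec (any | host A | A MASK) at tokens[i] -> (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1])), i + 2
    return ipaddress.ip_network(f"{names.get(tokens[i], tokens[i])}/{tokens[i + 1]}", strict=False), i + 2

def parse_acls(cfg, names):
    """{acl: [(action, src_net, dst_net)]}; ACEs with non-address specs are skipped."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) extended (permit|deny) \S+ (.*)$", cfg, re.M):
        try:
            src, i = _net(m[3].split(), 0, names)
            dst, _ = _net(m[3].split(), i, names)
        except (ValueError, IndexError):  # e.g. '... any interface outside eq www'
            continue
        acls.setdefault(m[1], []).append((m[2], src, dst))
    return acls

def parse_nat(cfg, names):
    """nat (IF) ID access-list ACL | nat (IF) ID ADDR MASK -> list of rule dicts."""
    rules = []
    for m in re.finditer(r"^nat \((\S+)\) (\d+) (\S+) (\S+)", cfg, re.M):
        rule = {"iface": m[1], "id": int(m[2])}
        if m[3] == "access-list":
            rule["acl"] = m[4]
        else:
            rule["net"] = _net([m[3], m[4]], 0, names)[0]
        rules.append(rule)
    return rules

def parse_globals(cfg):
    """global (IF) ID TARGET -> {(IF, ID): TARGET}"""
    return {(m[1], int(m[2])): m[3] for m in re.finditer(r"^global \((\S+)\) (\d+) (\S+)", cfg, re.M)}

def classify_flow(cfg, src, dst, ingress, egress):
    """Pre-8.3 NAT decision for one flow: exemption first, then dynamic nat, which
    needs a global with the same id on the egress interface (static NAT not modelled)."""
    names = parse_names(cfg)
    acls, nats, globs = parse_acls(cfg, names), parse_nat(cfg, names), parse_globals(cfg)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress == egress and "same-security-traffic permit intra-interface" not in cfg:
        return f"dropped: hairpin on {ingress} needs same-security-traffic permit intra-interface"
    for r in nats:
        if r["iface"] == ingress and r["id"] == 0 and "acl" in r:
            for action, sn, dn in acls.get(r["acl"], []):
                if action == "permit" and s in sn and d in dn:
                    return f"exempt: nat ({ingress}) 0 {r['acl']} ({sn} -> {dn})"
    for r in nats:
        if r["iface"] == ingress and r["id"] and "net" in r and s in r["net"]:
            target = globs.get((egress, r["id"]))
            if target:
                return f"translated: nat ({ingress}) {r['id']} -> global ({egress}) {r['id']} {target}"
            return f"dropped: nat ({ingress}) {r['id']} matched but no global ({egress}) {r['id']} (syslog 305005)"
    return f"untranslated: no nat rule on {ingress} matches {src} (nat-control is off by default)"

def crypto_findings(cfg):
    """Phase-1 settings a reviewer flags: DES or MD5 in an isakmp policy, aggressive mode."""
    findings, policy = [], None
    for line in cfg.splitlines():
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            policy = m[1]
        elif policy and line.strip() in ("encryption des", "hash md5"):
            findings.append(f"isakmp policy {policy}: {line.strip()}")
        if m := re.match(r"crypto map (\S+) (\d+) set phase1-mode aggressive", line):
            findings.append(f"crypto map {m[1]} {m[2]}: aggressive mode (PSK hash exposed to offline guessing)")
    return findings

if __name__ == "__main__":
    client = "172.16.0.130"  # an address handed out from VPN-Pool (assumed)
    for dst, egress in [("172.16.0.10", "inside"), ("198.51.100.7", "outside"), ("172.16.13.9", "inside")]:
        print(f"{client} -> {dst}: {classify_flow(SAMPLE_CONFIG, client, dst, 'outside', egress)}")
    no_pool_pat = SAMPLE_CONFIG.replace("nat (outside) 1 Westswede-vpn 255.255.255.128\n", "")
    print("first comment's proposal:", classify_flow(no_pool_pat, client, "198.51.100.7", "outside", "outside"))
    print(*crypto_findings(SAMPLE_CONFIG), sep="\n")
```

Run it with python3. The three flow lines come out as exempt (inside host covered by the nat 0 ACL), translated (PAT to the outside interface address, the hairpin that `same-security-traffic permit intra-interface` allows) and dropped (the pool matches `nat (outside) 1` but there is no `global (inside) 1`, the %ASA-3-305005 "no translation group" case), which is what a subnet missing from outside_nat0_outbound_1 looks like in practice. With the `nat (outside) 1` line removed, the internet flow becomes untranslated: the private pool address leaves the outside interface unchanged and nothing routes the reply back, which is the breakage the accepted solution describes. The crypto findings are worth acting on regardless of the NAT question: DES and MD5 are obsolete for IKE, and aggressive mode with a pre-shared key lets anyone who can reach UDP 500 collect a hash derived from the PSK for offline guessing. Two other lines in the posted config deserve a look for the same reason: `access-list outside_access_in extended permit ip any any` applied inbound on outside, and the vpn-filter ACL Westswede-vpn, which is also `permit ip any any`, so the VPN group policies impose no per-user restriction at all.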