Schmittie

asked on

Cisco PIX One-to-One NAT

Looking for help on the commands for adding a one-to-one NAT on our PIX to a local server for RDP access. I know Cisco CLI for routing and switching, but I know very little about a PIX and I have never really gotten into access-lists. We have an available public IP from our pool of public IPs available to us from our ISP.

Would love help with a configuration example to add the NAT and the accompanying access-list to allow the traffic.
For example, our public IP would be x.x.x.37 NATed to a private IP of 192.168.1.58.

No one here at our company configured this; this was done by several different vendors. We just need to get this NAT added for RDP access ASAP.
Config is below. Thanks.


PIX Version 7.2(3)
!
hostname H*****PIX1
domain-name ***********net
enable password ****************
no names
name 192.168.4.0 Bxxxxd
name 192.168.6.0 Mxxxille
name 192.168.1.0 Serxxxet
name 192.168.3.0 Lxxxxxrg
name 133.133.33.0 Cxxxxab
name 192.168.2.0 Coxxxte
name 192.168.2.253 Cxxxxtr2
name 216.248.12.128 IxxxxInt
name 192.168.2.254 Cxxxxtr1
name 216.248.29.221 Txxxxxtr
name 100.0.0.0 StTxxxxxt
name 10.168.1.2 PxxxZ
name 10.0.0.0 IxxxC
name 192.168.4.102 WxxxW
name 192.168.1.20 Txxx9
name 192.168.8.0 Gxxx
name 192.168.9.0 WIxDxxx
name 192.168.10.0 WIxxx
name 192.168.13.0 STTxxx
name 159.140.160.0 STxxx
name 192.168.19.0 Lexxx
name 192.168.15.0 Metrxxx
name 192.168.18.0 Muxxx
name 192.168.17.0 Mxxx
name 192.168.1.50 xxx
name 10.10.10.0 xxxoE
name 192.168.1.135 ZiXVPM2 description xxxxx
name 192.168.1.134 ZixVPM1 description xxxxx
name 192.168.1.150 xxx description xxxxx
dns-guard
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.41 255.255.255.240
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet2
 speed 10
 duplex half
 nameif LAPTOP
 security-level 50
 no ip address
!

boot system flash:/pix723.bin
ftp mode passive
clock timezone xxTxx
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxup.net
object-group network xWAN
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
 network-object 192.168.8.0 255.255.255.240
 network-object 192.168.19.0 255.255.255.0
 network-object 192.168.17.0 255.255.255.0
 network-object 192.168.18.0 255.255.255.0
 network-object 10.10.10.0 255.255.255.0
object-group network Darwin
 network-object 192.168.32.0 255.255.255.0
object-group network Ht-C-IPs
 description 192.168.0.0 to 192.168.31.254
 network-object 192.168.0.0 255.255.224.0
access-list outside_access_in extended permit tcp any host x.x.x.131 eq ssh
access-list outside_access_in extended permit tcp any host x.x.x.31 eq https
access-list outside_access_in extended permit tcp any host x.x.x.31 eq www
access-list outside_access_in extended permit tcp any host x.x.x.40 eq pop3
access-list outside_access_in extended permit tcp any host x.x.x.140 eq imap4
access-list outside_access_in extended permit tcp any host x.x.x.140 eq https
access-list outside_access_in extended permit tcp any host x.x.x.40 eq www
access-list outside_access_in extended permit tcp any host x.x.x.40 eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.39 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.100.44
access-list outside_access_in extended permit icmp any host 192.168.100.44
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any host x.x.x.6
access-list inside_outbound_nat0_acl extended permit ip host 192.168.4.100 172.16.1.8 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip host 192.168.4.102 172.16.1.8 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip host 192.168.2.25 172.16.1.8 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip any 192.168.5.16 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 172.16.1.16 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip host 192.168.1.5 10.1.10.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.5.16 255.255.255.240 192.168.5.16 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.0.0.0 192.168.22.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 172.16.0.0 255.240.0.0 192.168.22.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 100.0.0.0 255.0.0.0 192.168.22.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 159.140.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 180.30.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.0.0.0 192.168.23.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 172.16.0.0 255.240.0.0 192.168.23.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 100.0.0.0 255.0.0.0 192.168.23.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 159.140.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 180.30.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.0.0.0 192.168.24.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 172.16.0.0 255.240.0.0 192.168.24.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.0.0 192.168.24.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 100.0.0.0 255.0.0.0 192.168.24.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 159.140.0.0 255.255.0.0 192.168.24.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip x.x.x0.0 255.255.0.0 192.168.24.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 172.16.0.0 255.240.0.0 192.168.29.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.0.0 192.168.29.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 100.0.0.0 255.0.0.0 192.168.29.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 159.140.0.0 255.255.0.0 192.168.29.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 180.30.0.0 255.255.0.0 192.168.29.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.10.1.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.85.0.0 255.255.0.0 192.168.29.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip object-group Heart-Clinic-IPs object-group Darwin
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.16 255.255.255.240
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 10.168.1.2
access-list inside_access_in extended permit icmp any any
access-list outside_cryptomap_dyn_40 extended permit ip any 172.16.1.16 255.255.255.240
access-list outside_cryptomap_20 extended permit ip host 192.168.1.5 10.1.10.0 255.255.255.0
access-list PhoneVPN_splitTunnelAcl standard permit 192.168.5.16 255.255.255.240
access-list Phone_splitTunnelAcl standard permit any
access-list outside_cryptomap_65535.60 extended permit ip any 192.168.5.96 255.255.255.240
access-list webtraffic extended permit icmp host 7x.x.x.0 host 216.248.12.140
access-list DCI_Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list DCI_Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0
access-list DCI_Split_Tunnel_List standard permit 172.16.1.0 255.255.255.0
access-list outside_cryptomap_dyn_60 extended permit ip 10.0.0.0 255.0.0.0 192.168.22.0 255.255.255.0
access-list outside_cryptomap_dyn_60 extended permit ip 172.16.0.0 255.240.0.0 192.168.22.0 255.255.255.0
access-list outside_cryptomap_dyn_60 extended permit ip 192.168.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list outside_cryptomap_dyn_60 extended permit ip 100.0.0.0 255.0.0.0 192.168.22.0 255.255.255.0
access-list outside_cryptomap_dyn_60 extended permit ip 159.140.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list outside_cryptomap_dyn_60 extended permit ip x.x.x..0 255.255.0.0 192.168.22.0 255.255.255.0
access-list capout extended permit ip host 192.168.1.5 host 1x.x.x.7
access-list capout extended permit ip host 192.168.2.60 host 1x.x.x.7
access-list outside_cryptomap_dyn_100 extended permit ip 10.0.0.0 255.0.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_dyn_100 extended permit ip 172.16.0.0 255.240.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_dyn_100 extended permit ip 192.168.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_dyn_100 extended permit ip 100.0.0.0 255.0.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_dyn_100 extended permit ip 159.140.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_dyn_100 extended permit ip x.x.x..0 255.255.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 10.0.0.0 255.0.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 172.16.0.0 255.240.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 192.168.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 100.0.0.0 255.0.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip x.x.x..0 255.255.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip x.x.x.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 10.0.0.0 255.0.0.0 192.168.24.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 172.16.0.0 255.240.0.0 192.168.24.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 192.168.0.0 255.255.0.0 192.168.24.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 100.0.0.0 255.0.0.0 192.168.24.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip x.x.x.0.0 255.255.0.0 192.168.24.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip x.x.x..0 255.255.0.0 192.168.24.0 255.255.255.0
access-list tst extended permit ip host 192.168.15.150 host 216.166.12.247
access-list tst2 extended permit ip host x.x.x.7 host 216.248.12.142
access-list Darwin extended permit ip 192.168.0.0 255.255.224.0 192.168.32.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 500
logging buffered informational
logging asdm alerts
mtu outside 1500
mtu inside 1500
mtu LAPTOP 1500
ip local pool newuserpool 192.168.5.17-192.168.5.31
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
asdm image flash:/asdm-523.bin
asdm location 192.168.2.0 255.255.255.0 inside
asdm location 192.168.1.0 255.255.255.0 inside
asdm location 192.168.3.0 255.255.255.0 inside
asdm location 192.168.4.0 255.255.255.0 inside
asdm location 192.168.6.0 255.255.255.0 inside
asdm location 133.133.33.0 255.255.255.0 inside
asdm location 192.168.2.253 255.255.255.255 inside
asdm location 192.168.2.254 255.255.255.255 inside
asdm location 216.248.29.221 255.255.255.255 outside
asdm location 192.168.0.0 255.255.0.0 inside
asdm location 172.16.1.0 255.255.255.248 outside
asdm location 172.16.1.0 255.255.255.128 outside
asdm location 172.16.1.28 255.255.255.252 outside
asdm location 172.16.1.0 255.255.255.252 outside
asdm location 192.168.2.25 255.255.255.255 inside
asdm location 100.7.0.0 255.255.0.0 outside
asdm location 100.0.0.0 255.0.0.0 outside
asdm location 10.168.1.2 255.255.255.255 LAPTOP
asdm location 100.0.0.0 255.0.0.0 LAPTOP
asdm location 10.168.0.0 255.255.0.0 inside
asdm location 10.168.0.0 255.255.0.0 LAPTOP
asdm location 67.142.29.86 255.255.255.255 outside
asdm location 172.16.1.16 255.255.255.240 outside
asdm location 172.16.1.8 255.255.255.248 outside
asdm location 192.168.13.0 255.255.255.224 inside
asdm location 192.168.10.0 255.255.254.0 inside
asdm location 192.168.4.102 255.255.255.255 inside
asdm location 192.168.1.20 255.255.255.255 inside
asdm location 192.168.4.100 255.255.255.255 inside
asdm location 192.168.1.25 255.255.255.255 inside
asdm location 192.168.2.183 255.255.255.255 inside
asdm location 192.168.8.0 255.255.255.240 inside
asdm location 192.168.8.0 255.255.255.0 inside
asdm location 192.168.9.0 255.255.255.0 inside
asdm location 10.168.1.2 255.255.255.255 outside
asdm location 159.140.160.0 255.255.240.0 outside
asdm location 67.33.45.35 255.255.255.255 outside
asdm location 67.33.45.37 255.255.255.255 outside
asdm location 171.68.225.213 255.255.255.255 outside
asdm location 171.68.225.212 255.255.255.255 outside
asdm location 66.168.99.170 255.255.255.255 outside
asdm location 192.168.2.85 255.255.255.255 inside
asdm location 71.4.240.1 255.255.255.255 outside
asdm location 192.168.1.139 255.255.255.255 inside
asdm location 192.168.100.1 255.255.255.255 inside
asdm location 192.168.26.15 255.255.255.255 outside
asdm location 192.168.26.0 255.255.255.0 outside
asdm location 192.168.1.44 255.255.255.255 inside
asdm location 192.168.19.0 255.255.255.0 inside
asdm location 192.168.18.0 255.255.255.0 inside
asdm location 192.168.17.0 255.255.255.0 inside
asdm group WAN inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 x.x.x.2
global (outside) 11 x.x.x.3
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.1 192.168.4.102 netmask 255.255.255.255
static (inside,outside) x.x.x.0 192.168.1.20 netmask 255.255.255.255
static (inside,outside) x.x.x.2 192.168.1.50 netmask 255.255.255.255
static (inside,outside) x.x.x.9 192.168.1.134 netmask 255.255.255.255
static (inside,outside) x.x.x.6 192.168.1.150 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http x.x.x.7 255.255.255.255 outside
http x.x.x..170 255.255.255.255 outside
http x.x.x..1 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 172.16.1.1 255.255.255.255 inside
http 10.168.0.0 255.255.0.0 LAPTOP
http 172.16.1.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_65535.60
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto map outside_map 10 set peer x.x.x.6.2
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 50 set peer x.x.x.8
crypto map outside_map 50 set transform-set ESP-3DES-MD5
crypto map outside_map 50 set security-association lifetime seconds 28800
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer x.x.x.9
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map nsmap 40 match address Darwin
crypto map nsmap 40 set peer x.x.x.1
crypto map nsmap 40 set transform-set nsset
crypto map nsmap 40 set reverse-route
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.2.253 255.255.255.255 inside
telnet 192.168.2.254 255.255.255.255 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.25.0 255.255.255.252 LAPTOP
telnet timeout 15
ssh x.x.x.7 255.255.255.255 outside
ssh x.x.x.0 255.255.255.255 outside
ssh x.x.x..1 255.255.255.255 outside
ssh x.x.x..0 255.255.0.0 outside
ssh x.x.x.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh 172.16.1.100 255.255.255.255 inside
ssh timeout 30
ssh version 1
console timeout 0
management-access inside
!
class-map Frost-Arnett
 match flow ip destination-address
 match tunnel-group x.x.x.4
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map qos
 class Frost-Arnett
  police output 1500000 256000
!
service-policy global_policy global
service-policy qos interface outside
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
group-policy UserVPN internal
group-policy UserVPN attributes
 wins-server value x.x.x.1 x.x.x.2
 dns-server value 1x.x.x.1 x.x.x.2
 vpn-idle-timeout 30
 default-domain value heartgroup.local
group-policy DciVPN internal
group-policy DciVPN attributes
 wins-server value x.x.x..21 x.x.x.2
 dns-server value x.x.x.1.21 x.x.x.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DCI_Split_Tunnel_List
 default-domain value heartgroup.local
group-policy PhoneVPN internal
group-policy PhoneVPN attributes
 wins-server value x.x.x.1 x.x.x.2
 dns-server value x.x.x.1 x.x.x.2
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value
 split-dns none

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco123
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp ikev1-user-authentication (outside) none
tunnel-group UserVPN type ipsec-ra
tunnel-group UserVPN general-attributes
 address-pool newuserpool
 default-group-policy UserVPN
 password-management
tunnel-group UserVPN ipsec-attributes
 pre-shared-key *************
 isakmp ikev1-user-authentication (outside) none
tunnel-group x.x.x.x4 type ipsec-l2l
tunnel-group x.x.x4 ipsec-attributes
 pre-shared-key ***************
tunnel-group DciVPN type ipsec-ra
tunnel-group DciVPN general-attributes
 address-pool newuserpool
 default-group-policy DciVPN
tunnel-group DciVPN ipsec-attributes
 pre-shared-key **************
tunnel-group x.x.x.2 type ipsec-l2l
tunnel-group x.x.x.2 ipsec-attributes
 pre-shared-key *************
tunnel-group x.x.x.9 type ipsec-l2l
tunnel-group x.x.x.9 ipsec-attributes
 pre-shared-key **************
tunnel-group x.x.x.1 type ipsec-l2l
tunnel-group x.x.x.1 general-attributes
tunnel-group x.x.x.1 ipsec-attributes
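
Added example (not from the thread or from the accepted solution, which is not shown on this page) of the pre-8.3 PIX 7.2 syntax the question asks for, using the x.x.x.37 and 192.168.1.58 addresses from the question; the source network 203.0.113.0/24 is a constructed placeholder for the remote site that needs RDP.

```cisco
! Added example: one-to-one (static) NAT plus the inbound ACL entry for RDP on PIX 7.2.
! x.x.x.37 / 192.168.1.58 come from the question; 203.0.113.0/24 is a constructed placeholder.

! 1. One-to-one translation: public x.x.x.37 <-> internal 192.168.1.58
static (inside,outside) x.x.x.37 192.168.1.58 netmask 255.255.255.255

! 2. Inbound rule. On pre-8.3 code the ACL on the outside interface matches the
!    MAPPED (public) address, not the real 192.168.1.58, so it references x.x.x.37.
!
!    Weak setting, in the style already used elsewhere in this config ("any"):
!    RDP on this host becomes reachable from the whole internet.
! access-list outside_access_in extended permit tcp any host x.x.x.37 eq 3389
!
!    Preferred: limit the source to the network that actually needs RDP, and log hits.
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 host x.x.x.37 eq 3389 log

! outside_access_in is already bound to the outside interface in this config
! ("access-group outside_access_in in interface outside"), so appending the line is enough.

! 3. If 192.168.1.58 already holds a dynamic PAT translation through the global pool,
!    clear it so the new static takes effect, then save.
clear xlate local 192.168.1.58
write memory
```

Verify with `show xlate | include 192.168.1.58` (expect the static mapping to x.x.x.37) and `show access-list outside_access_in` (hit counts on the new line).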
ASKER CERTIFIED SOLUTION
Ernie Beek
SOLUTION
@mwblsz: 2fast4you

;)
mwblsz

Sorry erniebeek, did not see your comment, must have been typing while you posted it.

ASKER

Thanks guys, we will give that a go and hopefully all will be good.
Post back in a minute or two.
@mwblsz: never mind, happens to me all of the time. At least we're thinking in the same direction :)
That's got it. I had written something very similar already in a txt file; I was just too chicken to use it without being 100% sure. Which is why I am glad I asked: I did have the syntax wrong on one of the commands.

Thanks again!
Thanks again guys. On a side note, do you know of good reference material, i.e. a book or something, to help learn more on the PIX?
You're welcome, glad you fixed it :)