mhentrich
asked on
VPN user cannot ping other VPN user
Experts, to my rescue again:
We have a working VPN Tunnel in place here that we've been using for years without issue. Users who are on our internal network exist in the 192.168.1.X subnet, while VPN users are given 172.16.223.X addresses.
What I've just today found is when I am internal I can ping any of my VPN users with no problem. Also, when I'm VPN'd in, I can ping internal resources with no problem. However, if I'm VPN'd in, I can't ping other VPN'd in users.
I've tried the cursory addition of ACLs all over the place with no luck. Packet trace reports that it should work fine (but it doesn't). This is crucially important to our softphone deployment, as the phones work fine over VPN until an individual tries to call another VPN user (at which point, no audio is transmitted).
Here's the scrubbed running config (sorry about the length, lot of cooks in the kitchen):
: Saved
:
ASA Version 8.0(3)
!
!
interface Ethernet0/0
nameif outside
security-level 0
ip address
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.224 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
speed 100
duplex full
nameif Dev
security-level 50
ip address 192.168.30.1 255.255.255.0
ospf cost 10
!
interface Management0/0
nameif Secure
security-level 100
ip address 192.168.60.1 255.255.255.0
ospf cost 10
!
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone Central -6
dns server-group DefaultDNS
domain-name we-mail.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TeleworkerTCP tcp
port-object eq ssh
port-object range 6800 6802
port-object range 3998 3999
port-object eq 6880
port-object eq www
object-group service TeleworkerUDP udp
port-object eq domain
port-object range 1024 65535
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service BackupExec tcp
port-object range 25100 25110
object-group service Cuda tcp
port-object eq 8000
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit tcp any host XX.XXX.XXX.90 eq domain
access-list inbound extended permit udp any host XX.XXX.XXX.90 eq domain
access-list inbound extended permit tcp any host XX.XXX.XXX.72 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.75 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.80 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.80 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.81 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.81 eq ftp
access-list inbound extended permit tcp any host XX.XXX.XXX.81 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.82 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.82 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.83 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.83 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq ftp
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 990
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 3000
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 3001
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 3002
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq 3003
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq ssh
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.92 eq https
access-list inbound extended permit ip any host XX.XXX.XXX.93
access-list inbound extended permit tcp any host XX.XXX.XXX.84 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.84 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.85 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.85 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.75 eq smtp
access-list inbound extended permit tcp any host XX.XXX.XXX.86 eq www
access-list inbound extended permit tcp any host XX.XXX.XXX.87 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.87 eq www
access-list inbound extended permit udp any host XX.XXX.XXX.75 eq ntp
access-list inbound extended permit tcp any host XX.XXX.XXX.86 eq https
access-list inbound extended permit tcp any host XX.XXX.XXX.91 eq www
access-list inbound extended permit icmp 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list dmz extended permit ip host 192.168.10.200 any
access-list dmz extended permit icmp any any unreachable
access-list dmz extended permit icmp any any echo-reply
access-list dmz extended permit icmp any any time-exceeded
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any eq domain
access-list dmz extended permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list dmz extended permit tcp host 192.168.10.31 host 192.168.1.14 eq 1433
access-list dmz extended permit tcp host 192.168.10.50 host 192.168.1.17 eq smtp inactive
access-list dmz extended permit tcp host 192.168.10.31 host 192.168.1.17 eq smtp inactive
access-list dmz extended permit tcp host 192.168.10.50 host 192.168.1.4 eq 8100
access-list dmz extended permit tcp host 192.168.10.31 host 192.168.1.3 eq 1433
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list dmz extended permit tcp host 192.168.10.100 host 192.168.1.17 eq smtp inactive
access-list dmz extended permit tcp host 192.168.10.32 host 192.168.1.14 eq 1433
access-list dmz extended permit tcp 192.168.10.0 255.255.255.0 any eq ssh inactive
access-list dmz extended permit tcp host 192.168.10.31 host 192.168.1.14 eq www inactive
access-list dmz extended permit tcp host 192.168.10.33 host 192.168.1.14 eq www inactive
access-list dmz extended permit tcp host 192.168.10.17 host 192.168.1.11 eq smtp
access-list dmz extended permit tcp host 192.168.10.17 host 192.168.1.6 eq ldap
access-list dmz extended permit tcp host 192.168.10.17 host 192.168.1.252 eq ldap
access-list dmz extended permit tcp host 192.168.10.17 any eq smtp
access-list dmz extended permit tcp host 192.168.10.90 host 192.168.1.14 eq 1433
access-list dmz extended permit tcp host 192.168.10.80 host 192.168.1.14 eq 1433
access-list dmz extended permit tcp host 192.168.10.80 host 192.168.1.11 eq 993
access-list dmz extended permit udp host 192.168.10.17 host 192.168.1.19 eq syslog
access-list dmz extended permit icmp any any
access-list dmz extended permit tcp host 192.168.10.80 host 192.168.1.11 eq smtp
access-list dmz extended permit tcp host 192.168.10.31 object-group BackupExec host 192.168.1.22
access-list dmz extended permit udp 192.168.10.0 255.255.255.0 any eq ntp
access-list dmz extended permit tcp host 192.168.10.2 any eq ssh
access-list dmz extended permit tcp host 192.168.10.2 any object-group Cuda
access-list dmz extended deny tcp Allegheny 255.255.255.0 host 192.168.10.100 eq https inactive
access-list dmz extended permit tcp any any eq ssh inactive
access-list outbound extended permit ip 192.168.50.0 255.255.255.0 any
access-list outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list outbound extended permit udp any any object-group TeleworkerUDP
access-list outbound extended permit object-group DM_INLINE_PROTOCOL_2 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit ip 192.168.1.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit ip 192.168.10.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit ip 192.168.50.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list REMOTE extended permit udp 192.168.1.0 255.255.255.0 172.16.223.0 255.255.255.0 object-group TeleworkerUDP
access-list REMOTE extended permit ip 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list REMOTE extended permit icmp 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit ip 192.168.1.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit ip 192.168.10.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit ip 192.168.50.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit udp 192.168.1.0 255.255.255.0 172.16.223.0 255.255.255.0 object-group TeleworkerUDP
access-list VPN_SPLIT_TUNNEL extended permit ip 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL extended permit icmp 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
access-list global_mpc extended permit tcp any any
access-list Dev_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Dev_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq www
access-list Dev_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq domain
access-list Dev_access_in extended permit udp 192.168.30.0 255.255.255.0 any eq domain
access-list Dev_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq https
access-list Dev_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list Dev_access_in extended permit udp 192.168.30.0 255.255.255.0 any eq ntp
access-list Dev_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list Dev_access_in extended permit ip 192.168.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list Secure_access_in extended permit ip any any
access-list Secure_access_in extended permit icmp any any echo-reply
access-list Secure_access_in extended permit icmp any any unreachable
access-list Secure_access_in extended permit icmp any any time-exceeded
access-list Secure_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq www
access-list Secure_access_in extended permit tcp 192.168.30.0 255.255.255.0 any eq domain
access-list Secure_access_in extended permit udp 192.168.30.0 255.255.255.0 any eq domain
pager lines 20
logging enable
logging timestamp
logging buffer-size 12000
logging trap notifications
logging history notifications
logging asdm informational
logging facility 23
logging host inside 192.168.1.19
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Dev 1500
mtu Secure 1500
ip local pool VPN-IP2 172.16.223.10-172.16.223.70
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
global (Dev) 1 interface
nat (inside) 0 access-list REMOTE
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list REMOTE
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (Dev) 0 access-list Dev_nat0_outbound outside
nat (Dev) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XXX.XXX.80 https 192.168.1.5 https netmask 255.255.255.255 tcp 500 500
static (inside,outside) tcp XX.XXX.XXX.80 www 192.168.1.5 www netmask 255.255.255.255 tcp 500 500
static (inside,outside) tcp XX.XXX.XXX.82 https 192.168.1.11 https netmask 255.255.255.255 tcp 500 500
static (inside,outside) tcp XX.XXX.XXX.82 www 192.168.1.11 www netmask 255.255.255.255 tcp 500 500
static (dmz,outside) tcp XX.XXX.XXX.81 ftp 192.168.10.35 ftp netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.81 www 192.168.10.31 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.81 https 192.168.10.31 https netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.84 www 192.168.10.32 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.84 https 192.168.10.32 https netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.85 www 192.168.10.33 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.85 https 192.168.10.33 https netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.75 smtp 192.168.10.17 smtp netmask 255.255.255.255 tcp 500 500
static (dmz,outside) tcp XX.XXX.XXX.87 www 192.168.10.36 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.87 https 192.168.10.36 https netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.86 www 192.168.10.80 www netmask 255.255.255.255
static (dmz,outside) tcp XX.XXX.XXX.86 https 192.168.10.80 https netmask 255.255.255.255
static (dmz,outside) XX.XXX.XXX.72 192.168.10.20 netmask 255.255.255.255 tcp 500 500
static (dmz,outside) XX.XXX.XXX.90 192.168.10.10 netmask 255.255.255.255 tcp 1500 1500
static (dmz,outside) XX.XXX.XXX.83 192.168.10.50 netmask 255.255.255.255 tcp 500 500
static (dmz,outside) XX.XXX.XXX.94 192.168.10.200 netmask 255.255.255.255 tcp 500 500
static (dmz,outside) XX.XXX.XXX.92 192.168.10.100 netmask 255.255.255.255
static (inside,dmz) 192.168.10.10 192.168.10.10 netmask 255.255.255.255
static (inside,dmz) 192.168.10.31 192.168.10.31 netmask 255.255.255.255
static (inside,dmz) 192.168.1.14 192.168.1.14 netmask 255.255.255.255
static (inside,dmz) 192.168.1.4 192.168.1.4 netmask 255.255.255.255
static (inside,dmz) 192.168.1.17 192.168.1.17 netmask 255.255.255.255
static (inside,dmz) 192.168.1.3 192.168.1.3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.19 192.168.1.19 netmask 255.255.255.255 tcp 500 500
static (inside,dmz) 192.168.1.86 192.168.1.86 netmask 255.255.255.255
static (inside,dmz) 192.168.1.6 192.168.1.6 netmask 255.255.255.255
static (inside,dmz) 192.168.1.252 192.168.1.252 netmask 255.255.255.255
static (inside,dmz) 192.168.1.11 192.168.1.11 netmask 255.255.255.255
static (inside,outside) XX.XXX.XXX.91 192.168.1.164 netmask 255.255.255.255
access-group inbound in interface outside
access-group outbound in interface inside
access-group dmz in interface dmz
access-group Dev_access_in in interface Dev
access-group Secure_access_in in interface Secure
!
router ospf 2003
network 0.0.0.0 0.0.0.0 area 0
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server partnerauth protocol radius
aaa-server partnerauth host 192.168.1.6
key RSM.McGl@dr3y
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.1.19 community ncc1700
no snmp-server location
no snmp-server contact
snmp-server community ncc1700
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map mymap 30 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
ssl encryption aes256-sha1 aes128-sha1 rc4-sha1 3des-sha1
group-policy PFCremotePolicy internal
group-policy PFCremotePolicy attributes
wins-server value 192.168.1.6 192.168.1.252
dns-server value 192.168.1.6 192.168.1.252
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT_TUNNEL
default-domain value we-mail.com
tunnel-group PFCremote type remote-access
tunnel-group PFCremote general-attributes
address-pool VPN-IP2
authentication-server-group partnerauth LOCAL
default-group-policy PFCremotePolicy
tunnel-group PFCremote ipsec-attributes
pre-shared-key *
!
class-map global-class
match access-list global_mpc
class-map type regex match-any DomainBlockList
match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
match request uri regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class BlockDomainsClass
reset log
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect esmtp
inspect sip
class global-class
ips inline fail-open
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
policy-map type inspect sip Test
parameters
max-forwards-validation action drop log
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:f2ba651cbf0c16936cc69b8829034fa1
: end
asdm image disk0:/asdm-613.bin
asdm location Allegheny 255.255.255.0 inside
no asdm history enable
Thanks in advance,
Matt
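Added editorial example, not part of the original post or of any reply in the thread. Client-to-client traffic on this box is a hairpin: the decrypted packet arrives on the outside interface and has to leave through the same outside interface to reach the other client. The posted config already has `same-security-traffic permit intra-interface`, which is what allows that turn-around at all, but it also has `nat-control` enabled and no `nat (outside)` statement of any kind, so the pool-to-pool traffic never matches a NAT rule on the interface it actually traverses. The fragment below shows the standard ASA 8.0 recipe for that case (a NAT exemption for the VPN pool to itself on the outside interface) together with the commands used to verify it. The ACL name VPN_HAIRPIN, the capture name HAIRPIN and the two sample client addresses 172.16.223.11 and 172.16.223.12 are assumptions chosen for the example; the pool 172.16.223.0/24 and the existing statements come from the posted config.

```cisco
! --- Added example (editor), not from the original post ---
! Hairpinned VPN-client-to-VPN-client traffic on ASA 8.0(3).

! Already present in the posted config: allow a packet to enter and
! leave the same interface (outside -> outside). Without this the ASA
! drops the hairpinned packet before any ACL or NAT lookup is made.
same-security-traffic permit intra-interface

! Not present in the posted config: give the decrypted pool-to-pool
! traffic a NAT rule on the outside interface. NAT exemption (nat 0)
! leaves the 172.16.223.x addresses untouched, which the softphones
! need so that the media addresses in SIP signalling stay valid.
! (ACL name VPN_HAIRPIN is an assumption.)
access-list VPN_HAIRPIN extended permit ip 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
nat (outside) 0 access-list VPN_HAIRPIN

! --- Checks ---
! Trace an echo request between two pool addresses (sample addresses
! .11 and .12 are assumptions) as it would arrive, already decrypted,
! on the outside interface; the output should show the intra-interface
! and NAT-exempt phases and end in ALLOW.
packet-tracer input outside icmp 172.16.223.11 8 0 172.16.223.12 detailed

! Confirm both clients are connected and which pool addresses they hold.
show vpn-sessiondb remote

! Watch the decrypt/encrypt counters while one client pings the other;
! both should climb if the hairpin is forwarded.
show crypto ipsec sa | include pkts

! Capture the hairpinned flow on the outside interface (capture name
! HAIRPIN is an assumption) and read it back.
capture HAIRPIN interface outside match icmp 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0
show capture HAIRPIN
no capture HAIRPIN
```

Two caveats worth keeping in mind when applying this. First, Cisco's NAT control documentation says same-security traffic is only forced to match a NAT rule when dynamic NAT or PAT is configured on that interface, so the exemption is the documented hairpin configuration and is harmless, but it is not guaranteed to be the only missing piece. Second, if `packet-tracer` and the capture both show the echo request being forwarded out of the outside interface, the ASA is doing its job and the remaining suspect is the endpoints themselves: personal firewalls on the clients commonly drop inbound ICMP echo requests and unsolicited UDP from an unfamiliar subnet, which would explain both the failed ping and the one-way or missing softphone audio.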
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT_TUNNEL
default-domain value we-mail.com
tunnel-group PFCremote type remote-access
tunnel-group PFCremote general-attributes
address-pool VPN-IP2
authentication-server-grou
default-group-policy PFCremotePolicy
tunnel-group PFCremote ipsec-attributes
pre-shared-key *
!
class-map global-class
match access-list global_mpc
class-map type regex match-any DomainBlockList
match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
match request uri regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class BlockDomainsClass
reset log
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect esmtp
inspect sip
class global-class
ips inline fail-open
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
policy-map type inspect sip Test
parameters
max-forwards-validation action drop log
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:f2ba651cbf0
: end
asdm image disk0:/asdm-613.bin
asdm location Allegheny 255.255.255.0 inside
no asdm history enable
Thanks in advance,
Matt
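As an added diagnostic (not code from the thread, and not the accepted answer, which is not shown here), the script below checks an ASA 8.0-style running config for the two things client-to-client traffic through a single interface depends on: the `same-security-traffic permit intra-interface` line (present in the post) and a NAT rule on the VPN-terminating interface that covers pool-to-pool traffic (an identity `static (outside,outside)` or a `nat (outside) 0` exemption). The config text is a constructed sample modelled on the post (VPN on `outside`, pool 172.16.223.0/24); the identity-static and nat 0 lines are assumed fixes, not from the post.

```python
import re
from ipaddress import ip_network

# Constructed sample modelled on the thread's config: the VPN terminates on
# "outside" (crypto map mymap interface outside) and clients get 172.16.223.x.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.223.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map mymap interface outside
"""

# Assumed fix lines that let pool-to-pool traffic re-exit the VPN interface
# (constructed for the checks below; not present in the post).
IDENTITY_STATIC = "static (outside,outside) 172.16.223.0 172.16.223.0 netmask 255.255.255.0\n"
NAT0_ON_OUTSIDE = (
    "access-list outside_nat0 extended permit ip 172.16.223.0 255.255.255.0 172.16.223.0 255.255.255.0\n"
    "nat (outside) 0 access-list outside_nat0\n"
)

def _net(addr: str, mask: str):
    # Dotted-mask to network; strict=False tolerates host bits in the address.
    return ip_network(f"{addr}/{mask}", strict=False)

def hairpin_prereqs(config: str, vpn_iface: str, pool: str) -> dict:
    """Report whether a pre-8.3 ASA config has what client-to-client traffic
    through one interface needs: the intra-interface permit plus a NAT rule on
    vpn_iface covering pool -> pool (identity static or a nat 0 exemption)."""
    net = ip_network(pool)
    lines = [ln.strip() for ln in config.splitlines()]
    intra = "same-security-traffic permit intra-interface" in lines

    nat_ok = False
    nat0_acls = []
    for ln in lines:
        # identity static (iface,iface) A A netmask M, where A/M covers the pool
        m = re.match(rf"static \({vpn_iface},{vpn_iface}\) (\S+) (\S+) netmask (\S+)", ln)
        if m and m.group(1) == m.group(2) and net.subnet_of(_net(m.group(1), m.group(3))):
            nat_ok = True
        m = re.match(rf"nat \({vpn_iface}\) 0 access-list (\S+)", ln)
        if m:
            nat0_acls.append(m.group(1))
    for acl in nat0_acls:
        # the exemption ACL must permit pool -> pool for the hairpin to be exempt
        for ln in lines:
            m = re.match(rf"access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)", ln)
            if m and net.subnet_of(_net(*m.groups()[:2])) and net.subnet_of(_net(*m.groups()[2:])):
                nat_ok = True
    return {"intra_interface": intra, "pool_nat": nat_ok, "client_to_client_ready": intra and nat_ok}

if __name__ == "__main__":
    print(hairpin_prereqs(SAMPLE_CONFIG, "outside", "172.16.223.0/24"))
```

Run against the sample, it reports the intra-interface permit present but no pool-to-pool NAT rule on `outside`; appending either assumed fix line set flips `client_to_client_ready` to true.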
ASKER
Spaperov,
Thank you much for your input. I've tried it out (I believe I did it right) and no luck. I've attached my new running config here.
Any other ideas? Thanks!
Matt RunningConfig.txt
ASKER
All,
I haven't had the time to try and implement this fully, but I'm guessing Spaperov is right (makes sense, anyways) :P
Thanks,
Matt
You need to alter the following lines: