ThePhreakshow asked:

Cannot Access Shares Across Cisco Site-to-Site VPN

I have two different DCs running at two sites. The remote site is connected from its ASA5505 to the main office ASA5510. Both DCs are running AD, DNS, and WINS.

Connectivity from the remote site to HQ works perfectly. All traffic that is not destined for the private HQ network is sent out of its local connection.

HQ, on the other hand, has some issues communicating with the remote site. All hosts at the remote site can be pinged using their NetBIOS name, FQDN or IP address...

The problem comes when trying to access a share on the remote site using a UNC path, or even an FQDN... Cannot see anything on any of the hosts at the remote site, even when trying to use admin shares (\\remote-PC\c$).
rauenpc:

Would you be able to post scrubbed configs from both sides?
ThePhreakshow (asker):

Did not fully scrub them, but IP addresses have been changed to protect the innocent...

--------- HEADQUARTERS SITE ------------

: Saved
:
ASA Version 8.2(5)
!
terminal width 511
hostname ford-main-asa
domain-name mycompany.com
name 192.168.1.3 Galileo
name 192.168.0.13 Beethoven
name 192.168.1.2 Einstein
name 10.1.1.190 Nancy
name 10.1.1.189 Sid
name 10.1.1.176 DMZ
name 229.55.100.179 Public-WWW
name 229.55.100.176 Verio-Network
name 10.1.1.186 ADP-GetWired
name 192.168.7.0 Affordable-Net
name 192.168.15.0 Collision-Fones
name 192.168.5.0 Collision-Net
name 10.1.1.0 DMZ-Net
name 192.168.11.0 Ford-Fones
name 192.168.1.0 Ford-Net
name 10.1.1.187 Ford-Secure
name 192.168.6.0 Holyoke-Net
name 192.168.13.0 Lincoln-Fones
name 192.168.3.0 Lincoln-Net
name 10.1.1.184 Michaelangelo-1
name 10.1.1.185 Michaelangelo-2
name 10.1.1.180 Nostradamus-Mail
name 10.1.1.179 Nostradamus-WWW
name 10.1.1.181 Phantom-DNS
name 229.55.100.186 Public-ADP-GetWired
name 229.55.100.187 Public-Ford-Secure
name 229.55.100.180 Public-Mail
name 229.55.100.184 Public-Michaelangelo-1
name 229.55.100.185 Public-Michaelangelo-2
name 229.55.100.190 Public-Nancy
name 229.55.100.189 Public-Sid
name 192.168.1.13 MacBook
name 192.168.0.0 Jaguar-Net
name 192.168.4.0 Ford-VPN
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 shutdown
 nameif vacant
 security-level 75
 no ip address
!
interface Ethernet0/2
 nameif dmz
 security-level 25
 ip address 10.1.1.177 255.255.255.240
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 229.55.100.178 255.255.255.240
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup outside
dns server-group DefaultDNS
 name-server Einstein
 name-server 192.168.3.2
 domain-name demmer.com
same-security-traffic permit intra-interface
access-list outbound extended permit ip any any
access-list to-dmz extended permit udp any host Public-WWW eq domain
access-list to-dmz extended permit udp any host Public-Sid eq domain
access-list to-dmz extended permit udp any host Public-Nancy eq domain
access-list to-dmz extended permit udp any host Public-WWW eq dnsix
access-list to-dmz extended permit udp any host Public-Sid eq dnsix
access-list to-dmz extended permit udp any host Public-Nancy eq dnsix
access-list to-dmz extended permit tcp any host Public-WWW eq www
access-list to-dmz extended permit tcp any host Public-Mail eq www
access-list to-dmz extended permit tcp any host Public-Sid eq www
access-list to-dmz extended permit tcp any host Public-Nancy eq www
access-list to-dmz extended permit tcp any host Public-WWW eq ftp
access-list to-dmz extended permit tcp any host Public-Mail eq smtp
access-list to-dmz extended permit tcp any host Public-Mail eq pop3
access-list to-dmz extended permit tcp any host Public-Mail eq imap4
access-list to-dmz extended permit udp any host Public-Mail eq 143
access-list to-dmz extended permit ip any host Public-ADP-GetWired
access-list to-dmz extended permit ip any host Public-Ford-Secure
access-list to-dmz extended permit tcp any host Public-Mail eq 465
access-list to-dmz extended permit tcp any host Public-Mail eq https
access-list to-dmz extended permit udp any host Public-Mail eq 443
access-list to-dmz extended permit icmp any any
access-list dmz-in extended permit udp any host Phantom-DNS eq domain
access-list dmz-in extended permit ip DMZ-Net 255.255.255.0 any
access-list dmz-in extended permit tcp any host Phantom-DNS eq domain
access-list dmz-in extended permit icmp any any
access-list inside extended deny udp any any eq 135
access-list inside extended permit udp any any eq tftp
access-list inside extended deny udp any any eq netbios-ns
access-list inside extended deny udp any any eq netbios-dgm
access-list inside extended deny udp any any eq 139
access-list inside extended deny tcp any any eq 135
access-list inside extended deny tcp any any eq 137
access-list inside extended deny tcp any any eq 138
access-list inside extended deny tcp any any eq netbios-ssn
access-list inside extended deny tcp any any eq 445
access-list inside extended deny tcp any any eq 593
access-list inside extended deny tcp any any eq 4444
access-list inside extended permit ip any any
access-list Inside_nat0_outbound extended permit ip Ford-Net 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip DMZ-Net 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Lincoln-Net 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Collision-Net 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Holyoke-Net 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Affordable-Net 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Ford-Fones 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Lincoln-Fones 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Collision-Fones 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip DMZ-Net 255.255.255.0 Ford-VPN 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Ford-VPN 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Ford-VPN 255.255.255.0 Jaguar-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Ford-Net 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip DMZ-Net 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Lincoln-Net 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Collision-Net 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Affordable-Net 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Ford-Fones 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Lincoln-Fones 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Collision-Fones 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Ford-VPN 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any Ford-VPN 255.255.255.192
no pager
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging console errors
logging buffered warnings
logging trap notifications
logging history errors
logging asdm warnings
logging host inside Galileo
logging flash-bufferwrap
logging flash-maximum-allocation 10000
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside Galileo 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu vacant 1500
mtu dmz 1500
mtu outside 1500
ip local pool VPN-Pool 192.168.4.25-192.168.4.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
icmp permit any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (dmz) 10 interface
global (outside) 10 interface
nat (inside) 0 access-list Inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list Inside_nat0_outbound
static (dmz,outside) Public-Nancy Nancy netmask 255.255.255.255 tcp 1000 100
static (dmz,outside) Public-WWW Nostradamus-WWW netmask 255.255.255.255 tcp 1000 100
static (dmz,outside) Public-Mail Nostradamus-Mail netmask 255.255.255.255 tcp 1000 100
static (dmz,outside) Public-Sid Sid netmask 255.255.255.255 tcp 1000 100
static (dmz,outside) Public-ADP-GetWired ADP-GetWired netmask 255.255.255.255 tcp 1000 100
static (dmz,outside) Public-Ford-Secure Ford-Secure netmask 255.255.255.255 tcp 1000 100
static (dmz,outside) Public-Michaelangelo-2 Michaelangelo-2 netmask 255.255.255.255 tcp 50 50
static (dmz,outside) Public-Michaelangelo-1 Michaelangelo-1 netmask 255.255.255.255 tcp 50 50
static (inside,dmz) Phantom-DNS Einstein netmask 255.255.255.255
access-group inside in interface inside
access-group dmz-in in interface dmz
access-group to-dmz in interface outside
route outside 0.0.0.0 0.0.0.0 229.55.100.177 1
route outside Jaguar-Net 255.255.255.0 229.55.100.177 1
route inside Lincoln-Net 255.255.255.0 192.168.1.254 1
route inside Collision-Net 255.255.255.0 192.168.1.254 1
route outside Holyoke-Net 255.255.255.0 229.55.100.177 1
route inside Affordable-Net 255.255.255.0 192.168.1.254 1
route inside Ford-Fones 255.255.255.0 192.168.1.254 1
route inside Lincoln-Fones 255.255.255.0 192.168.1.254 1
route inside Collision-Fones 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
url-server (inside) vendor websense host Galileo timeout 10 protocol TCP version 4 connections 8
aaa authentication ssh console LOCAL
filter url except 0.0.0.0 0.0.0.0 DMZ-Net 255.255.255.0
filter url except 0.0.0.0 0.0.0.0 198.181.158.53 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 199.244.232.52 255.255.255.255
filter url except DMZ-Net 255.255.255.0 0.0.0.0 0.0.0.0
filter url except 0.0.0.0 0.0.0.0 198.181.158.51 255.255.255.255
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block
http server enable
http 192.168.1.69 255.255.255.255 inside
http Jaguar-Net 255.255.255.0 inside
http MacBook 255.255.255.255 inside
http Galileo 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map VPN 1 set transform-set ESP-3DES-SHA
crypto map dyn-map 10 ipsec-isakmp dynamic VPN
crypto map dyn-map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh Jaguar-Net 255.255.255.0 inside
ssh Galileo 255.255.255.255 inside
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 1500
url-block url-size 4
tftp-server inside Einstein /cisco
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
group-policy Ford-IPSEC-TG internal
group-policy Ford-IPSEC-TG attributes
 dns-server value 192.168.1.2 192.168.3.2
 vpn-tunnel-protocol IPSec
 default-domain value mycompany.com
username demmerasa password WHZXLNEClNp4.T8l encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group Ford-IPSEC-TG type remote-access
tunnel-group Ford-IPSEC-TG general-attributes
 address-pool VPN-Pool
 default-group-policy Ford-IPSEC-TG
tunnel-group Ford-IPSEC-TG ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map
  inspect http
  inspect ils
 class class-default
  flow-export event-type all destination Galileo
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a94d1a3b5318921a06464dbe78e42944
: end
asdm image disk0:/asdm-625.bin
no asdm history enable

--------- REMOTE SITE ------------

: Saved
:
ASA Version 8.2(5)
!
terminal width 511
hostname jag-remote-asa
domain-name mycompany.com
name 192.168.1.0 Ford-Net
name 192.168.0.0 Jaguar-Net
name 192.168.7.0 Affordable-Net
name 192.168.15.0 Collision-Fones
name 192.168.5.0 Collision-Net
name 10.1.1.0 DMZ-Net
name 192.168.11.0 Ford-Fones
name 192.168.6.0 Holyoke-Net
name 192.168.13.0 Lincoln-Fones
name 192.168.3.0 Lincoln-Net
name 192.168.4.0 Ford-VPN
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
 shutdown
!
interface Ethernet0/6
 switchport access vlan 10
 shutdown
!
interface Ethernet0/7
 switchport access vlan 10
 shutdown
!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 209.18.47.61
 name-server 209.18.47.62
 domain-name mycompany.com
object-group service NightOwl tcp-udp
 description Video DVR
 port-object eq 2050
 port-object eq 9000
 port-object eq nfs
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list jaguar_to_ford extended permit ip Jaguar-Net 255.255.255.0 Ford-Net 255.255.255.0
access-list jaguar_to_ford extended permit ip Jaguar-Net 255.255.255.0 DMZ-Net 255.255.255.0
access-list jaguar_to_ford extended permit ip Jaguar-Net 255.255.255.0 Lincoln-Net 255.255.255.0
access-list jaguar_to_ford extended permit ip Jaguar-Net 255.255.255.0 Collision-Net 255.255.255.0
access-list jaguar_to_ford extended permit ip Jaguar-Net 255.255.255.0 Affordable-Net 255.255.255.0
access-list jaguar_to_ford extended permit ip Jaguar-Net 255.255.255.0 Ford-Fones 255.255.255.0
access-list jaguar_to_ford extended permit ip Jaguar-Net 255.255.255.0 Lincoln-Fones 255.255.255.0
access-list jaguar_to_ford extended permit ip Jaguar-Net 255.255.255.0 Collision-Fones 255.255.255.0
access-list jaguar_to_ford extended permit ip Jaguar-Net 255.255.255.0 Ford-VPN 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Ford-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 DMZ-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Lincoln-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Collision-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Holyoke-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Affordable-Net 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Ford-Fones 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Lincoln-Fones 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Collision-Fones 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Jaguar-Net 255.255.255.0 Ford-VPN 255.255.255.0
access-list outside_2_cryptomap extended permit ip Jaguar-Net 255.255.255.0 Holyoke-Net 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any interface outside object-group NightOwl
pager lines 24
logging enable
logging monitor debugging
logging asdm critical
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list Inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 9000 192.168.0.234 9000 netmask 255.255.255.255
static (inside,outside) udp interface 9000 192.168.0.234 9000 netmask 255.255.255.255
static (inside,outside) tcp interface nfs 192.168.0.234 nfs netmask 255.255.255.255
static (inside,outside) udp interface nfs 192.168.0.234 nfs netmask 255.255.255.255
static (inside,outside) tcp interface 2050 192.168.0.234 2050 netmask 255.255.255.255
static (inside,outside) udp interface 2050 192.168.0.234 2050 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http Jaguar-Net 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address jaguar_to_ford
crypto map outside_map 1 set peer 229.55.100.178
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 75.114.204.241
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh Jaguar-Net 255.255.255.0 inside
ssh timeout 15
console timeout 0
dhcp-client client-id interface outside
dhcprelay server 192.168.0.2 inside
dhcprelay timeout 60

no threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
username mycompanyasa password WHZXLNEClNp4.T8l encrypted
tunnel-group 229.55.100.178 type ipsec-l2l
tunnel-group 229.55.100.178 ipsec-attributes
 pre-shared-key *****
tunnel-group 75.004.204.241 type ipsec-l2l
tunnel-group 75.004.204.241 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect sip  
  inspect mgcp
  inspect h323 h225
  inspect h323 ras
  inspect skinny  
  inspect ip-options
!
service-policy global_policy global
prompt hostname
no call-home reporting anonymous
Cryptochecksum:cabdf0ddcc572b690abd3cdef50c4e25
: end
asdm image disk0:/asdm-641.bin
no asdm history enable
ASKER CERTIFIED SOLUTION
HalldorG:

This solution is only available to members.

ThePhreakshow (asker):
That did the trick!! I had to switch around your syntax a little bit, as you had the /24 network as source and /16 network as destination. I flip-flopped those two and voila! I can now access the shares from HQ to remote over the tunnel.

What's your opinion on just removing all those ACLs that relate to NetBIOS and AD communications? I'm fairly certain I put those in a long, long, long time ago when it was a PIX 505 to stop some kind of attack/flood that was going on that week.

One other item to note is that while I can access via UNC path machines at the remote site that have shares, I am UNABLE to access the administrative share (\\remote-machine\c$) on anything on the remote end of the tunnel from HQ... As a matter of fact, that goes both ways.....
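The accepted answer is not visible on this page, but the posted HQ config itself shows where HQ-to-remote SMB dies: the `inside` ACL (applied with `access-group inside in interface inside`) denies TCP 445, 139/netbios-ssn, 135 and friends from `any` to `any` before its final `permit ip any any`, and that ACL is evaluated on every packet an HQ host sends into the ASA, whether or not the packet is later encrypted into the tunnel. The remote ASA has no inside ACL at all, which is why remote-to-HQ works. The asker's remark that source and destination networks had to be swapped is the same ordering/direction point. The script below is an added example, not code from the page, from Cisco, or from the accepted answer: it parses the `name` statements and the `inside` ACL lines copied from the posted config, evaluates them first-match like the ASA does, and reports the verdict for SMB from a constructed HQ workstation (192.168.1.50, assumed) to the remote DC Beethoven (192.168.0.13, from the config). The `FIX_ACE` line is a hypothetical, narrowly scoped exception placed ahead of the deny lines to show how ACE order changes the result; it is not the members-only solution. Only the ACE forms that appear in the `inside` ACL are handled (no `object-group`, no port ranges).

```python
"""Added example: first-match evaluation of the ASA 8.2 'inside' ACL posted above.

Not code from the page, from Cisco or from the accepted answer. Handles only the
ACE shapes used in that ACL: permit/deny, ip/tcp/udp, 'any' / 'host X' /
'NET MASK', optional 'eq PORT', plus 'name' statements for address objects.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords that occur in the posted ACL (ASA knows many more).
PORT_NAMES = {"tftp": 69, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None: any destination port
    text: str                      # original line, kept for reporting


def parse_names(lines: List[str]) -> Dict[str, str]:
    """'name 192.168.1.0 Ford-Net' -> {'Ford-Net': '192.168.1.0'}."""
    names: Dict[str, str] = {}
    for line in lines:
        t = line.split()
        if len(t) >= 3 and t[0] == "name":
            names[t[2]] = t[1]
    return names


def _addr(t: List[str], i: int, names: Dict[str, str]) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(names.get(t[i + 1], t[i + 1]) + "/32"), i + 2
    net = names.get(t[i], t[i])                    # named object or literal address
    return ipaddress.IPv4Network(f"{net}/{t[i + 1]}"), i + 2


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse_acl(lines: List[str], acl_name: str, names: Dict[str, str]) -> List[Ace]:
    """Collect the ACEs of one named ACL in configuration order (order is what matters)."""
    aces: List[Ace] = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", acl_name, "extended"]:
            continue
        action, proto = t[3], t[4]
        src, i = _addr(t, 5, names)
        dst, i = _addr(t, i, names)
        dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport, line.strip()))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: Optional[int]) -> Optional[Ace]:
    """First matching ACE wins; None stands for the implicit deny at the end of the ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


def smb_verdict(aces: List[Ace], src: str, dst: str) -> Dict[int, str]:
    """Action taken for the two SMB transports, TCP 445 (direct) and TCP 139 (NetBIOS session)."""
    out: Dict[int, str] = {}
    for port in (445, 139):
        hit = evaluate(aces, "tcp", src, dst, port)
        out[port] = hit.action if hit else "deny (implicit)"
    return out


# Lines copied from the posted HQ config: the two relevant names and the whole 'inside' ACL.
HQ_CONFIG = """
name 192.168.1.0 Ford-Net
name 192.168.0.0 Jaguar-Net
access-list inside extended deny udp any any eq 135
access-list inside extended permit udp any any eq tftp
access-list inside extended deny udp any any eq netbios-ns
access-list inside extended deny udp any any eq netbios-dgm
access-list inside extended deny udp any any eq 139
access-list inside extended deny tcp any any eq 135
access-list inside extended deny tcp any any eq 137
access-list inside extended deny tcp any any eq 138
access-list inside extended deny tcp any any eq netbios-ssn
access-list inside extended deny tcp any any eq 445
access-list inside extended deny tcp any any eq 593
access-list inside extended deny tcp any any eq 4444
access-list inside extended permit ip any any
""".strip().splitlines()

# Hypothetical exception for HQ-LAN-to-remote-LAN traffic, placed BEFORE the deny lines.
# Illustrates the ordering point only; it is not the page's accepted answer.
FIX_ACE = "access-list inside extended permit ip Ford-Net 255.255.255.0 Jaguar-Net 255.255.255.0"


def before_and_after() -> Tuple[Dict[int, str], Dict[int, str]]:
    """SMB verdict for HQ -> remote DC with the ACL as posted, then with FIX_ACE in front."""
    names = parse_names(HQ_CONFIG)
    current = parse_acl(HQ_CONFIG, "inside", names)
    patched = parse_acl([FIX_ACE] + HQ_CONFIG, "inside", names)
    flow = ("192.168.1.50", "192.168.0.13")   # constructed HQ workstation -> Beethoven (remote DC)
    return smb_verdict(current, *flow), smb_verdict(patched, *flow)


if __name__ == "__main__":
    before, after = before_and_after()
    print("HQ -> remote SMB, inside ACL as posted:   ", before)
    print("HQ -> remote SMB, VPN exception placed first:", after)
```

Run as-is it reports `{445: 'deny', 139: 'deny'}` for the posted ACL and `{445: 'permit', 139: 'permit'}` once the scoped exception precedes the denies, while the general `deny tcp any any eq 445` keeps protecting every other destination. Putting the exception after the denies would change nothing, since the `any any` deny matches first; that is the same mistake as the swapped source/destination the asker mentions. Before deleting the NetBIOS/RPC denies outright, as the follow-up question considers, it is worth checking the ASA's `logging host` output (the HQ config sends syslog to Galileo) for hits on those lines; the evaluator here is a convenient way to test a candidate ACL change against specific flows offline first.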