troubleshooting Question

Cisco ASA - Firewall issue within LAN (Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session)

FutureDBA- asked on
Hardware Firewalls, Cisco, Network Security
I have a very weird issue on my LAN, and I cannot pinpoint the root cause.

I have a printer on my LAN with an IP address of 192.168.16.19

My computer is 192.168.16.50

My second computer is 192.168.16.51

All machines have a gateway of 192.168.16.254 (Cisco ASA 5515-X)

... From Computer 1 (.50), whenever I try to ping the printer, sometimes it will ping successfully; other times, it will not ping at all.
... From Computer 2 (.51), I can ping successfully 100% of the time.

I have run ping simultaneously from both machines: Computer 1, no ping; Computer 2 can ping, at the same time.

I was under the impression that because both machines are locally on the same LAN, they would not have to go through the firewall, even though they both use it as a gateway.

When I look at my ASA logs via ASDM...

I get this error message here:

4      Nov 23 2014      18:38:46                                    Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session

over and over while I run the ping.

I made sure that my host is not shunned, and have disabled threat detection scanning and blocking.

This is my ASA config, I blocked out any public IP address information.

Thanks in advance.
: Saved
:
ASA Version 9.1(2) 
!
hostname asa5515
domain-name somedomain.local
enable password M82a6Pogb3RUeDkW encrypted
names
ip local pool vpn-pool 192.168.18.10-192.168.18.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *.*.214.110 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif data
 security-level 100
 ip address 192.168.16.254 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif voice
 security-level 100
 ip address 192.168.20.254 255.255.255.0 
!
interface GigabitEthernet0/3
 nameif video
 security-level 100
 ip address 192.168.22.254 255.255.255.0 
!
interface GigabitEthernet0/4
 nameif clients
 security-level 100
 ip address 192.168.24.254 255.255.255.0 
!
interface GigabitEthernet0/5
 nameif dmz
 security-level 10
 ip address 192.168.26.254 255.255.255.0 
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name somedomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-subnet
 subnet 192.168.16.0 255.255.255.0
object network voice-subnet
 subnet 192.168.20.0 255.255.255.0
object network dns-server
 host 192.168.16.30
object network Elmhurst
 subnet 10.0.0.0 255.0.0.0
 description Elmhurst
object network mstsc
 host 192.168.16.119
object service RDP
 service tcp source eq 3389 destination eq 3389 
 description Remote Desktop Connection
object network apex
 host 192.168.16.40
object network *.*.214.109
 host *.*.214.109
object network reports
 host 192.168.16.40
object network reports-internal
 host 192.168.16.40
object network obj-192.168.16.40
 host 192.168.16.40
object network obj-192.168.16.201
 host 192.168.16.201
object network obj-192.168.16.194
 host 192.168.16.194
object network rails
 host 192.168.16.194
object network ssh-ruby
 host 192.168.16.194
object network NETWORK_OBJ_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network NETWORK_OBJ_192.168.16.0_24
 subnet 192.168.16.0 255.255.255.0
object network NETWORK_OBJ_192.168.18.0_25
 subnet 192.168.18.0 255.255.255.128
object network *.*.214.105
 host *.*.214.105
object network orcl
 host 192.168.16.195
object network credit_application
 host *.*.214.104
object network obj_104
 host *.*.214.104
object network *.*.214.104
 host *.*.214.104
object service http_8080
 service tcp source eq 8080 destination eq 8080 
object network obj-192.168.16.253
 host 192.168.16.253
object network obj-192.168.16.118
 host 192.168.16.118
object network obj-192.168.16.6
 host 192.168.16.6
object network obj-192.168.16.119
 host 192.168.16.119
object network NETWORK_OBJ_192.168.24.0_24
 subnet 192.168.24.0 255.255.255.0
object network obj-192.168.16.195
 host 192.168.16.195
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 8080
 port-object eq ssh
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group service RemoteD tcp
 port-object eq 3389
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object tcp destination eq www 
object-group service apexreports
object-group network VPNTunnelGroup
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.16.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
object-group protocol DM_INLINE_PROTOCOL_9
 protocol-object ip
 protocol-object icmp
object-group network video-subnet
 network-object 192.168.22.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_acl extended permit tcp any host 192.168.16.253 eq www 
access-list outside_acl extended permit tcp any host 192.168.16.6 eq 22014 
access-list outside_acl extended permit tcp any host 192.168.16.195 object-group DM_INLINE_TCP_1 
access-list dmz_acl extended permit udp any object dns-server eq domain 
access-list dmz_acl extended permit object-group DM_INLINE_PROTOCOL_4 any object inside-subnet 
access-list dmz_acl extended permit object-group DM_INLINE_PROTOCOL_3 any any 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any 
access-list outside_cryptomap extended permit ip object inside-subnet object Elmhurst 
access-list outside_cryptomap_1 extended permit ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list ACL-INSIDE-NONAT extended permit ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list video_access_in extended permit object-group DM_INLINE_PROTOCOL_9 any object inside-subnet 
access-list video_access_in extended permit ip any any 
access-list outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list split_tunnel standard permit 192.168.16.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging buffer-size 104857
logging buffered debugging
logging trap errors
logging asdm notifications
logging facility 21
logging host data 192.168.16.119
flow-export destination data 192.168.16.119 2055
mtu outside 1500
mtu data 1500
mtu voice 1500
mtu video 1500
mtu clients 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (data,voice) source static inside-subnet inside-subnet destination static voice-subnet voice-subnet
nat (voice,outside) source static voice-subnet voice-subnet destination static Elmhurst Elmhurst no-proxy-arp route-lookup
nat (outside,data) source static *.*.214.109 *.*.214.109 destination static apex apex no-proxy-arp
nat (data,outside) source static VPNTunnelGroup VPNTunnelGroup destination static NETWORK_OBJ_192.168.18.0_25 NETWORK_OBJ_192.168.18.0_25 no-proxy-arp route-lookup
nat (video,data) source static inside-subnet inside-subnet destination static video-subnet video-subnet
nat (data,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 no-proxy-arp route-lookup
nat (voice,outside) source static VPNTunnelGroup VPNTunnelGroup destination static NETWORK_OBJ_192.168.18.0_25 NETWORK_OBJ_192.168.18.0_25 no-proxy-arp route-lookup
nat (clients,outside) source static NETWORK_OBJ_192.168.24.0_24 NETWORK_OBJ_192.168.24.0_24 destination static Elmhurst Elmhurst no-proxy-arp route-lookup
nat (clients,outside) source static NETWORK_OBJ_192.168.24.0_24 NETWORK_OBJ_192.168.24.0_24 destination static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 no-proxy-arp route-lookup
!
object network inside-subnet
 nat (data,outside) dynamic interface
object network voice-subnet
 nat (voice,outside) dynamic interface
object network obj-192.168.16.253
 nat (data,outside) static *.*.214.100
object network obj-192.168.16.6
 nat (data,outside) static *.*.214.102
object network obj-192.168.16.195
 nat (data,outside) static *.*.214.104
access-group outside_acl in interface outside
access-group inside_access_in in interface data
access-group dmz_acl in interface voice
access-group video_access_in in interface video
route outside 0.0.0.0 0.0.0.0 *.*.214.97 1
route outside 10.0.0.0 255.0.0.0 *.*.178.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAPSERVER protocol ldap
aaa-server LDAPSERVER (data) host 192.168.16.31
 ldap-base-dn DC=somedomain,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=John Terrero,OU=Users,OU=_Doras,DC=somedomain,DC=local
 server-type microsoft
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 192.168.16.201 255.255.255.255 data
http 192.168.16.0 255.255.255.0 data
http 0.0.0.0 0.0.0.0 data
http 0.0.0.0 0.0.0.0 outside
snmp-server group Authentication&Encryption v3 priv 
snmp-server user johnt Authentication&Encryption v3 encrypted auth md5 87:40:72:55:60:71:15:4f:8c:f4:db:11:ea:94:61:cb priv 3des 87:40:72:55:60:71:15:4f:8c:f4:db:11:ea:94:61:cb:c6:09:3e:d8:31:0a:4a:14:b6:9e:23:32:33:67:d8:a8 
snmp-server host data 192.168.16.31 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer *.*.178.2 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-128-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer *.*.178.2 
crypto map outside_map 60 match address outside_cryptomap_1
crypto map outside_map 60 set peer *.*.178.2 
crypto map outside_map 60 set ikev1 transform-set ESP-AES-256-MD5
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=asa5515.somedomain.local,O=somedomain,C=US
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=asa5515.somedomain.local,O=somedomain,C=us
 crl configure
crypto ca trustpoint self
 enrollment self
 subject-name cn=192.168.16.254
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 subject-name CN=192.168.16.254,CN=asa5515
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
 enrollment self
 subject-name CN=192.168.16.254,CN=asa5515
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
 enrollment self
 subject-name CN=192.168.16.254,CN=asa5515
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_3
 enrollment self
 subject-name CN=192.168.16.254,CN=asa5515
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 subject-name CN=asa5515.somedomain.local,O=somedomain,C=us
 crl configure
crypto ca trustpool policy
crypto ca certificate chain self
 certificate 48ff5954
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 49ff5954
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
 certificate 4aff5954
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_2
 certificate 4bff5954
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_3
 certificate 4cff5954
  quit
crypto isakmp identity address 
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable data
crypto ikev1 enable outside
crypto ikev1 enable data
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.16.119 255.255.255.255 data
ssh 192.168.16.201 255.255.255.255 data
ssh 192.168.16.0 255.255.255.0 data
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access voice
dhcpd address 192.168.20.1-192.168.20.199 voice
dhcpd dns 192.168.16.30 4.2.2.1 interface voice
dhcpd enable voice
!
dhcpd address 192.168.22.10-192.168.22.200 video
dhcpd dns 192.168.16.30 4.2.2.1 interface video
dhcpd enable video
!
dhcpd address 192.168.24.1-192.168.24.200 clients
dhcpd dns 192.168.16.30 4.2.2.1 interface clients
dhcpd enable clients
!
dhcpd address 192.168.26.10-192.168.26.100 dmz
dhcpd dns 192.168.16.30 192.168.16.31 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption 3des-sha1 aes256-sha1 dhe-aes256-sha1
ssl trust-point ASDM_Launcher_Access_TrustPoint_3 data vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_3 data
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
 wins-server none
 dns-server value 192.168.16.30 10.16.0.0
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value somedomain.local
group-policy GroupPolicy_vpn-users internal
group-policy GroupPolicy_vpn-users attributes
 wins-server none
 dns-server value 192.168.16.30
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value somedomain.local
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1 ikev2 
username dannf password RvGQ92odT9kjOIf8 encrypted
username johnt password Hhe.i9znJjAGRtYw encrypted
username ldiadmin password FnejGv4pwEeHVWJd encrypted
username ncs password xwmp2NT3BYMDFcxh encrypted
username julios password wTmjpIfjCMIBCCGO encrypted
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool vpn-pool
 default-group-policy GroupPolicy_Anyconnect
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
tunnel-group vpn-users type remote-access
tunnel-group vpn-users general-attributes
 address-pool vpn-pool
 authentication-server-group LDAPSERVER LOCAL
 default-group-policy GroupPolicy_vpn-users
tunnel-group vpn-users webvpn-attributes
 group-alias vpn-users enable
tunnel-group *.*.178.2 type ipsec-l2l
tunnel-group *.*.178.2 general-attributes
 default-group-policy GroupPolicy1
tunnel-group *.*.178.2 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:9a0bd1383c57841a01fcefad99dd1a61
: end
asdm image disk0:/asdm-731-101.bin
no asdm history enable
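
Added example, not part of the original post: a Python check that reads the interface stanzas of an ASA configuration and flags "Denied ICMP ... no matching session" log lines whose source and destination both sit on the subnet directly connected to the ingress interface, which is the situation the question describes. The function names are hypothetical, the configuration excerpt is copied from the post, and the second log line is constructed for contrast.

```python
import ipaddress
import re

# Interface stanzas copied from the configuration in the post (excerpt).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif data
 security-level 100
 ip address 192.168.16.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif voice
 security-level 100
 ip address 192.168.20.254 255.255.255.0
!
interface Management0/0
 management-only
 no nameif
 no ip address
"""

# First line is the message quoted in the post; the second is constructed.
SAMPLE_LOG = """\
4 Nov 23 2014 18:38:46 Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session
4 Nov 23 2014 18:39:02 Denied ICMP type=0, from laddr 192.168.20.7 on interface voice to 192.168.16.50: no matching session
"""

DENY_RE = re.compile(
    r"Denied ICMP type=(?P<type>\d+), from laddr (?P<src>\S+) "
    r"on interface (?P<ifc>\S+) to (?P<dst>[0-9.]+): no matching session"
)


def interface_networks(config):
    """Map each nameif to the subnet configured on that interface."""
    nets, name = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            name = None  # a non-indented line starts a new stanza
            continue
        words = line.split()
        if words[:1] == ["nameif"] and len(words) == 2:
            name = words[1]
        elif words[:2] == ["ip", "address"] and len(words) >= 4 and name:
            try:
                nets[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            except ValueError:
                pass  # masked or malformed address, e.g. *.*.214.110
    return nets


def same_subnet_denials(log_text, nets):
    """Return denied ICMP events where source and destination are both
    on the subnet directly connected to the ingress interface."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        net = nets.get(m["ifc"])
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if net is not None and src in net and dst in net:
            hits.append({
                "icmp_type": int(m["type"]),
                "src": str(src),
                "dst": str(dst),
                "interface": m["ifc"],
                "network": str(net),
            })
    return hits


if __name__ == "__main__":
    for hit in same_subnet_denials(SAMPLE_LOG, interface_networks(SAMPLE_CONFIG)):
        print(hit)
```

A hit means an ICMP packet between two hosts on the same connected subnet reached the firewall instead of being delivered directly on the LAN.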
ASKER CERTIFIED SOLUTION
Otto_N
