Hi all,
I have set up a site-to-site VPN and everything works fine from the remote site to the corporate site; however, from the corporate site (ASA 5510) I can't get any access to the remote site (ASA 5505). I have checked the logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through. Below is most of my 5510 config. I am sure it is something simple that I am missing, but I just can't get it working — please help.
REMOTE network is 192.168.72.0/24 (the subnet used in the crypto ACL and the NAT-exempt entry below).
: Saved
: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010
!
ASA Version 8.0(5)
!
hostname Casa
domain-name uk
! NOTE(review): these enable/login password hashes have been posted publicly. ASA 8.0 password hashes can be cracked offline, so rotate both passwords now, and strip hashes and pre-shared keys before sharing a config again.
enable password VgZT0UwPdkSV9l7N encrypted
passwd zlo5ImUVRkHl4lcl encrypted
names
name 192.168.103.14 CITRIX-Appliance description CITRIX-Appliance
name 192.168.3.12 tney description tney
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.123 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.103.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
! NOTE(review): the second boot entry falls back to a 7.0(7) image if asa805-k8.bin is unavailable; presumably a leftover from the upgrade - remove it once 8.0(5) is confirmed stable so an old image cannot be booted by accident.
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name uk
object-group network ExternalAccess
description Hosts allowed direct web access
network-object SVR-01 255.255.255.255
network-object SVR-GIS 255.255.255.255
network-object host Tntu
network-object host tney
object-group network ExternalAccessFromDMZ
description Hosts allowed direct web access from DMZ
network-object CITRIX-Appliance 255.255.255.255
network-object IRONPORT1 255.255.255.255
network-object worker 255.255.255.255
object-group service MitelUDPinternet udp
description Mitel UDP services needed from internet
port-object range 20000 27000
port-object eq sip
port-object eq 5064
object-group service MitelTCPinternet tcp
description Mitel TCP services needed from internet
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 3998
port-object range 6801 6802
port-object eq 6880
port-object eq www
port-object eq https
port-object eq 6800
port-object eq 3478
port-object eq sip
port-object eq ssh
object-group service MitelTCPinternetOpt tcp
description Mitel TCP optional services from internet
port-object eq 3300
port-object range 6806 6807
! NOTE(review): the two 36005 entries overlap (36005-36005 lies inside 36005-36006); harmless, but collapse them to one.
port-object range 36005 36005
port-object range 36005 36006
port-object eq 3478
port-object eq sip
object-group service MitelUDP2LAN udp
description Mitel UDP services needed to LAN
! NOTE(review): 1024-65535 from the DMZ Teleworker host to 192.168.20.1 is effectively "all high UDP ports"; confirm with the Mitel documentation whether a narrower media range is sufficient.
port-object range 1024 65535
port-object eq sip
object-group service MitelTCP2LAN tcp
description Mitel TCP services needed to LAN
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 1606
port-object eq 4443
port-object eq 3998
port-object eq 3999
port-object range 6801 6802
port-object eq 6880
port-object eq www
port-object eq https
port-object eq 3478
port-object eq sip
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any unreachable
access-list acl_outside extended permit icmp any any source-quench
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq https
! NOTE(review): x.x.x.123 is the ASA's own outside address. Interface ACLs do not govern traffic to the ASA itself; management SSH is controlled by the "ssh ... outside" line further down, so this entry grants nothing and can be removed.
access-list acl_outside extended permit tcp any host x.x.x.123 eq ssh
! NOTE(review): duplicated verbatim by a later "Icritical_Outside eq ssh" entry; keep one.
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8088
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq https
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8081
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq https
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
! NOTE(review): duplicate of the preceding line.
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternet
access-list acl_outside extended permit udp any host teleworker_outside object-group MitelUDPinternet
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternetOpt
! NOTE(review): duplicate of the earlier "Icritical_Outside eq ssh" entry.
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit udp any host PAL-ESX-01 eq ntp
access-list acl_outside extended permit udp any host PAL-ESX-02 eq ntp
access-list acl_outside extended permit udp any host PAL-ESX-03 eq ntp
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive
access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0
! NOTE(review): NAT exemption for the site-to-site tunnel; it mirrors outside_1_cryptomap exactly, which is correct - the tunnel problem is not here.
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
access-list inside_pnat_outbound extended permit ip object-group ExternalAccess any
access-list acl_dmz extended permit ip host IRONPORT1 host Mail_Inside_AGH
access-list acl_dmz extended permit udp host IRONPORT1 host pal-svr-22 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host pal-svr-22 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host ARM-SVR-01 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host Pal-Svr-17 eq domain
access-list acl_dmz extended permit icmp host IRONPORT1 host Mail_Inside_AGH
! NOTE(review): this permits the whole DMZ to every inside and outside host, so the per-host IRONPORT1 entries above and the Teleworker entries below are redundant, and a compromised DMZ host is no longer isolated from the inside network. Restrict it to the outbound destinations actually needed (e.g. deny to 192.168.0.0/16 first, then permit to any).
access-list acl_dmz extended permit ip 192.168.103.0 255.255.255.0 any
access-list acl_dmz extended permit tcp host CITRIX-Appliance host CITRIXCSG-lan eq https inactive
access-list acl_dmz extended permit ip any host CITRIXCSG-lan inactive
access-list acl_dmz extended permit tcp host IRONPORT1 host Mail_Outside_AGH eq smtp
access-list acl_dmz extended permit tcp host Teleworker host 192.168.20.1 object-group MitelTCP2LAN
access-list acl_dmz extended permit udp host Teleworker host 192.168.20.1 object-group MitelUDP2LAN
access-list dmz_pnat_outbound extended permit ip object-group ExternalAccessFromDMZ any
access-list dmz_nat0_inbound extended permit ip 192.168.103.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_nat0_inbound extended permit ip host Teleworker host 192.168.20.1
access-list inside_pnat_outbound_AVON extended permit ip 192.168.21.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.22.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.23.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.24.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.32.0 255.255.240.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.48.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.56.0 255.255.252.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.60.0 255.255.255.0 any
! NOTE(review): an ACL named "any" that permits ip any any is not bound to any access-group, nat or crypto map in this config; remove it so it cannot be applied by mistake.
access-list any extended permit ip any any
access-list inside_nat_AVON_Marshall extended permit ip host Mail_Inside_AVON any
access-list dmz_pnat1_outbound extended permit ip host Teleworker any
! NOTE(review): only 192.168.3.0/24 is interesting traffic for the tunnel. The other 192.168.x subnets reached via 192.168.3.3 (see the "route inside 192.168.0.0 255.255.0.0" line) will not be encrypted unless they are added both here and in inside_outbound_nat0_acl, with the mirror-image entries on the 5505.
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail notifications
logging from-address uk
logging recipient-address [email protected] level critical
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.31.1.1-172.31.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo dmz
icmp permit any dmz
asdm image disk0:/asdm-625-53.bin
asdm location SVR-01 255.255.255.255 inside
asdm location svr-02 255.255.255.255 inside
asdm location IRONPORT1 255.255.255.255 dmz
asdm location 194.81.55.226 255.255.255.255 dmz
asdm location Server 255.255.255.255 inside
asdm location CITRIX-Appliance 255.255.255.255 dmz
asdm group ExternalAccess inside
asdm group ExternalAccessFromDMZ dmz
no asdm history enable
arp timeout 14400
global (outside) 2 x.x.x.121
global (outside) 1 x.x.x.125
global (outside) 3 Mail_Outside_AVON
global (outside) 4 Mail_Outside_AGH
global (outside) 5 teleworker_outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list inside_pnat_outbound_AVON
nat (inside) 3 access-list inside_nat_AVON_Marshall
nat (inside) 1 access-list inside_pnat_outbound
nat (dmz) 0 access-list dmz_nat0_inbound outside
nat (dmz) 4 access-list dmz_pnat_outbound
nat (dmz) 5 access-list dmz_pnat1_outbound
static (inside,outside) tcp Icritical_Outside ssh Icritical ssh netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AGH https Mail_Inside_AGH https netmask 255.255.255.255
static (dmz,outside) tcp Mail_Outside_AGH smtp IRONPORT1 smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON https Exchange_Inside_AVON https netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON smtp Mail_Inside_AVON smtp netmask 255.255.255.255
static (inside,outside) udp Icritical_Outside snmp Icritical snmp netmask 255.255.255.255
static (dmz,outside) Citrix_Portal_outside CITRIX-Appliance netmask 255.255.255.255
static (inside,outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255
static (dmz,outside) teleworker_outside Teleworker netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.254 1
! NOTE(review): most likely cause of the one-way tunnel. This /16 supernet covers the remote LAN 192.168.72.0/24, so traffic from inside to the remote site is routed back out the inside interface (ingress = egress, which is dropped without "same-security-traffic permit intra-interface") and never reaches the crypto map bound to outside. Remote-to-corporate works because replies presumably follow the connection already built from outside. Fix with a more specific route so the remote LAN egresses via outside:
!   route outside 192.168.72.0 255.255.255.0 X.X.X.254 1
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http oner 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! NOTE(review): the remote-access dynamic map still offers single-DES and MD5 transform sets as fallbacks; a downgrade-capable client will land on them. Remove the ESP-DES-* sets (and ideally the *-MD5 ones) from this list.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
! NOTE(review): PFS group1 is 768-bit DH, weaker than the group 2 used for ISAKMP below; once the tunnel is up, move both peers to AES and at least DH group 2 (group 5 if the 5505 supports it) for phase 2 as well.
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer r.r.r.244
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! NOTE(review): NAT-T is disabled globally; this is only safe if neither the L2L peer nor any remote-access client ever sits behind NAT (ipsec-udp in the group policy is a separate, Cisco-client-only mechanism).
no crypto isakmp nat-traversal
telnet timeout 5
! NOTE(review): SSH from the Internet is limited to a single source host, which is good. No "ssh version 2" is configured, so on 8.0(5) SSHv1 is presumably still accepted - pin version 2.
ssh x.x.x.x 255.255.255.255 outside
ssh Mail_Inside_AGH 255.255.255.255 inside
ssh timeout 5
! NOTE(review): a console timeout of 0 means an idle console session never expires; set a non-zero value.
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server SVR-DC1 source inside prefer
group-policy VPN internal
group-policy VPN attributes
wins-server value 192.168.x.x 192.168.x.x
dns-server value 192.168.x.x 192.168.x.x
ipsec-udp enable
default-domain value ACE
! NOTE(review): a single shared "VPN" account is the only remote-access user in this config, so there is no per-user accountability or revocation; move to per-user accounts or an external AAA server.
username VPN password pmmPwcDD/inpnNfB encrypted privilege 0
username VPN attributes
vpn-group-policy VPN
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool vpnpool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key ******
tunnel-group r.r.r.244 type ipsec-l2l
tunnel-group r.r.r.244 ipsec-attributes
pre-shared-key ****
tunnel-group-map default-group r.r.r.244
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8360816431357f109b3c4b950d545c86
: end
I have set up a site-to-site VPN and everything works fine from the remote site to the corporate site; however, from the corporate site (ASA 5510) I can't get any access to the remote site (ASA 5505). I have checked the logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through. Below is most of my 5510 config. I am sure it is something simple that I am missing, but I just can't get it working — please help.
REMOTE network is 192.168.72.0/24 (the subnet used in the crypto ACL and the NAT-exempt entry below).
: Saved
: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010
!
ASA Version 8.0(5)
!
hostname Casa
domain-name uk
! NOTE(review): these enable/login password hashes have been posted publicly. ASA 8.0 password hashes can be cracked offline, so rotate both passwords now, and strip hashes and pre-shared keys before sharing a config again.
enable password VgZT0UwPdkSV9l7N encrypted
passwd zlo5ImUVRkHl4lcl encrypted
names
name 192.168.103.14 CITRIX-Appliance description CITRIX-Appliance
name 192.168.3.12 tney description tney
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.123 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.103.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
! NOTE(review): the second boot entry falls back to a 7.0(7) image if asa805-k8.bin is unavailable; presumably a leftover from the upgrade - remove it once 8.0(5) is confirmed stable so an old image cannot be booted by accident.
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name uk
object-group network ExternalAccess
description Hosts allowed direct web access
network-object SVR-01 255.255.255.255
network-object SVR-GIS 255.255.255.255
network-object host Tntu
network-object host tney
object-group network ExternalAccessFromDMZ
description Hosts allowed direct web access from DMZ
network-object CITRIX-Appliance 255.255.255.255
network-object IRONPORT1 255.255.255.255
network-object worker 255.255.255.255
object-group service MitelUDPinternet udp
description Mitel UDP services needed from internet
port-object range 20000 27000
port-object eq sip
port-object eq 5064
object-group service MitelTCPinternet tcp
description Mitel TCP services needed from internet
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 3998
port-object range 6801 6802
port-object eq 6880
port-object eq www
port-object eq https
port-object eq 6800
port-object eq 3478
port-object eq sip
port-object eq ssh
object-group service MitelTCPinternetOpt tcp
description Mitel TCP optional services from internet
port-object eq 3300
port-object range 6806 6807
! NOTE(review): the two 36005 entries overlap (36005-36005 lies inside 36005-36006); harmless, but collapse them to one.
port-object range 36005 36005
port-object range 36005 36006
port-object eq 3478
port-object eq sip
object-group service MitelUDP2LAN udp
description Mitel UDP services needed to LAN
! NOTE(review): 1024-65535 from the DMZ Teleworker host to 192.168.20.1 is effectively "all high UDP ports"; confirm with the Mitel documentation whether a narrower media range is sufficient.
port-object range 1024 65535
port-object eq sip
object-group service MitelTCP2LAN tcp
description Mitel TCP services needed to LAN
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 1606
port-object eq 4443
port-object eq 3998
port-object eq 3999
port-object range 6801 6802
port-object eq 6880
port-object eq www
port-object eq https
port-object eq 3478
port-object eq sip
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any unreachable
access-list acl_outside extended permit icmp any any source-quench
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq https
! NOTE(review): x.x.x.123 is the ASA's own outside address. Interface ACLs do not govern traffic to the ASA itself; management SSH is controlled by the "ssh ... outside" line further down, so this entry grants nothing and can be removed.
access-list acl_outside extended permit tcp any host x.x.x.123 eq ssh
! NOTE(review): duplicated verbatim by a later "Icritical_Outside eq ssh" entry; keep one.
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8088
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq https
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8081
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq https
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
! NOTE(review): duplicate of the preceding line.
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternet
access-list acl_outside extended permit udp any host teleworker_outside object-group MitelUDPinternet
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternetOpt
! NOTE(review): duplicate of the earlier "Icritical_Outside eq ssh" entry.
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit udp any host PAL-ESX-01 eq ntp
access-list acl_outside extended permit udp any host PAL-ESX-02 eq ntp
access-list acl_outside extended permit udp any host PAL-ESX-03 eq ntp
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive
access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0
! NOTE(review): NAT exemption for the site-to-site tunnel; it mirrors outside_1_cryptomap exactly, which is correct - the tunnel problem is not here.
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
access-list inside_pnat_outbound extended permit ip object-group ExternalAccess any
access-list acl_dmz extended permit ip host IRONPORT1 host Mail_Inside_AGH
access-list acl_dmz extended permit udp host IRONPORT1 host pal-svr-22 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host pal-svr-22 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host ARM-SVR-01 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host Pal-Svr-17 eq domain
access-list acl_dmz extended permit icmp host IRONPORT1 host Mail_Inside_AGH
! NOTE(review): this permits the whole DMZ to every inside and outside host, so the per-host IRONPORT1 entries above and the Teleworker entries below are redundant, and a compromised DMZ host is no longer isolated from the inside network. Restrict it to the outbound destinations actually needed (e.g. deny to 192.168.0.0/16 first, then permit to any).
access-list acl_dmz extended permit ip 192.168.103.0 255.255.255.0 any
access-list acl_dmz extended permit tcp host CITRIX-Appliance host CITRIXCSG-lan eq https inactive
access-list acl_dmz extended permit ip any host CITRIXCSG-lan inactive
access-list acl_dmz extended permit tcp host IRONPORT1 host Mail_Outside_AGH eq smtp
access-list acl_dmz extended permit tcp host Teleworker host 192.168.20.1 object-group MitelTCP2LAN
access-list acl_dmz extended permit udp host Teleworker host 192.168.20.1 object-group MitelUDP2LAN
access-list dmz_pnat_outbound extended permit ip object-group ExternalAccessFromDMZ any
access-list dmz_nat0_inbound extended permit ip 192.168.103.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_nat0_inbound extended permit ip host Teleworker host 192.168.20.1
access-list inside_pnat_outbound_AVON extended permit ip 192.168.21.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.22.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.23.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.24.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.32.0 255.255.240.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.48.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.56.0 255.255.252.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.60.0 255.255.255.0 any
! NOTE(review): an ACL named "any" that permits ip any any is not bound to any access-group, nat or crypto map in this config; remove it so it cannot be applied by mistake.
access-list any extended permit ip any any
access-list inside_nat_AVON_Marshall extended permit ip host Mail_Inside_AVON any
access-list dmz_pnat1_outbound extended permit ip host Teleworker any
! NOTE(review): only 192.168.3.0/24 is interesting traffic for the tunnel. The other 192.168.x subnets reached via 192.168.3.3 (see the "route inside 192.168.0.0 255.255.0.0" line) will not be encrypted unless they are added both here and in inside_outbound_nat0_acl, with the mirror-image entries on the 5505.
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail notifications
logging from-address uk
logging recipient-address [email protected] level critical
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.31.1.1-172.31.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo dmz
icmp permit any dmz
asdm image disk0:/asdm-625-53.bin
asdm location SVR-01 255.255.255.255 inside
asdm location svr-02 255.255.255.255 inside
asdm location IRONPORT1 255.255.255.255 dmz
asdm location 194.81.55.226 255.255.255.255 dmz
asdm location Server 255.255.255.255 inside
asdm location CITRIX-Appliance 255.255.255.255 dmz
asdm group ExternalAccess inside
asdm group ExternalAccessFromDMZ dmz
no asdm history enable
arp timeout 14400
global (outside) 2 x.x.x.121
global (outside) 1 x.x.x.125
global (outside) 3 Mail_Outside_AVON
global (outside) 4 Mail_Outside_AGH
global (outside) 5 teleworker_outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list inside_pnat_outbound_AVON
nat (inside) 3 access-list inside_nat_AVON_Marshall
nat (inside) 1 access-list inside_pnat_outbound
nat (dmz) 0 access-list dmz_nat0_inbound outside
nat (dmz) 4 access-list dmz_pnat_outbound
nat (dmz) 5 access-list dmz_pnat1_outbound
static (inside,outside) tcp Icritical_Outside ssh Icritical ssh netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AGH https Mail_Inside_AGH https netmask 255.255.255.255
static (dmz,outside) tcp Mail_Outside_AGH smtp IRONPORT1 smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON https Exchange_Inside_AVON https netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON smtp Mail_Inside_AVON smtp netmask 255.255.255.255
static (inside,outside) udp Icritical_Outside snmp Icritical snmp netmask 255.255.255.255
static (dmz,outside) Citrix_Portal_outside CITRIX-Appliance netmask 255.255.255.255
static (inside,outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255
static (dmz,outside) teleworker_outside Teleworker netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.254 1
! NOTE(review): most likely cause of the one-way tunnel. This /16 supernet covers the remote LAN 192.168.72.0/24, so traffic from inside to the remote site is routed back out the inside interface (ingress = egress, which is dropped without "same-security-traffic permit intra-interface") and never reaches the crypto map bound to outside. Remote-to-corporate works because replies presumably follow the connection already built from outside. Fix with a more specific route so the remote LAN egresses via outside:
!   route outside 192.168.72.0 255.255.255.0 X.X.X.254 1
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http oner 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! NOTE(review): the remote-access dynamic map still offers single-DES and MD5 transform sets as fallbacks; a downgrade-capable client will land on them. Remove the ESP-DES-* sets (and ideally the *-MD5 ones) from this list.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
! NOTE(review): PFS group1 is 768-bit DH, weaker than the group 2 used for ISAKMP below; once the tunnel is up, move both peers to AES and at least DH group 2 (group 5 if the 5505 supports it) for phase 2 as well.
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer r.r.r.244
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! NOTE(review): NAT-T is disabled globally; this is only safe if neither the L2L peer nor any remote-access client ever sits behind NAT (ipsec-udp in the group policy is a separate, Cisco-client-only mechanism).
no crypto isakmp nat-traversal
telnet timeout 5
! NOTE(review): SSH from the Internet is limited to a single source host, which is good. No "ssh version 2" is configured, so on 8.0(5) SSHv1 is presumably still accepted - pin version 2.
ssh x.x.x.x 255.255.255.255 outside
ssh Mail_Inside_AGH 255.255.255.255 inside
ssh timeout 5
! NOTE(review): a console timeout of 0 means an idle console session never expires; set a non-zero value.
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server SVR-DC1 source inside prefer
group-policy VPN internal
group-policy VPN attributes
wins-server value 192.168.x.x 192.168.x.x
dns-server value 192.168.x.x 192.168.x.x
ipsec-udp enable
default-domain value ACE
! NOTE(review): a single shared "VPN" account is the only remote-access user in this config, so there is no per-user accountability or revocation; move to per-user accounts or an external AAA server.
username VPN password pmmPwcDD/inpnNfB encrypted privilege 0
username VPN attributes
vpn-group-policy VPN
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool vpnpool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key ******
tunnel-group r.r.r.244 type ipsec-l2l
tunnel-group r.r.r.244 ipsec-attributes
pre-shared-key ****
tunnel-group-map default-group r.r.r.244
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8360816431357f109b3c4b950d545c86
: end