[vpn-help] Cisco ASA cannot see internal network

Robert Bourguignon robertb at plusinc.net
Tue Apr 26 14:22:31 CDT 2011


Hello,
I can connect to the firewall with the tunnel enabled, but I cannot see anything on the inside network. Included are the ASA config and the IPsec trace. I can't ping, tracert, etc.


Here is the IPsec trace:

11/04/26 15:07:36 ## : IPSEC Daemon, ver 2.1.7
11/04/26 15:07:36 ## : Copyright 2010 Shrew Soft Inc.
11/04/26 15:07:36 ## : This product linked OpenSSL 0.9.8h 28 May 2008
11/04/26 15:07:36 ## : This product linked zlib v1.2.3
11/04/26 15:07:36 ii : network send process thread begin ...
11/04/26 15:07:36 ii : network recv process thread begin ...
11/04/26 15:07:36 ii : vflt send device attached
11/04/26 15:07:36 ii : pfkey server process thread begin ...
11/04/26 15:07:36 ii : vflt recv device attached
11/04/26 15:07:36 ii : pfkey client process thread begin ...
11/04/26 15:07:36 K< : recv DUMP UNSPEC message
11/04/26 15:07:36 K< : recv X_SPDDUMP UNSPEC message
11/04/26 15:07:37 ii : pfkey client process thread begin ...
11/04/26 15:07:37 K< : message REGISTER AH received
11/04/26 15:07:37 K< : message REGISTER ESP received
11/04/26 15:07:37 K< : message REGISTER IPCOMP received
11/04/26 15:07:37 K< : recv X_SPDDUMP UNSPEC message
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id   = 0
11/04/26 15:07:43 ii : - type = NONE
11/04/26 15:07:43 ii : - dir  = INBOUND
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 0 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 1 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id   = 0
11/04/26 15:07:43 ii : - type = NONE
11/04/26 15:07:43 ii : - dir  = OUTBOUND
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 1 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 ii : installed accept rule for 66.83.x.x/255.255.255.255
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 2 )
11/04/26 15:07:43 ii : removed arp mirror rule ( policycount 2 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id   = 0
11/04/26 15:07:43 ii : - type = NONE
11/04/26 15:07:43 ii : - dir  = INBOUND
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 2 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 3 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id   = 0
11/04/26 15:07:43 ii : - type = NONE
11/04/26 15:07:43 ii : - dir  = OUTBOUND
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 3 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 ii : installed accept rule for 192.168.0.1/255.255.255.255
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 4 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id   = 0
11/04/26 15:07:43 ii : - type = IPSEC
11/04/26 15:07:43 ii : - dir  = INBOUND
11/04/26 15:07:43 ii : - transform #0
11/04/26 15:07:43 ii : -- proto = 50
11/04/26 15:07:43 ii : -- level = REQUIRE
11/04/26 15:07:43 ii : -- mode  = TUNNEL
11/04/26 15:07:43 ii : -- reqid = 0
11/04/26 15:07:43 ii : -- tsrc  = 66.83.x.x:0
11/04/26 15:07:43 ii : -- tdst  = 192.168.0.54:0
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 4 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 5 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id   = 0
11/04/26 15:07:43 ii : - type = IPSEC
11/04/26 15:07:43 ii : - dir  = OUTBOUND
11/04/26 15:07:43 ii : - transform #0
11/04/26 15:07:43 ii : -- proto = 50
11/04/26 15:07:43 ii : -- level = REQUIRE
11/04/26 15:07:43 ii : -- mode  = TUNNEL
11/04/26 15:07:43 ii : -- reqid = 0
11/04/26 15:07:43 ii : -- tsrc  = 192.168.0.54:0
11/04/26 15:07:43 ii : -- tdst  = 66.83.x.x:0
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 5 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 ii : installed divert rule for 192.168.1.0/255.255.255.0
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:43 ii : inspecting ARP request ...
11/04/26 15:07:43 DB : policy not found
11/04/26 15:07:43 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:43 K< : recv GETSPI ESP pfkey message
11/04/26 15:07:43 ii : allocated spi for ESP sa
11/04/26 15:07:43 ii : - spi  = 0x6b843a76
11/04/26 15:07:43 ii : - src  = 66.83.x.x:4500
11/04/26 15:07:43 ii : - dst  = 192.168.0.54:4500
11/04/26 15:07:43 DB : sa ref increment ( ref count = 1, sa count = 0 )
11/04/26 15:07:43 DB : sa added
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 1 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 1, sa count = 1 )
11/04/26 15:07:43 K> : sent GETSPI ESP pfkey message
11/04/26 15:07:43 K> : sent GETSPI ESP pfkey message
11/04/26 15:07:43 ii : inspecting ARP request ...
11/04/26 15:07:43 DB : policy not found
11/04/26 15:07:43 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:43 K< : recv GETSPI ESP pfkey message
11/04/26 15:07:43 ii : allocated spi for ESP sa
11/04/26 15:07:43 ii : - spi  = 0x7c8556f3
11/04/26 15:07:43 ii : - src  = 192.168.0.54:4500
11/04/26 15:07:43 ii : - dst  = 66.83.x.x:4500
11/04/26 15:07:43 DB : sa ref increment ( ref count = 1, sa count = 1 )
11/04/26 15:07:43 DB : sa added
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 1, sa count = 2 )
11/04/26 15:07:43 K> : sent GETSPI ESP pfkey message
11/04/26 15:07:43 K> : sent GETSPI ESP pfkey message
11/04/26 15:07:43 K< : recv UPDATE ESP pfkey message
11/04/26 15:07:43 DB : sa found
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:43 ii : added sa divert rule for 66.83.x.x->192.168.0.54
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 ii : updated sa for protocol ESP
11/04/26 15:07:43 ii : - spi  = 0x6b843a76
11/04/26 15:07:43 ii : - src  = 66.83.x.x:4500
11/04/26 15:07:43 ii : - dst  = 192.168.0.54:4500
11/04/26 15:07:43 ii : - encr = 3DES-CBC
11/04/26 15:07:43 ii : - ekey = 192 bits
11/04/26 15:07:43 ii : - auth = HMAC-MD5
11/04/26 15:07:43 ii : - akey = 128 bits
11/04/26 15:07:43 ii : - hard = 3600
11/04/26 15:07:43 ii : - soft = 2880
11/04/26 15:07:43 ii : - natt = ESPINUDP
11/04/26 15:07:43 K< : recv UPDATE ESP pfkey message
11/04/26 15:07:43 DB : sa found
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 ii : updated sa for protocol ESP
11/04/26 15:07:43 ii : - spi  = 0x7c8556f3
11/04/26 15:07:43 ii : - src  = 192.168.0.54:4500
11/04/26 15:07:43 ii : - dst  = 66.83.x.x:4500
11/04/26 15:07:43 ii : - encr = 3DES-CBC
11/04/26 15:07:43 ii : - ekey = 192 bits
11/04/26 15:07:43 ii : - auth = HMAC-MD5
11/04/26 15:07:43 ii : - akey = 128 bits
11/04/26 15:07:43 ii : - hard = 3600
11/04/26 15:07:43 ii : - soft = 2880
11/04/26 15:07:43 ii : - natt = ESPINUDP
11/04/26 15:07:43 ii : inspecting ARP request ...
11/04/26 15:07:43 DB : policy not found
11/04/26 15:07:43 ii : ignoring ARP request for 192.168.2.41, no policy found
11/04/26 15:07:43 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:43 DB : sa found
11/04/26 15:07:43 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:43 DB : sa found
11/04/26 15:07:43 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:44 ii : inspecting ARP request ...
11/04/26 15:07:44 DB : policy not found
11/04/26 15:07:44 ii : ignoring ARP request for 192.168.2.41, no policy found
11/04/26 15:07:44 ii : inspecting ARP request ...
11/04/26 15:07:44 DB : policy not found
11/04/26 15:07:44 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:44 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:44 DB : sa found
11/04/26 15:07:44 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:44 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:44 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:44 DB : sa found
11/04/26 15:07:44 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:44 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:45 ii : inspecting ARP request ...
11/04/26 15:07:45 DB : policy not found
11/04/26 15:07:45 ii : ignoring ARP request for 192.168.2.41, no policy found
11/04/26 15:07:46 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:46 DB : sa found
11/04/26 15:07:46 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:46 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:46 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:46 DB : sa found
11/04/26 15:07:46 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:46 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:46 ii : inspecting ARP request ...
11/04/26 15:07:46 DB : policy not found
11/04/26 15:07:46 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:46 ii : inspecting ARP request ...
11/04/26 15:07:46 DB : policy found
11/04/26 15:07:46 DB : policy not found
11/04/26 15:07:46 ii : spoofing ARP response for 192.168.1.1
11/04/26 15:07:46 DB : policy found
11/04/26 15:07:46 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:46 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:46 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:46 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 160 bytes )
11/04/26 15:07:46 ii : inspecting ARP request ...
11/04/26 15:07:46 DB : policy not found
11/04/26 15:07:46 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:47 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:47 DB : sa found
11/04/26 15:07:47 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:47 DB : sa found
11/04/26 15:07:47 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 ii : inspecting ARP request ...
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy not found
11/04/26 15:07:47 ii : spoofing ARP response for 192.168.1.100
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 160 bytes )
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:48 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:48 DB : sa found
11/04/26 15:07:48 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:48 DB : sa found
11/04/26 15:07:48 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy found
11/04/26 15:07:48 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:48 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:48 DB : policy found
11/04/26 15:07:48 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:48 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:48 DB : policy found
11/04/26 15:07:48 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:48 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:48 DB : policy found
11/04/26 15:07:48 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:48 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:49 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:49 DB : sa found
11/04/26 15:07:49 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:49 DB : sa found
11/04/26 15:07:49 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy found
11/04/26 15:07:49 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:49 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:49 DB : policy found
11/04/26 15:07:49 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:49 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:49 DB : policy found
11/04/26 15:07:49 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:49 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:49 DB : policy found
11/04/26 15:07:49 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:49 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 160 bytes )
11/04/26 15:07:50 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:50 DB : sa found
11/04/26 15:07:50 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:50 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:50 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:50 DB : sa found
11/04/26 15:07:50 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:50 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:50 ii : pfkey server process thread exit ...
11/04/26 15:07:50 ii : pfkey client process thread exit ...
11/04/26 15:07:50 ii : pfkey client process thread exit ...
11/04/26 15:07:50 ii : network send process thread exit ...
11/04/26 15:07:50 ii : network recv process thread exit ...
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.83.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.100
 domain-name gapusa
dns server-group GAPVPN
 domain-name gapusa
object-group service RDP tcp
 description Remote Destip
 port-object eq 3389
object-group service FTPS tcp
 port-object eq 990
object-group service NetOP tcp
 port-object eq 6502
object-group service RDP_InSequence tcp
 port-object eq 3390
object-group service IMAPSSL tcp
 port-object eq 993
object-group service RDP_NEW tcp
 port-object eq 3391
object-group service CameraHTTP8081 tcp
 port-object eq 8081
object-group service DVR_32789 tcp
 port-object eq 32789
object-group service DVR_37778 udp
 port-object eq 37778
object-group network group-inside-vpnclient
 description All inside accessible networks
 network-object 192.168.1.0 255.255.255.0
object-group network VPN_Group
 network-object VPN_Clients 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 81
access-list outside_access_in extended permit tcp any any eq 2000
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq 990
access-list outside_access_in extended permit tcp any any eq 3390
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip object-group VPN_Group any
access-list inside_access_in extended permit ip VPN_Clients 255.255.255.0 any
access-list inside_access_in extended permit udp object-group VPN_Group any
access-list inside_access_in extended permit tcp object-group VPN_Group any
access-list inside_access_in extended permit udp VPN_Clients 255.255.255.0 any
access-list inside_access_in extended permit tcp VPN_Clients 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp any any eq smtp
access-list outside_access_in_1 extended permit tcp any any eq www
access-list outside_access_in_1 extended permit tcp any any eq https
access-list outside_access_in_1 extended permit tcp any any eq imap4
access-list outside_access_in_1 extended permit tcp any any eq pop3
access-list outside_access_in_1 extended permit tcp any any object-group RDP
access-list outside_access_in_1 extended permit tcp any any eq ftp
access-list outside_access_in_1 extended permit tcp any any object-group FTPS
access-list outside_access_in_1 extended permit tcp any any eq pptp
access-list outside_access_in_1 remark Port for InSequence
access-list outside_access_in_1 extended permit tcp any any object-group NetOP
access-list outside_access_in_1 extended permit gre any any
access-list outside_access_in_1 extended permit tcp any any object-group RDP_InSequence
access-list outside_access_in_1 extended permit tcp any any object-group IMAPSSL
access-list outside_access_in_1 extended permit tcp any any object-group RDP_NEW
access-list outside_access_in_1 extended permit tcp any any object-group CameraHTTP8081
access-list outside_access_in_1 extended permit tcp any any object-group DVR_32789
access-list outside_access_in_1 extended permit udp any any object-group DVR_37778
access-list outside_access_in_1 extended permit ip object-group VPN_Group any
access-list outside_access_in_1 extended permit ip VPN_Clients 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp VPN_Clients 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp object-group VPN_Group any
access-list outside_access_in_1 extended permit udp VPN_Clients 255.255.255.0 any
access-list outside_access_in_1 extended permit udp object-group VPN_Group any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool-vpnclient 192.168.2.40-192.168.2.45 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 VPN_Clients 255.255.255.0 outside
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.100 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.100 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255
static (inside,outside) tcp interface 6502 InSequence2 6502 netmask 255.255.255.255
static (inside,outside) tcp interface ftp InSequence1 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 990 InSequence1 990 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 InSequence1 3389 netmask 255.255.255.255
static (inside,inside) tcp interface 993 192.168.1.100 993 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 NewServer 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8081 Camera_DVR www netmask 255.255.255.255
static (inside,outside) tcp interface 32789 Camera_DVR 32789 netmask 255.255.255.255
static (inside,outside) udp interface 37778 Camera_DVR 37778 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 66.83.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet 88.217.187.158 255.255.255.255 outside
telnet timeout 50
ssh 0.0.0.0 0.0.0.0 inside
ssh 88.217.187.158 255.255.255.255 outside
ssh timeout 60
console timeout 0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.100 64.89.74.2
 vpn-tunnel-protocol l2tp-ipsec
group-policy group-policy-default internal
group-policy group-policy-default attributes
 banner value Welcome to GAP USA!
 wins-server value 192.168.1.100
 dns-server value 192.168.1.1 192.168.1.100
 vpn-tunnel-protocol IPSec
 password-storage disable
 re-xauth disable
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value gapusa.local
 split-dns value shrew.net example.com
 address-pools value ippool-vpnclient
username sidney password 3NBdDlXmKNSbwdJ4 encrypted
username robert password lNQjmSYxMg2P0UZc encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.100 timeout 2 retry 2
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 address-pool ippool-vpnclient
 default-group-policy group-policy-default
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:1249f4d5f805e8ac7db26280a3aeee76
: end
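As an added defender's-side check, not part of the post above or of the Shrew Soft project: the script below lints a pre-8.3 ASA remote-access VPN configuration for the two settings that most often leave an established tunnel unable to reach the inside network, a missing NAT exemption ('nat (inside) 0 access-list ...') for the client pool, and 'no sysopt connection permit-vpn' without an outside-interface ACL entry that covers the pool. POSTED_EXCERPT is constructed from lines of the config quoted in the message; the 'name' alias, the 'nonat' ACL and the 'nat (inside) 0' line in FIXED_EXCERPT are assumed corrections written for this example, not configuration from the post.

```python
"""Lint a pre-8.3 Cisco ASA remote-access VPN configuration for the two settings
that most often leave an established tunnel unable to reach the inside network:
(1) no NAT exemption for the client pool, so replies from inside hosts are
PAT'd by 'nat (inside) 1' and never match the tunnel's proxy identities, and
(2) 'no sysopt connection permit-vpn', which subjects decrypted client traffic
to the outside interface ACL.  Added example; not code from the vpn-help post.
"""
import ipaddress
import re

# Constructed excerpt: lines taken from the config posted to the list.
POSTED_EXCERPT = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
access-list outside_access_in_1 extended permit tcp any any eq smtp
access-list outside_access_in_1 extended permit ip VPN_Clients 255.255.255.0 any
ip local pool ippool-vpnclient 192.168.2.40-192.168.2.45 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 VPN_Clients 255.255.255.0 outside
access-group outside_access_in_1 in interface outside
no sysopt connection permit-vpn
"""

# Hypothetical corrected excerpt (assumed, not from the post): a 'name' alias for
# the pool network plus a NAT-exemption ACL bound with 'nat (inside) 0'.
FIXED_EXCERPT = POSTED_EXCERPT + """\
name 192.168.2.0 VPN_Clients
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def parse_pools(config):
    """Return {pool name: network containing the 'ip local pool' range}."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", config, re.M):
        name, first, _last, mask = m.groups()
        pools[name] = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    return pools


def resolve_name(config, token):
    """Translate a 'name <addr> <alias>' alias; return token unchanged if none."""
    m = re.search(rf"^name (\S+) {re.escape(token)}$", config, re.M)
    return m.group(1) if m else token


def outside_acl_covers_pool(config, pool_net):
    """Check whether the ACL applied inbound on 'outside' has a 'permit ip'
    entry whose source covers the whole client pool.  Returns
    (covered, unresolved_tokens); unresolved tokens are aliases or object-groups
    this checker could not map to an address."""
    m = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    if not m:
        return False, []
    acl, unresolved = m.group(1), []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", acl] or "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":  # only full-IP permits count for reachability
            continue
        src = tokens[i + 2]
        if src == "any":
            return True, unresolved
        if src == "object-group":  # object-group expansion is out of scope here
            unresolved.append(tokens[i + 3])
            continue
        if src == "host":
            addr, mask = tokens[i + 3], "255.255.255.255"
        else:
            addr, mask = src, tokens[i + 3]
        try:
            net = ipaddress.ip_network(f"{resolve_name(config, addr)}/{mask}", strict=False)
        except ValueError:
            unresolved.append(addr)
            continue
        if pool_net.subnet_of(net):
            return True, unresolved
    return False, unresolved


def lint_vpn_reachability(config):
    """Return a list of human-readable findings (empty when both checks pass)."""
    findings = []
    pools = parse_pools(config)
    if not pools:
        return ["no 'ip local pool' found; cannot check client reachability"]
    pat_rules = re.findall(r"^nat \(inside\) ([1-9]\d*) ", config, re.M)
    exempt_acls = re.findall(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    for name, net in pools.items():
        if pat_rules and not exempt_acls:
            findings.append(
                f"pool {name} ({net}): inside replies to clients hit 'nat (inside) "
                f"{pat_rules[0]}' with no 'nat (inside) 0 access-list' exemption")
        if re.search(r"^no sysopt connection permit-vpn", config, re.M):
            covered, unresolved = outside_acl_covers_pool(config, net)
            if not covered:
                findings.append(
                    f"pool {name} ({net}): 'sysopt connection permit-vpn' is off and no "
                    f"outside ACL 'permit ip' covers the pool (unresolved: {unresolved})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_EXCERPT), ("fixed", FIXED_EXCERPT)):
        print(label, lint_vpn_reachability(cfg) or ["ok"])
```

Run against the posted excerpt it reports both findings; against the assumed corrected excerpt it reports none. The checker deliberately stops at the two rules it can verify from the text of the config: it does not expand object-groups, and it treats an alias it cannot resolve through a 'name' line (such as VPN_Clients here, whose definition is not in the quoted config) as unresolved rather than guessing an address.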