[vpn-help] Cisco ASA cannot see internal network
Robert Bourguignon
robertb at plusinc.net
Tue Apr 26 14:22:31 CDT 2011
Hello,
I can connect to the Firewall with tunnel enabled. But I cannot see anything on the inside network. Included is the ASA config and the IPsec Trace. I can't ping, tracert, etc.
Here is the IPsec Trace
11/04/26 15:07:36 ## : IPSEC Daemon, ver 2.1.7
11/04/26 15:07:36 ## : Copyright 2010 Shrew Soft Inc.
11/04/26 15:07:36 ## : This product linked OpenSSL 0.9.8h 28 May 2008
11/04/26 15:07:36 ## : This product linked zlib v1.2.3
11/04/26 15:07:36 ii : network send process thread begin ...
11/04/26 15:07:36 ii : network recv process thread begin ...
11/04/26 15:07:36 ii : vflt send device attached
11/04/26 15:07:36 ii : pfkey server process thread begin ...
11/04/26 15:07:36 ii : vflt recv device attached
11/04/26 15:07:36 ii : pfkey client process thread begin ...
11/04/26 15:07:36 K< : recv DUMP UNSPEC message
11/04/26 15:07:36 K< : recv X_SPDDUMP UNSPEC message
11/04/26 15:07:37 ii : pfkey client process thread begin ...
11/04/26 15:07:37 K< : message REGISTER AH received
11/04/26 15:07:37 K< : message REGISTER ESP received
11/04/26 15:07:37 K< : message REGISTER IPCOMP received
11/04/26 15:07:37 K< : recv X_SPDDUMP UNSPEC message
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id = 0
11/04/26 15:07:43 ii : - type = NONE
11/04/26 15:07:43 ii : - dir = INBOUND
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 0 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 1 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id = 0
11/04/26 15:07:43 ii : - type = NONE
11/04/26 15:07:43 ii : - dir = OUTBOUND
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 1 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 ii : installed accept rule for 66.83.x.x/255.255.255.255
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 2 )
11/04/26 15:07:43 ii : removed arp mirror rule ( policycount 2 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id = 0
11/04/26 15:07:43 ii : - type = NONE
11/04/26 15:07:43 ii : - dir = INBOUND
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 2 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 3 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id = 0
11/04/26 15:07:43 ii : - type = NONE
11/04/26 15:07:43 ii : - dir = OUTBOUND
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 3 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 ii : installed accept rule for 192.168.0.1/255.255.255.255
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 4 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id = 0
11/04/26 15:07:43 ii : - type = IPSEC
11/04/26 15:07:43 ii : - dir = INBOUND
11/04/26 15:07:43 ii : - transform #0
11/04/26 15:07:43 ii : -- proto = 50
11/04/26 15:07:43 ii : -- level = REQUIRE
11/04/26 15:07:43 ii : -- mode = TUNNEL
11/04/26 15:07:43 ii : -- reqid = 0
11/04/26 15:07:43 ii : -- tsrc = 66.83.x.x:0
11/04/26 15:07:43 ii : -- tdst = 192.168.0.54:0
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 4 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 5 )
11/04/26 15:07:43 K< : recv X_SPDADD UNSPEC pfkey message
11/04/26 15:07:43 ii : - id = 0
11/04/26 15:07:43 ii : - type = IPSEC
11/04/26 15:07:43 ii : - dir = OUTBOUND
11/04/26 15:07:43 ii : - transform #0
11/04/26 15:07:43 ii : -- proto = 50
11/04/26 15:07:43 ii : -- level = REQUIRE
11/04/26 15:07:43 ii : -- mode = TUNNEL
11/04/26 15:07:43 ii : -- reqid = 0
11/04/26 15:07:43 ii : -- tsrc = 192.168.0.54:0
11/04/26 15:07:43 ii : -- tdst = 66.83.x.x:0
11/04/26 15:07:43 DB : policy ref increment ( ref count = 1, policy count = 5 )
11/04/26 15:07:43 DB : policy added
11/04/26 15:07:43 ii : installed divert rule for 192.168.1.0/255.255.255.0
11/04/26 15:07:43 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:43 ii : inspecting ARP request ...
11/04/26 15:07:43 DB : policy not found
11/04/26 15:07:43 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:43 K< : recv GETSPI ESP pfkey message
11/04/26 15:07:43 ii : allocated spi for ESP sa
11/04/26 15:07:43 ii : - spi = 0x6b843a76
11/04/26 15:07:43 ii : - src = 66.83.x.x:4500
11/04/26 15:07:43 ii : - dst = 192.168.0.54:4500
11/04/26 15:07:43 DB : sa ref increment ( ref count = 1, sa count = 0 )
11/04/26 15:07:43 DB : sa added
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 1 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 1, sa count = 1 )
11/04/26 15:07:43 K> : sent GETSPI ESP pfkey message
11/04/26 15:07:43 K> : sent GETSPI ESP pfkey message
11/04/26 15:07:43 ii : inspecting ARP request ...
11/04/26 15:07:43 DB : policy not found
11/04/26 15:07:43 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:43 K< : recv GETSPI ESP pfkey message
11/04/26 15:07:43 ii : allocated spi for ESP sa
11/04/26 15:07:43 ii : - spi = 0x7c8556f3
11/04/26 15:07:43 ii : - src = 192.168.0.54:4500
11/04/26 15:07:43 ii : - dst = 66.83.x.x:4500
11/04/26 15:07:43 DB : sa ref increment ( ref count = 1, sa count = 1 )
11/04/26 15:07:43 DB : sa added
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 1, sa count = 2 )
11/04/26 15:07:43 K> : sent GETSPI ESP pfkey message
11/04/26 15:07:43 K> : sent GETSPI ESP pfkey message
11/04/26 15:07:43 K< : recv UPDATE ESP pfkey message
11/04/26 15:07:43 DB : sa found
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:43 ii : added sa divert rule for 66.83.x.x->192.168.0.54
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 ii : updated sa for protocol ESP
11/04/26 15:07:43 ii : - spi = 0x6b843a76
11/04/26 15:07:43 ii : - src = 66.83.x.x:4500
11/04/26 15:07:43 ii : - dst = 192.168.0.54:4500
11/04/26 15:07:43 ii : - encr = 3DES-CBC
11/04/26 15:07:43 ii : - ekey = 192 bits
11/04/26 15:07:43 ii : - auth = HMAC-MD5
11/04/26 15:07:43 ii : - akey = 128 bits
11/04/26 15:07:43 ii : - hard = 3600
11/04/26 15:07:43 ii : - soft = 2880
11/04/26 15:07:43 ii : - natt = ESPINUDP
11/04/26 15:07:43 K< : recv UPDATE ESP pfkey message
11/04/26 15:07:43 DB : sa found
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref increment ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 ii : updated sa for protocol ESP
11/04/26 15:07:43 ii : - spi = 0x7c8556f3
11/04/26 15:07:43 ii : - src = 192.168.0.54:4500
11/04/26 15:07:43 ii : - dst = 66.83.x.x:4500
11/04/26 15:07:43 ii : - encr = 3DES-CBC
11/04/26 15:07:43 ii : - ekey = 192 bits
11/04/26 15:07:43 ii : - auth = HMAC-MD5
11/04/26 15:07:43 ii : - akey = 128 bits
11/04/26 15:07:43 ii : - hard = 3600
11/04/26 15:07:43 ii : - soft = 2880
11/04/26 15:07:43 ii : - natt = ESPINUDP
11/04/26 15:07:43 ii : inspecting ARP request ...
11/04/26 15:07:43 DB : policy not found
11/04/26 15:07:43 ii : ignoring ARP request for 192.168.2.41, no policy found
11/04/26 15:07:43 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:43 DB : sa found
11/04/26 15:07:43 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:43 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:43 DB : sa found
11/04/26 15:07:43 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:43 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:44 ii : inspecting ARP request ...
11/04/26 15:07:44 DB : policy not found
11/04/26 15:07:44 ii : ignoring ARP request for 192.168.2.41, no policy found
11/04/26 15:07:44 ii : inspecting ARP request ...
11/04/26 15:07:44 DB : policy not found
11/04/26 15:07:44 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:44 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:44 DB : sa found
11/04/26 15:07:44 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:44 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:44 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:44 DB : sa found
11/04/26 15:07:44 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:44 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:45 ii : inspecting ARP request ...
11/04/26 15:07:45 DB : policy not found
11/04/26 15:07:45 ii : ignoring ARP request for 192.168.2.41, no policy found
11/04/26 15:07:46 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:46 DB : sa found
11/04/26 15:07:46 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:46 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:46 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:46 DB : sa found
11/04/26 15:07:46 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:46 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:46 ii : inspecting ARP request ...
11/04/26 15:07:46 DB : policy not found
11/04/26 15:07:46 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:46 ii : inspecting ARP request ...
11/04/26 15:07:46 DB : policy found
11/04/26 15:07:46 DB : policy not found
11/04/26 15:07:46 ii : spoofing ARP response for 192.168.1.1
11/04/26 15:07:46 DB : policy found
11/04/26 15:07:46 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:46 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:46 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:46 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 160 bytes )
11/04/26 15:07:46 ii : inspecting ARP request ...
11/04/26 15:07:46 DB : policy not found
11/04/26 15:07:46 ii : ignoring ARP request for 192.168.0.1, no policy found
11/04/26 15:07:47 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:47 DB : sa found
11/04/26 15:07:47 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:47 DB : sa found
11/04/26 15:07:47 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 ii : inspecting ARP request ...
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy not found
11/04/26 15:07:47 ii : spoofing ARP response for 192.168.1.100
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 160 bytes )
11/04/26 15:07:47 DB : policy found
11/04/26 15:07:47 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:47 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:47 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:47 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:48 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:48 DB : sa found
11/04/26 15:07:48 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:48 DB : sa found
11/04/26 15:07:48 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy found
11/04/26 15:07:48 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:48 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:48 DB : policy found
11/04/26 15:07:48 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:48 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:48 DB : policy found
11/04/26 15:07:48 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:48 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:48 DB : policy found
11/04/26 15:07:48 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:48 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:48 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:48 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:49 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:49 DB : sa found
11/04/26 15:07:49 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:49 DB : sa found
11/04/26 15:07:49 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy found
11/04/26 15:07:49 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:49 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 128 bytes )
11/04/26 15:07:49 DB : policy found
11/04/26 15:07:49 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:49 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:49 DB : policy found
11/04/26 15:07:49 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:49 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 120 bytes )
11/04/26 15:07:49 DB : policy found
11/04/26 15:07:49 DB : policy ref increment ( ref count = 1, policy count = 6 )
11/04/26 15:07:49 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:49 DB : policy ref decrement ( ref count = 0, policy count = 6 )
11/04/26 15:07:49 -> : send NAT-T:ESP packet 192.168.0.54 -> 66.83.x.x ( 160 bytes )
11/04/26 15:07:50 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:50 DB : sa found
11/04/26 15:07:50 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:50 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:50 K< : recv GET UNSPEC pfkey message
11/04/26 15:07:50 DB : sa found
11/04/26 15:07:50 DB : sa ref increment ( ref count = 3, sa count = 2 )
11/04/26 15:07:50 DB : sa ref decrement ( ref count = 2, sa count = 2 )
11/04/26 15:07:50 ii : pfkey server process thread exit ...
11/04/26 15:07:50 ii : pfkey client process thread exit ...
11/04/26 15:07:50 ii : pfkey client process thread exit ...
11/04/26 15:07:50 ii : network send process thread exit ...
11/04/26 15:07:50 ii : network recv process thread exit ...
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 66.83.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.100
domain-name gapusa
dns server-group GAPVPN
domain-name gapusa
object-group service RDP tcp
description Remote Destip
port-object eq 3389
object-group service FTPS tcp
port-object eq 990
object-group service NetOP tcp
port-object eq 6502
object-group service RDP_InSequence tcp
port-object eq 3390
object-group service IMAPSSL tcp
port-object eq 993
object-group service RDP_NEW tcp
port-object eq 3391
object-group service CameraHTTP8081 tcp
port-object eq 8081
object-group service DVR_32789 tcp
port-object eq 32789
object-group service DVR_37778 udp
port-object eq 37778
object-group network group-inside-vpnclient
description All inside accessible networks
network-object 192.168.1.0 255.255.255.0
object-group network VPN_Group
network-object VPN_Clients 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 81
access-list outside_access_in extended permit tcp any any eq 2000
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq 990
access-list outside_access_in extended permit tcp any any eq 3390
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip object-group VPN_Group any
access-list inside_access_in extended permit ip VPN_Clients 255.255.255.0 any
access-list inside_access_in extended permit udp object-group VPN_Group any
access-list inside_access_in extended permit tcp object-group VPN_Group any
access-list inside_access_in extended permit udp VPN_Clients 255.255.255.0 any
access-list inside_access_in extended permit tcp VPN_Clients 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp any any eq smtp
access-list outside_access_in_1 extended permit tcp any any eq www
access-list outside_access_in_1 extended permit tcp any any eq https
access-list outside_access_in_1 extended permit tcp any any eq imap4
access-list outside_access_in_1 extended permit tcp any any eq pop3
access-list outside_access_in_1 extended permit tcp any any object-group RDP
access-list outside_access_in_1 extended permit tcp any any eq ftp
access-list outside_access_in_1 extended permit tcp any any object-group FTPS
access-list outside_access_in_1 extended permit tcp any any eq pptp
access-list outside_access_in_1 remark Port for InSequence
access-list outside_access_in_1 extended permit tcp any any object-group NetOP
access-list outside_access_in_1 extended permit gre any any
access-list outside_access_in_1 extended permit tcp any any object-group RDP_InS equence
access-list outside_access_in_1 extended permit tcp any any object-group IMAPSSL
access-list outside_access_in_1 extended permit tcp any any object-group RDP_NEW
access-list outside_access_in_1 extended permit tcp any any object-group CameraH TTP8081
access-list outside_access_in_1 extended permit tcp any any object-group DVR_327 89
access-list outside_access_in_1 extended permit udp any any object-group DVR_377 78
access-list outside_access_in_1 extended permit ip object-group VPN_Group any
access-list outside_access_in_1 extended permit ip VPN_Clients 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp VPN_Clients 255.255.255.0 an y
access-list outside_access_in_1 extended permit tcp object-group VPN_Group any
access-list outside_access_in_1 extended permit udp VPN_Clients 255.255.255.0 an y
access-list outside_access_in_1 extended permit udp object-group VPN_Group any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool-vpnclient 192.168.2.40-192.168.2.45 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 VPN_Clients 255.255.255.0 outside
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.25 5.255
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255. 255
static (inside,outside) tcp interface pop3 192.168.1.100 pop3 netmask 255.255.25 5.255
static (inside,outside) tcp interface imap4 192.168.1.100 imap4 netmask 255.255. 255.255
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.25 5.255
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255. 255.255
static (inside,outside) tcp interface 6502 InSequence2 6502 netmask 255.255.255. 255
static (inside,outside) tcp interface ftp InSequence1 ftp netmask 255.255.255.25 5
static (inside,outside) tcp interface 990 InSequence1 990 netmask 255.255.255.25 5
static (inside,outside) tcp interface 3390 InSequence1 3389 netmask 255.255.255. 255
static (inside,inside) tcp interface 993 192.168.1.100 993 netmask 255.255.255.2 55
static (inside,outside) tcp interface 3391 NewServer 3389 netmask 255.255.255.25 5
static (inside,outside) tcp interface 8081 Camera_DVR www netmask 255.255.255.25 5
static (inside,outside) tcp interface 32789 Camera_DVR 32789 netmask 255.255.255 .255
static (inside,outside) udp interface 37778 Camera_DVR 37778 netmask 255.255.255 .255
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 66.83.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet 88.217.187.158 255.255.255.255 outside
telnet timeout 50
ssh 0.0.0.0 0.0.0.0 inside
ssh 88.217.187.158 255.255.255.255 outside
ssh timeout 60
console timeout 0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.100 64.89.74.2
vpn-tunnel-protocol l2tp-ipsec
group-policy group-policy-default internal
group-policy group-policy-default attributes
banner value Welcome to GAP USA!
wins-server value 192.168.1.100
dns-server value 192.168.1.1 192.168.1.100
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth disable
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl-vpnclient
default-domain value gapusa.local
split-dns value shrew.net example.com
address-pools value ippool-vpnclient
username sidney password 3NBdDlXmKNSbwdJ4 encrypted
username robert password lNQjmSYxMg2P0UZc encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 192.168.1.100 timeout 2 retry 2
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
address-pool ippool-vpnclient
default-group-policy group-policy-default
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:1249f4d5f805e8ac7db26280a3aeee76
: end
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shrew.net/pipermail/vpn-help/attachments/20110426/a0637524/attachment.html>
More information about the vpn-help
mailing list