Question : Cisco ASA5520: Packet Tracer  - Type: VPN Subtype: encrypt Result: DROP

Hi
I configure In our ASA site-2-site IPSec connections - I add new interface "office"
Need add office network to exist S2S IPSec link
I add exempt rule on office interface and office networks in local networks (remote site do also)

Old networks work OK - S2S link work. but new networks not go to remote site - packet tracer say Phase: 12, Type: VPN Subtype: encrypt Result: DROP
I not understand what is it ?


r-ASA# packet-tracer input office tcp 192.168.10.1 1024 192.168.169.130 80 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9ec6b88, priority=1, domain=permit, deny=false
        hits=182038, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.169.0 255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group office_access_in in interface office
access-list office_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9ed4300, priority=12, domain=permit, deny=false
        hits=2117, user_data=0xc9ed42c0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9ec9d60, priority=0, domain=permit-ip-option, deny=true
        hits=5497, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
 match default-inspection-traffic
policy-map global_policy
 class global-class
  inspect http
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd487a28, priority=70, domain=inspect-http, deny=false
        hits=289, user_data=0xcd487048, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
             
Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd702e98, priority=50, domain=ids, deny=false
        hits=718, user_data=0xcd48d1a8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca546918, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=5504, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
             
Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip office 192.168.10.0 255.255.255.0 outside 192.168.169.0 255.255.255.0
    NAT exempt
    translate_hits = 667, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd6841d8, priority=6, domain=nat-exempt, deny=false
        hits=665, user_data=0xcd6c69d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.10.0, mask=255.255.255.0, port=0
        dst ip=192.168.169.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (office) 1 0.0.0.0 0.0.0.0
  match ip office any outside any
    dynamic translation to pool 1 (ASA5520-Outside [Interface PAT])
    translate_hits = 9, untranslate_hits = 48
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9dd5710, priority=1, domain=nat, deny=false
        hits=673, user_data=0xca4d6720, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (office) 1 0.0.0.0 0.0.0.0
  match ip office any outside any
    dynamic translation to pool 1 (ASA5520-Outside [Interface PAT])
    translate_hits = 9, untranslate_hits = 48
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd7d5b50, priority=1, domain=host, deny=false
        hits=1031, user_data=0xca4d6720, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12    
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc9b4e120, priority=70, domain=encrypt, deny=false
        hits=1668, user_data=0x0, cs_id=0xca4d5988, reverse, flags=0x0, protocol=0
        src ip=192.168.10.0, mask=255.255.255.0, port=0
        dst ip=192.168.169.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: office
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule






r-ASA# sh run crypto map
crypto map outside_map 1 match address outside_site2site-cryptomap
crypto map outside_map 1 set peer IPSec-Peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

r-ASA# sh run access-list outside_site2site-cryptomap
access-list outside_site2site-cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 192.168.169.0 255.255.255.0

r-ASA# sh run object-group network
object-group network DM_INLINE_NETWORK_3
 network-object Office-Prod-3-24 255.255.255.0
 network-object IPSEC-VPN-4 255.255.255.0
 network-object Office-New10-Network 255.255.0.0
 network-object 192.168.10.0 255.255.255.0


r-ASA# sh crypto ipsec sa
peer address: IPSec-Peer
    Crypto map tag: outside_map, seq num: 1, local addr: ASA5520-Outside

      access-list outside_site2site-cryptomap permit ip 172.16.3.0 255.255.255.0 192.168.169.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.169.0/255.255.255.0/0/0)
      current_peer: IPSec-Peer

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA5520-Outside/4500, remote crypto endpt.: IPSec-Peer/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 1CDBC65A

    inbound esp sas:
      spi: 0x71201DA4 (1897930148)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/27970)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000000FF
    outbound esp sas:
      spi: 0x1CDBC65A (484165210)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/27966)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 1, local addr: ASA5520-Outside

      access-list outside_site2site-cryptomap permit ip 172.16.4.0 255.255.255.0 192.168.169.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.169.0/255.255.255.0/0/0)
      current_peer: IPSec-Peer

      #pkts encaps: 81947, #pkts encrypt: 81947, #pkts digest: 81947
      #pkts decaps: 87348, #pkts decrypt: 87348, #pkts verify: 87348
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 82035, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA5520-Outside/4500, remote crypto endpt.: IPSec-Peer/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: E5183731

    inbound esp sas:
      spi: 0xF06FC7FA (4033857530)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4349588/27883)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE5183731 (3843569457)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4333448/27880)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Code Snippet:

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242: 243: 244: 245: 246: 247: 248: 249: 250: 251: 252: 253: 254: 255: 256: 257: 258: 259: 260: 261: 262: 263: 264: 265: 266: 267: 268: 269: 270: 271: 272: 273: 274: 275: 276: 277: 278: 279: 280: 281: 282: 283: 284: 285: 286: 287: 288: 289: 290: 291: 292: 293: 294: 295: 296: 297: 298: 299: 300: 301: 302: 303: 304: 305: 306: 307: 308: 309: 310: 311: 312: 313: 314: 315: 316: 317: 318: 319: 320: 321: 322: 323: 324: 325: 326: 327: 328: 329: 330: 331: 332: 333: 334: 335: 336: 337: 338: 339: 340: 341: 342: 343: 344: 345: 346: 347: 348: 349: 350: 351: 352: 353: 354: 355: 356: 357: 358: 359: 360: 361: 362: 363: 364: 365: 366: 367: 368: 369: 370: 371: 372: 373: 374: 375: 376: 377: 378: 379: 380: 381: 382: 383: 384: 385: 386: 387: 388: 389: 390: 391: 392: 393: 394: 395: 396: 397: 398: 399: 400: 401: 402: 403: 404: 405: 406: 407: 408: 409: 410: 411: 412: 413: 414: 415: 416: 417: 418: 419: 420: 421: 422: 423: 424: 425: 426: 427: 428: 429: 430: 431: 432: 433: 434: 435: 436: 437: 438: 439: 440: 441: 442: 443: 444: 445: 446: 447: 448: 449: 450: 451: 452: 453: 454: 455: 456: 457: 458: 459: 460: 461: 462: 463: 464: 465: 466: 467: 468: 469: 470: 471: 472: 473: 474: 475: 476: 477: 478: 479: 480: 481: 482: 483: 484: 485: 486: 487: 488: 489: 490: 491: 492: 493: 494: 495: 496: 497: 498: 499: 500: 501: 502: 503: 504: 505: 506: 507: 508: 509: 510: 511: 512: 513: 514: 515: 516: 517: 518: 519: 520: 521: 522: 523: 524: 525: 526: 527: 528: 529: 530: 531: 532: 533: 534: 535: 536: 537: 538: 539: 540: 541: 542: 543: 544: 545: 546: 547: 548: 549: 550: 551: 552: 553: 554: 555: 556: 557: 558: 559: 560: 561: 562: 563: 564: 565: 566: 567: 568: 569: 570: 571: 572: 573: 574: 575: 576: 577: 578: 579: 580: 581: 582: 583: 584: 585: 586: 587: 588: 589: 590: 591: 592: 593: 594: 595: 596: 597: 598: 599: 600: 601: 602: 603: 604: 605: 606: 607: 608: 609: 610: 611: 612: 613: 614: 615: 616: 617: 618: 619: 620: 621: 622: 623: 624: 625: 626: 627: 628: 629: 630: 631: 632: 633: 634: 635: 636: 637: 638: 639: 640: 641: 642: 643: 644: 645: 646: 647: 648: 649: 650: 651: 652: 653: 654: 655: 656: 657: 658: 659: 660: 661: 662: 663: 664: 665: 666: 667: 668: 669: 670: 671: 672: 673: 674: 675: 676: 677: 678: 679: 680: 681: 682: 683: 684: 685: 686: 687: 688: 689: 690: 691: 692: 693: 694: 695: 696: 697: 698: 699: 700: 701: 702: 703: 704: 705: 706: 707: 708: 709: 710: 711: 712: 713: 714: 715: 716: 717: 718: 719: 720: 721: 722: 723: 724: 725: 726: 727: 728: 729: 730: 731: 732: 733: 734: 735: 736: 737: 738: 739: 740: 741: 742: 743: 744: 745: 746: 747: 748: 749: 750: 751: 752: 753: 754: 755: 756: 757: 758: 759: 760: 761: 762: 763: 764: 765: 766: 767: 768: 769: 770: 771: 772: 773: 774: 775: 776: 777: 778: 779: 780: 781: 782: 783: 784: 785: 786: 787: 788: 789: 790: 791: 792: 793: 794: 795: 796: 797: 798: 799: 800: 801: 802: 803: 804: 805: 806: 807: 808: 809: 810: 811: 812: 813: 814: 815: 816: 817: 818: 819: 820: 821: 822: 823: 824: 825: 826: 827: 828: 829: 830: 831: 832: 833: 834: 835: 836: 837: 838: 839: 840: 841: 842: 843: 844: 845: 846: 847: 848: 849: 850: 851: 852: 853: 854: 855: 856: 857: 858: 859: 860: 861: 862: 863: 864: 865: 866: 867: 868: 869: 870: 871: 872: 873: 874: 875: 876: 877: 878: 879: 880: 881: 882: 883: 884: 885: 886: 887: 888: 889: 890: 891: 892: 893: 894: 895: 896: 897: 898: 899: 900: 901: 902: 903: 904: 905: 906: 907: 908: 909: 910: 911: 912: 913: 914: 915: 916: 917: 918: 919: 920: 921: 922: 923: 924: 925: 926: 927: 928: 929: 930: 931: 932: 933: 934: 935: 936: 937: 938: 939: 940: 941: 942: 943: 944: 945: 946: 947: 948: 949: 950: 951: 952: 953: 954: 955: 956: 957: 958: 959: 960: 961: 962: 963: 964: 965: 966: 967: 968: 969: 970: 971: 972: 973: 974: 975: 976: 977: 978: 979: 980: 981: 982: 983: 984: 985: 986: 987: 988: 989: 990: 991: 992: 993: 994: 995: 996: 997: 998: 999: 1000: 1001: 1002: 1003: 1004: 1005: 1006: 1007: 1008: 1009: 1010: 1011: 1012: 1013: 1014: 1015: 1016: 1017: 1018: 1019: 1020: 1021: 1022: 1023: 1024: 1025: 1026: 1027: 1028: 1029: 1030: 1031: 1032: 1033: 1034: 1035: 1036: 1037: 1038: 1039: 1040: 1041: 1042: 1043: 1044: 1045: 1046: 1047: 1048: 1049: 1050: 1051: 1052: 1053: 1054: 1055: 1056: 1057: 1058: 1059: 1060: 1061: 1062: 1063: 1064: 1065: 1066: 1067: 1068: 1069: 1070: 1071: 1072: 1073: 1074: 1075: 1076: 1077: 1078: 1079: 1080: 1081: 1082: 1083: 1084: 1085: 1086: 1087: 1088: 1089: 1090: 1091: 1092: 1093: 1094: 1095: 1096: 1097: 1098: 1099: 1100: 1101: 1102: 1103: 1104: 1105: 1106: 1107: 1108: 1109: 1110: 1111: 1112: 1113: 1114: 1115: 1116: 1117: 1118: 1119: 1120: 1121: 1122: 1123: 1124: 1125: 1126: 1127: 1128: 1129:

ASA Version 8.0(4)16 ! hostname r-ASA names name 172.16.3.194 ASA5520-Ips description IPS name x1.x2.x3.98 ASA5520-Outside name 192.168.169.0 company3-Remote-Net description company3 Network name 192.168.169.74 company3-Test-Pay description PAYMENT Test name 192.168.169.70 company3-Vip-Pay description Payment host name 172.16.3.224 company2-Cisco-NAT-3-224 description ASA-NAT Network name 172.16.5.0 company2-DIS-Prod-5-24 description company2 Prodaction Network name 172.16.3.0 company2-Office-Prod-3-24 name 172.16.4.0 company1-IPSEC-VPN-4 description IPSec VPN Pool name 172.16.6.0 company1-IPSEC-VPN-6 description company1 VPN in DIS name x1.x2.x3.96 company1-Vl33-Internet description Internet in Office company1 name 172.16.4.106 VPN4-CLIENT1 description CLIENT1 name 172.16.4.102 VPN4-CLIENT2 description CLIENT2 name 172.16.4.104 VPN4-CLIENT3 description CLIENT3 name 172.16.4.108 VPN4-CLIENT5 description CLIENT5 name 172.16.4.110 VPN4-CLIENT52 description CLIENT5 Second name 172.16.4.101 VPN4-CLIENT6 description CLIENT6 name 172.16.4.105 VPN4-CLIENT4 description CLIENT4 name 172.16.4.103 VPN4-CLIENT7 description CLIENT7 name 172.16.4.107 VPN4-CLIENT8 name 172.16.4.111 VPN4-CLIENT9 name 172.16.4.109 VPN4-CLIENT10 name 172.16.4.112 VPN4-CLIENT11 name x1.x2.x3.103 ASA5520-VIP-HTTP name 172.16.3.226 company2-CSS-EXT-INT description CSS11503 name 172.16.3.230 company2-CSS-VIP-HOST description VIP_Address name 192.168.116.0 company2-ISP-IPVPN description MyISP IPVPN network name 192.168.116.32 company2-Office-IPVPN description Connected IPVPN network name 172.16.4.113 VPN4-CLIENT6-T name y1.y2.y3.39 company3-IPSec-Peer name x1.x2.x3.105 forum.company2.local name 10.1.7.12 forum.company2.local-dmz1 name 10.1.0.0 Office-New10-Network name 10.1.1.0 company2-ESXs-Net name 10.1.2.0 company2-Servers-Net name 10.1.3.0 company2-Users-Net name 10.0.0.0 RPC-Private-Net-10 name 172.16.0.0 RPC-Private-Net-172 name 192.168.0.0 RPC-Private-Net-192 name a.b.c.96 NET1 name a.b.c.0 NET2 name a.b.c.0 CTC28-NET name a.b.c.0 NET3 name a.b.c.92 CLIENT2-NET name a.b.c.204 ICON-PERSON-31817 description PERSON-31817 through Icon name a.b.c.0 NET4 name z1.z2.z3.80 company2-Int-Vlan6 name a.b.c.124 CLIENT3 name a.b.c.0 NET5-NET name a.b.c.0 SA-Tel-NET name a.b.c.80 CLIENT7-NET name a.b.c.0 TELSERVICE-NET name x1.x2.x3.100 sd.company.local name 10.1.7.2 sd.company.local-dmz1 name x1.x2.x3.101 sd1.company.local name 10.1.7.3 sd1.company.local-dmz1 name x1.x2.x3.104 gate2.company2.local name 10.1.7.5 gate2.company2.local-dmz1 name 10.1.7.1 ASA5520-dmz1 name 10.1.2.2 pl-dc-001 description PDC name 10.1.7.13 jabber.company.local-dmz1 name 10.1.2.30 PL-COM-T-APP01 description Test IIS App Server name x1.x2.x3.106 PL-COM-T-APP01-outside description Test IIS App Server NAT name 192.168.10.0 Office-Old-Network name 192.168.116.64 company2-DIS-IPVPN dns-guard ! interface GigabitEthernet0/0 description to ISP MyISP # nameif outside security-level 0 ip address ASA5520-Outside 255.255.255.240 ospf cost 10 ospf network point-to-point non-broadcast ! interface GigabitEthernet0/1 description to IP VPN nameif ip-vpn security-level 100 ip address 192.168.116.34 255.255.255.224 ospf cost 10 ospf network point-to-point non-broadcast ! interface GigabitEthernet0/2 no nameif no security-level no ip address ! interface GigabitEthernet0/2.4 description company2 & company1 Office vlan 4 nameif office security-level 100 ip address 10.1.4.1 255.255.255.0 ospf cost 10 ! interface GigabitEthernet0/2.7 description DMZ for company1 vlan 7 nameif dmz1 security-level 50 ip address ASA5520-dmz1 255.255.255.0 ! interface GigabitEthernet0/2.34 vlan 34 nameif inside security-level 100 ip address 172.16.3.225 255.255.255.248 ospf cost 10 ospf network point-to-point non-broadcast ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 description to local LAN nameif ips security-level 100 ip address 172.16.3.193 255.255.255.224 ospf cost 10 ospf network point-to-point non-broadcast ! banner login Authorized access only. This system is the property of company1 LLC. Disconnect IMMEDIATELY if you are not an authorized user. boot system disk0:/asa804-16-k8.bin ftp mode passive clock timezone MSK 3 dns domain-lookup outside same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group network DM_INLINE_NETWORK_3 network-object company2-Office-Prod-3-24 255.255.255.0 network-object company1-IPSEC-VPN-4 255.255.255.0 network-object Office-New10-Network 255.255.0.0 network-object Office-Old-Network 255.255.255.0 object-group network company2-Networks-Sec100 network-object company2-ESXs-Net 255.255.255.0 network-object company2-Servers-Net 255.255.255.0 network-object company2-Users-Net 255.255.255.0 network-object 10.1.4.0 255.255.255.0 network-object Office-Old-Network 255.255.255.0 object-group network DM_INLINE_NETWORK_4 network-object company2-DIS-Prod-5-24 255.255.255.0 network-object company2-ISP-IPVPN 255.255.255.0 network-object company2-Office-IPVPN 255.255.255.224 group-object company2-Networks-Sec100 object-group service DM_INLINE_SERVICE_1 service-object icmp service-object tcp eq www service-object tcp eq https object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group network DM_INLINE_NETWORK_1 network-object RPC-Private-Net-10 255.0.0.0 network-object RPC-Private-Net-172 255.240.0.0 network-object RPC-Private-Net-192 255.255.0.0 network-object company1-Vl33-Internet 255.255.255.240 object-group network DM_INLINE_NETWORK_2 network-object RPC-Private-Net-10 255.0.0.0 network-object RPC-Private-Net-172 255.240.0.0 network-object RPC-Private-Net-192 255.255.0.0 network-object company1-Vl33-Internet 255.255.255.240 object-group network SD-CLIENTS description Network access to SD portals network-object CTC28-NET 255.255.255.0 network-object NET3 255.255.255.0 network-object NET4 255.255.255.0 network-object TELSERVICE-NET 255.255.254.0 network-object CLIENT3 255.255.255.252 network-object company2-Int-Vlan6 255.255.255.240 network-object NET1 255.255.255.240 network-object CLIENT2-NET 255.255.255.252 network-object NET5-NET 255.255.255.0 network-object SA-Tel-NET 255.255.255.192 network-object CLIENT7-NET 255.255.255.248 network-object ICON-PERSON-31817 255.255.255.252 network-object NET2 255.255.255.192 object-group network DM_INLINE_NETWORK_5 network-object host sd.company.local network-object host sd1.company.local object-group service untangle-openvpn service-object tcp eq https service-object udp eq 1194 object-group service openvpn udp port-object eq 1194 object-group network SOFT-Group description SOFT Development group network-object host 212.112.102.90 network-object host 212.112.105.210 object-group service msrdp tcp port-object eq 3389 object-group service DM_INLINE_TCP_1 tcp group-object msrdp port-object eq www object-group network DM_INLINE_NETWORK_7 network-object Office-New10-Network 255.255.0.0 network-object Office-Old-Network 255.255.255.0 object-group network DM_INLINE_NETWORK_8 network-object Office-New10-Network 255.255.0.0 network-object company2-Office-Prod-3-24 255.255.255.0 network-object company1-IPSEC-VPN-4 255.255.255.0 network-object Office-Old-Network 255.255.255.0 object-group network DM_INLINE_NETWORK_9 network-object Office-New10-Network 255.255.0.0 network-object company2-Office-Prod-3-24 255.255.255.0 network-object company1-IPSEC-VPN-4 255.255.255.0 network-object Office-Old-Network 255.255.255.0 access-list INTERNET_INBOUND extended permit udp any any eq ntp access-list INTERNET_INBOUND extended permit icmp any host ASA5520-Outside unreachable access-list INTERNET_INBOUND extended permit icmp any host ASA5520-Outside echo-reply access-list INTERNET_INBOUND extended permit icmp any host ASA5520-Outside echo access-list INTERNET_INBOUND extended permit icmp any host ASA5520-Outside time-exceeded access-list INTERNET_INBOUND extended permit tcp any host ASA5520-VIP-HTTP eq www access-list INTERNET_INBOUND extended permit tcp any host ASA5520-VIP-HTTP eq https access-list INTERNET_INBOUND extended permit tcp any host ASA5520-Outside eq https access-list INTERNET_INBOUND extended permit tcp any host ASA5520-Outside eq 881 inactive access-list INTERNET_INBOUND extended permit tcp any host ASA5520-Outside eq ssh access-list INTERNET_INBOUND extended permit object-group DM_INLINE_SERVICE_1 any host forum.company2.local access-list INTERNET_INBOUND extended permit tcp object-group SD-CLIENTS object-group DM_INLINE_NETWORK_5 eq www access-list INTERNET_INBOUND extended permit object-group untangle-openvpn any host gate2.company2.local access-list INTERNET_INBOUND extended permit tcp object-group SOFT-Group host PL-COM-T-APP01-outside object-group DM_INLINE_TCP_1 access-list VPN-STAFF_splitTunnelAcl standard permit company3-Remote-Net 255.255.255.0 access-list VPN-STAFF_splitTunnelAcl standard permit company2-Office-Prod-3-24 255.255.255.0 access-list VPN-STAFF_splitTunnelAcl standard permit company1-IPSEC-VPN-4 255.255.255.0 access-list VPN-STAFF_splitTunnelAcl standard permit company2-DIS-Prod-5-24 255.255.255.0 access-list VPN-STAFF_splitTunnelAcl standard permit company1-IPSEC-VPN-6 255.255.255.0 access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company3-Remote-Net 255.255.255.0 access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company3-Remote-Net 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 Office-Old-Network 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 192.168.11.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 Office-Old-Network 255.255.255.0 access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 192.168.11.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list inside_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-6 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-6 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-DIS-Prod-5-24 255.255.255.0 access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company1-IPSEC-VPN-6 255.255.255.0 access-list outside_site2site-cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 company3-Remote-Net 255.255.255.0 access-list office-qos-in-policy-acl extended deny ip object-group DM_INLINE_NETWORK_2 any access-list office-qos-in-policy-acl extended permit ip any any access-list CLIENT6_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT6_splitTunnelAcl standard permit host company3-Test-Pay access-list CLIENT2_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT2_splitTunnelAcl standard permit host company3-Test-Pay access-list CLIENT7_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT7_splitTunnelAcl standard permit host company3-Test-Pay access-list CLIENT3_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT3_splitTunnelAcl standard permit host company3-Test-Pay access-list CLIENT4_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT4_splitTunnelAcl standard permit host company3-Test-Pay access-list CLIENT1_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT1_splitTunnelAcl standard permit host company3-Test-Pay access-list CLIENT8_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT8_splitTunnelAcl standard permit host company3-Test-Pay access-list CLIENT5_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT5_splitTunnelAcl standard permit host company3-Test-Pay access-list SFTCLIENT10_splitTunnelAcl standard permit host company3-Vip-Pay access-list SFTCLIENT10_splitTunnelAcl standard permit host company3-Test-Pay access-list CLIENT5SECOND_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT5SECOND_splitTunnelAcl standard permit host company3-Test-Pay access-list VPN-CLIENT6-ACL extended permit tcp host VPN4-CLIENT6 host company3-Vip-Pay eq 3002 access-list VPN-CLIENT6-ACL extended permit tcp host VPN4-CLIENT6 host company3-Test-Pay eq 3002 access-list VPN-CLIENT2-ACL extended permit tcp host VPN4-CLIENT2 host company3-Vip-Pay eq 3001 access-list VPN-CLIENT2-ACL extended permit tcp host VPN4-CLIENT2 host company3-Test-Pay eq 3001 access-list VPN-CLIENT7-ACL extended permit tcp host VPN4-CLIENT7 host company3-Vip-Pay eq 3003 access-list VPN-CLIENT7-ACL extended permit tcp host VPN4-CLIENT7 host company3-Test-Pay eq 3003 access-list VPN-CLIENT3-ACL extended permit tcp host VPN4-CLIENT3 host company3-Vip-Pay eq 3007 access-list VPN-CLIENT3-ACL extended permit tcp host VPN4-CLIENT3 host company3-Test-Pay eq 3007 access-list VPN-CLIENT4-ACL extended permit tcp host VPN4-CLIENT4 host company3-Vip-Pay eq 3005 access-list VPN-CLIENT4-ACL extended permit tcp host VPN4-CLIENT4 host company3-Test-Pay eq 3005 access-list VPN-CLIENT1-ACL extended permit tcp host VPN4-CLIENT1 host company3-Vip-Pay eq cifs access-list VPN-CLIENT1-ACL extended permit tcp host VPN4-CLIENT1 host company3-Test-Pay eq cifs access-list VPN-CLIENT1-ACL extended permit tcp host VPN4-CLIENT1 host company3-Vip-Pay eq 4102 access-list VPN-CLIENT1-ACL extended permit tcp host VPN4-CLIENT1 host company3-Test-Pay eq 4102 access-list VPN-CLIENT8-ACL extended permit tcp host VPN4-CLIENT8 host company3-Vip-Pay eq 3004 access-list VPN-CLIENT8-ACL extended permit tcp host VPN4-CLIENT8 host company3-Test-Pay eq 3004 access-list VPN-CLIENT5-ACL extended permit tcp host VPN4-CLIENT5 host company3-Vip-Pay eq 3022 access-list VPN-CLIENT5-ACL extended permit tcp host VPN4-CLIENT5 host company3-Test-Pay eq 3022 access-list VPN-CLIENT5-ACL extended permit tcp host VPN4-CLIENT5 host company3-Vip-Pay eq 4102 access-list VPN-CLIENT5-ACL extended permit tcp host VPN4-CLIENT5 host company3-Test-Pay eq 4102 access-list VPN-SFTCLIENT10-ACL extended permit tcp host VPN4-CLIENT10 host company3-Vip-Pay eq 3001 access-list VPN-SFTCLIENT10-ACL extended permit tcp host VPN4-CLIENT10 host company3-Test-Pay eq 3002 access-list VPN-CLIENT52-ACL extended permit tcp host VPN4-CLIENT52 host company3-Test-Pay eq 3022 access-list VPN-CLIENT52-ACL extended permit tcp host VPN4-CLIENT52 host company3-Vip-Pay eq 3022 access-list VPN-CLIENT52-ACL extended permit tcp host VPN4-CLIENT52 host company3-Test-Pay eq 4102 access-list VPN-CLIENT52-ACL extended permit tcp host VPN4-CLIENT52 host company3-Vip-Pay eq 4102 access-list IPS extended permit ip any any access-list traffic_for_ips extended permit ip any any access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company3-Remote-Net 255.255.255.0 access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company3-Remote-Net 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 Office-Old-Network 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 192.168.11.0 255.255.255.0 access-list ips_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 access-list ips_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 Office-Old-Network 255.255.255.0 access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 192.168.11.0 255.255.255.0 access-list ips_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list ips_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list ips_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list ips_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-6 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-6 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-DIS-Prod-5-24 255.255.255.0 access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company1-IPSEC-VPN-6 255.255.255.0 access-list CASPYSFT_splitTunnelAcl standard permit host company3-Vip-Pay access-list CASPYSFT_splitTunnelAcl standard permit host company3-Test-Pay access-list VPN-CASPYSFT-ACL extended permit ip host VPN4-CLIENT9 host company3-Vip-Pay access-list VPN-CASPYSFT-ACL extended permit ip host VPN4-CLIENT9 host company3-Test-Pay access-list CLIENT11_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT11_splitTunnelAcl standard permit host company3-Test-Pay access-list VPN-CLIENT11-ACL extended permit tcp host VPN4-CLIENT11 host company3-Vip-Pay eq 4102 access-list VPN-CLIENT11-ACL extended permit tcp host VPN4-CLIENT11 host company3-Test-Pay eq 4102 access-list CLIENT6_TEST_splitTunnelAcl standard permit host company3-Vip-Pay access-list CLIENT6_TEST_splitTunnelAcl standard permit host company3-Test-Pay access-list VPN-CLIENT6-TEST-ACL extended permit tcp host VPN4-CLIENT6-T host company3-Vip-Pay eq 4102 access-list VPN-CLIENT6-TEST-ACL extended permit tcp host VPN4-CLIENT6-T host company3-Test-Pay eq 4102 access-list inside_nat0_exempt remark untranslated traffic to company3 access-list inside_nat0_exempt extended permit ip company2-Cisco-NAT-3-224 255.255.255.248 company3-Remote-Net 255.255.255.0 access-list inside_nat0_exempt remark Untranslated traffic to DIS and IP-VPN-P2P access-list inside_nat0_exempt extended permit ip company2-Cisco-NAT-3-224 255.255.255.248 object-group DM_INLINE_NETWORK_4 access-list inside_nat0_exempt extended permit ip object-group DM_INLINE_NETWORK_8 company3-Remote-Net 255.255.255.0 access-list inside_access_in extended permit ip any any access-list dmz1_access_in extended permit tcp host jabber.company.local-dmz1 host ASA5520-dmz1 eq ldap inactive access-list dmz1_access_in extended permit ip any any access-list dmz1_nat0_outbound extended permit ip 10.1.7.0 255.255.255.0 company3-Remote-Net 255.255.255.0 access-list office_access_in extended deny udp any host gate2.company2.local-dmz1 object-group openvpn access-list office_access_in extended permit ip any 10.1.7.0 255.255.255.0 access-list office_access_in extended permit ip any any access-list office_access_in extended permit ip object-group DM_INLINE_NETWORK_7 company3-Remote-Net 255.255.255.0 access-list dmz-qos-in-policy-acl extended deny ip object-group DM_INLINE_NETWORK_1 10.1.7.0 255.255.255.0 access-list dmz-qos-in-policy-acl extended permit ip any any access-list dmz1_access_in_1 extended permit tcp host jabber.company.local-dmz1 host ASA5520-dmz1 eq ldap access-list dmz1_access_in_1 extended permit ip any any access-list office_nat_static extended permit tcp host pl-dc-001 eq ldap host jabber.company.local-dmz1 access-list office_nat_static_2 extended permit tcp host PL-COM-T-APP01 eq www object-group SOFT-Group access-list office_nat_static_1 extended permit tcp host PL-COM-T-APP01 eq 3389 object-group SOFT-Group access-list office_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company3-Remote-Net 255.255.255.0 access-list office_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_9 company3-Remote-Net 255.255.255.0 pager lines 24 logging enable logging timestamp logging buffered warnings logging trap debugging logging asdm informational logging host dmz1 10.1.7.14 mtu outside 1500 mtu ip-vpn 1500 mtu office 1500 mtu dmz1 1500 mtu inside 1500 mtu ips 1500 ip local pool CLIENT7pool VPN4-CLIENT7 mask 255.255.255.255 ip local pool CLIENT3pool VPN4-CLIENT3 mask 255.255.255.255 ip local pool CLIENT4pool VPN4-CLIENT4 mask 255.255.255.255 ip local pool CLIENT1pool VPN4-CLIENT1 mask 255.255.255.255 ip local pool CLIENT8pool VPN4-CLIENT8 mask 255.255.255.255 ip local pool CLIENT5pool VPN4-CLIENT5 mask 255.255.255.255 ip local pool SFTCLIENT10pool VPN4-CLIENT10 mask 255.255.255.255 ip local pool CLIENT5SECONDpool VPN4-CLIENT52 mask 255.255.255.255 ip local pool CLIENT6pool VPN4-CLIENT6 mask 255.255.255.255 ip local pool CLIENT2pool VPN4-CLIENT2 mask 255.255.255.255 ip local pool VPN-STAFFpool 172.16.3.100-172.16.3.150 mask 255.255.255.0 ip local pool CLIENT11 VPN4-CLIENT11 mask 255.255.255.255 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any office icmp permit any inside asdm image disk0:/asdm-61557.bin asdm history enable arp inside 172.16.3.227 0013.80f0.7d41 arp inside company2-CSS-VIP-HOST 0013.80f0.7d41 arp timeout 14400 global (outside) 1 interface global (ip-vpn) 1 interface global (dmz1) 1 interface nat (office) 0 access-list office_nat0_outbound nat (office) 1 0.0.0.0 0.0.0.0 nat (dmz1) 1 0.0.0.0 0.0.0.0 nat (inside) 0 access-list inside_nat0_exempt nat (inside) 1 0.0.0.0 0.0.0.0 nat (ips) 0 access-list ips_nat0_outbound nat (ips) 1 ASA5520-Ips 255.255.255.255 nat (ips) 1 0.0.0.0 0.0.0.0 static (ips,outside) tcp interface 881 ASA5520-Ips 881 netmask 255.255.255.255 static (inside,outside) tcp ASA5520-VIP-HTTP www company2-CSS-VIP-HOST www netmask 255.255.255.255 dns static (office,dmz1) tcp interface ldap access-list office_nat_static static (office,outside) tcp PL-COM-T-APP01-outside 3389 access-list office_nat_static_1 tcp 2 2 static (office,outside) tcp PL-COM-T-APP01-outside www access-list office_nat_static_2 tcp 10 10 static (dmz1,dmz1) sd.company.local sd.company.local-dmz1 netmask 255.255.255.255 dns static (dmz1,outside) sd.company.local sd.company.local-dmz1 netmask 255.255.255.255 dns static (dmz1,dmz1) sd1.company.local sd1.company.local-dmz1 netmask 255.255.255.255 dns static (dmz1,outside) sd1.company.local sd1.company.local-dmz1 netmask 255.255.255.255 dns static (dmz1,dmz1) gate2.company2.local gate2.company2.local-dmz1 netmask 255.255.255.255 dns static (dmz1,outside) gate2.company2.local gate2.company2.local-dmz1 netmask 255.255.255.255 dns static (dmz1,dmz1) forum.company2.local forum.company2.local-dmz1 netmask 255.255.255.255 dns static (dmz1,outside) forum.company2.local forum.company2.local-dmz1 netmask 255.255.255.255 dns access-group INTERNET_INBOUND in interface outside access-group office_access_in in interface office access-group dmz1_access_in_1 in interface dmz1 access-group inside_access_in in interface inside access-group IPS in interface ips ! router ospf 100 router-id company1-Vl33-Internet network 10.1.4.0 255.255.255.0 area 0 network 10.1.7.0 255.255.255.0 area 2 network company2-Cisco-NAT-3-224 255.255.255.248 area 1 area 0 range company1-IPSEC-VPN-4 255.255.255.0 area 1 area 2 stub log-adj-changes ! route outside 0.0.0.0 0.0.0.0 x1.x2.x3.97 1 route inside 10.1.35.0 255.255.255.0 company2-CSS-EXT-INT 1 route inside 10.1.36.0 255.255.255.0 company2-CSS-EXT-INT 1 route inside 10.1.37.0 255.255.255.0 company2-CSS-EXT-INT 1 route inside 10.1.38.0 255.255.255.0 company2-CSS-EXT-INT 1 route ip-vpn company2-DIS-Prod-5-24 255.255.255.0 192.168.116.33 1 route ip-vpn company1-IPSEC-VPN-6 255.255.255.0 192.168.116.33 1 route office Office-Old-Network 255.255.255.0 10.1.4.2 1 route ip-vpn company2-ISP-IPVPN 255.255.255.224 192.168.116.33 1 route ip-vpn company2-DIS-IPVPN 255.255.255.224 192.168.116.33 1 route outside company3-Remote-Net 255.255.255.0 x1.x2.x3.97 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy aaa authentication ssh console LOCAL aaa authentication http console LOCAL aaa authentication telnet console LOCAL aaa authorization command LOCAL aaa authorization exec authentication-server http server enable http 0.0.0.0 0.0.0.0 outside http 0.0.0.0 0.0.0.0 office crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 1 match address outside_site2site-cryptomap crypto map outside_map 1 set peer company3-IPSec-Peer crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 crypto map outside_map 1 set phase1-mode aggressive crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto map office_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map office_map interface office crypto isakmp identity address crypto isakmp enable outside crypto isakmp policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 telnet 0.0.0.0 0.0.0.0 office telnet timeout 5 ssh x1.x2.x3.90 255.255.255.255 outside ssh PL-COM-T-APP01-outside 255.255.255.255 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 office ssh timeout 60 ssh version 2 console timeout 0 threat-detection basic-threat threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 193.124.11.11 source outside ntp server 193.125.143.173 source outside ntp server 193.125.143.172 source outside ntp server 193.41.86.177 source outside group-policy CLIENT11 internal group-policy CLIENT11 attributes banner none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT11-ACL vpn-tunnel-protocol IPSec password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT11_splitTunnelAcl secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout none ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config address-pools value CLIENT11 client-access-rule none group-policy DfltGrpPolicy attributes vpn-idle-timeout none vpn-tunnel-protocol IPSec svc group-policy VPN-STAFF internal group-policy VPN-STAFF attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 50 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value VPN-STAFF_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy SFTCLIENT10 internal group-policy SFTCLIENT10 attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-SFTCLIENT10-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value SFTCLIENT10_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy CLIENT7 internal group-policy CLIENT7 attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT7-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT7_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy CLIENT2 internal group-policy CLIENT2 attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT2-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT2_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy CLIENT8 internal group-policy CLIENT8 attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT8-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT8_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy CLIENT5SECOND internal group-policy CLIENT5SECOND attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT52-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT5SECOND_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy CLIENT5 internal group-policy CLIENT5 attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT5-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT5_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy CLIENT6 internal group-policy CLIENT6 attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT6-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT6_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy CLIENT1 internal group-policy CLIENT1 attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT1-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT1_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy CLIENT3 internal group-policy CLIENT3 attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT3-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT3_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy CLIENT4 internal group-policy CLIENT4 attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none vpn-filter value VPN-CLIENT4-ACL vpn-tunnel-protocol IPSec password-storage enable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelspecified split-tunnel-network-list value CLIENT4_splitTunnelAcl default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none tunnel-group VPN-STAFF type remote-access tunnel-group VPN-STAFF general-attributes address-pool VPN-STAFFpool default-group-policy VPN-STAFF tunnel-group VPN-STAFF ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group y1.y2.y3.39 type ipsec-l2l tunnel-group y1.y2.y3.39 ipsec-attributes pre-shared-key * tunnel-group CLIENT6 type remote-access tunnel-group CLIENT6 general-attributes address-pool CLIENT6pool default-group-policy CLIENT6 tunnel-group CLIENT6 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group CLIENT2 type remote-access tunnel-group CLIENT2 general-attributes address-pool CLIENT2pool default-group-policy CLIENT2 tunnel-group CLIENT2 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group CLIENT7 type remote-access tunnel-group CLIENT7 general-attributes address-pool CLIENT7pool default-group-policy CLIENT7 tunnel-group CLIENT7 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group CLIENT3 type remote-access tunnel-group CLIENT3 general-attributes address-pool CLIENT3pool default-group-policy CLIENT3 tunnel-group CLIENT3 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group CLIENT4 type remote-access tunnel-group CLIENT4 general-attributes address-pool CLIENT4pool default-group-policy CLIENT4 tunnel-group CLIENT4 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group CLIENT1 type remote-access tunnel-group CLIENT1 general-attributes address-pool CLIENT1pool default-group-policy CLIENT1 tunnel-group CLIENT1 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group CLIENT8 type remote-access tunnel-group CLIENT8 general-attributes address-pool CLIENT8pool default-group-policy CLIENT8 tunnel-group CLIENT8 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group CLIENT5 type remote-access tunnel-group CLIENT5 general-attributes address-pool CLIENT5pool default-group-policy CLIENT5 tunnel-group CLIENT5 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group SFTCLIENT10 type remote-access tunnel-group SFTCLIENT10 general-attributes address-pool SFTCLIENT10pool default-group-policy SFTCLIENT10 tunnel-group SFTCLIENT10 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group CLIENT5SECOND type remote-access tunnel-group CLIENT5SECOND general-attributes address-pool CLIENT5SECONDpool default-group-policy CLIENT5SECOND tunnel-group CLIENT5SECOND ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 tunnel-group CLIENT11 type remote-access tunnel-group CLIENT11 general-attributes address-pool CLIENT11 default-group-policy CLIENT11 tunnel-group CLIENT11 ipsec-attributes pre-shared-key * isakmp keepalive threshold 10 retry 2 ! class-map global-class match default-inspection-traffic class-map office-in-qos-class match access-list office-qos-in-policy-acl class-map inspection_default match default-inspection-traffic class-map dmz1-in-qos-class match access-list dmz-qos-in-policy-acl class-map ips_class_map match access-list traffic_for_ips ! ! policy-map dmz1-qos-in-policy class dmz1-in-qos-class police output 512000 128000 policy-map office-qos-in-policy class office-in-qos-class police output 512000 128000 policy-map global_policy class global-class inspect dns inspect ftp inspect http inspect icmp inspect icmp error inspect snmp inspect tftp class ips_class_map ips inline fail-open policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 ! service-policy global_policy global service-policy office-qos-in-policy interface office privilege cmd level 3 mode exec command perfmon privilege cmd level 3 mode exec command ping privilege cmd level 3 mode exec command who privilege cmd level 3 mode exec command logging privilege cmd level 3 mode exec command failover privilege show level 5 mode exec command import privilege show level 5 mode exec command running-config privilege show level 3 mode exec command reload privilege show level 3 mode exec command mode privilege show level 3 mode exec command firewall privilege show level 3 mode exec command asp privilege show level 3 mode exec command cpu privilege show level 3 mode exec command interface privilege show level 3 mode exec command clock privilege show level 3 mode exec command dns-hosts privilege show level 3 mode exec command access-list privilege show level 3 mode exec command logging privilege show level 3 mode exec command vlan privilege show level 3 mode exec command ip privilege show level 3 mode exec command ipv6 privilege show level 3 mode exec command failover privilege show level 3 mode exec command asdm privilege show level 3 mode exec command arp privilege show level 3 mode exec command route privilege show level 3 mode exec command ospf privilege show level 3 mode exec command aaa-server privilege show level 3 mode exec command aaa privilege show level 3 mode exec command eigrp privilege show level 3 mode exec command crypto privilege show level 3 mode exec command vpn-sessiondb privilege show level 3 mode exec command ssh privilege show level 3 mode exec command dhcpd privilege show level 3 mode exec command vpn privilege show level 3 mode exec command blocks privilege show level 3 mode exec command wccp privilege show level 3 mode exec command webvpn privilege show level 3 mode exec command module privilege show level 3 mode exec command uauth privilege show level 3 mode exec command compression privilege show level 3 mode configure command interface privilege show level 3 mode configure command clock privilege show level 3 mode configure command access-list privilege show level 3 mode configure command logging privilege show level 3 mode configure command ip privilege show level 3 mode configure command failover privilege show level 5 mode configure command asdm privilege show level 3 mode configure command arp privilege show level 3 mode configure command route privilege show level 3 mode configure command aaa-server privilege show level 3 mode configure command aaa privilege show level 3 mode configure command crypto privilege show level 3 mode configure command ssh privilege show level 3 mode configure command dhcpd privilege show level 5 mode configure command privilege privilege clear level 3 mode exec command dns-hosts privilege clear level 3 mode exec command logging privilege clear level 3 mode exec command arp privilege clear level 3 mode exec command aaa-server privilege clear level 3 mode exec command crypto privilege cmd level 3 mode configure command failover privilege clear level 3 mode configure command logging privilege clear level 3 mode configure command arp privilege clear level 3 mode configure command crypto privilege clear level 3 mode configure command aaa-server prompt hostname context Cryptochecksum:646a5dbf4909e88526399e9341ba25e4 : end asdm image disk0:/asdm-61557.bin asdm location company1-IPSEC-VPN-4 255.255.255.0 ip-vpn asdm location company3-Remote-Net 255.255.255.0 ip-vpn asdm location company3-IPSec-Peer 255.255.255.255 ip-vpn asdm location forum.company2.local-dmz1 255.255.255.255 ip-vpn asdm location forum.company2.local 255.255.255.255 ip-vpn asdm location Office-New10-Network 255.255.0.0 ip-vpn asdm location RPC-Private-Net-10 255.0.0.0 ip-vpn asdm location RPC-Private-Net-172 255.240.0.0 ip-vpn asdm location RPC-Private-Net-192 255.255.0.0 ip-vpn asdm location sd.company.local-dmz1 255.255.255.255 ip-vpn asdm location sd1.company.local-dmz1 255.255.255.255 ip-vpn asdm location sd.company.local 255.255.255.255 ip-vpn asdm location sd1.company.local 255.255.255.255 ip-vpn asdm location gate2.company2.local-dmz1 255.255.255.255 ip-vpn asdm location gate2.company2.local 255.255.255.255 ip-vpn asdm location pl-dc-001 255.255.255.255 ip-vpn asdm location ASA5520-dmz1 255.255.255.255 ip-vpn asdm location jabber.company.local-dmz1 255.255.255.255 ip-vpn asdm location PL-COM-T-APP01 255.255.255.255 ip-vpn asdm location PL-COM-T-APP01-outside 255.255.255.255 ip-vpn asdm location company2-DIS-IPVPN 255.255.255.224 ip-vpn asdm history enable

Open in New Window

Select All

Answer : Cisco ASA5520: Packet Tracer  - Type: VPN Subtype: encrypt Result: DROP

Call them and compare the ACL, 50% of the problems related with VPN is that people does not have the same VPN traffic. (Gold rule! it needs to match)

B) Where is this network located DM_INLINE_NETWORK_3?

This is the VPn traffic
Source
DM_INLINE_NETWORK_3
Destination
192.168.169.0 255.255.255.0

I mean make sure that you have the correct NAT bypass when your internal network wants to communicate with the 192.168.169.0 255.255.255.0 remote network.