Question: Cisco ASA5520: Packet Tracer - Type: VPN Subtype: encrypt Result: DROP

Hi,
I configured site-to-site IPSec connections on our ASA and added a new interface, "office".
I need to add the office network to the existing S2S IPSec link.
I added an exempt rule on the office interface and added the office networks to the local networks (the remote site did the same).

The old networks work OK and the S2S link works, but traffic from the new networks does not go to the remote site. Packet tracer says Phase: 12, Type: VPN, Subtype: encrypt, Result: DROP.
I do not understand what this is.


r-ASA# packet-tracer input office tcp 192.168.10.1 1024 192.168.169.130 80 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9ec6b88, priority=1, domain=permit, deny=false
        hits=182038, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.169.0 255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group office_access_in in interface office
access-list office_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9ed4300, priority=12, domain=permit, deny=false
        hits=2117, user_data=0xc9ed42c0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9ec9d60, priority=0, domain=permit-ip-option, deny=true
        hits=5497, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
 match default-inspection-traffic
policy-map global_policy
 class global-class
  inspect http
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd487a28, priority=70, domain=inspect-http, deny=false
        hits=289, user_data=0xcd487048, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
             
Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd702e98, priority=50, domain=ids, deny=false
        hits=718, user_data=0xcd48d1a8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca546918, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=5504, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
             
Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip office 192.168.10.0 255.255.255.0 outside 192.168.169.0 255.255.255.0
    NAT exempt
    translate_hits = 667, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd6841d8, priority=6, domain=nat-exempt, deny=false
        hits=665, user_data=0xcd6c69d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.10.0, mask=255.255.255.0, port=0
        dst ip=192.168.169.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (office) 1 0.0.0.0 0.0.0.0
  match ip office any outside any
    dynamic translation to pool 1 (ASA5520-Outside [Interface PAT])
    translate_hits = 9, untranslate_hits = 48
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9dd5710, priority=1, domain=nat, deny=false
        hits=673, user_data=0xca4d6720, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (office) 1 0.0.0.0 0.0.0.0
  match ip office any outside any
    dynamic translation to pool 1 (ASA5520-Outside [Interface PAT])
    translate_hits = 9, untranslate_hits = 48
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd7d5b50, priority=1, domain=host, deny=false
        hits=1031, user_data=0xca4d6720, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12    
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc9b4e120, priority=70, domain=encrypt, deny=false
        hits=1668, user_data=0x0, cs_id=0xca4d5988, reverse, flags=0x0, protocol=0
        src ip=192.168.10.0, mask=255.255.255.0, port=0
        dst ip=192.168.169.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: office
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule






r-ASA# sh run crypto map
crypto map outside_map 1 match address outside_site2site-cryptomap
crypto map outside_map 1 set peer IPSec-Peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

r-ASA# sh run access-list outside_site2site-cryptomap
access-list outside_site2site-cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 192.168.169.0 255.255.255.0

r-ASA# sh run object-group network
object-group network DM_INLINE_NETWORK_3
 network-object Office-Prod-3-24 255.255.255.0
 network-object IPSEC-VPN-4 255.255.255.0
 network-object Office-New10-Network 255.255.0.0
 network-object 192.168.10.0 255.255.255.0


r-ASA# sh crypto ipsec sa
peer address: IPSec-Peer
    Crypto map tag: outside_map, seq num: 1, local addr: ASA5520-Outside

      access-list outside_site2site-cryptomap permit ip 172.16.3.0 255.255.255.0 192.168.169.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.169.0/255.255.255.0/0/0)
      current_peer: IPSec-Peer

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA5520-Outside/4500, remote crypto endpt.: IPSec-Peer/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 1CDBC65A

    inbound esp sas:
      spi: 0x71201DA4 (1897930148)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/27970)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000000FF
    outbound esp sas:
      spi: 0x1CDBC65A (484165210)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/27966)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 1, local addr: ASA5520-Outside

      access-list outside_site2site-cryptomap permit ip 172.16.4.0 255.255.255.0 192.168.169.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.169.0/255.255.255.0/0/0)
      current_peer: IPSec-Peer

      #pkts encaps: 81947, #pkts encrypt: 81947, #pkts digest: 81947
      #pkts decaps: 87348, #pkts decrypt: 87348, #pkts verify: 87348
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 82035, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA5520-Outside/4500, remote crypto endpt.: IPSec-Peer/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: E5183731

    inbound esp sas:
      spi: 0xF06FC7FA (4033857530)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4349588/27883)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE5183731 (3843569457)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4333448/27880)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


Code Snippet:
ASA Version 8.0(4)16 
!
hostname r-ASA
names
name 172.16.3.194 ASA5520-Ips description IPS
name x1.x2.x3.98 ASA5520-Outside
name 192.168.169.0 company3-Remote-Net description company3 Network
name 192.168.169.74 company3-Test-Pay description PAYMENT Test
name 192.168.169.70 company3-Vip-Pay description Payment host
name 172.16.3.224 company2-Cisco-NAT-3-224 description ASA-NAT Network
name 172.16.5.0 company2-DIS-Prod-5-24 description company2 Prodaction Network
name 172.16.3.0 company2-Office-Prod-3-24
name 172.16.4.0 company1-IPSEC-VPN-4 description IPSec VPN Pool
name 172.16.6.0 company1-IPSEC-VPN-6 description company1 VPN in DIS
name x1.x2.x3.96 company1-Vl33-Internet description Internet in Office company1
name 172.16.4.106 VPN4-CLIENT1 description CLIENT1
name 172.16.4.102 VPN4-CLIENT2 description CLIENT2
name 172.16.4.104 VPN4-CLIENT3 description CLIENT3
name 172.16.4.108 VPN4-CLIENT5 description CLIENT5
name 172.16.4.110 VPN4-CLIENT52 description CLIENT5 Second
name 172.16.4.101 VPN4-CLIENT6 description CLIENT6
name 172.16.4.105 VPN4-CLIENT4 description CLIENT4
name 172.16.4.103 VPN4-CLIENT7 description CLIENT7
name 172.16.4.107 VPN4-CLIENT8
name 172.16.4.111 VPN4-CLIENT9
name 172.16.4.109 VPN4-CLIENT10
name 172.16.4.112 VPN4-CLIENT11
name x1.x2.x3.103 ASA5520-VIP-HTTP
name 172.16.3.226 company2-CSS-EXT-INT description CSS11503
name 172.16.3.230 company2-CSS-VIP-HOST description VIP_Address
name 192.168.116.0 company2-ISP-IPVPN description MyISP IPVPN network
name 192.168.116.32 company2-Office-IPVPN description Connected IPVPN network
name 172.16.4.113 VPN4-CLIENT6-T
name y1.y2.y3.39 company3-IPSec-Peer
name x1.x2.x3.105 forum.company2.local
name 10.1.7.12 forum.company2.local-dmz1
name 10.1.0.0 Office-New10-Network
name 10.1.1.0 company2-ESXs-Net
name 10.1.2.0 company2-Servers-Net
name 10.1.3.0 company2-Users-Net
name 10.0.0.0 RPC-Private-Net-10
name 172.16.0.0 RPC-Private-Net-172
name 192.168.0.0 RPC-Private-Net-192
name a.b.c.96 NET1
name a.b.c.0 NET2
name a.b.c.0 CTC28-NET
name a.b.c.0 NET3
name a.b.c.92 CLIENT2-NET
name a.b.c.204 ICON-PERSON-31817 description PERSON-31817 through Icon
name a.b.c.0 NET4
name z1.z2.z3.80 company2-Int-Vlan6
name a.b.c.124 CLIENT3
name a.b.c.0 NET5-NET
name a.b.c.0 SA-Tel-NET
name a.b.c.80 CLIENT7-NET
name a.b.c.0 TELSERVICE-NET
name x1.x2.x3.100 sd.company.local
name 10.1.7.2 sd.company.local-dmz1
name x1.x2.x3.101 sd1.company.local
name 10.1.7.3 sd1.company.local-dmz1
name x1.x2.x3.104 gate2.company2.local
name 10.1.7.5 gate2.company2.local-dmz1
name 10.1.7.1 ASA5520-dmz1
name 10.1.2.2 pl-dc-001 description PDC
name 10.1.7.13 jabber.company.local-dmz1
name 10.1.2.30 PL-COM-T-APP01 description Test IIS App Server
name x1.x2.x3.106 PL-COM-T-APP01-outside description Test IIS App Server NAT
name 192.168.10.0 Office-Old-Network
name 192.168.116.64 company2-DIS-IPVPN
dns-guard
!
interface GigabitEthernet0/0
 description to ISP MyISP #
 nameif outside
 security-level 0
 ip address ASA5520-Outside 255.255.255.240 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/1
 description to IP VPN
 nameif ip-vpn
 security-level 100
 ip address 192.168.116.34 255.255.255.224 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.4
 description company2 & company1 Office
 vlan 4
 nameif office
 security-level 100
 ip address 10.1.4.1 255.255.255.0 
 ospf cost 10
!
interface GigabitEthernet0/2.7
 description DMZ for company1
 vlan 7
 nameif dmz1
 security-level 50
 ip address ASA5520-dmz1 255.255.255.0 
!
interface GigabitEthernet0/2.34
 vlan 34
 nameif inside
 security-level 100
 ip address 172.16.3.225 255.255.255.248 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description to local LAN
 nameif ips
 security-level 100
 ip address 172.16.3.193 255.255.255.224 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
banner login Authorized access only. This system is the property of company1 LLC. Disconnect IMMEDIATELY if you are not an authorized user.
boot system disk0:/asa804-16-k8.bin
ftp mode passive
clock timezone MSK 3
dns domain-lookup outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_3
 network-object company2-Office-Prod-3-24 255.255.255.0
 network-object company1-IPSEC-VPN-4 255.255.255.0
 network-object Office-New10-Network 255.255.0.0
 network-object Office-Old-Network 255.255.255.0
object-group network company2-Networks-Sec100
 network-object company2-ESXs-Net 255.255.255.0
 network-object company2-Servers-Net 255.255.255.0
 network-object company2-Users-Net 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
 network-object Office-Old-Network 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object company2-DIS-Prod-5-24 255.255.255.0
 network-object company2-ISP-IPVPN 255.255.255.0
 network-object company2-Office-IPVPN 255.255.255.224
 group-object company2-Networks-Sec100
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object tcp eq www 
 service-object tcp eq https 
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object RPC-Private-Net-10 255.0.0.0
 network-object RPC-Private-Net-172 255.240.0.0
 network-object RPC-Private-Net-192 255.255.0.0
 network-object company1-Vl33-Internet 255.255.255.240
object-group network DM_INLINE_NETWORK_2
 network-object RPC-Private-Net-10 255.0.0.0
 network-object RPC-Private-Net-172 255.240.0.0
 network-object RPC-Private-Net-192 255.255.0.0
 network-object company1-Vl33-Internet 255.255.255.240
object-group network SD-CLIENTS
 description Network access to SD portals
 network-object CTC28-NET 255.255.255.0
 network-object NET3 255.255.255.0
 network-object NET4 255.255.255.0
 network-object TELSERVICE-NET 255.255.254.0
 network-object CLIENT3 255.255.255.252
 network-object company2-Int-Vlan6 255.255.255.240
 network-object NET1 255.255.255.240
 network-object CLIENT2-NET 255.255.255.252
 network-object NET5-NET 255.255.255.0
 network-object SA-Tel-NET 255.255.255.192
 network-object CLIENT7-NET 255.255.255.248
 network-object ICON-PERSON-31817 255.255.255.252
 network-object NET2 255.255.255.192
object-group network DM_INLINE_NETWORK_5
 network-object host sd.company.local
 network-object host sd1.company.local
object-group service untangle-openvpn
 service-object tcp eq https 
 service-object udp eq 1194 
object-group service openvpn udp
 port-object eq 1194
object-group network SOFT-Group
 description SOFT Development group
 network-object host 212.112.102.90
 network-object host 212.112.105.210
object-group service msrdp tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 group-object msrdp
 port-object eq www
object-group network DM_INLINE_NETWORK_7
 network-object Office-New10-Network 255.255.0.0
 network-object Office-Old-Network 255.255.255.0
object-group network DM_INLINE_NETWORK_8
 network-object Office-New10-Network 255.255.0.0
 network-object company2-Office-Prod-3-24 255.255.255.0
 network-object company1-IPSEC-VPN-4 255.255.255.0
 network-object Office-Old-Network 255.255.255.0
object-group network DM_INLINE_NETWORK_9
 network-object Office-New10-Network 255.255.0.0
 network-object company2-Office-Prod-3-24 255.255.255.0
 network-object company1-IPSEC-VPN-4 255.255.255.0
 network-object Office-Old-Network 255.255.255.0
access-list INTERNET_INBOUND extended permit udp any any eq ntp 
access-list INTERNET_INBOUND extended permit icmp any host ASA5520-Outside unreachable 
access-list INTERNET_INBOUND extended permit icmp any host ASA5520-Outside echo-reply 
access-list INTERNET_INBOUND extended permit icmp any host ASA5520-Outside echo 
access-list INTERNET_INBOUND extended permit icmp any host ASA5520-Outside time-exceeded 
access-list INTERNET_INBOUND extended permit tcp any host ASA5520-VIP-HTTP eq www 
access-list INTERNET_INBOUND extended permit tcp any host ASA5520-VIP-HTTP eq https 
access-list INTERNET_INBOUND extended permit tcp any host ASA5520-Outside eq https 
access-list INTERNET_INBOUND extended permit tcp any host ASA5520-Outside eq 881 inactive 
access-list INTERNET_INBOUND extended permit tcp any host ASA5520-Outside eq ssh 
access-list INTERNET_INBOUND extended permit object-group DM_INLINE_SERVICE_1 any host forum.company2.local 
access-list INTERNET_INBOUND extended permit tcp object-group SD-CLIENTS object-group DM_INLINE_NETWORK_5 eq www 
access-list INTERNET_INBOUND extended permit object-group untangle-openvpn any host gate2.company2.local 
access-list INTERNET_INBOUND extended permit tcp object-group SOFT-Group host PL-COM-T-APP01-outside object-group DM_INLINE_TCP_1 
access-list VPN-STAFF_splitTunnelAcl standard permit company3-Remote-Net 255.255.255.0 
access-list VPN-STAFF_splitTunnelAcl standard permit company2-Office-Prod-3-24 255.255.255.0 
access-list VPN-STAFF_splitTunnelAcl standard permit company1-IPSEC-VPN-4 255.255.255.0 
access-list VPN-STAFF_splitTunnelAcl standard permit company2-DIS-Prod-5-24 255.255.255.0 
access-list VPN-STAFF_splitTunnelAcl standard permit company1-IPSEC-VPN-6 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company3-Remote-Net 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company3-Remote-Net 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 Office-Old-Network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 192.168.11.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 Office-Old-Network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 192.168.11.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-6 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company1-IPSEC-VPN-6 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-DIS-Prod-5-24 255.255.255.0 
access-list inside_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company1-IPSEC-VPN-6 255.255.255.0 
access-list outside_site2site-cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 company3-Remote-Net 255.255.255.0 
access-list office-qos-in-policy-acl extended deny ip object-group DM_INLINE_NETWORK_2 any 
access-list office-qos-in-policy-acl extended permit ip any any 
access-list CLIENT6_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT6_splitTunnelAcl standard permit host company3-Test-Pay 
access-list CLIENT2_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT2_splitTunnelAcl standard permit host company3-Test-Pay 
access-list CLIENT7_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT7_splitTunnelAcl standard permit host company3-Test-Pay 
access-list CLIENT3_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT3_splitTunnelAcl standard permit host company3-Test-Pay 
access-list CLIENT4_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT4_splitTunnelAcl standard permit host company3-Test-Pay 
access-list CLIENT1_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT1_splitTunnelAcl standard permit host company3-Test-Pay 
access-list CLIENT8_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT8_splitTunnelAcl standard permit host company3-Test-Pay 
access-list CLIENT5_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT5_splitTunnelAcl standard permit host company3-Test-Pay 
access-list SFTCLIENT10_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list SFTCLIENT10_splitTunnelAcl standard permit host company3-Test-Pay 
access-list CLIENT5SECOND_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT5SECOND_splitTunnelAcl standard permit host company3-Test-Pay 
access-list VPN-CLIENT6-ACL extended permit tcp host VPN4-CLIENT6 host company3-Vip-Pay eq 3002 
access-list VPN-CLIENT6-ACL extended permit tcp host VPN4-CLIENT6 host company3-Test-Pay eq 3002 
access-list VPN-CLIENT2-ACL extended permit tcp host VPN4-CLIENT2 host company3-Vip-Pay eq 3001 
access-list VPN-CLIENT2-ACL extended permit tcp host VPN4-CLIENT2 host company3-Test-Pay eq 3001 
access-list VPN-CLIENT7-ACL extended permit tcp host VPN4-CLIENT7 host company3-Vip-Pay eq 3003 
access-list VPN-CLIENT7-ACL extended permit tcp host VPN4-CLIENT7 host company3-Test-Pay eq 3003 
access-list VPN-CLIENT3-ACL extended permit tcp host VPN4-CLIENT3 host company3-Vip-Pay eq 3007 
access-list VPN-CLIENT3-ACL extended permit tcp host VPN4-CLIENT3 host company3-Test-Pay eq 3007 
access-list VPN-CLIENT4-ACL extended permit tcp host VPN4-CLIENT4 host company3-Vip-Pay eq 3005 
access-list VPN-CLIENT4-ACL extended permit tcp host VPN4-CLIENT4 host company3-Test-Pay eq 3005 
access-list VPN-CLIENT1-ACL extended permit tcp host VPN4-CLIENT1 host company3-Vip-Pay eq cifs 
access-list VPN-CLIENT1-ACL extended permit tcp host VPN4-CLIENT1 host company3-Test-Pay eq cifs 
access-list VPN-CLIENT1-ACL extended permit tcp host VPN4-CLIENT1 host company3-Vip-Pay eq 4102 
access-list VPN-CLIENT1-ACL extended permit tcp host VPN4-CLIENT1 host company3-Test-Pay eq 4102 
access-list VPN-CLIENT8-ACL extended permit tcp host VPN4-CLIENT8 host company3-Vip-Pay eq 3004 
access-list VPN-CLIENT8-ACL extended permit tcp host VPN4-CLIENT8 host company3-Test-Pay eq 3004 
access-list VPN-CLIENT5-ACL extended permit tcp host VPN4-CLIENT5 host company3-Vip-Pay eq 3022 
access-list VPN-CLIENT5-ACL extended permit tcp host VPN4-CLIENT5 host company3-Test-Pay eq 3022 
access-list VPN-CLIENT5-ACL extended permit tcp host VPN4-CLIENT5 host company3-Vip-Pay eq 4102 
access-list VPN-CLIENT5-ACL extended permit tcp host VPN4-CLIENT5 host company3-Test-Pay eq 4102 
access-list VPN-SFTCLIENT10-ACL extended permit tcp host VPN4-CLIENT10 host company3-Vip-Pay eq 3001 
access-list VPN-SFTCLIENT10-ACL extended permit tcp host VPN4-CLIENT10 host company3-Test-Pay eq 3002 
access-list VPN-CLIENT52-ACL extended permit tcp host VPN4-CLIENT52 host company3-Test-Pay eq 3022 
access-list VPN-CLIENT52-ACL extended permit tcp host VPN4-CLIENT52 host company3-Vip-Pay eq 3022 
access-list VPN-CLIENT52-ACL extended permit tcp host VPN4-CLIENT52 host company3-Test-Pay eq 4102 
access-list VPN-CLIENT52-ACL extended permit tcp host VPN4-CLIENT52 host company3-Vip-Pay eq 4102 
access-list IPS extended permit ip any any 
access-list traffic_for_ips extended permit ip any any 
access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company3-Remote-Net 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company3-Remote-Net 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 Office-Old-Network 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-ISP-IPVPN 255.255.255.0 192.168.11.0 255.255.255.0 
access-list ips_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 
access-list ips_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company2-ISP-IPVPN 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 Office-Old-Network 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-4 255.255.255.0 192.168.11.0 255.255.255.0 
access-list ips_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list ips_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list ips_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list ips_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-DIS-Prod-5-24 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-6 255.255.255.0 company2-Office-Prod-3-24 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company1-IPSEC-VPN-6 255.255.255.0 company1-IPSEC-VPN-4 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company2-DIS-Prod-5-24 255.255.255.0 
access-list ips_nat0_outbound extended permit ip company2-Office-Prod-3-24 255.255.255.0 company1-IPSEC-VPN-6 255.255.255.0 
access-list CASPYSFT_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CASPYSFT_splitTunnelAcl standard permit host company3-Test-Pay 
access-list VPN-CASPYSFT-ACL extended permit ip host VPN4-CLIENT9 host company3-Vip-Pay 
access-list VPN-CASPYSFT-ACL extended permit ip host VPN4-CLIENT9 host company3-Test-Pay 
access-list CLIENT11_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT11_splitTunnelAcl standard permit host company3-Test-Pay 
access-list VPN-CLIENT11-ACL extended permit tcp host VPN4-CLIENT11 host company3-Vip-Pay eq 4102 
access-list VPN-CLIENT11-ACL extended permit tcp host VPN4-CLIENT11 host company3-Test-Pay eq 4102 
access-list CLIENT6_TEST_splitTunnelAcl standard permit host company3-Vip-Pay 
access-list CLIENT6_TEST_splitTunnelAcl standard permit host company3-Test-Pay 
access-list VPN-CLIENT6-TEST-ACL extended permit tcp host VPN4-CLIENT6-T host company3-Vip-Pay eq 4102 
access-list VPN-CLIENT6-TEST-ACL extended permit tcp host VPN4-CLIENT6-T host company3-Test-Pay eq 4102 
access-list inside_nat0_exempt remark untranslated traffic to company3
access-list inside_nat0_exempt extended permit ip company2-Cisco-NAT-3-224 255.255.255.248 company3-Remote-Net 255.255.255.0 
access-list inside_nat0_exempt remark Untranslated traffic to DIS and IP-VPN-P2P
access-list inside_nat0_exempt extended permit ip company2-Cisco-NAT-3-224 255.255.255.248 object-group DM_INLINE_NETWORK_4 
access-list inside_nat0_exempt extended permit ip object-group DM_INLINE_NETWORK_8 company3-Remote-Net 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list dmz1_access_in extended permit tcp host jabber.company.local-dmz1 host ASA5520-dmz1 eq ldap inactive 
access-list dmz1_access_in extended permit ip any any 
access-list dmz1_nat0_outbound extended permit ip 10.1.7.0 255.255.255.0 company3-Remote-Net 255.255.255.0 
access-list office_access_in extended deny udp any host gate2.company2.local-dmz1 object-group openvpn 
access-list office_access_in extended permit ip any 10.1.7.0 255.255.255.0 
access-list office_access_in extended permit ip any any 
access-list office_access_in extended permit ip object-group DM_INLINE_NETWORK_7 company3-Remote-Net 255.255.255.0 
access-list dmz-qos-in-policy-acl extended deny ip object-group DM_INLINE_NETWORK_1 10.1.7.0 255.255.255.0 
access-list dmz-qos-in-policy-acl extended permit ip any any 
access-list dmz1_access_in_1 extended permit tcp host jabber.company.local-dmz1 host ASA5520-dmz1 eq ldap 
access-list dmz1_access_in_1 extended permit ip any any 
access-list office_nat_static extended permit tcp host pl-dc-001 eq ldap host jabber.company.local-dmz1 
access-list office_nat_static_2 extended permit tcp host PL-COM-T-APP01 eq www object-group SOFT-Group 
access-list office_nat_static_1 extended permit tcp host PL-COM-T-APP01 eq 3389 object-group SOFT-Group 
access-list office_nat0_outbound extended permit ip Office-Old-Network 255.255.255.0 company3-Remote-Net 255.255.255.0 
access-list office_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_9 company3-Remote-Net 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap debugging
logging asdm informational
logging host dmz1 10.1.7.14
mtu outside 1500
mtu ip-vpn 1500
mtu office 1500
mtu dmz1 1500
mtu inside 1500
mtu ips 1500
ip local pool CLIENT7pool VPN4-CLIENT7 mask 255.255.255.255
ip local pool CLIENT3pool VPN4-CLIENT3 mask 255.255.255.255
ip local pool CLIENT4pool VPN4-CLIENT4 mask 255.255.255.255
ip local pool CLIENT1pool VPN4-CLIENT1 mask 255.255.255.255
ip local pool CLIENT8pool VPN4-CLIENT8 mask 255.255.255.255
ip local pool CLIENT5pool VPN4-CLIENT5 mask 255.255.255.255
ip local pool SFTCLIENT10pool VPN4-CLIENT10 mask 255.255.255.255
ip local pool CLIENT5SECONDpool VPN4-CLIENT52 mask 255.255.255.255
ip local pool CLIENT6pool VPN4-CLIENT6 mask 255.255.255.255
ip local pool CLIENT2pool VPN4-CLIENT2 mask 255.255.255.255
ip local pool VPN-STAFFpool 172.16.3.100-172.16.3.150 mask 255.255.255.0
ip local pool CLIENT11 VPN4-CLIENT11 mask 255.255.255.255
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any office
icmp permit any inside
asdm image disk0:/asdm-61557.bin
asdm history enable
arp inside 172.16.3.227 0013.80f0.7d41 
arp inside company2-CSS-VIP-HOST 0013.80f0.7d41 
arp timeout 14400
global (outside) 1 interface
global (ip-vpn) 1 interface
global (dmz1) 1 interface
nat (office) 0 access-list office_nat0_outbound
nat (office) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_exempt
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ips) 0 access-list ips_nat0_outbound
nat (ips) 1 ASA5520-Ips 255.255.255.255
nat (ips) 1 0.0.0.0 0.0.0.0
static (ips,outside) tcp interface 881 ASA5520-Ips 881 netmask 255.255.255.255 
static (inside,outside) tcp ASA5520-VIP-HTTP www company2-CSS-VIP-HOST www netmask 255.255.255.255  dns 
static (office,dmz1) tcp interface ldap access-list office_nat_static 
static (office,outside) tcp PL-COM-T-APP01-outside 3389 access-list office_nat_static_1 tcp 2 2 
static (office,outside) tcp PL-COM-T-APP01-outside www access-list office_nat_static_2 tcp 10 10 
static (dmz1,dmz1) sd.company.local sd.company.local-dmz1 netmask 255.255.255.255 dns 
static (dmz1,outside) sd.company.local sd.company.local-dmz1 netmask 255.255.255.255 dns 
static (dmz1,dmz1) sd1.company.local sd1.company.local-dmz1 netmask 255.255.255.255 dns 
static (dmz1,outside) sd1.company.local sd1.company.local-dmz1 netmask 255.255.255.255 dns 
static (dmz1,dmz1) gate2.company2.local gate2.company2.local-dmz1 netmask 255.255.255.255 dns 
static (dmz1,outside) gate2.company2.local gate2.company2.local-dmz1 netmask 255.255.255.255 dns 
static (dmz1,dmz1) forum.company2.local forum.company2.local-dmz1 netmask 255.255.255.255 dns 
static (dmz1,outside) forum.company2.local forum.company2.local-dmz1 netmask 255.255.255.255 dns 
access-group INTERNET_INBOUND in interface outside
access-group office_access_in in interface office
access-group dmz1_access_in_1 in interface dmz1
access-group inside_access_in in interface inside
access-group IPS in interface ips
!
router ospf 100
 router-id company1-Vl33-Internet
 network 10.1.4.0 255.255.255.0 area 0
 network 10.1.7.0 255.255.255.0 area 2
 network company2-Cisco-NAT-3-224 255.255.255.248 area 1
 area 0 range company1-IPSEC-VPN-4 255.255.255.0
 area 1
 area 2 stub
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 x1.x2.x3.97 1
route inside 10.1.35.0 255.255.255.0 company2-CSS-EXT-INT 1
route inside 10.1.36.0 255.255.255.0 company2-CSS-EXT-INT 1
route inside 10.1.37.0 255.255.255.0 company2-CSS-EXT-INT 1
route inside 10.1.38.0 255.255.255.0 company2-CSS-EXT-INT 1
route ip-vpn company2-DIS-Prod-5-24 255.255.255.0 192.168.116.33 1
route ip-vpn company1-IPSEC-VPN-6 255.255.255.0 192.168.116.33 1
route office Office-Old-Network 255.255.255.0 10.1.4.2 1
route ip-vpn company2-ISP-IPVPN 255.255.255.224 192.168.116.33 1
route ip-vpn company2-DIS-IPVPN 255.255.255.224 192.168.116.33 1
route outside company3-Remote-Net 255.255.255.0 x1.x2.x3.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication telnet console LOCAL 
aaa authorization command LOCAL 
aaa authorization exec authentication-server
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 office
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_site2site-cryptomap
crypto map outside_map 1 set peer company3-IPSec-Peer 
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 1 set phase1-mode aggressive 
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map office_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map office_map interface office
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 office
telnet timeout 5
ssh x1.x2.x3.90 255.255.255.255 outside
ssh PL-COM-T-APP01-outside 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 office
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 193.124.11.11 source outside
ntp server 193.125.143.173 source outside
ntp server 193.125.143.172 source outside
ntp server 193.41.86.177 source outside
group-policy CLIENT11 internal
group-policy CLIENT11 attributes
 banner none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT11-ACL
 vpn-tunnel-protocol IPSec 
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT11_splitTunnelAcl
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 address-pools value CLIENT11
 client-access-rule none
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec svc 
group-policy VPN-STAFF internal
group-policy VPN-STAFF attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-STAFF_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy SFTCLIENT10 internal
group-policy SFTCLIENT10 attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-SFTCLIENT10-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SFTCLIENT10_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy CLIENT7 internal
group-policy CLIENT7 attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT7-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT7_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy CLIENT2 internal
group-policy CLIENT2 attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT2-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT2_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy CLIENT8 internal
group-policy CLIENT8 attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT8-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT8_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy CLIENT5SECOND internal
group-policy CLIENT5SECOND attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT52-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT5SECOND_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy CLIENT5 internal
group-policy CLIENT5 attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT5-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT5_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy CLIENT6 internal
group-policy CLIENT6 attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT6-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT6_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy CLIENT1 internal
group-policy CLIENT1 attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT1-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT1_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy CLIENT3 internal
group-policy CLIENT3 attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT3-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT3_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy CLIENT4 internal
group-policy CLIENT4 attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value VPN-CLIENT4-ACL
 vpn-tunnel-protocol IPSec 
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT4_splitTunnelAcl
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 

 
tunnel-group VPN-STAFF type remote-access
tunnel-group VPN-STAFF general-attributes
 address-pool VPN-STAFFpool
 default-group-policy VPN-STAFF
tunnel-group VPN-STAFF ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group y1.y2.y3.39 type ipsec-l2l
tunnel-group y1.y2.y3.39 ipsec-attributes
 pre-shared-key *
tunnel-group CLIENT6 type remote-access
tunnel-group CLIENT6 general-attributes
 address-pool CLIENT6pool
 default-group-policy CLIENT6
tunnel-group CLIENT6 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group CLIENT2 type remote-access
tunnel-group CLIENT2 general-attributes
 address-pool CLIENT2pool
 default-group-policy CLIENT2
tunnel-group CLIENT2 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group CLIENT7 type remote-access
tunnel-group CLIENT7 general-attributes
 address-pool CLIENT7pool
 default-group-policy CLIENT7
tunnel-group CLIENT7 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group CLIENT3 type remote-access
tunnel-group CLIENT3 general-attributes
 address-pool CLIENT3pool
 default-group-policy CLIENT3
tunnel-group CLIENT3 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group CLIENT4 type remote-access
tunnel-group CLIENT4 general-attributes
 address-pool CLIENT4pool
 default-group-policy CLIENT4
tunnel-group CLIENT4 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group CLIENT1 type remote-access
tunnel-group CLIENT1 general-attributes
 address-pool CLIENT1pool
 default-group-policy CLIENT1
tunnel-group CLIENT1 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group CLIENT8 type remote-access
tunnel-group CLIENT8 general-attributes
 address-pool CLIENT8pool
 default-group-policy CLIENT8
tunnel-group CLIENT8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group CLIENT5 type remote-access
tunnel-group CLIENT5 general-attributes
 address-pool CLIENT5pool
 default-group-policy CLIENT5
tunnel-group CLIENT5 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group SFTCLIENT10 type remote-access
tunnel-group SFTCLIENT10 general-attributes
 address-pool SFTCLIENT10pool
 default-group-policy SFTCLIENT10
tunnel-group SFTCLIENT10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group CLIENT5SECOND type remote-access
tunnel-group CLIENT5SECOND general-attributes
 address-pool CLIENT5SECONDpool
 default-group-policy CLIENT5SECOND
tunnel-group CLIENT5SECOND ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group CLIENT11 type remote-access
tunnel-group CLIENT11 general-attributes
 address-pool CLIENT11
 default-group-policy CLIENT11
tunnel-group CLIENT11 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
!
class-map global-class
 match default-inspection-traffic
class-map office-in-qos-class
 match access-list office-qos-in-policy-acl
class-map inspection_default
 match default-inspection-traffic
class-map dmz1-in-qos-class
 match access-list dmz-qos-in-policy-acl
class-map ips_class_map
 match access-list traffic_for_ips
!
!
policy-map dmz1-qos-in-policy
 class dmz1-in-qos-class
  police output 512000 128000
policy-map office-qos-in-policy
 class office-in-qos-class
  police output 512000 128000
policy-map global_policy
 class global-class
  inspect dns 
  inspect ftp 
  inspect http 
  inspect icmp 
  inspect icmp error 
  inspect snmp 
  inspect tftp 
 class ips_class_map
  ips inline fail-open
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
service-policy office-qos-in-policy interface office
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
Cryptochecksum:646a5dbf4909e88526399e9341ba25e4
: end
asdm image disk0:/asdm-61557.bin
asdm location company1-IPSEC-VPN-4 255.255.255.0 ip-vpn
asdm location company3-Remote-Net 255.255.255.0 ip-vpn
asdm location company3-IPSec-Peer 255.255.255.255 ip-vpn
asdm location forum.company2.local-dmz1 255.255.255.255 ip-vpn
asdm location forum.company2.local 255.255.255.255 ip-vpn
asdm location Office-New10-Network 255.255.0.0 ip-vpn
asdm location RPC-Private-Net-10 255.0.0.0 ip-vpn
asdm location RPC-Private-Net-172 255.240.0.0 ip-vpn
asdm location RPC-Private-Net-192 255.255.0.0 ip-vpn
asdm location sd.company.local-dmz1 255.255.255.255 ip-vpn
asdm location sd1.company.local-dmz1 255.255.255.255 ip-vpn
asdm location sd.company.local 255.255.255.255 ip-vpn
asdm location sd1.company.local 255.255.255.255 ip-vpn
asdm location gate2.company2.local-dmz1 255.255.255.255 ip-vpn
asdm location gate2.company2.local 255.255.255.255 ip-vpn
asdm location pl-dc-001 255.255.255.255 ip-vpn
asdm location ASA5520-dmz1 255.255.255.255 ip-vpn
asdm location jabber.company.local-dmz1 255.255.255.255 ip-vpn
asdm location PL-COM-T-APP01 255.255.255.255 ip-vpn
asdm location PL-COM-T-APP01-outside 255.255.255.255 ip-vpn
asdm location company2-DIS-IPVPN 255.255.255.224 ip-vpn
asdm history enable

Answer : Cisco ASA5520: Packet Tracer  - Type: VPN Subtype: encrypt Result: DROP

Call them and compare the ACL. 50% of the problems related to VPN are that people do not have the same VPN traffic. (Golden rule! It needs to match.)

B) Where is this network located: DM_INLINE_NETWORK_3?

This is the VPN traffic:
Source: DM_INLINE_NETWORK_3
Destination: 192.168.169.0 255.255.255.0

I mean, make sure that you have the correct NAT bypass when your internal network wants to communicate with the 192.168.169.0 255.255.255.0 remote network.
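The two checks this answer recommends (crypto ACLs that mirror each other on both peers, and a NAT exemption that covers the same flow), as an added Python example that is not part of the original thread. The ACL contents and the peer ACL name `peer-cryptomap` are constructed, and names and object-groups are assumed to be already expanded to literal networks.

```python
import ipaddress
import re

# Constructed sample configs (NOT the poster's real ACLs). Names and
# object-groups are assumed to be expanded to literal network/mask pairs.
LOCAL_CFG = """
access-list outside_site2site-cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.169.0 255.255.255.0
access-list outside_site2site-cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.169.0 255.255.255.0
access-list office_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.169.0 255.255.255.0
"""
REMOTE_CFG = """
access-list peer-cryptomap extended permit ip 192.168.169.0 255.255.255.0 192.168.11.0 255.255.255.0
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    + IPV4 + r"\s+" + IPV4 + r"\s+" + IPV4 + r"\s+" + IPV4 + r"\s*$"
)


def parse_acl(config, name):
    """Return [(src_net, dst_net)] for the 'permit ip net mask net mask' lines of one ACL."""
    pairs = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            pairs.append((src, dst))
    return pairs


def covers(pairs, src_ip, dst_ip):
    """True if any (src_net, dst_net) entry matches the flow src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in pairs)


def unmirrored(local_pairs, peer_pairs):
    """Local crypto ACL entries that have no exact (dst, src) mirror on the peer."""
    peer = set(peer_pairs)
    return [f"{s} -> {d}" for s, d in local_pairs if (d, s) not in peer]


def check_flow(local_cfg, peer_cfg, src_ip, dst_ip,
               crypto_acl="outside_site2site-cryptomap",
               peer_acl="peer-cryptomap",
               nat0_acl="office_nat0_outbound"):
    """Run the answer's checks for one flow leaving the local ASA toward the peer."""
    local_crypto = parse_acl(local_cfg, crypto_acl)
    peer_crypto = parse_acl(peer_cfg, peer_acl)
    nat0 = parse_acl(local_cfg, nat0_acl)
    return {
        # Is the flow selected for encryption on the local side?
        "local_crypto_match": covers(local_crypto, src_ip, dst_ip),
        # Does the peer select the return direction (its src = our dst)?
        "peer_mirror_match": covers(peer_crypto, dst_ip, src_ip),
        # Is the flow exempt from NAT so it reaches the crypto ACL untranslated?
        "nat_exempt_match": covers(nat0, src_ip, dst_ip),
        # Entries that exist locally but are missing on the peer.
        "unmirrored": unmirrored(local_crypto, peer_crypto),
    }


if __name__ == "__main__":
    # Same 5-tuple endpoints as the packet-tracer command in the question.
    for key, value in check_flow(LOCAL_CFG, REMOTE_CFG,
                                 "192.168.10.1", "192.168.169.130").items():
        print(f"{key}: {value}")
```

On a real device the inputs would come from `show running-config access-list` on each peer, after expanding names and object-groups.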