ASA 8.2 vpn-filter for L2L connections

I have a vpn-filter applied to my L2L policy. The remote site uses a Cisco 1811 router and the main hub is a Cisco 5580. I already have a vpn-filter ACL in place on an existing L2L connection, which works fine. The only issue is that when I make changes to the ACL to add/remove access, I have to bounce the whole tunnel before the changes take effect.

My question is, is there a command to reload the access control without tearing down the tunnel?

Hi Jeffrey,

By design, whenever there are changes to the group-policy attributes (including vpn-filter, DNS server IPs, vpn-tunnel-protocol etc.), you need to reset the respective tunnel so that phase 2 is negotiated with the newly added policy. The command to clear a specific tunnel is:

clear crypto ipsec sa peer x.x.x.x

For more details on the command, please see the link below

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C3.html#wp2133652

So, to answer your query: there is no command to reset just the access control. Even if there were such a command, you would still have to bounce the tunnel to trigger IPsec negotiation with the new group-policy settings.

HTH...

Regards,
Mohit

Tags: Cisco Security

Similar Questions

  • Clarification of vpn-filter on ASA/PIX needed

    Hello

    At the moment I have a few vpn-filters applied to remote-access VPN groups, and everything works as expected (sysopt connection permit-vpn is enabled).

    Now I need to set up a few L2L tunnels and I want to limit traffic beyond the level of the crypto ACL. I think I have 2 options here:

    1. disable sysopt connection permit-vpn and set the ACEs on the outside ACL for all my RA and L2L tunnels (preferably not)

    2. it is sufficient to use vpn-filter for the L2L tunnels too

    Is option 2 possible? As far as my IPsec experience goes, I think it is a remote-access-only option, but the documentation is very vague on the subject.

    Thanks in advance!

    Christian

    This is a known bug, CSCsg60095, and is supposed to be fixed in version 7.2.2.7.

    -Kanishka

  • Should I apply a single VPN filter to several L2L VPNs, or should each VPN tunnel have its own VPN filter on an ASA?

    Currently, I am trying to decide, when creating VPN filters, whether I should just create one and apply it to multiple VPN tunnels, or whether each VPN tunnel must have its own VPN filter. Creating a VPN filter for each VPN tunnel seems like extra work, but I do not know if this is the best choice. I looked through the documentation, but it never mentions applying VPN filters to several tunnels.

    Hello Jork,

    If you add filters for each VPN tunnel-group, it will be more work, but at the same time you will have more control over the external users trying to connect to your network.

    I would say that you have different tunnel-groups (each of them will have its own functionality), therefore it depends on what you're trying to implement.

    If the people who are going to use tunnel-group X are the same as those who use tunnel-group Y, then you can use the same one for both.

    I hope I understood your question.

    Kind regards.

    Julio


  • L2L ASA VPN issues

    Hi all

    I have two firewalls between which I'm trying to set up an L2L VPN. One of them is an old SonicWALL and the other an ASA 5505.

    I put everything in, phase 1/2 complete and the tunnel comes up, however no traffic passes through.

    Here is my configuration

    ASA (outside, 192.168.30.1), ASA internal 192.168.10.0/25

    SonicWALL (outside 192.168.30.2), SonicWALL internal 192.168.20.0/24

    I have an access-list configured on the ASA and applied to the crypto map using crypto map XXXX 1 match address YYY

    However, when I watch the debug messages on the console it says: "cannot locate output interface for UDP from XXXX: 192.168.10.10/1 to 192.178.20.1/0"

    Any ideas why this is?

    Do I just need a static route saying all traffic on the ASA with source 192... 10.0 should go through 192.168.30.2?

    I guess that's the job of the crypto map

    Am I wrong?

    Hello

    It seems to me that you have a vpn-filter ACL configured for your L2L VPN, and also that the vpn-filter ACL and the crypto ACL are the same thing, meaning you use a single ACL for both.

    Why I think it's like this is the fact that you say your L2L VPN traffic passes the VPN phase in "packet-tracer", which means the L2L VPN crypto ACL was correct. At the same time you say that the connection was stopped at the VPN USER phase. That points to a vpn-filter ACL being configured.

    In view of the above, I also know that the vpn-filter ACL for an L2L VPN behaves with a different logic than a typical interface ACL. In the L2L VPN filter ACL you ALWAYS mention the remote network as the source and your local network as the destination.

    If you add an ACL rule with the networks switched around, it seems this fixes the vpn-filter ACL problems and finally allows the traffic. Naturally I can only guess, as I have not seen the actual configurations at this point (which, usually together with "packet-tracer" output, help to solve a problem faster than just guessing).

    If you indeed have a vpn-filter, you may be able to track it down with the following commands

    show run tunnel-group

    Check if a "default-group-policy" is defined, then use the command

    show run group-policy

    This output should list the name of the vpn-filter ACL if it is set.

    Regarding the automatic route installation: the default setting on the ASA is that it will create NO static routes automatically based on the VPN configuration. This must be enabled manually in the "crypto map" configuration, or you can configure static routes manually.

    The ASA tracks TCP and UDP connections by default. ICMP is inspected only if you enable it. By default it is NOT inspected.

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • vpn-filter seems to work in both directions

    I have an ASA 5520, version 8.4(3)

    I set up a site-to-site VPN with a vpn-filter for filtering the communications

    I used this example:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

    The VPN connection did not work, so I added this last line to my vpn-filter ACL:

    access-list acl-L2L-ORANGE extended deny ip any any log notifications interval 60

    I am very confused, because I see this syslog message:

    %ASA-5-106102: access-list acl-L2L-ORANGE denied tcp for user '' inside/10.1.61.51(60748) -> outside/213.151.208.154(4490)

    It seems to me this vpn-filter filters my inside-to-outside traffic, i.e. communication which is sent from inside into the TUNNEL.

    Worse still, my ACL includes this line

    access-list acl-L2L-ORANGE line 1 extended permit tcp host 10.1.61.51 host 213.151.208.154 (hitcnt=0)

    How can this be possible?

    Hello

    If you want to get rid of the problems and complexity that vpn-filter access-lists can cause, you can run the following command

    no sysopt connection permit-vpn

    What it would do is that all connections from the remote L2L VPN site would be subject to the access-list rule check on the outside interface of your ASA, in the same way your local network traffic heading for the remote L2L VPN site is checked by the access-list on your inside interface.

    But if you go this route, you will need to consider that you will need to open the traffic for possibly existing (Client and L2L VPN) VPN connections in your outside interface access-list before running the above command.

    At least in this way you won't run into the problem that you actually open more than you expect with the vpn-filter type of ACL. And as I said, it is not quite as complicated to manage.

    I must say however that I do not use the two ways depending on the environment that I am setting up.

    -Jouni

  • Site-to-site VPN filter

    I've set up a site-to-site VPN and I can't seem to get the vpn-filter to work. I've followed this document:

    http://www.Cisco.com/image/gif/paws/99103/PIX-ASA-VPN-filter.PDF

    I created an ACL with an ACE for only the traffic I want to allow. Then I went to the site-to-site group policy and applied this filter. However, I can still ping the remote network from a client which should not be allowed. The remote network is 192.168.2.0/24. Here is my partial config:

    access-list Test extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.2
    Trying to deny a range ip extended access list

    group-policy Test internal
    group-policy Test attributes
     vpn-filter value Test

    tunnel-group Test_tunnel type ipsec-l2l
    tunnel-group Test_tunnel general-attributes
     default-group-policy Test

    Hello

    First of all I would like to clarify that the tunnel-group name used for a site-to-site tunnel must be the IP address of the peer (at least for static L2L tunnels); it is on that tunnel-group that you must apply this "Test" group policy. The filter configuration seems perfect, but you must make sure that you apply the group policy accordingly. Now, once you apply the group policy to the correct tunnel-group, you have to bounce the tunnel, otherwise the new filter will not take effect. You can use the command "clear crypto ipsec sa peer x.x.x.x", generate some traffic to bring the tunnel up again, and it should have the filter.

    If you apply it correctly and bounce the tunnel, it will work.

    You can check whether the filter is applied with the command "show vpn-sessiondb detail l2l" and look for the name of the ACL

    Best regards, please rate.

  • Which VPN client for an ASA 5550 with AnyConnect Premium?

    We have a couple of ASA 5550s on version 9 and I want to set up a VPN client for remote administrative access. We have the AnyConnect VPN Premium license with 2 peers included, so I guess we can just use the Cisco AnyConnect VPN client. I went to Cisco's website and it says that I don't have the right to the latest AnyConnect VPN Client 4.x, but I don't have access to version 3.x.

    Is the 3.x client compatible with the ASA and also with Windows 10?

    If yes, what is the correct file to use? There are many files listed for download in AnyConnect 3.x.

    In addition, what is the difference between the AnyConnect 3.x and 4.x clients, and why is Cisco restricting 4.x?

    Jim

    AnyConnect 4.x has changed the licensing model. AnyConnect 4.x licenses are term-based licensing vs. perpetual for 3.x. There are a number of other differences, mainly due to there being only two license types - Plus and Apex - no more Mobile, Advanced Endpoint Assessment, shared VPN etc. Cisco offers a nominal or no-cost license migration until the end of 2015 (depending on what you have: Essentials to Plus or Premium to Apex).

    AnyConnect 3.1 will work with Windows 10 and the latest version of the ASA software (since version 3.1.10010). Reference:

    http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...

    There are two ways it is distributed - as a stand-alone installer or as a package for distribution from the ASA. Both come in Windows, Mac OS X and Linux distributions. For a Windows client, you must use either:

    anyconnect-win-3.1.12020-pre-deploy-k9.iso

    anyconnect-win-3.1.12020-k9.pkg

    ...or the current version of these respective form factors.

  • VPN filter for a hairpinned VPN

    We have a corporate site with a Cisco ASA 5580 (8.1), and a remote office with a Cisco ASA 5510 (8.2) with an L2L VPN to corporate.

    A vendor has an L2L VPN to the corporate ASA, with access to remote desktops at the remote office through the VPNs (hairpinned).

    Corporate needs to reach an application at the vendor on port 23. Everything works with respect to the vendor accessing resources at the remote office and corporate accessing the application at the vendor. Our goal now is to restrict the vendor to port 23 with the corporate network and port 9100 for remote desktop. On the corporate ASA I set up a vpn-filter and applied it to the vendor L2L VPN, but when I apply the filter (see below) all traffic to the vendor, such as telnet, stops. I'd appreciate any help.

    Corporate: 10.0.0.0 255.0.0.0

    Remote Desktop: 172.20.1.0 255.255.255.0

    Vendor network: 192.168.0.0 255.255.0.0

    access-list vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 23

    access-list vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100

    group-policy vendor-filter-policy internal

    group-policy vendor-filter-policy attributes

     vpn-filter value vendor-filter

    tunnel-group xxx.xxx.xxx.xxx general-attributes

     default-group-policy vendor-filter-policy

    The vpn-filter ACL must be as follows:

    access-list vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 eq 23 10.0.0.0 255.0.0.0

    access-list vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100

  • Unable to connect to the ASA VPN from the Android client

    Hello, I have a problem with the Android client. I've solved many problems and finally could get the PHASE 1 and PHASE 2 COMPLETED messages in the logs :). Anyway, I have a different problem: even though the client completes phase 1 and 2, it still fails to connect. Here are the logs:

    | 21456 | *** | 500 | Built inbound UDP connection 600577524 for outside:*/21456 (*/21456) to identity:*/500 (*/500)
    | 27262 | *** | 4500 | Built inbound UDP connection 600577567 for outside:*/27262 (*/27262) to identity:*/4500 (*/4500)
    Group = ANDROID_PROF, IP = *, Automatic NAT Detection Status: Remote end IS behind a NAT device, This end is behind a NAT device
    Group = ANDROID_PROF, IP = *, Floating NAT-T from * port 21456 to * port 27262
    Group = ANDROID_PROF, IP = *, PHASE 1 COMPLETED
    Group = ANDROID_PROF, IP = *, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
    IPSEC: An outbound remote access SA (SPI = 0x0429CEA7) between * and * (user = ANDROID_PROF) has been created.
    Group = ANDROID_PROF, IP = *, Security negotiation complete for User () Responder, Inbound SPI = 0xc95803fc, Outbound SPI = 0x0429cea7
    IPSEC: An inbound remote access SA (SPI = 0xC95803FC) between * and * (user = ANDROID_PROF) has been created.
    Group = ANDROID_PROF, IP = *, PHASE 2 COMPLETED (msgid = 9aab13ed)
    | 27262 | *** | 1701 | Built inbound UDP connection 600577657 for outside:*/27262 (*/27262) to identity:*/1701 (*/1701)
    L2TP Tunnel created, tunnel_id is 24, remote_peer_ip is *, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is *
    L2TP Tunnel deleted, tunnel_id = 24, remote_peer_ip = *
    IPSEC: An outbound remote access SA (SPI = 0x0429CEA7) between * and * (user = ANDROID_PROF) has been deleted.
    IPSEC: An inbound remote access SA (SPI = 0xC95803FC) between * and * (user = ANDROID_PROF) has been deleted.
    Group = ANDROID_PROF, IP = *, Session is being torn down. Reason: User Requested
    Group = ANDROID_PROF, Username = , IP = *, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:07s, Bytes xmt: 1021, Bytes rcv: 955, Reason: User Requested

    As you can see, the session was torn down immediately and Android reported a failure. The Android settings:
    Name: ANDROID_PROF

    Type: L2TP/IPsec Psk

    The IPsec identifier: ANDROID_PROF

    Pre-shared key IPsec: cisco

    The ASA config:

    tunnel-group ANDROID_PROF general-attributes
     address-pool IPSEC_RA_POOL
     authentication-server-group LDAP LOCAL
     authorization-server-group LDAP
     default-group-policy NOACCESS
    tunnel-group ANDROID_PROF ipsec-attributes
     ikev1 pre-shared-key *
    tunnel-group ANDROID_PROF ppp-attributes
     authentication chap
     authentication ms-chap-v2

    group-policy ANDROID_PROF_GP attributes
     dns-server value *
     vpn-simultaneous-logins 4
     vpn-tunnel-protocol l2tp-ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ANDROID_PROF_USERS
     default-domain value Cisco.local
     address-pools value IPSEC_RA_POOL

    Hello

    Your problem with the Android L2TP/IPsec client connecting to the ASA is caused by CSCug60492 (Android phone disconnected from l2tpoveripsec and reconnect asa hung).

    It is actually an Android issue, not an ASA bug. The resolution is on the Android side.

    I hope this helps.

    Thank you

    Vishnu

  • Bind two ISPs on the ASA for the remote VPN client to connect to, instead of creating two profiles on the remote client

    Hello

    Just a quick one,

    TOPOLOGY

    ASA ISP1 - 197.1.1.1 - outside

    ASA ISP2 - 196.1.1.1 - backup

    LAN IP - 192.168.202.100 - inside

    I have configured the tunnel on the interfaces (outside and backup), but I want to link both public legs so that they serve as redundancy for VPN users: VPN tunnel users should keep pointing at a single IP whenever they want to establish a VPN session. We want it to be one, so if an interface fails the VPN users will not know, and it will try the second one for the connection, instead of creating a profile for both outside legs on the VPN client.

    Is this possible?

    Hi Rammany.

    In your case, you have only one ASA that connects to 2 ISPs in different IP segments... 196.x.x.x (Link1) & 197.x.x.x (Link2). Your requirement is that you want the VPN client to have a backup: if the 196.x.x.x link fails, it should automatically take the 197.x.x.x link, and you should not have to configure a backup server in the VPN client. You don't have the possibility of active/standby with a single ASA either.

    I don't think it will work with your current design.

    One option is available if your VPN client supports host name resolution (DNS). You can have both public IP addresses share the same host name, keeping link 1 as the primary address and 2 as the secondary address. It will work on its own.

    Hope some other experts in our forum can help you with that.

  • Site-to-site VPN with restrictions (vpn-filter)

    I installed a site-to-site VPN and it works fine and the two sites can reach each other, but I have a question: after applying the vpn-filter under the group policy to restrict users in the local site to specific TCP ports, the VPN does not behave as expected according to the «sh vpn-sessiondb l2l» command.

    This works, but users can't access anything in the remote site

    Note > after adding a line at the end of the ACL with this

    access-list US_SITE extended permit ip any any

    it now works well again

    Example of an access-list line

    access-list US_SITE extended permit tcp host 10.68.22.50 host 192.168.10.23 object-group HTTP_HTTPS
    access-list US_SITE extended permit tcp host 10.68.22.50 host 192.168.10.24 object-group HTTP_HTTPS

    local network: 10.68.22.50

    remote network: 192.168.10.24

    Is that correct or not?

    group-policy x.x.x.x attributes
     vpn-filter value US_SITE

    tunnel-group y.y.y.y general-attributes
     default-group-policy x.x.x.x

    Note: sysopt connection permit-vpn is enabled

    The syntax of an ACL that is used as a vpn-filter is different from what is normally expected. These VPN filters are not directional; you note the traffic you want to allow inbound and outbound of the VPN in one ACL. The syntax for this is:

    access-list X permit/deny REMOTE-DEFINITION LOCAL-DEFINITION

    Example: you want to allow local users to access RDP on the remote site:

    access-list VPN-ACL extended permit tcp host 192.168.10.24 eq 3389 10.68.22.0 255.255.255.0

    Disadvantage: this is all really confusing, and you can't do things like allowing ping in only one direction.
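
The remote-as-source rule stated in this answer is the same one behind the acl-L2L-ORANGE syslog and the vendor-filter hairpin thread earlier in this list. The model below is an added example, not code from any of the posts or from Cisco: it parses a subset of ASA extended ACL syntax (host/any/mask and "eq" only, no object-groups), evaluates a flow with the peer side always in the source slot, and reuses the threads' networks as constructed sample flows (the individual host addresses 10.0.0.5, 192.168.1.20 and 172.20.1.10 are assumed).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One entry of an ASA extended ACL (subset: host/any/mask and 'eq' only)."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]     # 'eq N' written after the source, else None
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]     # 'eq N' written after the destination, else None


def _take_addr(tok: List[str], i: int):
    """Consume 'host A', 'any' or 'A MASK' at tok[i], then an optional 'eq PORT'."""
    if tok[i] == "host":
        net, i = ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    elif tok[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    else:  # address followed by a dotted netmask, as on the ASA CLI
        net, i = ipaddress.IPv4Network((tok[i], tok[i + 1]), strict=False), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return net, port, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [eq N] DST [eq N]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    src, sport, i = _take_addr(tok, i + 2)
    dst, dport, _ = _take_addr(tok, i)
    return Ace(action, proto, src, sport, dst, dport)


def evaluate(acl: List[Ace], initiator: str, ini_ip: str, resp_ip: str,
             proto: str, service_port: int) -> str:
    """Decide one flow against a vpn-filter the way the ASA reads it: an ACE is
    always SOURCE = remote (peer) side, DESTINATION = local side, whichever side
    started the flow, so a locally initiated flow has its service port in the
    source slot.  First match wins; no match is the implicit deny."""
    ini, resp = ipaddress.IPv4Address(ini_ip), ipaddress.IPv4Address(resp_ip)
    if initiator == "remote":
        src, src_port, dst, dst_port = ini, None, resp, service_port
    elif initiator == "local":
        src, src_port, dst, dst_port = resp, service_port, ini, None
    else:
        raise ValueError("initiator must be 'local' or 'remote'")
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue  # an ephemeral port (None) never equals a fixed 'eq' port
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# Constructed from the acl-L2L-ORANGE post: local 10.1.61.51 opens TCP/4490 to
# remote 213.151.208.154.  Written local-as-source the ACE never matches (hitcnt=0).
ORANGE_AS_POSTED = [parse_ace(
    "access-list acl-L2L-ORANGE extended permit tcp host 10.1.61.51 host 213.151.208.154")]
ORANGE_REMOTE_AS_SOURCE = [parse_ace(
    "access-list acl-L2L-ORANGE extended permit tcp host 213.151.208.154 eq 4490 host 10.1.61.51")]

# Constructed from the vendor hairpin post: corporate 10.0.0.0/8 telnets to the
# vendor's 192.168.0.0/16, and the vendor reaches 172.20.1.0/24 on port 9100.
VENDOR_AS_POSTED = [parse_ace(ln) for ln in (
    "access-list vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0 eq 23",
    "access-list vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100",
)]
VENDOR_CORRECTED = [parse_ace(ln) for ln in (
    "access-list vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 eq 23 10.0.0.0 255.0.0.0",
    "access-list vendor-filter extended permit tcp 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0 eq 9100",
)]


def orange_results():
    """(verdict as posted, verdict with remote as source) for inside -> outside TCP/4490."""
    flow = ("local", "10.1.61.51", "213.151.208.154", "tcp", 4490)
    return evaluate(ORANGE_AS_POSTED, *flow), evaluate(ORANGE_REMOTE_AS_SOURCE, *flow)


def vendor_results():
    """Verdicts for the flows the hairpin post cares about (host addresses assumed)."""
    telnet_out = ("local", "10.0.0.5", "192.168.1.20", "tcp", 23)      # corporate -> vendor:23
    rdesk_in = ("remote", "192.168.1.20", "172.20.1.10", "tcp", 9100)  # vendor -> remote desktop
    rdp_in = ("remote", "192.168.1.20", "10.0.0.5", "tcp", 3389)       # vendor -> corporate, unwanted
    return {
        "telnet_as_posted": evaluate(VENDOR_AS_POSTED, *telnet_out),
        "telnet_corrected": evaluate(VENDOR_CORRECTED, *telnet_out),
        "port9100_corrected": evaluate(VENDOR_CORRECTED, *rdesk_in),
        "rdp_to_corporate": evaluate(VENDOR_CORRECTED, *rdp_in),
    }
```

Note that the model deliberately ignores object-groups and the "range"/"gt" port operators; it exists only to make the source/destination orientation visible.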
  • Cisco ASA vpn site to site with access internet, error

    Hello

    I have two offices, central and remote, with external IP addresses. They are connected by a site-to-site VPN. The LAN works fine when NAT is disabled, but then there is no internet access; when I enable NAT the internet works well, but then there is no access to the remote local network.
    Where would the problem be?

    Here's the config:

    ASA Version 8.4(4)1
    !
    hostname SalSK-ASA
    domain-name ld.lt
    enable password xxx encrypted
    passwd xxx encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 81.X.X.X 255.255.255.0
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.204.254 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    clock timezone EET 2
    dns server-group DefaultDNS
     domain-name lietuvosdujos.lt
    object network LAN
     subnet 192.168.204.0 255.255.255.0
     description Local Area Network
    object network LD_Lanai
     subnet 192.168.0.0 255.255.0.0
     description LD lanai
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
    access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
    access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
    access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
    access-list outside_cryptomap_1 extended permit ip object LAN any
    access-list outside extended permit ip any any
    pager lines 24
    logging enable
    logging list VPN_events level informational class auth
    logging list VPN_events level informational class vpdn
    logging list VPN_events level informational class vpn
    logging list VPN_events level informational class vpnc
    logging list VPN_events_ID message 713120
    logging list VPN_events_ID message 713167
    logging list VPN_events_ID message 602303
    logging list VPN_events_ID message 713228
    logging list VPN_events_ID message 113012
    logging list VPN_events_ID message 113015
    logging list VPN_events_ID message 713184
    logging list VPN_events_ID message 713119
    logging list VPN_events_ID message 602304
    logging monitor debugging
    logging buffered debugging
    logging trap VPN_events_ID
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic LAN interface inactive
    access-group outside in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server ISE protocol radius
    aaa-server ISE (inside) host 192.168.200.48
     key *****
    user-identity default-domain LOCAL
    aaa authentication enable console ISE LOCAL
    aaa authentication http console ISE LOCAL
    aaa authentication serial console ISE LOCAL
    aaa authentication ssh console ISE LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_cryptomap_1
    crypto map outside_map 1 set peer 213.X.X.X
    crypto map outside_map 1 set ikev1 transform-set tripledes
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.168.201.200 source inside prefer
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec
    group-policy SalGP internal
    group-policy SalGP attributes
     vpn-filter value vpn
     vpn-tunnel-protocol ikev1 l2tp-ipsec
    username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
    tunnel-group 213.X.X.X type ipsec-l2l
    tunnel-group 213.X.X.X general-attributes
     default-group-policy SalGP
    tunnel-group 213.X.X.X ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map global-class
     match default-inspection-traffic
    !
    !
    policy-map global-policy
     class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip 
      inspect skinny 
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp
     class class-default
      user-statistics accounting
    !
    service-policy global-policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
    : end

    Two things here, according to your needs.

    First, you encrypt all the traffic from the network 192.168.204.0/24... do you intend to send all traffic from that subnet via the VPN? If this isn't the case, specify the remote subnet in the crypto ACL instead of using "any".

    object network LAN
     subnet 192.168.204.0 255.255.255.0
    access-list outside_cryptomap_1 extended permit ip object LAN any

    Second, you do not have a NAT exempt statement so that the encrypted traffic is not translated. This statement would look like the following:

    object network LAN
     subnet 192.168.204.0 255.255.255.0

    object network REMOTE-LAN
     subnet 192.168.100.0 255.255.255.0

    nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

    --

    Please do not forget to mark a correct answer and rate.

  • ASA 8.3 VPN access rules

    Hi, I recently bought an ASA 5520 to use as a VPN gateway for several site-to-site VPN tunnels. I've upgraded to version 8.3 and set up a lab environment. I implemented a simple VPN with a general permit ip rule to start with, and everything works fine. I'm having trouble tightening access now: if I change the access-list on the ASA to ICMP I can ping in both directions; if I add tcp I can telnet from a computer at the other end of the VPN; but if I change the tcp protocol to telnet, I can't connect. The other end of the VPN is a Cisco 2620XM and I match the access-lists for each of the changes. I also do not understand the meaning of the ASA access-list: it seems that if I want to allow the remote tcp host access behind the ASA, I have the host behind the ASA as the source; it appears backward? Can anyone shed some light on this? Very much appreciated.

    Yes, you are supposed to only configure 'ip' in your crypto ACL (the ACL applied to your crypto map), and the crypto ACLs are supposed to be mirror images on each peer, so when you change to specific TCP/UDP ports, it is no longer a mirror image of the other side/peer.

    I thought that you were using an ACL applied to "vpn-filter".

    But in the previous post, you actually configure the ACL on each interface.

    The above are 3 different ACLs that you apply differently (crypto ACL --> applied to the crypto map, vpn ACL --> applied to vpn-filter, and your normal interface ACL).

  • One-way ASA VPN access

    Hello:

    I have configured an ASA 5505 to accept Cisco VPN Clients over IPsec and access the internal subnet through the tunnel (added a NAT exempt rule too), and the VPN Clients can connect and work without problems.

    But from the internal network or the ASA I cannot ping or connect to the VPN Clients.

    My configuration:

    Internal network: 172.26.1.0 255.255.255.0

    The VPN Clients network 172.26.2.0 255.255.255.0

    Can you help me?

    Here is my configuration:

    : Saved
    :
    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name ftf.es
    enable password xxxxxxx encrypted
    passwd xxxxx encrypted
    names
    name 217.125.44.23 IP_publica
    name 172.26.1.100 Servidor
    name 192.168.1.3 IP_externa
    name 192.168.2.3 IP_Externa2
    name 172.26.2.0 VPN_Clients
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.26.1.89 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address IP_externa 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport access vlan 12
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
     switchport access vlan 13
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name ftf.es
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service terminal-server tcp
     port-object eq 3389
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list FTFVPN_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0
    access-list FTFVPN_Group_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0
    access-list outside_access_in extended permit tcp any host IP_externa eq 3389
    access-list outside_access_in extended permit object-group TCPUDP any host IP_externa eq www
    access-list FTF_ADSL2_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 VPN_Clients 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 host 172.26.1.199
    access-list outside_nat0_outbound extended permit ip VPN_Clients 255.255.255.0 172.26.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn 172.26.1.180-172.26.1.200 mask 255.255.255.0
    ip local pool vpn2 172.26.2.100-172.26.2.200 mask 255.255.255.0
    ip local pool vpn3 172.26.3.100-172.26.4.150 mask 255.255.255.0
    ip local pool vpn4 172.26.1.240-172.26.1.250 mask 255.255.255.0
    ip local pool FTFVPN_Pool 176.26.1.150-176.26.1.170 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 Servidor 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface www Servidor www netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 172.26.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs group1
    crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
    crypto dynamic-map outside_dyn_map 60 set pfs group1
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs group1
    crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA
    crypto dynamic-map outside_dyn_map 100 set pfs group1
    crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_SHA
    crypto dynamic-map outside_dyn_map 120 set pfs group1
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 172.26.1.90-172.26.1.217 inside
    !
    webvpn
     enable outside
     url-list FTFVLC "DYNAMICS" cifs://172.26.1.100 1
     port-forward TEST 3389 172.26.1.100 3389 Terminal Server
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     banner value Bienvenido a la red de FTF
     dns-server value 172.26.1.100 80.58.32.97
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     split-tunnel-policy tunnelall
     default-domain value ftf.es
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools value vpn2
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward value TEST
      port-forward-name value Acceso a aplicaciones
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy FTFVPN_Group internal
    group-policy FTFVPN_Group attributes
     dns-server value 172.26.1.100
     vpn-tunnel-protocol IPSec l2tp-ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value FTFVPN_Group_splitTunnelAcl
     default-domain value ftf.es
     address-pools value vpn2
    group-policy VPNSSL internal
    group-policy VPNSSL attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     webvpn
      functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
    username raul password xxxxxx encrypted privilege 0
    username raul attributes
     vpn-group-policy FTFVPN_Group
    tunnel-group DefaultRAGroup general-attributes
     address-pool vpn2
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultWEBVPNGroup general-attributes
     default-group-policy VPNSSL
    tunnel-group DefaultWEBVPNGroup webvpn-attributes
     nbns-server Servidor master timeout 5 retry 3
    tunnel-group FTFVPN_Group type ipsec-ra
    tunnel-group FTFVPN_Group general-attributes
     address-pool vpn2
     default-group-policy FTFVPN_Group
    tunnel-group FTFVPN_Group ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f5e713652d4a2e2623248d7e49086105
    : end
    asdm image disk0:/asdm-524.bin
    asdm location Servidor 255.255.255.255 inside
    asdm location IP_publica 255.255.255.255 inside
    asdm location IP_externa 255.255.255.255 inside
    asdm location IP_Externa2 255.255.255.255 inside
    asdm location VPN_Clients 255.255.255.0 inside
    no asdm history enable

    Raul,

    I don't see any ACL applied on the inside interface, or as a vpn-filter, that would prevent the PING from the ASA inside IP to the VPN client.

    Are you sure the VPN client does not have the Windows Firewall on, or antivirus software that prevents it from responding to PING?

    Federico.

  • The ASA VPN help

    Hello

    The ASA is not my strong point.  I had to make some changes to my client's ASA when the provider changed.  The ASA was NATed behind an NTU the previous provider gave us; with the new provider the ASA is NATed behind a modem.  The only thing that does not work right is the VPN.

    When the IPSec VPN connects we cannot ping, telnet/ssh or RDP to any of them.  My guess is that the ACLs are not quite right.  Could someone take a look at the config and propose something?

    WAN - ASA - LAN (192.168.20.x)

    I removed the usernames and passwords and changed the public IP addresses for security.

    ASA# sh run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname asa
    domain-name afpo.local
    enable password JCdTyvBk.ia9GKSj encrypted
    passwd d/TIM/v60pVIbiEg encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.20.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group idnet
     ip address pppoe setroute
    !
    banner exec *****************************************************
    banner exec * SCP backup enabled *
    banner exec * SYSLOG enabled *
    banner exec *****************************************************
    ftp mode passive
    clock timezone GMT/UTC 0
    clock summer-time GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 192.168.20.201
     domain-name afpo.local
    same-security-traffic permit intra-interface
    object-group network GFI-SERVERS
     network-object 5.11.77.0 255.255.255.0
     network-object 93.57.176.0 255.255.255.0
     network-object 94.186.192.0 255.255.255.0
     network-object 184.36.144.0 255.255.255.0
     network-object 192.67.16.0 255.255.252.0
     network-object 208.43.37.0 255.255.255.0
     network-object 228.70.81.0 255.255.252.0
     network-object 98.98.51.176 255.255.255.240
    access-list INBOUND extended permit tcp any interface outside eq https inactive
    access-list INBOUND extended permit tcp any interface outside eq 987
    access-list INBOUND extended permit tcp object-group GFI-SERVERS interface outside eq smtp inactive
    access-list INBOUND extended permit tcp object-group GFI-SERVERS interface outside eq ldaps
    access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.0.0
    access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 172.16.0.0 255.255.255.0
    access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 172.16.0.0 255.255.255.128
    access-list RITM extended permit ip 10.71.79.0 255.255.255.0 10.0.0.0 255.255.0.0
    access-list CLIENT_VPN extended permit ip any 172.16.0.0 255.255.255.128
    access-list SPLIT_TUNNEL standard permit 10.71.79.0 255.255.255.0
    access-list TSadmin_splitTunnelAcl standard permit 10.71.79.0 255.255.255.0
    pager lines 24
    logging enable
    logging trap informational
    logging asdm informational
    logging host inside 10.71.79.2
    mtu inside 1500
    mtu outside 1500
    ip local pool CLIENT_VPN_POOL 172.16.0.1-172.16.0.126 mask 255.255.255.128
    ip local pool SSL_VPN_POOL 172.16.0.129-172.16.0.254 mask 255.255.255.128
    ip verify reverse-path interface outside
    ip audit attack action alarm drop
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 10.71.79.0 255.255.255.0 echo inside
    icmp permit any inside
    icmp permit any unreachable outside
    icmp permit 86.84.144.144 255.255.255.240 echo outside
    icmp permit any outside
    asdm image disk0:/asdm-645.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list SHEEP
    nat (inside) 1 192.168.20.0 255.255.255.0
    static (inside,outside) tcp interface smtp 10.71.79.2 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https 10.71.79.2 https netmask 255.255.255.255
    static (inside,outside) tcp interface 987 10.71.79.2 987 netmask 255.255.255.255
    static (inside,outside) tcp interface ldaps 10.71.79.2 ldaps netmask 255.255.255.255
    access-group INBOUND in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Serveur_RADIUS protocol radius
    aaa-server Serveur_RADIUS (inside) host 10.71.79.2
     key *
     radius-common-pw *
     no mschapv2-capable
    aaa authentication ssh console LOCAL
    http server enable
    http server session-timeout 60
    http 0.0.0.0 0.0.0.0 inside
    http 87.84.164.144 255.255.255.240 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetinbound interface inside
    service resetinbound interface outside
    service resetoutside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYN_CLIENT_VPN 10 match address CLIENT_VPN
    crypto dynamic-map DYN_CLIENT_VPN 10 set transform-set ESP-AES-256-SHA ESP-3DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map IPSEC_VPN 10 match address RITM
    crypto map IPSEC_VPN 10 set peer 88.98.52.177
    crypto map IPSEC_VPN 10 set transform-set ESP-AES-256-SHA ESP-3DES-MD5
    crypto map IPSEC_VPN 100 ipsec-isakmp dynamic DYN_CLIENT_VPN
    crypto map IPSEC_VPN 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map IPSEC_VPN interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-192
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 40
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh scopy enable
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 88.98.52.176 255.255.255.240 outside
    ssh 175.171.144.58 255.255.255.255 outside
    ssh 89.187.81.30 255.255.255.255 outside
    ssh timeout 60
    ssh version 2
    console timeout 30
    management-access inside
    vpdn group idnet request dialout pppoe
    vpdn group idnet localname
    vpdn group idnet ppp authentication chap
    vpdn username password *
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address 10.0.0.0 255.255.0.0
    threat-detection scanning-threat shun duration 360
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 130.88.202.49 source outside prefer
    tftp-server outside 86.84.174.157 /Aberdeen_Fishing_Producers_(ASA5505).config
    webvpn
     port 4443
     enable outside
     dtls port 4443
     svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-2.4.0202-k9.pkg 2
     svc image disk0:/anyconnect-macosx-powerpc-2.4.0202-k9.pkg 3
     svc profiles ANYCONNECT_PROFILE disk0:/AnyConnectProfile.xml
     svc enable
    group-policy DfltGrpPolicy attributes
     wins-server value 10.71.79.2
     dns-server value 10.71.79.2
     vpn-simultaneous-logins 10
     vpn-tunnel-protocol IPSec svc
     ip-comp enable
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT_TUNNEL
     default-domain value afpo.local
     webvpn
      svc rekey time 60
      svc rekey method ssl
      svc profiles value ANYCONNECT_PROFILE
      svc ask none default svc
    group-policy TSadmin internal
    group-policy TSadmin attributes
     wins-server value 10.71.79.2
     dns-server value 10.71.79.2
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value TSadmin_splitTunnelAcl
     default-domain value afpo.local
    username backup password qwzcxbPwKZ7WiiEC encrypted privilege 15
    username backup attributes
     service-type remote-access
    username admin password Cg9KcOsN6Wl24jnz encrypted privilege 15
    username admin attributes
     service-type remote-access
    username tsadmin password v./oXn.idbhaKhwk encrypted privilege 15
    username ritm password 7AzpFEsR.OR60CY/ encrypted privilege 15
    username ritm attributes
     service-type remote-access
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool SSL_VPN_POOL
     authentication-server-group Serveur_RADIUS LOCAL
    tunnel-group RemoteVPN type remote-access
    tunnel-group RemoteVPN general-attributes
     address-pool CLIENT_VPN_POOL
     authentication-server-group Serveur_RADIUS LOCAL
    tunnel-group RemoteVPN ipsec-attributes
     pre-shared-key *
    tunnel-group 87.91.52.177 type ipsec-l2l
    tunnel-group 89.78.52.177 ipsec-attributes
     pre-shared-key *
    tunnel-group TSadmin type remote-access
    tunnel-group TSadmin general-attributes
     address-pool CLIENT_VPN_POOL
     default-group-policy TSadmin
    tunnel-group TSadmin ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:9ddde99467420daf7c1b8d414dd04cf3
    : end
    ASA#

    Doug,

    The NAT exemption from inside to outside, if the LAN is 192.168.20.0, should be like this:

    access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 172.16.0.129 255.255.255.128

    Just to be clear, since you use remote VPN, you must add 192.168.20.0 to the split-tunnel ACL:

    access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0

    -JP-
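    As an added example (not from the thread, and not a Cisco tool), a small Python checker for the two points JP raises. It reads the nat 0 ACL, the address pools, the inside interface and the split-tunnel list out of an ASA-style fragment constructed here to mirror Doug's config (the ACL name SHEEP and the pool names are taken from the thread), and reports whether each pool is NAT-exempt from the LAN and whether the LAN is in the split-tunnel ACL.

```python
import ipaddress
import re

# Constructed ASA 8.2-style fragment modelled on the thread's config: the inside
# LAN is now 192.168.20.0/24 but the split-tunnel ACL still lists only the old
# 10.71.79.0/24. Sample input, not a real device's configuration.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.20.1 255.255.255.0
access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.71.79.0 255.255.255.0
ip local pool CLIENT_VPN_POOL 172.16.0.1-172.16.0.126 mask 255.255.255.128
ip local pool SSL_VPN_POOL 172.16.0.129-172.16.0.254 mask 255.255.255.128
nat (inside) 0 access-list SHEEP
split-tunnel-network-list value SPLIT_TUNNEL
"""
# The same fragment with the line JP proposes (the LAN added to the split-tunnel ACL).
FIXED_CONFIG = SAMPLE_CONFIG + "access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0\n"

def net(addr, mask):
    """ASA writes 'address netmask'; turn that pair into a network object."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect the pieces that decide whether VPN clients can reach the LAN. Only the
    network/netmask ACE forms used in the thread are handled; 'any', 'host' and
    object-group entries are skipped."""
    st = {"acls": {}, "pools": {}, "ifaces": {}, "nat0": None, "split": None}
    ifname = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ifname = None
        elif m := re.match(r"nameif (\S+)$", line):
            ifname = m.group(1)
        elif m := re.match(r"ip address (\d\S*) (\d\S*)$", line):  # skips 'ip address pppoe'
            st["ifaces"][ifname] = net(*m.groups())
        elif m := re.match(r"access-list (\S+) extended permit ip (\d\S*) (\S+) (\d\S*) (\S+)$", line):
            name, s, sm, d, dm = m.groups()
            st["acls"].setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := re.match(r"access-list (\S+) standard permit (\d\S*) (\S+)$", line):
            name, n, nm = m.groups()
            st["acls"].setdefault(name, []).append(net(n, nm))
        elif m := re.match(r"ip local pool (\S+) (\S+?)\s*-\s*(\S+) mask", line):
            name, first, last = m.groups()
            st["pools"][name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            st["nat0"] = m.group(1)
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            st["split"] = m.group(1)
    return st

def pool_nat_exempt(st, pool_name):
    """True if the nat 0 ACL has an ACE from the inside LAN to a network holding the
    whole pool, so LAN-to-client traffic is not translated."""
    lan, (first, last) = st["ifaces"]["inside"], st["pools"][pool_name]
    return any(lan.subnet_of(src) and first in dst and last in dst
               for src, dst in st["acls"].get(st["nat0"], []))

def lan_in_split_tunnel(st):
    """True if the split-tunnel ACL covers the inside LAN, so the client routes it into the tunnel."""
    lan = st["ifaces"]["inside"]
    return any(lan.subnet_of(n) for n in st["acls"].get(st["split"], []))

def audit(config):
    st = parse(config)
    return {"nat_exempt": {p: pool_nat_exempt(st, p) for p in st["pools"]},
            "lan_in_split_tunnel": lan_in_split_tunnel(st)}
```

    Running audit() on SAMPLE_CONFIG shows both pools NAT-exempt but the LAN missing from the split-tunnel list, which is exactly the symptom Doug describes; FIXED_CONFIG passes both checks.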
