L2L VPN: 1941 to ASA

Hi all

I have a strange problem trying to establish a VPN between my router (1941) and a remote ASA.

The problem, as far as I can tell, is that the IKE exchange falls apart after MM6. I'm not an expert in this, but I'll try to explain to the best of my knowledge.

Here's the full debug crypto isakmp output:
*Jun 10 05:12:05.187: ISAKMP:(1001):purging SA., sa=3AD3BE6C, delme=3AD3BE6C
*Jun 10 05:12:05.259: ISAKMP:(0): SA request profile is (NULL)
*Jun 10 05:12:05.259: ISAKMP: Created a peer struct for 41.223.4.83, peer port 500
*Jun 10 05:12:05.259: ISAKMP: New peer created peer = 0x4B475724 peer_handle = 0x80000004
*Jun 10 05:12:05.259: ISAKMP: Locking peer struct 0x4B475724, refcount 1 for isakmp_initiator
*Jun 10 05:12:05.259: ISAKMP: local port 500, remote port 500
*Jun 10 05:12:05.263: ISAKMP: set new node 0 to QM_IDLE
*Jun 10 05:12:05.263: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3AD3BE6C
*Jun 10 05:12:05.263: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 10 05:12:05.263: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
*Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 10 05:12:05.263: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 10 05:12:05.263: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Jun 10 05:12:05.263: ISAKMP:(0): beginning Main Mode exchange
*Jun 10 05:12:05.263: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 10 05:12:05.263: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 10 05:12:05.475: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 10 05:12:05.475: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 10 05:12:05.475: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Jun 10 05:12:05.475: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
*Jun 10 05:12:05.475: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 10 05:12:05.475: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
*Jun 10 05:12:05.475: ISAKMP:(0): processing IKE frag vendor id payload
*Jun 10 05:12:05.475: ISAKMP:(0): IKE Fragmentation not enabled
*Jun 10 05:12:05.475: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
*Jun 10 05:12:05.475: ISAKMP:(0): local preshared key found
*Jun 10 05:12:05.475: ISAKMP : Scanning profiles for xauth ...
*Jun 10 05:12:05.475: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 10 05:12:05.475: ISAKMP:      encryption AES-CBC
*Jun 10 05:12:05.475: ISAKMP:      keylength of 256
*Jun 10 05:12:05.475: ISAKMP:      hash SHA
*Jun 10 05:12:05.475: ISAKMP:      default group 2
*Jun 10 05:12:05.475: ISAKMP:      auth pre-share
*Jun 10 05:12:05.475: ISAKMP:      life type in seconds
*Jun 10 05:12:05.475: ISAKMP:      life duration (basic) of 28800
*Jun 10 05:12:05.475: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:life: 0
*Jun 10 05:12:05.475: ISAKMP:(0):Basic life_in_seconds:28800
*Jun 10 05:12:05.475: ISAKMP:(0):Returning Actual lifetime: 28800
*Jun 10 05:12:05.475: ISAKMP:(0)::Started lifetime timer: 28800.
 
*Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
*Jun 10 05:12:05.511: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 10 05:12:05.511: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
*Jun 10 05:12:05.511: ISAKMP:(0): processing IKE frag vendor id payload
*Jun 10 05:12:05.511: ISAKMP:(0): IKE Fragmentation not enabled
*Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Jun 10 05:12:05.511: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun 10 05:12:05.511: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Jun 10 05:12:05.727: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun 10 05:12:05.727: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 10 05:12:05.727: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Jun 10 05:12:05.727: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 10 05:12:05.759: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 10 05:12:05.759: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
*Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
*Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is Unity
*Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
*Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID seems Unity/DPD but major 104 mismatch
*Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is XAUTH
*Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
*Jun 10 05:12:05.763: ISAKMP:(1003): speaking to another IOS box!
*Jun 10 05:12:05.763: ISAKMP:(1003): processing vendor id payload
*Jun 10 05:12:05.763: ISAKMP:(1003): vendor ID seems Unity/DPD but hash mismatch
*Jun 10 05:12:05.763: ISAKMP:received payload type 20
*Jun 10 05:12:05.763: ISAKMP (1003): His hash no match - this node outside NAT
*Jun 10 05:12:05.763: ISAKMP:received payload type 20
*Jun 10 05:12:05.763: ISAKMP (1003): No NAT Found for self or peer
*Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Jun 10 05:12:05.763: ISAKMP:(1003):Send initial contact
*Jun 10 05:12:05.763: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 10 05:12:05.763: ISAKMP (1003): ID payload
        next-payload : 8
        type         : 1
        address      : 82.117.193.82
        protocol     : 17
        port         : 500
        length       : 12
*Jun 10 05:12:05.763: ISAKMP:(1003):Total payload length: 12
*Jun 10 05:12:05.763: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 10 05:12:05.763: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5
 
*Jun 10 05:12:05.975: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 10 05:12:05.975: ISAKMP:(1003): processing ID payload. message ID = 0
*Jun 10 05:12:05.975: ISAKMP (1003): ID payload
        next-payload : 8
        type         : 1
        address      : 41.223.4.83
        protocol     : 17
        port         : 0
        length       : 12
*Jun 10 05:12:05.975: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 10 05:12:05.975: ISAKMP:(1003): processing HASH payload. message ID = 0
*Jun 10 05:12:05.975: ISAKMP:received payload type 17
*Jun 10 05:12:05.979: ISAKMP:(1003): SA authentication status:
        authenticated
*Jun 10 05:12:05.979: ISAKMP:(1003): SA has been authenticated with 41.223.4.83
*Jun 10 05:12:05.979: ISAKMP: Trying to insert a peer 82.117.193.82/41.223.4.83/500/, and inserted successfully 4B475724.
*Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Jun 10 05:12:05.979: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 2434392874
*Jun 10 05:12:05.979: ISAKMP:(1003):QM Initiator gets spi
*Jun 10 05:12:05.979: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 10 05:12:05.979: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 10 05:12:05.979: ISAKMP:(1003):Node 2434392874, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jun 10 05:12:06.195: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
*Jun 10 05:12:06.195: ISAKMP: set new node 169965215 to QM_IDLE
*Jun 10 05:12:06.195: ISAKMP:(1003): processing HASH payload. message ID = 169965215
*Jun 10 05:12:06.195: ISAKMP:(1003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 169965215, sa = 0x3AD3BE6C
*Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 169965215 error FALSE reason "Informational (in) state 1"
*Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jun 10 05:12:06.199: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
*Jun 10 05:12:06.199: ISAKMP: set new node 1149953416 to QM_IDLE
*Jun 10 05:12:06.199: ISAKMP:(1003): processing HASH payload. message ID = 1149953416
*Jun 10 05:12:06.199: ISAKMP:(1003): processing DELETE payload. message ID = 1149953416
*Jun 10 05:12:06.199: ISAKMP:(1003):peer does not do paranoid keepalives.

*Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.223.4.83)
*Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 1149953416 error FALSE reason "Informational (in) state 1"
*Jun 10 05:12:06.199: ISAKMP: set new node 613686650 to QM_IDLE
*Jun 10 05:12:06.199: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 10 05:12:06.199: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 10 05:12:06.199: ISAKMP:(1003):purging node 613686650
*Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.223.4.83)
*Jun 10 05:12:06.199: ISAKMP: Unlocking peer struct 0x4B475724 for isadb_mark_sa_deleted(), count 0
*Jun 10 05:12:06.199: ISAKMP: Deleting peer node by peer_reap for 41.223.4.83: 4B475724
*Jun 10 05:12:06.203: ISAKMP:(1003):deleting node -1860574422 error FALSE reason "IKE deleted"
*Jun 10 05:12:06.203: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 10 05:12:06.203: ISAKMP:(1003):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Jun 10 05:12:25.187: ISAKMP:(1002):purging node 1140237073

Installed IOS is c1900-universalk9-mz.SPA.154-3.M5.bin

Before that I had 15.3, same thing.

BGPR1#sho run
Building configuration...

Current configuration : 5339 bytes
!
! Last configuration change at 05:19:14 UTC Fri Jun 10 2016 by boris
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BGPR1
!
boot-start-marker
boot system flash0:c1900-universalk9-mz.SPA.154-3.M5.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
ip flow-cache timeout active 1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-3992366821
!
!
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01
  quit
license udi pid CISCO1941/K9 sn CF
!
!
username
username
!
redundancy
!
!
no crypto ikev2 diagnose error
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key * address 41.223.4.83
!
!
crypto ipsec transform-set Meridian ah-sha-hmac esp-aes 256
 mode tunnel
!
!
!
crypto map Meridian 10 ipsec-isakmp
 description VODACOM VPN
 set peer 41.223.4.83
 set security-association lifetime seconds 86400
 set transform-set Meridian
 match address 100
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description peer na Telekom
 ip address 79.101.96.6 255.255.255.252
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description peer na SBB
 ip address 82.117.193.82 255.255.255.252
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
 no cdp enable
 crypto map Meridian
!
interface FastEthernet0/0/0
 no ip address
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 switchport access vlan 103
 no ip address
!
interface Vlan1
 ip address 37.18.184.1 255.255.255.0
 ip flow ingress
 ip flow egress
!
interface Vlan103
 ip address 10.10.10.1 255.255.255.0
!
router bgp 198370
 bgp log-neighbor-changes
 network 37.18.184.0 mask 255.255.255.0
 neighbor 10.10.10.2 remote-as 201047
 neighbor 10.10.10.2 route-map T-OUT out
 neighbor 79.101.96.5 remote-as 8400
 neighbor 79.101.96.5 fall-over
 neighbor 79.101.96.5 route-map LOCALPREF in
 neighbor 79.101.96.5 route-map T-OUT out
 neighbor 82.117.193.81 remote-as 31042
 neighbor 82.117.193.81 fall-over
 neighbor 82.117.193.81 route-map LocalOnly out
!
ip forward-protocol nd
!
ip as-path access-list 10 permit ^$
ip as-path access-list 20 permit ^31042$
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source Vlan1
ip flow-export version 5 peer-as
ip flow-export destination 37.18.184.8 2055
!
ip route 37.18.184.0 255.255.255.0 Null0
ip route 104.28.15.63 255.255.255.255 79.101.96.5
ip route 217.26.67.79 255.255.255.255 79.101.96.5
!
!
ip prefix-list Filter_IN_Telekom seq 10 permit 0.0.0.0/0
!
route-map T-OUT permit 10
 match as-path 10
!
route-map LOCALPREF permit 10
 set local-preference 90
!
route-map SBBOnly permit 10
 match as-path 20
!
route-map LocalOnly permit 10
 match as-path 10
!
!
snmp-server community m3r1d1an RO
snmp-server ifindex persist
access-list 100 permit ip host 37.18.184.4 host 41.217.203.234
access-list 100 permit ip host 37.18.184.169 host 41.217.203.234
!
control-plane
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end
 
BGPR1#

BGPR1#sho cry isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

41.223.4.83     82.117.193.82   MM_NO_STATE       1106 ACTIVE (deleted)

41.223.4.83     82.117.193.82   MM_NO_STATE       1105 ACTIVE (deleted)

For "sho cry ipsec sa" I only get a lot of send errors.

For the other end, I was given all the settings; I have no access to that device, and they insist that this is a simple setup and that any problem is on my side.

I tried juggling the order of the access list, the crypto map security-association lifetime, and every "googlable" solution I could find.

Any input appreciated.

Double-check phase 2 on the ASA, including PFS.

crypto ipsec transform-set meridian ah-sha-hmac esp-aes 256
 mode tunnel
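Read as a state machine, the debug output above gives a cleaner answer than scanning it by eye: the router walks IKE_I_MM1 through IKE_I_MM6 to IKE_P1_COMPLETE and logs "SA has been authenticated", so Phase 1 (pre-shared key, AES-256/SHA/group 2) succeeded, and the first thing the ASA sends back to the router's Quick Mode packet is NOTIFY PROPOSAL_NOT_CHOSEN (protocol 3, ESP) followed by a DELETE. That is a Phase 2 rejection, which is what the reply points at. What follows is an added example and not code from the thread or from Cisco: a small Python analyser that tracks the Old State/New State transitions in IOS `debug crypto isakmp` output, classifies where the negotiation stopped, and checks the router's transform-set line for the one mismatch an ASA peer can never resolve. The two sample logs are constructed (the first from lines in the post above, the second a made-up retransmit case); the message wording follows IOS 15.x; `parse_isakmp_debug`, `diagnose`, `check_transform_set` and the label strings are this example's own naming. The transform-set check flags `ah-sha-hmac`: the ASA negotiates ESP only, so an AH+ESP transform set cannot match any ASA proposal regardless of PFS or lifetime settings, and it is worth ruling out before comparing PFS as the reply suggests.

```python
"""Analyse Cisco IOS `debug crypto isakmp` output (added example, not from the thread).

Tracks the IKE state transitions, records what the peer sends once Phase 1
completes, and classifies the outcome. Sample logs below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")
DELETE_RE = re.compile(r"processing DELETE payload")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
PEER_RE = re.compile(r"found peer pre-shared key matching (\S+)")

# ISAKMP DOI protocol IDs carried in the NOTIFY payload (RFC 2407).
PROTO_NAME = {1: "ISAKMP", 2: "AH", 3: "ESP"}


@dataclass
class IkeRun:
    peer: Optional[str] = None
    states: list[str] = field(default_factory=list)  # consecutive duplicates dropped
    authenticated: bool = False
    notifies: list[tuple[str, int]] = field(default_factory=list)
    delete_received: bool = False


def parse_isakmp_debug(text: str) -> IkeRun:
    """Walk the debug lines once and collect the facts diagnose() needs."""
    run = IkeRun()
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            run.peer = m.group(1)
        if m := STATE_RE.search(line):
            new_state = m.group(2)
            if not run.states or run.states[-1] != new_state:
                run.states.append(new_state)
        if AUTH_RE.search(line):
            run.authenticated = True
        if m := NOTIFY_RE.search(line):
            run.notifies.append((m.group(1), int(m.group(2))))
        if DELETE_RE.search(line):
            run.delete_received = True
    return run


def diagnose(run: IkeRun) -> str:
    """Classify where the negotiation stopped. The labels are this example's own."""
    if "IKE_P1_COMPLETE" not in run.states:
        last = run.states[-1] if run.states else "none"
        return f"phase1-failed: last state {last}"
    # Phase 1 is up; a PROPOSAL_NOT_CHOSEN now means the peer rejected Quick Mode.
    for name, proto in run.notifies:
        if name == "PROPOSAL_NOT_CHOSEN":
            return f"phase2-mismatch: peer rejected {PROTO_NAME.get(proto, str(proto))} proposal"
    if "IKE_QM_PHASE2_COMPLETE" in run.states:
        return "phase2-complete"
    if run.delete_received:
        return "phase1-deleted-by-peer"
    return "phase1-complete"


def check_transform_set(line: str) -> list[str]:
    """Warnings for a 'crypto ipsec transform-set' line when the peer is an ASA."""
    tokens = line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or len(tokens) < 5:
        raise ValueError("not a transform-set line")
    transforms = tokens[4:]  # tokens[3] is the set name
    warnings = []
    ah = [t for t in transforms if t.startswith("ah-")]
    if ah:  # ASA has no AH support, so this set can never match an ASA proposal
        warnings.append(f"AH transform {' '.join(ah)} present; ASA negotiates ESP only")
    if not any(t.startswith("esp-") for t in transforms):
        warnings.append("no ESP transform in set")
    return warnings


# Constructed from lines in the post above (timestamps and IDs copied from it).
SAMPLE_LOG = """\
*Jun 10 05:12:05.263: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
*Jun 10 05:12:05.263: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 10 05:12:05.475: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun 10 05:12:05.727: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jun 10 05:12:05.979: ISAKMP:(1003): SA has been authenticated with 41.223.4.83
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jun 10 05:12:06.195: ISAKMP:(1003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Jun 10 05:12:06.199: ISAKMP:(1003): processing DELETE payload. message ID = 1149953416
*Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# Constructed contrast case: peer never answers MM1, so Phase 1 itself fails.
SAMPLE_LOG_P1_FAIL = """\
*Jun 10 05:20:01.000: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
*Jun 10 05:20:01.000: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 10 05:20:11.000: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
"""

if __name__ == "__main__":
    for label, log in (("post", SAMPLE_LOG), ("retransmit", SAMPLE_LOG_P1_FAIL)):
        run = parse_isakmp_debug(log)
        print(f"{label}: peer={run.peer} states={' > '.join(run.states)}")
        print(f"  verdict: {diagnose(run)}")
    for w in check_transform_set("crypto ipsec transform-set Meridian ah-sha-hmac esp-aes 256"):
        print("  transform-set:", w)
```

Run it against a saved `debug crypto isakmp` capture (paste the text into `parse_isakmp_debug`); a verdict of `phase2-mismatch` with Phase 1 authenticated means the pre-shared key and the ISAKMP policy are fine and the comparison to make with the far end is the IPsec proposal: transform set, PFS group, and the crypto ACL versus the ASA's crypto map ACL.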

Tags: Cisco Security

Similar Questions

  • ASA, VPN Site-to-Site

    Hello

    I would like to set up a site-to-site VPN using an ASA 5520 and I have some questions, if you don't mind:

    Site A:

    Peer IP address: aaa.aaa.aaa.aaa/32

    Local network: bbb.bbb.bbb.bbb/32

    Site b:

    Peer IP address: xxx.xxx.xxx.xxx/32

    Local network: yyy.yyy.yyy.yyy/32

    In the site-to-site VPN wizard (site B), the peer network should be site A, the local network must be site B, and the remote network must be site A, right?

    The IP address of the local network should not be used by other devices, right? Can I use a single IP address instead of a network range for the LAN and the remote network? Can the client on site A give me a single IP address?

    Can I allow site A to reach only a single IP address on my site B, allowing only ports 80 and 443? Please can you give me an example; I prefer ASDM.

    Thank you and waiting for your help.

    Hello

    I can only really give an example of this using the CLI (or rather I do so as I hardly use ASDM at all)

    Do you have any existing L2L / site-to-site VPN connections on the ASA?

    Could you share your current configuration (removing all sensitive information) so we can take into account all the existing configuration you have?

    Have you agreed on what the L2L VPN Phase 1 and Phase 2 settings will be with the other site's technical contact who will set up their side of the L2L VPN?

    -Jouni

  • ASA VPN with Fortgate

    Hello people!

    I still have the problem with VPN... Laughing out loud

    I have to create a new site-to-site VPN between an ASA 5510 (8.4(2)) and a Fortigate, but something is very strange: the VPN doesn't come up, and in debug crypto ikev1 10 I see the following log:

    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    But if I ask the other peer to change to Group 2, the message on the ASA is:

    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

    On the Fortigate it is possible to enable both groups 1 and 2 for the specific VPN; I asked the other peer to leave it that way and the ASA shows:

    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    [IKEv1] Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    The show isakmp sa:

    9   IKE Peer: 179.124.32.181
        Type    : user            Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG3

    I have deleted and recreated the VPN 3 times and the same error occurs.

    Has anyone seen this kind of problem?

    Is it using Fortigate version 5 by chance?

    I have seen Cisco ASA VPN problems repeatedly with that Fortigate code, but mostly it has been a Phase 2 problem, and setting the KB lifetime to the maximum on the ASA side has solved it... However this does not seem to be your problem here.

    The first thing I see in your config is that you have PFS enabled - have you ensured it is set on the Fortinet side, or tried turning it off on the Cisco side to see if it comes up?

    Being stuck at MM_WAIT_MSG3 means that you sent your policy back, but then did not receive the third packet in the ISAKMP exchange, so either the Fortigate is unhappy with something or there's a routing problem (unlikely, though, given that you have already had communication)

    Try on the ASA side:

    debug crypto isakmp 7
    Can you also confirm your external interface is 'outside1'? You can see this with "show ip".
  • ASA VPN - allow user based on LDAP Group

    Hello friends

    I have to create a configuration to allow connection based on LDAP group.

    I'm not a firewall specialist and I tried to follow the links below, but both seem old; several commands are not available.

    http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Anyone know how I can do?

    Thank you

    Marcio

    I like to use DAP (dynamic access policies) to control this. Follow this guide:

    https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

  • Assign the static IP address by ISE, ASA VPN clients

    We will integrate the ASA remote access VPN service with a new ISE 1.2.

    Authentication is performed against Active Directory. After authentication, can ISE assign a specific IP address to a specific VPN user?

    This means that the same VPN user will always get the same IP address. Thank you.

    Daniel,

    You can override IETF-RADIUS-Framed-IP-Address in the authorization policy.

    However, if I may make a suggestion:

    Unless you have only a handful of users to do this for, it may be more appropriate to assign the address from an ISE pool or perform the LDAP attribute mapping on the ASA itself.

    In the latter case the IP addresses are kept on the LDAP server as attributes and the ASA will map the IP address. You don't want to keep the IP address DB in several places.

    M.

  • Device behind a Firewall other, ASA VPN

    I have a client who wants to put their VPN ASA behind the main ASA connected to the Internet. Both devices have an inside leg to the internal network, but the VPN ASA connects directly to the Internet ASA.

    Topology:

    Outside FW: Internet > ASA/FW > DMZ leg to ASA/VPN

    ASA VPN: Outside L3 interface links to the DMZ interface of the ASA/FW

    On the outside FW I NAT the external address of the VPN ASA's outside interface to an available public IP address and I have a rule that allows all IP from outside to the VPN ASA's outside private IP. Inside = 192.168.254.1, outside = public IP address.

    Standard SSL remote access is configured on the VPN ASA.

    When I hit the NAT public IP address, nothing happens. I've run packet-tracer on the outside FW and everything seems good.

    Does anyone have a sample design/config for a similar topology?     Internet > ASA/FW > dmz-leg > ASA/VPN

    Thanks in advance,
    Bob

    Can you share your NAT and routing configuration of these two ASAs?

  • ASDM conc (ASA) VPN access

    I have the script like this:

    an ASA, which is the FW, TR making static NAT from the public to the private IP and private IP address add is add conc (another ASA) VPN. I am accessing these devices via the VPN client and I get the address IP of VPN pool set on VPN conc. VPN conc. is in a DMZ VLAN, but it also has connection to the local network segment. Purposes of mgmt, I connect to this VPN through SSH conc via a switch in the local network segment. To use the http access, I have to be on one of the servers that are in the local network segment. Since then, when I set up the VPN connection, I'm sure VPN conc., what can do to access http directly from my PC?

    This sets up on the conc VPN:

    management-access inside

    After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside ip address.

    hth
    Herbert
    (note, I assume the name of the interface connected to the LAN is named "inside", if not adapt at will )

  • ASA VPN positive = SSL VPN?

    Hello

    I have a failover pair; I need to replace an ASA5520 which has a VPN Plus 750 license

    Can I use an ASA5520 with ASA5500-SSL-750 instead?

    Regards Tony

    Yes, it is still available to order. Part number: ASA5520-VPN-PL=

    In addition, this ASA VPN Plus would be much, much cheaper than the SSL VPN license.

    Thank you

    Kiran

  • New ASA/VPN configuration

    So, I am looking to add one of my spare 5510 firewalls to my secondary network as a VPN concentrator.

    All I want this new ASA to do is handle my site's AnyConnect VPN connections. I'm pretty new to ASAs, so any help would be great. I know how to create a new VPN access on my ASA and I added a NAT for my inside and outside traffic to my new VPN IP pool.

    My question is, since it's only for VPN and I want all my current internal traffic to continue routing through the existing ASA 5510, do I have to enter ACLs on my new VPN-only ASA? What ACLs are used for VPN traffic, and do I need them to route traffic via the VPN?

    I'll set up the inside interface to connect to one of my main Cisco switches, and the outside interface connects to my DMZ switch on the new VPN-only ASA.

    Thank you

    I'm not sure I follow how you connect the external interface of the VPN-only ASA. Normally, in this type of installation, we would see the VPN ASA "in parallel" with the perimeter firewall.

    You mention the DMZ switch, which threw me a little. If you are coming in through your main firewall and reaching the VPN-only ASA via the DMZ, then yes, you will need to allow several open ports (protocol 50, udp/500, tcp/443 among others) and may have to use some other techniques (NAT-T, etc.) depending on the type of remote access you are implementing. That's why we rarely see this configuration used - it adds a good dose of complexity without significant benefit.

    When the parallel setup is used, you need your internal switch to know to route traffic to the VPN pool via the VPN-only ASA's inside interface. A static route is most often used, although you could use OSPF or EIGRP if you wanted to.

    There should generally not be any access list needed, as VPN traffic bypasses the interface access lists on the incoming interface. Return traffic to remote clients comes from inside and goes out (and is usually part of an established connection), so no access list is necessary inside.

  • ASA VPN on physical IP address only?

    Hello

    Is it possible to set up a dedicated virtual IP address for the VPN endpoint on ASA version 8.3 and later?

    I don't want to use the physical IP address on my external interface.

    Thank you

    No problem. Please kindly mark this post as answered so that others may learn from your post. Thank you.

  • ASA Vpn load balancing and failover

    Hi all.

    We have two asa5520s configured as primary and secondary units in a failover configuration, and everything works fine.

    Is it possible with this configuration (failover) to also configure VPN load balancing/clustering?

    Thank you

    Daniele

    Hi Daniele,

    You cannot run both the VPN load balancing feature and the failover feature on the same two ASA firewalls.

    Where you need to use both features, you must use more than three ASA firewalls: the first two ASAs will work as a failover pair and the third ASA will work as the VPN cluster for them. The following example uses four firewalls:

    ASA1 (FO Active) - ASA2 (FO Standby)
    (VPN virtual master)
    |
    (VPN backup device)
    ASA3 (FO Active) - ASA4 (FO Standby)

    Kind regards

    Wajih

  • 8.2 ASA vpn filter for connections l2l

    I have a vpn-filter set on my L2L policy. The remote site uses a Cisco 1811 router and the main hub is a Cisco 5580. I already have a vpn-filter ACL in place on an existing L2L connection which works fine. The only issue is that when I make changes to the ACL to add/remove access, I have to reload the whole tunnel before the changes take effect.

    My question is, is there a command to reload the access control without tearing down the tunnel?

    Hi Jeffrey,

    By design, whenever there are changes in the group-policy attributes (including the vpn-filter, dns/wins ip or vpn-protocol etc.), you need to reset the respective tunnel so that phase 2 negotiates with the newly added policy. The command to clear a specific tunnel is:

    clear crypto ipsec sa peer

    For more details on the command, please see the link below

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C3.html#wp2133652

    So, to answer your query, there is no command to reset the access control. Even if there were such a command, you would still have to bounce the tunnel to trigger IPsec negotiation with the new group-policy settings.

    HTH...

    Concerning
    Mohit

  • l2l ASA vpn issues

    Hi all

    I have two firewalls that I'm trying to set up an L2L VPN between. One of them is an old SonicWall and the other a 5505.

    I put everything in; phase 1/2 completes and the tunnel comes up, however no traffic passes through.

    Here is my configuration

    ASA (outside 192.168.30.1), ASA internal 192.168.10.0/25

    SonicWALL (outside 192.168.30.2), SonicWall 192.168.20.0/24

    I have an access-list configured on the ASA and applied to the crypto map using "crypto map XXXX 1 match address YYY"

    However when I watch the debugging on the console it says: "Failed to locate egress interface for UDP from XXXX:192.168.10.10/1 to 192.178.20.1/0"

    Any ideas why this is?

    Do I just need a static route saying all traffic on the ASA with source 192...10.0 should go via 192.168.30.2?

    I guessed that was the job of the crypto map

    Am I wrong?

    Hello

    It's beginning to seem to me that you have a VPN filter ACL configured for your L2L VPN and also that the VPN filter ACL and the crypto ACL are the same, meaning you use a single ACL for both.

    Why I think it's like this is the fact that you say your L2L VPN traffic passes the VPN phase in "packet-tracer", which means the L2L VPN crypto ACL was correct. At the same time you say that the connection was stopped at the VPN USER phase. That points to a VPN filter ACL being configured.

    Given the above, I also know that the filter ACL for an L2L VPN behaves with different logic than a typical interface ACL. In an L2L VPN the filter ACL ALWAYS mentions the remote network as the source and your local network as the destination.

    If you add an ACL rule with the networks switched, it seems this fixes the VPN filter ACL problems and finally allows traffic. Naturally I can only guess, as I have not seen the actual configurations at this point (which, usually together with "packet-tracer" output, helps solve a problem faster than just guessing)

    If you indeed have a VPN filter, you may be able to track it down with the following commands

    show run tunnel-group

    Check if a "group-policy" is defined, then the command

    show run group-policy

    That output should list the name of the VPN filter ACL if it is set

    Regarding the automatic route installation: the default setting on the ASA is that it will NOT create static routes automatically based on the VPN configurations. This must be enabled manually in the "crypto map" configuration, or you can configure static routes manually.

    The ASA tracks TCP and UDP connections by default. ICMP is inspected only if its inspection is enabled. By default, it is NOT inspected.

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • Problem with Tunnel VPN L2L between 2 ASA´s

    Hi guys,.

    I have some problems with my site-to-site VPN tunnel between 2 ASAs (5520/5505).

    I watched a lot of videos on YouTube, but I can't find out why the tunnel doesn't come up...

    Both devices can ping each other's WAN IP address (outside interfaces), but I don't see any traffic between the 2 sites. It seems that the tunnel isn't coming up at all. When I ping from the local to the remote LAN (which should be interesting traffic for the tunnel...), the IKEv1 SA remains empty...

    Am I missing something? I can't understand why phase 1 isn't even starting.

    Your NAT is wrong. In your config, traffic is NATted first and then no longer matches the crypto ACL. You must move the dynamic NAT/PAT rule to the end of the NAT table on both ASAs:

     no nat (INSIDE,OUTSIDE) source dynamic any interface
     nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

  • The ASA VPN help

    Hello

    The ASA is not my strong point.  I had to make some changes to my client's ASA when the provider changed.  The ASA used to be NATed behind an NTU the previous provider gave us; with the new provider the ASA is NATed behind a modem.  The only thing that does not work right is the VPN.

    When the IPSec VPN connects we cannot ping, telnet/ssh or RDP to any of the machines.  My guess is that the ACLs are not quite right.  Could someone take a look at the config and propose something?

    WAN - ASA - LAN (192.168.20.x)

    I removed the usernames and passwords and changed the public IP addresses for security.

    ASA# sh run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname asa
    domain-name afpo.local
    enable password JCdTyvBk.ia9GKSj encrypted
    passwd d/TIM/v60pVIbiEg encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.20.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group idnet
     ip address pppoe setroute
    !
    banner exec *****************************************************
    banner exec * SCP backup enabled *
    banner exec * SYSLOG enabled *
    banner exec *****************************************************
    ftp mode passive
    clock timezone GMT/UTC 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 192.168.20.201
     domain-name afpo.local
    same-security-traffic permit intra-interface
    object-group network GFI-SERVERS
     network-object 5.11.77.0 255.255.255.0
     network-object 93.57.176.0 255.255.255.0
     network-object 94.186.192.0 255.255.255.0
     network-object 184.36.144.0 255.255.255.0
     network-object 192.67.16.0 255.255.252.0
     network-object 208.43.37.0 255.255.255.0
     network-object 228.70.81.0 255.255.252.0
     network-object 98.98.51.176 255.255.255.240
    access-list INBOUND extended permit tcp any interface outside eq https inactive
    access-list INBOUND extended permit tcp any interface outside eq 987
    access-list INBOUND extended permit tcp object-group GFI-SERVERS interface outside eq smtp inactive
    access-list INBOUND extended permit tcp object-group GFI-SERVERS interface outside eq ldaps
    access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.0.0
    access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 172.16.0.0 255.255.255.0
    access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 172.16.0.0 255.255.255.128
    access-list RITM extended permit ip 10.71.79.0 255.255.255.0 10.0.0.0 255.255.0.0
    access-list CLIENT_VPN extended permit ip any 172.16.0.0 255.255.255.128
    access-list SPLIT_TUNNEL standard permit 10.71.79.0 255.255.255.0
    access-list TSadmin_splitTunnelAcl standard permit 10.71.79.0 255.255.255.0
    pager lines 24
    logging enable
    logging trap informational
    logging asdm informational
    logging host inside 10.71.79.2
    mtu inside 1500
    mtu outside 1500
    ip local pool CLIENT_VPN_POOL 172.16.0.1-172.16.0.126 mask 255.255.255.128
    ip local pool SSL_VPN_POOL 172.16.0.129-172.16.0.254 mask 255.255.255.128
    ip verify reverse-path interface outside
    ip audit attack action alarm drop
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 10.71.79.0 255.255.255.0 echo inside
    icmp permit any inside
    icmp permit any unreachable outside
    icmp permit 86.84.144.144 255.255.255.240 echo outside
    icmp permit any outside
    asdm image disk0:/asdm-645.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list SHEEP
    nat (inside) 1 192.168.20.0 255.255.255.0
    static (inside,outside) tcp interface smtp 10.71.79.2 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https 10.71.79.2 https netmask 255.255.255.255
    static (inside,outside) tcp interface 987 10.71.79.2 987 netmask 255.255.255.255
    static (inside,outside) tcp interface ldaps 10.71.79.2 ldaps netmask 255.255.255.255
    access-group INBOUND in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Serveur_RADIUS protocol radius
    aaa-server Serveur_RADIUS (inside) host 10.71.79.2
     key *
     radius-common-pw *
     no mschapv2-capable
    aaa authentication ssh console LOCAL
    http server enable
    http server session-timeout 60
    http 0.0.0.0 0.0.0.0 inside
    http 87.84.164.144 255.255.255.240 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetinbound interface inside
    service resetinbound interface outside
    service resetoutside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYN_CLIENT_VPN 10 match address CLIENT_VPN
    crypto dynamic-map DYN_CLIENT_VPN 10 set transform-set ESP-AES-256-SHA ESP-3DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map IPSEC_VPN 10 match address RITM
    crypto map IPSEC_VPN 10 set peer 88.98.52.177
    crypto map IPSEC_VPN 10 set transform-set ESP-AES-256-SHA ESP-3DES-MD5
    crypto map IPSEC_VPN 100 ipsec-isakmp dynamic DYN_CLIENT_VPN
    crypto map IPSEC_VPN 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map IPSEC_VPN interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-192
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 40
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh enable ibou
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 88.98.52.176 255.255.255.240 outside
    ssh 175.171.144.58 255.255.255.255 outside
    ssh 89.187.81.30 255.255.255.255 outside
    ssh timeout 60
    ssh version 2
    console timeout 30
    management-access inside
    vpdn group idnet request dialout pppoe
    vpdn group idnet localname
    vpdn group idnet ppp authentication chap
    vpdn username password *

    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address 10.0.0.0 255.255.0.0
    threat-detection scanning-threat shun duration 360
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 130.88.202.49 source outside prefer
    tftp-server outside 86.84.174.157 /Aberdeen_Fishing_Producers_(ASA5505).config
    webvpn
     port 4443
     enable outside
     dtls port 4443
     svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-2.4.0202-k9.pkg 2
     svc image disk0:/anyconnect-macosx-powerpc-2.4.0202-k9.pkg 3
     svc profiles ANYCONNECT_PROFILE disk0:/AnyConnectProfile.xml
     svc enable
    group-policy DfltGrpPolicy attributes
     wins-server value 10.71.79.2
     dns-server value 10.71.79.2
     vpn-simultaneous-logins 10
     vpn-tunnel-protocol IPSec svc
     ip-comp enable
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT_TUNNEL
     default-domain value afpo.local
     webvpn
      svc rekey time 60
      svc rekey method ssl
      svc profiles value ANYCONNECT_PROFILE
      svc ask none default svc
    group-policy TSadmin internal
    group-policy TSadmin attributes
     wins-server value 10.71.79.2
     dns-server value 10.71.79.2
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value TSadmin_splitTunnelAcl
     default-domain value afpo.local
    username backup password qwzcxbPwKZ7WiiEC encrypted privilege 15
    username backup attributes
     service-type remote-access
    username admin password Cg9KcOsN6Wl24jnz encrypted privilege 15
    username admin attributes
     service-type remote-access
    username tsadmin password v./oXn.idbhaKhwk encrypted privilege 15
    username ritm password R60CY/7AzpFEsR.O encrypted privilege 15
    username ritm attributes
     service-type remote-access
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool SSL_VPN_POOL
     authentication-server-group Serveur_RADIUS LOCAL
    tunnel-group RemoteVPN type remote-access
    tunnel-group RemoteVPN general-attributes
     address-pool CLIENT_VPN_POOL
     authentication-server-group Serveur_RADIUS LOCAL
    tunnel-group RemoteVPN ipsec-attributes
     pre-shared-key *
    tunnel-group 87.91.52.177 type ipsec-l2l
    tunnel-group 89.78.52.177 ipsec-attributes
     pre-shared-key *
    tunnel-group TSadmin type remote-access
    tunnel-group TSadmin general-attributes
     address-pool CLIENT_VPN_POOL
     default-group-policy TSadmin
    tunnel-group TSadmin ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:9ddde99467420daf7c1b8d414dd04cf3
    : end
    ASA#

    Doug,

    The NAT from inside to outside will not work; if the LAN is 192.168.20.0 the NAT exemption should look like this:

    access-list SHEEP extended permit ip 192.168.20.0 255.255.255.0 172.16.0.129 255.255.255.128

    Just to be clear: if you use remote VPN, you must add 192.168.20.0 to the split tunnel ACL:

    access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0

    -JP-
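The three replies above turn on the same two ASA behaviours: NAT is applied before the crypto map is consulted (so a dynamic PAT rule that sits above the exemption rewrites the source and the crypto ACL never matches, as in the second thread and in JP's nat 0 fix), and a vpn-filter ACL is always evaluated with the remote network as source and the local network as destination (Jouni's reply). The following is an added example, not code from the thread or from Cisco: a small Python model of that packet path, with a constructed topology (192.168.20.0/24 local, 10.0.0.0/16 remote, outside address 203.0.113.10, all assumed), that reproduces both failure modes beside their fixes. It generalizes over the 8.2 `nat 0 access-list` ordering and the 8.3+ `after-auto` ordering, since in both cases only the position of the PAT rule relative to the exemption matters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry: action plus source and destination CIDRs."""
    action: str
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def acl_permits(acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """First match wins; an ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action == "permit"
    return False


@dataclass
class NatRule:
    """'exempt' models nat 0 access-list (8.2) or an identity manual NAT (8.3+);
    'pat' models dynamic PAT to the outside interface address."""
    kind: str
    src: str
    dst: str = "0.0.0.0/0"
    xlate_to: Optional[str] = None


def apply_nat(rules: List[NatRule], src_ip: str, dst_ip: str) -> str:
    """Walk the NAT table top-down; the first matching rule wins.
    Returns the source address the packet carries after translation."""
    for r in rules:
        if (ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)):
            return src_ip if r.kind == "exempt" else str(r.xlate_to)
    return src_ip


def trace(rules, crypto_acl, vpn_filter, src_ip, dst_ip) -> Tuple[str, bool, Optional[bool]]:
    """Outbound packet from the local LAN: NAT first, then the crypto ACL is
    checked against the post-NAT packet, then the vpn-filter (if any).
    The vpn-filter is evaluated remote-as-source / local-as-destination,
    so the addresses are swapped for this outbound packet."""
    nat_src = apply_nat(rules, src_ip, dst_ip)
    if not acl_permits(crypto_acl, nat_src, dst_ip):
        return nat_src, False, None          # never reaches the tunnel
    if vpn_filter is None:
        return nat_src, True, True
    return nat_src, True, acl_permits(vpn_filter, dst_ip, nat_src)


# Constructed topology (assumed, not the thread's real addresses).
LOCAL, REMOTE, OUTSIDE_IP = "192.168.20.0/24", "10.0.0.0/16", "203.0.113.10"
CRYPTO_ACL = [Ace("permit", LOCAL, REMOTE)]
PAT = NatRule("pat", "0.0.0.0/0", xlate_to=OUTSIDE_IP)
EXEMPT = NatRule("exempt", LOCAL, REMOTE)

# Wrong: PAT is hit first, the source becomes the outside IP and the crypto
# ACL never matches, so phase 1 is never even triggered for this traffic.
NAT_BROKEN = [PAT]
# Right: the exemption sits above the PAT rule (nat 0 in 8.2, or the PAT
# rule pushed below it with after-auto in 8.3+).
NAT_FIXED = [EXEMPT, PAT]

# vpn-filter written like an interface ACL (local as source): blocks everything.
FILTER_WRONG = [Ace("permit", LOCAL, REMOTE)]
# vpn-filter written the ASA way (remote as source, local as destination).
FILTER_RIGHT = [Ace("permit", REMOTE, LOCAL)]


def demo():
    """Run one local-to-remote packet through each of the four configurations."""
    src, dst = "192.168.20.5", "10.0.0.7"
    return {
        "broken_nat": trace(NAT_BROKEN, CRYPTO_ACL, None, src, dst),
        "fixed_nat": trace(NAT_FIXED, CRYPTO_ACL, None, src, dst),
        "wrong_filter": trace(NAT_FIXED, CRYPTO_ACL, FILTER_WRONG, src, dst),
        "right_filter": trace(NAT_FIXED, CRYPTO_ACL, FILTER_RIGHT, src, dst),
    }


if __name__ == "__main__":
    for name, (nat_src, encrypted, filt) in demo().items():
        print(f"{name:13s} post-NAT src={nat_src:14s} crypto-ACL={encrypted} vpn-filter={filt}")
```

The `broken_nat` case is what `packet-tracer` shows on the real box when the exemption is missing or ordered below the PAT rule: the NAT phase rewrites the source and the VPN phase is never reached. The `wrong_filter` case shows why a vpn-filter that looks sensible as an interface ACL drops all traffic, which is the symptom Jouni describes.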
