Review of the ASA 5510 Config

Similar Questions

• Cisco ASA 5510 config with SSM

  I was tasked to replace our old sonicwall tz170 firewall with an ASA 5510 and configure it (that I never did, only routers and switches) and I have a few questions.  I'm inside the ASDM and I am trying to configure my external interface...  The 5510 provided with a map of the SSM, and I assumed it would be my external interface, but I guess I'm wrong because it is not an option when running through the wizard.  I know what the SSM card for, I do not understand why there is not an external interface.  Whence this connect (just for my LAN?)?

  Currently, I have implemented the management interface to our ip and the subnet and connected through that.  I see the management interface and eth0 - eth 3.

  It's as simple as it can get, I just need the external interface to our public ip address, configure access rules to match my sonicwall.

  Also on the version, its operation ASA 8.2.1.  Should I upgrade to 8.3.1?  What is the ED after the version (not familiar with it).

  Thank you!

  These rules on the SAA are default rules, that is to say whatever it is initiated from the inside is allowed, but anything launched from outside is allowed in. Sorry, but I'm not familiar with SonicWall at all to give you advice on the rules, you will need installation. But what if all you have is an external interface and inside then will need you a nat.pat to ensure that internal addresses can go out and access list to restrict these internal if necessary networks. If you have incoming traffic is according to mail, web server, etc, then you will again be a nat and an access list to allow traffic.

  The document attached (you can ignore the router configs) should hopefully give you a better idea of how incoming transport works and how to apply access lists to the interface.

  Let me know if it helps.

• The ASA 5510 IOS version

  Hi.I have a small question. I just got an ASA 5510 7.0 update and on the accompanying CD, there is what is called an ASA 7.2 update but it's only 5 large Mbs while on the SAA is also great 5 Mbs.

  As I've never worked with a firewall which is a valid version of IOS and if so how can I upgrade ASA with her? Thanks in advance for any help.

  Igor

  It is likely that it is a valid version of the image for the SAA. I have an image for 7.1.2 is slightly more than 6 MB and an image for 7.2.2 who is a little more than 8 MB. To upgrade the image you put the image of the CD on a TFTP server TFTP image of the SAA. You may need to configure a start-up on the SAA statement to point to the new image. Save the config and reload. He should come to run the new image.

  HTH

  Rick

• The ASA 5510 DMZ configuration

  I currently have an ASA 5510 with which I am configuring a HTTP/FTP host on a demilitarized zone. Currently the DMZ host is accessible outside but the hosts on the internal network can not access. I have a dedicated IP address for the host (1.1.1.228) DMZ and another IP for the PAT interface for internal clients (1.1.1.238). I know I'm missing a piece, either a statement nat() or a static(), please advise.

  interface Ethernet0/0

  Description Interface Outside

  nameif outside

  security-level 0

  IP 1.1.1.238 255.255.255.240

  !

  interface Ethernet0/1

  Inside the Interface Description

  nameif inside

  security-level 100

  the IP 10.0.0.1 255.255.0.0

  !

  interface Ethernet0/2

  DMZ Interface Description

  nameif dmz

  security-level 50

  the IP 192.168.0.1 255.255.255.0

  -partial outside the inbound ACL.

  outside_access_in list extended access permit tcp any host 1.1.1.228 eq www

  outside_access_in list extended access permit tcp any host 1.1.1.228 eq https

  -ACL DMZ-

  DMZ list extended access permit icmp any one

  access-list extended DMZ permit tcp host 192.168.0.11 eq www everything

  access-list extended DMZ permit tcp host 192.168.0.11 eq https all

  access-list extended DMZ permit tcp host 192.168.0.11 eq ftp - data all

  DMZ list extended access permit tcp host 192.168.0.11 eq ftp everything

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  NAT (inside) 1 0.0.0.0 0.0.0.0

  public static 1.1.1.231 (Interior, exterior) 10.0.0.85 netmask 255.255.255.255

  static (dmz, outside) 1.1.1.228 192.168.0.11 netmask 255.255.255.255

  Access-group outside_access_in in interface outside

  Access-group interface dmz DMZ

  Add:

  static (inside, dmz) 10.0.0.0 mask 10.0.0.0 subnet 255.255.0.0

  The statement above will allow the host to access DMZ hosts inside using DMZ devices own IPs and vice versa.

  And, if necessary, use the ACL to restrict access to inside the DMZ, or DMZ inside.

  See you soon!

  AK

• How can I hold the public IP address on a specific profile on the asa 5510

  Hi guys

  How can I hold the public IP address on my session NAT VPN cisco customer for no one else can use it? I have a cisco ASA 5510

  the Interior is 172.10.20.86

  public 166.245.192.90

  Need to call my ISP?

  Thank you

  Sorry to say but your qustion is not very clear. Can you please post what you are trying to achieve?

  Thank you

  Ajay

• Connection IPsec via ASDM ASA 5510 config

  Hello, I have a problem finishing (IKEv1) IPSec connection to be used with Chromebooks. I crossed the config and think it's okay, but with a connection attempt I get: rejected AAA user authentication: reason = invalid password: local database: user = xxxxx

  I try to use the user account local for current tests and have confirmed and confirmed the password is correct.  No idea why authentication is not passed?

  Tony,

  In case you are using MS-CHAPv2, the user account should be like:

  username, password cisco123 mschap cisco

  Let me know.

  Thank you.

  Please note all useful messages.

• ASA 5510 - possible to fill the 2 interfaces in routed mode

  Cisco ASA 5510 with security more license, version 9.1 (5) running in routed mode.

  I want to fill two interfaces for example: eth0/2 and 3/eth0 and configure an IP address / network while leaving the ASA 5510 in routed mode. I know that this is possible in transparent mode, but I need to keep this in routed mode. I know I could configure a single interface and connect a switch but my client does not want to do.

  Otherwise, my only thought would be to configure each interface eth0/2 and eth0/3 as a network traffic and the route of subnet separate between the two.

  Any help would be appreciated!

  Thank you

  Andrew

  Andrew

  That would help us answer you better if we understood more about what your client and you want to accomplish. But to answer the specific question you asked, I don't think it is possible in an ASA5510 in routed mode configuration Eth2 and Eth3 to share a single IP address.

  Linking to Eth2 and linking to Eth3 Are they really the same subnet?

  HTH

  Rick

• ASA 5510 worm. 8.2 (5) access through VPN without client management?

  Hi all

  I am completely new to networking Cisco and virtual private networks, I'm working on to the ASA 5510 8.2 (5) 46.  Currently, the unit is set up very very little.  Access to the administration are accessible from my home network to 192.168.2.1.  I'm trying to enable management access remotely by VPN.  I created a clientless SSL VPN, which, during the wizard process, access to the specified administration was the/admin adding to the VPN https url.  Add the/admin in the url for VPN is not me the VPN connection, and by using the/admin url from the portal returns a message "not available".  Also, from the portal I can't access the ASDM using inside IP network management, it also returns the message as "unavailable".  Again, I'm new to this, any help would be greatly appreciated.  Here is my config.  and thank you!

  : Saved : ASA Version 8.2(5)46 ! hostname ALP5510 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address 99.66.203.148 255.255.255.248 ! interface Ethernet0/1 shutdown no nameif no security-level no ip address ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 nameif inside security-level 100 ip address 192.168.2.1 255.255.255.0 ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! boot system disk0:/asa825-46-k8.bin ftp mode passive dns domain-lookup inside dns server-group DefaultDNS name-server 68.94.156.1 name-server 68.94.157.1 same-security-traffic permit inter-interface pager lines 24 logging asdm informational mtu outside 1500 mtu inside 1500 mtu management 1500 ip local pool vpn 192.168.2.10 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-714.bin no asdm history enable arp timeout 14400 global (outside) 101 interface nat (inside) 101 0.0.0.0 0.0.0.0 nat (management) 101 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 99.66.203.150 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http server session-timeout 20 http 192.168.1.0 255.255.255.0 management http 192.168.2.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh 192.168.2.0 255.255.255.0 inside ssh timeout 5 console timeout 0 management-access inside dhcpd address 192.168.2.3-192.168.2.10 inside dhcpd dns 68.94.156.1 68.94.157.1 interface inside dhcpd enable inside ! dhcpd address 192.168.1.3-192.168.1.10 management dhcpd dns 68.94.156.1 68.94.157.1 interface management dhcpd enable management ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn enable outside enable inside group-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn webvpn   svc ask enable group-policy eng internal group-policy eng attributes vpn-tunnel-protocol webvpn webvpn   url-list value EngineerBookmarks username user1 password mbO2jYs13AXlIAGa encrypted privilege 15 username user1 attributes vpn-group-policy eng webvpn   url-list value EngineerBookmarks tunnel-group test type remote-access tunnel-group test general-attributes address-pool vpn tunnel-group Engineering type remote-access tunnel-group Engineering general-attributes default-group-policy eng ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options   inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:05f3afe3383542c8f62b1873421a7484 : end asdm image disk0:/asdm-714.bin asdm location 99.66.203.150 255.255.255.255 inside no asdm history enable 
  
  
  			 
  I'm TAC if you give me a number I can help you, I think we will extend that if we continue on the support forum
  		   

• Site to Site VPN ASA 5510

  OK my forehead is painful to all keyboard strokes that I know that it must be something simple, but I am brand new to the SAA.  I had a site to site VPN configuration via routers 1751 that worked very well, but we're looking to add some more remote field offices, and I felt that it would be easier to maintain several sites is on the ASA 5510.  I have the VPN configured on the SAA and he said that the tunnel is up.  I can telnet to the ASA and ping the remote gateway on the even side of VPN and it pings fine.  If I try to ping on a local computer, I get a "Request timed out".  If I makes no changes apart from go to the computer room and replace the network cable the 1751 and then through the 1751 I can now ping the remote door way to my computer.  The remote router works obviously very well, my statement of route on my router for vpn push through the ASA (same ip address) IP traffic that has been used by the 1751 works obviously. It seems so just like ASA is not being pushed in the ethernet0/0 VPN traffic or at least it is not encrypted.  I also noticed that the ACL for NAT seems to increase in number of access either it seems, there is really just one small thing missing to make the ASA except and encrypt incoming traffic on ethernet0/0:

  My network is not configured with a DMZ is something like that, the ASA ethernet0/0 and my local network on the same subnet:

  Router (Cisco 2811)

  |

  Layer switch 2 (ProCurve)

  |                                      |

  ASA5510 LAN computers

  I'm trying to except both sides of the VPN in and out on Ethernet0/0 traffic I saw there was a framework for this "permit communication between VPN peers connected to the same interface' and I've activated this option.

  In short, I need to understand why the VPN tunnel shows that upward and I can ping the remote of the SAA, but peripheral gateway on my network can not ping to the remote gateway through the int Ethernet0/0 on the SAA.

  From the console of the ASA, I get this:

  ASA5510 # ping 192.52.128.1
  Send 5, echoes ICMP 100 bytes to 192.52.128.1, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 100/108/120 ms

  ASA5510 # show crypto ipsec his
  Interface: *.
  Tag crypto map: * _map, local addr: 10.52.120.23

  local ident (addr, mask, prot, port): (10.52.120.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.52.128.0/255.255.255.0/0/0)
  current_peer: x.x.x.204

  program #pkts: 9, #pkts encrypt: 9, #pkts digest: 9
  decaps #pkts: 9, #pkts decrypt: 9, #pkts check: 9
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 9, #pkts comp failed: 0, #pkts Dang failed: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 10.52.120.23, remote Start crypto. : x.x.x.204

  Path mtu 1500, fresh ipsec generals 60, media, mtu 1500
  current outbound SPI: C49EF75F

  SAS of the esp on arrival:
  SPI: 0x21FDBB9D (570276765)
  transform: esp-3des esp-md5-hmac
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 1, crypto-map: * _map
  calendar of his: service life remaining (KB/s) key: (3824999/3529)
  Size IV: 8 bytes
  support for replay detection: Y
  outgoing esp sas:
  SPI: 0xC49EF75F (3298752351)
  transform: esp-3des esp-md5-hmac
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 1, crypto-map: * _map
  calendar of his: service life remaining (KB/s) key: (3824999/3527)
  Size IV: 8 bytes
  support for replay detection: Y

  From my office on the 10.52.120.0 even the etherenet0/0 interface on the ASA network I get this:

  C:\Users\***>ping 192.52.128.1

  Ping 192.52.128.1 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.

  Ping statistics for 192.52.128.1:
  Packets: Sent = 4, received = 0, lost = 4 (100% loss)

  C:\Users\***>ping 10.52.120.23

  Ping 10.52.120.23 with 32 bytes of data:
  Reply from 10.52.120.23: bytes = 32 time = 5ms TTL = 255
  Reply from 10.52.120.23: bytes = 32 time = 3ms TTL = 255
  Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255
  Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255

  Ping statistics for 10.52.120.23:
  Packets: Sent = 4, received = 4, lost = 0 (0% loss),
  Time approximate round trip in milli-seconds:
  Minimum = 1ms, Maximum = 5ms, average = 2ms

  Count on VPN Tunnel ACL does not increase when I try to ping the address of the remote gateway.

  Here is the running of the ASA configuration:

  ASA Version 7.0 (2)
  names of
  !
  interface Ethernet0/0
  nameif InsideNetwork
  security-level 100
  IP 10.52.120.23 255.255.255.0
  !
  interface Ethernet0/1
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  Shutdown
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  management only
  !
  activate the encrypted password of XXXXXXXXXXXXXXXX
  passwd encrypted XXXXXXXXXXXXXXXXXXX
  ciscoasa hostname
  domain default.domain.invalid
  passive FTP mode
  permit same-security-traffic intra-interface
  Access extensive list ip 10.52.120.0 InsideNetwork_nat0_outbound allow 255.255.25
  5.0 192.52.128.0 255.255.255.0
  Access extensive list ip 10.52.120.0 InsideNetwork_cryptomap_20 allow 255.255.255
  .0 192.52.128.0 255.255.255.0
  pager lines 24
  asdm of logging of information
  management of MTU 1500
  MTU 1500 InsideNetwork
  management of the interface of the monitor
  the interface of the monitor InsideNetwork
  ASDM image disk0: / asdm - 502.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT (InsideNetwork) 0-list of access InsideNetwork_nat0_outbound
  Route InsideNetwork 0.0.0.0 0.0.0.0 10.52.120.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00
  Timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
  Timeout, uauth 0:05:00 absolute
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 10.52.120.0 255.255.255.0 InsideNetwork
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  card crypto InsideNetwork_map 20 corresponds to the address InsideNetwork_cryptomap_20
  card crypto InsideNetwork_map 20 set peer x.x.x.204
  InsideNetwork_map 20 transform-set ESP-3DES-MD5 crypto card game
  InsideNetwork_map InsideNetwork crypto map interface
  ISAKMP enable InsideNetwork
  part of pre authentication ISAKMP policy 10
  ISAKMP policy 10 3des encryption
  ISAKMP policy 10 md5 hash
  10 2 ISAKMP policy group
  ISAKMP life duration strategy 10 86400
  Telnet 10.52.120.0 255.255.255.0 InsideNetwork
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  dhcpd lease 3600
  dhcpd ping_timeout 50
  enable dhcpd management
  tunnel-group x.x.x.204 type ipsec-l2l
  x.x.x.204 group of tunnel ipsec-attributes
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  Policy-map global_policy
  class inspection_default
  inspect the dns-length maximum 512
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  !
  global service-policy global_policy
  Cryptochecksum:7e478b60b3e406091de466675c52eaaa
  : end

  I haven't added anything to the config except what seemed necessary to get the job of VPN tunnel.  It should be fairly clean.

  Thanks in advance for any help... I really hope that it is something really simple as a recruit ASA just forgot

  Strange, but good news. Thanks for the update. I'm glad everything is working.

  THX

  MS

• Automatic update AIP-SSM-10 and ASA 5510 (Beginner)

  I see that it is possible to automate the updates of the ASA 5510 and AIP SSM via FTP on my own server. Is it possible to automate the download directly from Cisco.com?

  Thank you!

  Jeremy

  Jeremy, the answer to your question is correct, as far as the Cisco products are concerned. So I wrote a PERL app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm

  And it is also on my site, with a tar of scripts to:

  http://www.LHB-consulting.com/pages/apps/index.html

  Good luck.

  -Lisa

• ASA 5510 Firewall ACLs HITCOUNT

  I have a simple question, but I'm having a hard time getting a response. When you show command access-list on the ASA 5510 there are a number of access... .i know clearly but I want to knowis it a default timer which will clearly be the number of accesses? Or the number of access remains until I have clear the County? I'm trying to clean up ACLs and for future troubleshooting I would like to know that. I don't want to remove an ACL entry with hitcount 0 and then it is necessary.

  The counters are there until one of two things will happen; you delete them manually or you restart the device. There is no timers to clear the counters. Usually, clear us the counters, let it run for a month or so to clean it up.

  Hope that helps.

• Allow specific access through the Interfaces ASA 5510

  Hi all

  In my quest to learn Cisco IOS and devices, I need help in smoothing traffic, or access lists, allowing traffic between internal interfaces on the SAA specifically.

  I have an ASA 5510:

  WAN/LAN/DMZ ports labled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

  Connected to the port E0/0 is a 2811 router

  Connected to the port E0/1 is the (external) Internet

  Connected to the port E0/2 is a 2821

  (I'll add a 3745 for VOIP) port E0/3, but it has not yet happened.

  I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.

  I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind routers, as well as on the ASA. So behind the routers I have different VLANS, but I'm not restrict access between them, still, at least I don't think I am. But as it is, behind the 2821 devices cannot access the DNS / DOMAIN SERVER that is located behind the 2811. Right now I have the routers DHCP power, who works there. Currently devices behind the router 2821-3560 switch cannot access the domain server, primary dns server.

  How can I set the ASA to allow traffic to flow between the two routers and their VLANS?

  Here's the configs of each device and I have also included my switch configs, incase something should be set on them. I only removed the passwords and the parts of the external IP address. I appreciate the help in which States to create and on which devices.

  I think it is best that I put the links to the files of text here.

  Thank you!

  You must remove the following statements on the two routers:
  -# ip nat inside source... overload
  -for each # ip nat inside/outside interface, if they have configured.

  Remove ads rip of the networks that are not directly connected:
  -2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
  -2811: 199.195.xxx.0
  -ASA: 128.0.0.0

  No way should be added to the routers, since he is the one by default, put in scene to ASA.

  Check the tables of routing on routers and the ASA.

  On ASA:

  -Remove:
  object-group network # PAT - SOURCE
  # nat (indoor, outdoor) automatic interface after PAT-SOURCE dynamic source

  -create objects of the networks behind the LAN router and enable dynamic NAT:
  network object #.
  subnet
  NAT (inside, outside) dynamic interface

  -review remains NAT rules.

  -to set/adjust the lists access penetration on the interfaces. Do not forget to allow the rip on the LAN and DMZ interfaces.

  -Disable rip on the outside interface.

• % 7-ASA-710005: request TCP thrown error in the Client VPN Site to CISCO ASA 5510

  Hi friends,

  I am trying to built customer to site VPN CISCO ASA 5510 8.4 (4) and get error below when connecting to a cisco VPN client software. Also, I'm below ASA, log. Please help me to reslove.

  Error in CISCO VPN Client software:

  Secure VPN connection terminated locally by the client.

  Reason: 414: unable to establish a TCP connection.

  Error in CISCO ASA 5510

  7-ASA-710005%: TCP request and eliminated from 49276 outward: 10000

  The ASA configuration:

  XYZ # sh run
  : Saved
  :
  ASA Version 8.4 (4)
  !
  hostname XYZ
  domain XYZ
  activate the password encrypted 3uLkVc9JwRA1/OXb N3
  activate the encrypted password of R/x90UjisGVJVlh2
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Ethernet0/0
  nameif outside_rim
  security-level 0
  IP 1.1.1.1 255.255.255.252
  !
  interface Ethernet0/1
  full duplex
  nameif XYZ_DMZ
  security-level 50
  IP 172.1.1.1 255.255.255.248
  !
  interface Ethernet0/2
  Speed 100
  full duplex
  nameif outside
  security-level 0
  IP address 2.2.2.2 255.255.255.252
  !
  interface Ethernet0/3
  Speed 100
  full duplex
  nameif inside
  security-level 100
  IP 3.3.3.3 255.255.255.224
  !
  interface Management0/0
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  boot system Disk0: / asa844 - k8.bin
  passive FTP mode
  DNS domain-lookup outside
  DNS server-group DefaultDNS
  Server name xx.xx.xx.xx
  Server name xx.xx.xx.xx
  Server name xx.xx.xx.xx
  Server name xx.xx.xx.xx
  domain XYZ
  network object obj - 172.17.10.3
  Home 172.17.10.3
  network object obj - 10.1.134.0
  10.1.134.0 subnet 255.255.255.0
  network object obj - 208.75.237.0
  208.75.237.0 subnet 255.255.255.0
  network object obj - 10.7.0.0
  10.7.0.0 subnet 255.255.0.0
  network object obj - 172.17.2.0
  172.17.2.0 subnet 255.255.255.0
  network object obj - 172.17.3.0
  172.17.3.0 subnet 255.255.255.0
  network object obj - 172.19.2.0
  172.19.2.0 subnet 255.255.255.0
  network object obj - 172.19.3.0
  172.19.3.0 subnet 255.255.255.0
  network object obj - 172.19.7.0
  172.19.7.0 subnet 255.255.255.0
  network object obj - 10.1.0.0
  10.1.0.0 subnet 255.255.0.0
  network object obj - 10.2.0.0
  10.2.0.0 subnet 255.255.0.0
  network object obj - 10.3.0.0
  10.3.0.0 subnet 255.255.0.0
  network object obj - 10.4.0.0
  10.4.0.0 subnet 255.255.0.0
  network object obj - 10.6.0.0
  10.6.0.0 subnet 255.255.0.0
  network object obj - 10.9.0.0
  10.9.0.0 subnet 255.255.0.0
  network object obj - 10.11.0.0
  10.11.0.0 subnet 255.255.0.0
  network object obj - 10.12.0.0
  10.12.0.0 subnet 255.255.0.0
  network object obj - 172.19.1.0
  172.19.1.0 subnet 255.255.255.0
  network object obj - 172.21.2.0
  172.21.2.0 subnet 255.255.255.0
  network object obj - 172.16.2.0
  172.16.2.0 subnet 255.255.255.0
  network object obj - 10.19.130.201
  Home 10.19.130.201
  network object obj - 172.30.2.0
  172.30.2.0 subnet 255.255.255.0
  network object obj - 172.30.3.0
  172.30.3.0 subnet 255.255.255.0
  network object obj - 172.30.7.0
  172.30.7.0 subnet 255.255.255.0
  network object obj - 10.10.1.0
  10.10.1.0 subnet 255.255.255.0
  network object obj - 10.19.130.0
  10.19.130.0 subnet 255.255.255.0
  network of object obj-XXXXXXXX
  host XXXXXXXX
  network object obj - 145.248.194.0
  145.248.194.0 subnet 255.255.255.0
  network object obj - 10.1.134.100
  Home 10.1.134.100
  network object obj - 10.9.124.100
  Home 10.9.124.100
  network object obj - 10.1.134.101
  Home 10.1.134.101
  network object obj - 10.9.124.101
  Home 10.9.124.101
  network object obj - 10.1.134.102
  Home 10.1.134.102
  network object obj - 10.9.124.102
  Home 10.9.124.102
  network object obj - 115.111.99.133
  Home 115.111.99.133
  network object obj - 10.8.108.0
  10.8.108.0 subnet 255.255.255.0
  network object obj - 115.111.99.129
  Home 115.111.99.129
  network object obj - 195.254.159.133
  Home 195.254.159.133
  network object obj - 195.254.158.136
  Home 195.254.158.136
  network object obj - 209.164.192.0
  subnet 209.164.192.0 255.255.224.0
  network object obj - 209.164.208.19
  Home 209.164.208.19
  network object obj - 209.164.192.126
  Home 209.164.192.126
  network object obj - 10.8.100.128
  subnet 10.8.100.128 255.255.255.128
  network object obj - 115.111.99.130
  Home 115.111.99.130
  network object obj - 10.10.0.0
  subnet 10.10.0.0 255.255.0.0
  network object obj - 115.111.99.132
  Home 115.111.99.132
  network object obj - 10.10.1.45
  Home 10.10.1.45
  network object obj - 10.99.132.0
  10.99.132.0 subnet 255.255.255.0
  the Serversubnet object-group network
  object-network 10.10.1.0 255.255.255.0
  network-object 10.10.5.0 255.255.255.192
  the XYZ_destinations object-group network
  object-network 10.1.0.0 255.255.0.0
  object-network 10.2.0.0 255.255.0.0
  network-object 10.3.0.0 255.255.0.0
  network-object 10.4.0.0 255.255.0.0
  network-object 10.6.0.0 255.255.0.0
  network-object 10.7.0.0 255.255.0.0
  network-object 10.11.0.0 255.255.0.0
  object-network 10.12.0.0 255.255.0.0
  object-network 172.19.1.0 255.255.255.0
  object-network 172.19.2.0 255.255.255.0
  object-network 172.19.3.0 255.255.255.0
  object-network 172.19.7.0 255.255.255.0
  object-network 172.17.2.0 255.255.255.0
  object-network 172.17.3.0 255.255.255.0
  object-network 172.16.2.0 255.255.255.0
  object-network 172.16.3.0 255.255.255.0
  host of the object-Network 10.50.2.206
  the XYZ_us_admin object-group network
  network-object 10.3.1.245 255.255.255.255
  network-object 10.5.33.7 255.255.255.255
  network-object 10.211.5.7 255.255.255.255
  network-object 10.3.33.7 255.255.255.255
  network-object 10.211.3.7 255.255.255.255
  the XYZ_blr_networkdevices object-group network
  object-network 10.200.10.0 255.255.255.0
  access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 145.248.194.0 255.255.255.0
  access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.21
  access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.22
  access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host XXXXXXXX
  Access extensive list ip 10.19.130.0 XYZ_PAT allow 255.255.255.0 any
  Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.159.133
  Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.158.136
  Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 any
  Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 209.164.192.0 255.255.224.0
  Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.208.19
  Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.192.126
  IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 208.75.237.0 255.255.255.0
  Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.7.0.0 255.255.0.0
  IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.2.0 255.255.255.0
  IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.3.0 255.255.255.0
  IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.2.0 255.255.255.0
  IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.3.0 255.255.255.0
  IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.7.0 255.255.255.0
  10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.0.0 255.255.0.0
  10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
  Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.3.0.0 255.255.0.0
  10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.4.0.0 255.255.0.0
  10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.6.0.0 255.255.0.0
  Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.9.0.0 255.255.0.0
  Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.11.0.0 255.255.0.0
  10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.12.0.0 255.255.0.0
  IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.1.0 255.255.255.0
  IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.21.2.0 255.255.255.0
  10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 172.16.2.0 255.255.255.0
  access-list extended sheep allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
  access-list extended sheep allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
  access-list extended sheep allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
  access-list extended sheep allowed ip object-group Serversubnet-group of objects XYZ_destinations
  10.10.1.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
  10.19.130.0 IP Access-list extended sheep 255.255.255.0 allow host XXXXXXXX
  IP 10.19.130.0 allow Access-list extended sheep 255.255.255.0 145.248.194.0 255.255.255.0
  Access extensive list ip 10.8.108.0 Guest_PAT allow 255.255.255.0 any
  CACIB list extended access permitted ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
  Access extensive list ip 10.8.100.128 Cacib_PAT allow 255.255.255.128 all
  Access extensive list ip 10.1.134.0 New_Edge allow 255.255.255.0 208.75.237.0 255.255.255.0
  Allow XYZ_global to access extended list ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.7.0.0 255.255.0.0
  Access extensive list ip 172.17.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
  Access extensive list ip 172.17.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
  Access extensive list ip 172.19.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
  Access extensive list ip 172.19.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
  Access extensive list ip 172.19.7.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
  Access extensive list ip 10.1.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
  Access extensive list 10.2.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
  Allow XYZ_global to access extended list ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  Access extensive list 10.4.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
  Access extensive list 10.6.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
  Access extensive list ip 10.9.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
  Allow XYZ_global to access extended list ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  Access extensive list 10.12.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
  Access extensive list ip 172.19.1.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
  Access extensive list ip 172.21.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.2.0 255.255.255.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.3.0 255.255.255.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.2.0 255.255.255.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.3.0 255.255.255.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.7.0 255.255.255.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.1.0.0 255.255.0.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.2.0.0 255.255.0.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.3.0.0 255.255.0.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.4.0.0 255.255.0.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.6.0.0 255.255.0.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.9.0.0 255.255.0.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.11.0.0 255.255.0.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.12.0.0 255.255.0.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.1.0 255.255.255.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.21.2.0 255.255.255.0
  XYZ_global to access extended list ip 172.16.2.0 allow 255.255.255.0 10.1.134.0 255.255.255.0
  Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.16.2.0 255.255.255.0
  Access extensive list ip 172.30.2.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
  XYZ_global list extended access allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
  Access extensive list ip 172.30.3.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
  XYZ_global list extended access allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
  Access extensive list ip 172.30.7.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
  XYZ_global list extended access allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
  XYZ_global list extended access permitted ip object-group Serversubnet-group of objects XYZ_destinations
  XYZ_global list extended access permitted ip object-group XYZ_destinations-group of objects Serversubnet
  ML_VPN list extended access allowed host ip 115.111.99.129 209.164.192.0 255.255.224.0
  permit access list extended ip host 115.111.99.129 ML_VPN 209.164.208.19
  permit access list extended ip host 115.111.99.129 ML_VPN 209.164.192.126
  permit access list extended ip host 10.9.124.100 Da_VPN 10.125.81.88
  permit access list extended ip host 10.9.124.101 Da_VPN 10.125.81.88
  permit access list extended ip host 10.9.124.102 Da_VPN 10.125.81.88
  Da_VPN list extended access allowed host ip 10.9.124.100 10.125.81.0 255.255.255.0
  Da_VPN list extended access allowed host ip 10.9.124.101 10.125.81.0 255.255.255.0
  Da_VPN list extended access allowed host ip 10.9.124.102 10.125.81.0 255.255.255.0
  Sr_PAT to access extended list ip 10.10.0.0 allow 255.255.0.0 any
  Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.80.64 255.255.255.192
  Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.64.0 255.255.240.0
  permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.85.46
  permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.86.46
  Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.80.64 255.255.255.192
  Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.64.0 255.255.240.0
  permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.85.46
  permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.86.46
  Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.80.64 255.255.255.192
  Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.64.0 255.255.240.0
  permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.85.46
  permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.86.46
  Access extensive list ip 10.19.130.0 XYZ_reliance allow 255.255.255.0 145.248.194.0 255.255.255.0
  access-list coextended permit ip host 2.2.2.2 XXXXXXXX
  access-list coextended allow the host ip XXXXXXXXhost 2.2.2.2
  permitted this access list extended ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
  permitted this access list extended ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
  access list acl-outside extended permit ip host 57.66.81.159 172.17.10.3
  access list acl-outside extended permit ip host 80.169.223.179 172.17.10.3
  access list acl-outside scope permit ip any host 172.17.10.3
  access list acl-outside extended permitted tcp any host 10.10.1.45 eq https
  access list acl-outside extended permit tcp any any eq 10000
  access list acl-outside extended deny ip any any newspaper
  pager lines 10
  Enable logging
  debug logging in buffered memory
  outside_rim MTU 1500
  MTU 1500 XYZ_DMZ
  Outside 1500 MTU
  Within 1500 MTU
  IP pool local XYZ_c2s_vpn_pool 172.30.10.51 - 172.30.10.254
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow all outside
  ICMP allow any inside
  don't allow no asdm history
  ARP timeout 14400
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 208.75.237.0 obj - 208.75.237.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.7.0.0 obj - 10.7.0.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.2.0 obj - 172.17.2.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.3.0 obj - 172.17.3.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.2.0 obj - 172.19.2.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.3.0 obj - 172.19.3.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.7.0 obj - 172.19.7.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.1.0.0 obj - 10.1.0.0 non-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.3.0.0 obj - 10.3.0.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.4.0.0 obj - 10.4.0.0 non-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.6.0.0 obj - 10.6.0.0 non-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.9.0.0 obj - 10.9.0.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.11.0.0 obj - 10.11.0.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.12.0.0 obj - 10.12.0.0 non-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.1.0 obj - 172.19.1.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.21.2.0 obj - 172.21.2.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.16.2.0 obj - 172.16.2.0 non-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.2.0 obj - 172.30.2.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.3.0 obj - 172.30.3.0 no-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.7.0 obj - 172.30.7.0 no-proxy-arp-search to itinerary
  NAT (inside, all) static source Serversubnet Serversubnet XYZ_destinations XYZ_destinations non-proxy-arp-search of route static destination
  NAT (inside, all) source static obj - 10.10.1.0 obj - 10.10.1.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj-XXXXXXXX XXXXXXXX - obj non-proxy-arp-search to itinerary
  NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj - 145.248.194.0 obj - 145.248.194.0 no-proxy-arp-search to itinerary
  NAT source (indoor, outdoor), obj static obj - 10.1.134.100 - 10.9.124.100
  NAT source (indoor, outdoor), obj static obj - 10.1.134.101 - 10.9.124.101
  NAT source (indoor, outdoor), obj static obj - 10.1.134.102 - 10.9.124.102
  NAT interface dynamic obj - 10.8.108.0 source (indoor, outdoor)
  NAT (inside, outside) source dynamic obj - 10.19.130.0 obj - 115.111.99.129
  NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.159.133 obj - 195.254.159.133
  NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.158.136 obj - 195.254.158.136
  NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129
  NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.0 obj - 209.164.192.0
  NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.208.19 obj - 209.164.208.19
  NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.126 obj - 209.164.192.126
  NAT (inside, outside) source dynamic obj - 10.8.100.128 obj - 115.111.99.130
  NAT (inside, outside) source dynamic obj - 10.10.0.0 obj - 115.111.99.132
  NAT source (indoor, outdoor), obj static obj - 10.10.1.45 - 115.111.99.133
  NAT (inside, outside) source dynamic obj - 10.99.132.0 obj - 115.111.99.129
  !
  network object obj - 172.17.10.3
  NAT (XYZ_DMZ, outside) static 115.111.99.134
  Access-group acl-outside in external interface
  Route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
  Route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
  Route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
  Route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
  Route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
  Route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
  Route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
  Route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
  Route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
  Route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
  Route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
  Route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  AAA authentication LOCAL telnet console
  LOCAL AAA authorization command
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn2
  Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn6
  Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn5
  Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn7
  Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn4
  Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn1
  Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn_reliance
  Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 c2s_vpn
  86400 seconds, duration of life crypto ipsec security association
  Crypto-map dynamic dyn1 ikev1 transform-set c2s_vpn 1 set
  Crypto-map dynamic dyn1 1jeu reverse-road
  card crypto vpn 1 corresponds to the address XYZ
  card 1 set of peer XYZ Peer IP vpn crypto
  1 set transform-set vpn1 ikev1 vpn crypto card
  card crypto vpn 1 lifetime of security set association, 3600 seconds
  card crypto vpn 1 set security-association life kilobytes 4608000
  correspondence vpn crypto card address 2 DON'T
  2 peer NE_Peer IP vpn crypto card game
  2 set transform-set vpn2 ikev1 vpn crypto card
  3600 seconds, duration of life card crypto vpn 2 set security-association
  card crypto vpn 2 set security-association life kilobytes 4608000
  card crypto vpn 4 corresponds to the address ML_VPN
  card crypto vpn 4 set pfs
  vpn crypto card game 4 peers ML_Peer IP
  4 set transform-set vpn4 ikev1 vpn crypto card
  3600 seconds, duration of life card crypto vpn 4 set - the security association
  card crypto vpn 4 set security-association life kilobytes 4608000
  vpn crypto card 5 corresponds to the address XYZ_global
  vpn crypto card game 5 peers XYZ_globa_Peer IP
  5 set transform-set vpn5 ikev1 vpn crypto card
  3600 seconds, duration of life card crypto vpn 5 set - the security association
  card 5 security-association life set vpn crypto kilobytes 4608000
  vpn crypto card 6 corresponds to the address Da_VPN
  vpn crypto card game 6 peers Da_VPN_Peer IP
  6 set transform-set vpn6 ikev1 vpn crypto card
  3600 seconds, duration of life card crypto vpn 6 set - the security association
  card crypto vpn 6 set security-association life kilobytes 4608000
  vpn crypto card 7 corresponds to the address Da_Pd_VPN
  7 peer Da_Pd_VPN_Peer IP vpn crypto card game
  7 set transform-set vpn6 ikev1 vpn crypto card
  3600 seconds, duration of life card crypto vpn 7 set - the security association
  card crypto vpn 7 set security-association life kilobytes 4608000
  vpn outside crypto map interface
  crypto map vpn_reliance 1 corresponds to the address XYZ_rim
  card crypto vpn_reliance 1 set of peer XYZ_rim_Peer IP
  card crypto 1 ikev1 transform-set vpn_reliance set vpn_reliance
  vpn_reliance card crypto 1 lifetime of security set association, 3600 seconds
  card crypto vpn_reliance 1 set security-association life kilobytes 4608000
  card crypto vpn_reliance interface outside_rim
  dynamic mymap 1 dyn1 ipsec-isakmp crypto map
  crypto isakmp identity address
  No encryption isakmp nat-traversal
  Crypto ikev1 enable outside_rim
  Crypto ikev1 allow outside
  IKEv1 crypto policy 1
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  lifetime 28800
  IKEv1 crypto policy 2
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400
  IKEv1 crypto policy 4
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 28000
  IKEv1 crypto policy 5
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 100
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 43200
  IKEv1 crypto policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet 10.8.100.0 255.255.255.224 inside
  Telnet timeout 5
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  no basic threat threat detection
  no statistical access list - a threat detection
  no statistical threat detection tcp-interception
  internal XYZ_c2s_vpn group strategy
  username testadmin encrypted password oFJjANE3QKoA206w
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group ipsec-attributes XXXXXXXX
  IKEv1 pre-shared-key *.
  tunnel-group XXXXXXXXtype ipsec-l2l
  tunnel-group XXXXXXXXipsec-attributes
  IKEv1 pre-shared-key *.
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group ipsec-attributes XXXXXXXX
  IKEv1 pre-shared-key *.
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group ipsec-attributes XXXXXXXX
  IKEv1 pre-shared-key *.
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group ipsec-attributes XXXXXXXX
  IKEv1 pre-shared-key *.
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group ipsec-attributes XXXXXXXX
  IKEv1 pre-shared-key *.
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group ipsec-attributes XXXXXXXX
  IKEv1 pre-shared-key *.
  type tunnel-group XYZ_c2s_vpn remote access
  attributes global-tunnel-group XYZ_c2s_vpn
  address pool XYZ_c2s_vpn_pool
  IPSec-attributes tunnel-group XYZ_c2s_vpn
  IKEv1 pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  inspect the icmp
  Review the ip options
  !
  global service-policy global_policy
  level 3 privilege see the running-config command exec mode
  logging of orders privilege see the level 3 exec mode
  privilege see the level 3 exec mode command crypto
  context of prompt hostname
  no remote anonymous reporting call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
  : end

  XYZ #.

  Good news

  Follow these steps:

  network object obj - 172.30.10.0_24

  172.30.10.0 subnet 255.255.255.0

  !

  the LOCAL_NETWORKS_VPN object-group network

  object-network 1.1.1.0 255.255.255.0

  !

  NAT (inside, outside) 1 static source LOCAL_NETWORKS_VPN destination LOCAL_NETWORKS_VPN static obj - 172.30.10.0_24 obj - 172.30.10.0_24 - route search

  * Where 1.1.1.0/24 is the internal network that you want to reach through the tunnel.

  Keep me posted.

  Thank you.

  Please note all messages that will be useful.

• Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

  Hello

  I have an ASA 5510 with the configuration below. I have configure the ASA as vpn server for remote access with cisco vpn client, now my problem is that I can connect but I can not ping.

  Config

  ciscoasa # sh run

  : Saved

  :

  ASA Version 8.0 (3)

  !

  ciscoasa hostname

  activate the 5QB4svsHoIHxXpF password / encrypted

  names of

  xxx.xxx.xxx.xxx SAP_router_IP_on_SAP name

  xxx.xxx.xxx.xxx ISA_Server_second_external_IP name

  xxx.xxx.xxx.xxx name Mail_Server

  xxx.xxx.xxx.xxx IncomingIP name

  xxx.xxx.xxx.xxx SAP name

  xxx.xxx.xxx.xxx Web server name

  xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold name

  isa_server_outside name 192.168.2.2

  !

  interface Ethernet0/0

  nameif outside

  security-level 0

  address IP IncomingIP 255.255.255.248

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 192.168.2.1 255.255.255.0

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.253 255.255.255.0

  management only

  !

  passwd 123

  passive FTP mode

  clock timezone IS 2

  clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00

  TCP_8081 tcp service object-group

  EQ port 8081 object

  DM_INLINE_TCP_1 tcp service object-group

  EQ port 3389 object

  port-object eq ftp

  port-object eq www

  EQ object of the https port

  EQ smtp port object

  EQ Port pop3 object

  port-object eq 3200

  port-object eq 3300

  port-object eq 3600

  port-object eq 3299

  port-object eq 3390

  EQ port 50000 object

  port-object eq 3396

  port-object eq 3397

  port-object eq 3398

  port-object eq imap4

  EQ port 587 object

  port-object eq 993

  port-object eq 8000

  EQ port 8443 object

  port-object eq telnet

  port-object eq 3901

  purpose of group TCP_8081

  EQ port 1433 object

  port-object eq 3391

  port-object eq 3399

  EQ object of port 8080

  EQ port 3128 object

  port-object eq 3900

  port-object eq 3902

  port-object eq 7777

  port-object eq 3392

  port-object eq 3393

  port-object eq 3394

  Equalizer object port 3395

  port-object eq 92

  port-object eq 91

  port-object eq 3206

  port-object eq 8001

  EQ port 8181 object

  object-port 7778 eq

  port-object eq 8180

  port-object 22222 eq

  port-object eq 11001

  port-object eq 11002

  port-object eq 1555

  port-object eq 2223

  port-object eq 2224

  object-group service RDP - tcp

  EQ port 3389 object

  3901 tcp service object-group

  3901 description

  port-object eq 3901

  object-group service tcp 50000

  50000 description

  EQ port 50000 object

  Enable_Transparent_Tunneling_UDP udp service object-group

  port-object eq 4500

  access-list connection to SAP Note inside_access_in

  inside_access_in to access extended list ip 192.168.2.0 allow 255.255.255.0 host SAP_router_IP_on_SAP

  access-list inside_access_in note outgoing VPN - PPTP

  inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any eq pptp

  access-list inside_access_in note outgoing VPN - GRE

  inside_access_in list extended access allow accord 192.168.2.0 255.255.255.0 any

  Comment from inside_access_in-list of access VPN - GRE

  inside_access_in list extended access will permit a full

  access-list inside_access_in note outgoing VPN - Client IKE

  inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any isakmp eq

  Comment of access outgoing VPN - IPSecNAT - inside_access_in-list T

  inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any eq 4500

  Note to inside_access_in of outgoing DNS list access

  inside_access_in list extended access udp allowed any any eq field

  Note to inside_access_in of outgoing DNS list access

  inside_access_in list extended access permit tcp any any eq field

  Note to inside_access_in to access list carried forward Ports

  inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any DM_INLINE_TCP_1 object-group

  access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 any

  outside_access_in of access allowed any ip an extended list

  outside_access_in list extended access permit tcp any any eq pptp

  outside_access_in list extended access will permit a full

  outside_access_in list extended access allowed grateful if any host Mail_Server

  outside_access_in list extended access permit tcp any host Mail_Server eq pptp

  outside_access_in list extended access allow esp a whole

  outside_access_in ah allowed extended access list a whole

  outside_access_in list extended access udp allowed any any eq isakmp

  outside_access_in list of permitted udp access all all Enable_Transparent_Tunneling_UDP object-group

  list of access allowed standard VPN 192.168.2.0 255.255.255.0

  corp_vpn to access extended list ip 192.168.2.0 allow 255.255.255.0 172.16.1.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  management of MTU 1500

  pool POOL 172.16.1.10 - 172.16.1.20 255.255.255.0 IP mask

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 603.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT-control

  Global (outside) 2 Mail_Server netmask 255.0.0.0

  Global 1 interface (outside)

  Global interface (2 inside)

  NAT (inside) 0-list of access corp_vpn

  NAT (inside) 1 0.0.0.0 0.0.0.0

  static (inside, outside) tcp Mail_Server 8001 8001 ISA_Server_second_external_IP netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server pptp pptp netmask 255.255.255.255 isa_server_outside

  public static tcp (indoor, outdoor) Mail_Server smtp smtp isa_server_outside mask 255.255.255.255 subnet

  static (inside, outside) tcp 587 Mail_Server isa_server_outside 587 netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255

  static (inside, outside) tcp 9443 Mail_Server 9443 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp 3389 3389 netmask 255.255.255.255 isa_server_outside Mail_Server

  static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

  static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp

  static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside

  public static 192.168.2.0 (inside, outside) - corp_vpn access list

  Access-group outside_access_in in interface outside

  inside_access_in access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.2.0 255.255.255.0 inside

  http 192.168.1.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp - esp-md5-hmac transet

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto-map dynamic dynmap 10 set pfs

  Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet

  cryptomap 10 card crypto ipsec-isakmp dynamic dynmap

  cryptomap interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  No encryption isakmp nat-traversal

  Telnet 192.168.2.0 255.255.255.0 inside

  Telnet 192.168.1.0 255.255.255.0 management

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

  dhcpd domain.local domain inside interface

  !

  a basic threat threat detection

  host of statistical threat detection

  Statistics-list of access threat detection

  Management Server TFTP 192.168.1.123.

  internal group mypolicy strategy

  mypolicy group policy attributes

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value VPN

  Pseudo vpdn password 123

  vpdn username attributes

  VPN-group-policy mypolicy

  type of remote access service

  type mypolicy tunnel-group remote access

  tunnel-group mypolicy General attributes

  address-pool

  strategy-group-by default mypolicy

  tunnel-group mypolicy ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the pptp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

  : end

  Thank you very much.

  Hello

  You probably need

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  inspect the icmp error

  Your Tunnel of Split and NAT0 configurations seem to.

  -Jouni

• Cisco ASA 5510 L2L VPN on the backup interface

  OK, here is what I have and I even if I knew how to do this, but it has not worked for me.  I hope someone out there can help you.

  I have an ASA 5510 running 8.4 with double configuration of ISPs on 2 different interfaces: outside (primary), backup (backup).  I also have a site to site VPN ASA another in another city.  The VPN is now configured on the external interface and works very well.  What I wanted to do, is to make the VPN running on backup interface only.

  So, I changed the card encryption on the remote side to use the backup interface IP and created a tunnel-group for her.  Then, I created a map encryption for backup interface and activated ikev1 on it.  The default route is configured to use the external interface, so I created a static route that routes traffic destined for the external interface of the remote side to the backup interface default gateway.  I can get to establish tunnels, but no traffic passes through them.  I have however while I need a NAT device for the tunnel traffic to I created a NAT so but still no transmitted traffic.  I tried the packet - trace and he said: the traffic was allowed and show its crypto ipsec command, I see the configuration of the tunnel, but no traffic will pass through it.  Can anyone help?

  Ben,

  you use a code to version 8.4, I recommend starting by removing the config NAT statements at both ends. This version does not have the NAT and control, and if you don't need... I've seen instances with 8.4 (3) where a NAT even though apparently correct was causing not to pass through the traffic.

  Site A:

  NAT (inside, backup) source static obj-SiteALAN obj-SiteALAN static obj-SiteBLAN obj-SiteBLAN

  Site b:

  NAT (inside, outside) source static obj - 192.168.5.0 obj - 192.168.5.0 destination static obj - 192.168.3.0 obj - 192.168.3.0

  If possible, you should increase your AES encryption, but this is a personal point of view and should not stop the traffic through the links. You should be able to see the counters for the data transmitted / received are these incrementing?

  Do you have the ACLs that are from the inside to the outside and internal interface to the Interface of backup (duplicated.

  In this model, the control is the routing.

  Best regards

  Ju

  http://helpamunky.WordPress.com/