CSM Securemode no ping access to reals?

We have dual CSM's in separate 6509 chassis and are using it in bridge mode. However last week we had created a new instance in secure mode and worked great. Until the CSM's failed over now in the standby switch and now the secured mode RIPS are non-accessible the configs are synced in both chassis. Any Ideas?

Hi Joe,
well one possible solution is that you have the real adresses routed elsewhere loosing the CSM in between (guess not wanted)
The other one is if all servers are in the same network ie 10.0.0.0/24 and this network is only reachable via the CSM you could use vserver like this (I do not write down everything as I guess you can complete the syntax and so on...)
vserver directaccess
virtual 10.0.0.0 mask 255.255.255.0
serverfarm direct
inservice
serverfarm direct
client nat SRCNAT <- depending if the servers have another gateway back to the workstations if not you do not need this
no server nat
predictor forward
inservice
natpool SRCNAT 10.0.0.1 10.0.0.1 mask 255.255.255.0
(compare with http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_installation_and_configuration_guide_chapter09186a00801c58a5.html#1038253)
Well I'm not sure if this solves all your problems as I do not know you exact topolgie... If you want to discuss feel free to send me a quick and dirty drawing with the recommendations and I'll try to answer asap..
Kind Regards,
Joerg.

Similar Messages

  • AnyConnect to ASA 5505 ver 8.4 unable to ping/access Inside network

    My AnyConnect VPN connect to the ASA, however I cannot access my inside network hosts (tried Split Tunnel and it didn't work either). I plan to use a Split Tunnel configuration but I thought I would get this working before I implemented that configuration. My inside hosts are on a 10.0.1.0/24 network and 10.1.0.0/16 networks. My AnyConnect hosts are using 192.168.60.0/24 addresses.
    I have seen other people that appeared to have similar posts but none of those solutions have worked for me.  I have also tried several NAT and ACL configurations to allow traffic form my Inside network to the ANYConnect hosts and back, but apparently I did it incorrectly.  I undestand that this ver 8.4 is supposed to be easier to perform NAT and such, but I now in the router IOS it was much simpler.
    My configuration is included below.
    Thank you in advance for your assistance.
    Jerry
    ASA Version 8.4(4)
    hostname mxfw
    domain-name moxiefl.com
    enable password (removed)
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    switchport trunk allowed vlan 20,22
    switchport mode trunk
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan20
    nameif dmz
    security-level 50
    ip address 172.26.20.1 255.255.255.0
    interface Vlan22
    nameif dmz2
    security-level 50
    ip address 172.26.22.1 255.255.255.0
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 208.67.222.222
    name-server 208.67.220.220
    domain-name moxiefl.com
    same-security-traffic permit inter-interface
    object network Generic_All_Network
    subnet 0.0.0.0 0.0.0.0
    object network INSIDE_Hosts
    subnet 10.1.0.0 255.255.0.0
    object network AnyConnect_Hosts
    subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_26
    subnet 192.168.60.0 255.255.255.192
    object network DMZ_Network
    subnet 172.26.20.0 255.255.255.0
    object network DMZ2_Network
    subnet 172.26.22.0 255.255.255.0
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu dmz2 1500
    ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic Generic_All_Network interface
    nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
    nat (dmz,outside) source dynamic Generic_All_Network interface
    nat (dmz2,outside) source dynamic Generic_All_Network interface
    route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    fqdn anyconnect.moxiefl.com
    subject-name CN=AnyConnect.moxiefl.com
    keypair AnyConnect
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 439a4452
        3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
        05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
        6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
        2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
        33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
        6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
        616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
        86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
        b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
        fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
        6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
        1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
        551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
        03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
        0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
        092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
        5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
        ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
        1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
        0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd auto_config outside
    dhcpd address 10.0.1.20-10.0.1.40 inside
    dhcpd dns 208.67.222.222 208.67.220.220 interface inside
    dhcpd enable inside
    dhcpd address 172.26.20.21-172.26.20.60 dmz
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
    dhcpd enable dmz
    dhcpd address 172.26.22.21-172.26.22.200 dmz2
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
    dhcpd enable dmz2
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
    anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_AnyConnect internal
    group-policy GroupPolicy_AnyConnect attributes
    wins-server none
    dns-server value 208.67.222.222 208.67.220.220
    vpn-tunnel-protocol ikev2 ssl-client
    default-domain value moxiefl.com
    webvpn
      anyconnect profiles value AnyConnect_client_profile type user
    username user1 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
    username user2 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
    address-pool VPN_POOL
    default-group-policy GroupPolicy_AnyConnect
    tunnel-group AnyConnect webvpn-attributes
    group-alias AnyConnect enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
    : end

    Hi,
    Yes, I have saved the config and did a write erase and reloaded the config, no difference. I rebuilt it once a couple of weeks ago, but that was before I had gotten this far with your assistance.  I'll include my ASA and switches configs after this. Here is a little background (took it form the Firewall section issue just because it gives a little insight for the network). I have 2 3560s, one as a L3 switch the other L2 with an etherchannel between them (one of the cables was bad so I am waiting on the replacement to have 2 - Gigabit channels between the switches).
    I think our issue with the VPN not getting to the Inside is posibly related to my DMZ issue not getting to the internet.
    I am using 2 VLANs on my switch for Guests - one is wired and the other is wireless. I am trying to keep them separate because the wireless are any guest that might be at our restaurant that is getting on WiFi. The wired is for our Private Dining Rooms that vendors may need access and I don't want the wireless being able to see the wired network in that situation.
    I have ports on my 3560s that are assigned to VLAN 20 (Guest Wired) and VLAN 22 (Guest Wireless). I am not routing those addresses within the 3560s (one 3560 is setup as a L3 switch). Those VLANs are being L2 switched to the ASA via the trunk to save ports (I tried separating them and used 2 ports on the ASA and it still didn't work). The ASA is providing DCHP for those VLANs and the routing for the DMZ VLANs. I can ping each of the gateways (which are the VLANs on the ASA from devices on the 3560s - 172.26.20.1 and 172.26.22.1. I have those in my DMZ off the ASA so it can control and route the data.
    The 3560 is routing for my Corp VLANs. So far I have tested the Wired VLAN 10 (10.1.10.0/24) and it is working and gets to the Internet.  I have a default route (0.0.0.0 0.0.0.0) from the L3 switch to e0/1 on the ASA and e0/1 is an Inside interface.
    E0/0 on the ASA is my Outside interface and gets it IP from the upstream router (will be an AT&T router/modem when I move it to the building).
    So for a simple diagram:
    PC (172.26.20.21/24) -----3560 (L2) ------Trunk----(VLAN 20 - DMZ/ VLAN 22 - DMZ2)---- ASA -----Outside ------- Internet (via router/modem)
    I will be back at this tomorrow morning - I've been up since 4pm yesterday and it is almost 3pm.
    Thank you for all of your assistance.
    Jerry
    Current ASA Config:
    ASA Version 8.4(4)
    hostname mxfw
    domain-name moxiefl.com
    enable password $$$$$$$$$$$$$$$ encrypted
    passwd $$$$$$$$$$$$$$$$ encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    switchport access vlan 20
    interface Ethernet0/5
    switchport trunk allowed vlan 20,22
    switchport mode trunk
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan20
    nameif dmz
    security-level 50
    ip address 172.26.20.1 255.255.255.0
    interface Vlan22
    nameif dmz2
    security-level 50
    ip address 172.26.22.1 255.255.255.0
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 208.67.222.222
    name-server 208.67.220.220
    domain-name moxiefl.com
    same-security-traffic permit inter-interface
    object network Generic_All_Network
    subnet 0.0.0.0 0.0.0.0
    object network INSIDE_Hosts
    subnet 10.1.0.0 255.255.0.0
    object network AnyConnect_Hosts
    subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_26
    subnet 192.168.60.0 255.255.255.192
    object network DMZ_Network
    subnet 172.26.20.0 255.255.255.0
    object network DMZ2_Network
    subnet 172.26.22.0 255.255.255.0
    object network INSIDE
    subnet 10.0.1.0 255.255.255.0
    access-list capdmz extended permit icmp host 172.26.20.22 host 208.67.222.222
    access-list capdmz extended permit icmp host 208.67.222.222 host 172.26.20.22
    access-list capout extended permit icmp host 192.168.1.231 host 208.67.222.222
    access-list capout extended permit icmp host 208.67.222.222 host 192.168.1.231
    access-list capvpn extended permit icmp host 192.168.60.20 host 10.1.10.23
    access-list capvpn extended permit icmp host 10.1.10.23 host 192.168.60.20
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    access-list SPLIT-TUNNEL standard permit 10.0.1.0 255.255.255.0
    access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
    access-list capins extended permit icmp host 10.1.10.23 host 10.0.1.1
    access-list capins extended permit icmp host 10.0.1.1 host 10.1.10.23
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu dmz2 1500
    ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static INSIDE INSIDE destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
    nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
    nat (dmz,outside) source dynamic Generic_All_Network interface
    nat (dmz2,outside) source dynamic Generic_All_Network interface
    nat (inside,outside) after-auto source dynamic Generic_All_Network interface
    route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    fqdn anyconnect.moxiefl.com
    subject-name CN=AnyConnect.moxiefl.com
    keypair AnyConnect
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 439a4452
        3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
        05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
        6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
        2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
        33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
        6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
        616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
        86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
        b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
        fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
        6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
        1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
        551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
        03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
        0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
        092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
        5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
        ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
        1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
        0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd auto_config outside
    dhcpd address 10.0.1.20-10.0.1.40 inside
    dhcpd dns 208.67.222.222 208.67.220.220 interface inside
    dhcpd enable inside
    dhcpd address 172.26.20.21-172.26.20.60 dmz
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
    dhcpd enable dmz
    dhcpd address 172.26.22.21-172.26.22.200 dmz2
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
    dhcpd enable dmz2
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
    anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_AnyConnect internal
    group-policy GroupPolicy_AnyConnect attributes
    wins-server none
    dns-server value 208.67.222.222 208.67.220.220
    vpn-tunnel-protocol ikev2 ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPLIT-TUNNEL
    default-domain value moxiefl.com
    webvpn
      anyconnect profiles value AnyConnect_client_profile type user
    username user1 password $$$$$$$$$$$$$ encrypted privilege 15
    username user2 password $$$$$$$$$$$ encrypted privilege 15
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
    address-pool VPN_POOL
    default-group-policy GroupPolicy_AnyConnect
    tunnel-group AnyConnect webvpn-attributes
    group-alias AnyConnect enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f6d9bbacca2a5c8b5af946a8ddc12550
    : end
    L3 3560 connects to ASA via port f0/3 routed port 10.0.1.0/24 network
    Connects to second 3560 via G0/3 & G0/4
    version 12.2
    no service pad
    no service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    hostname mx3560a
    boot-start-marker
    boot-end-marker
    enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    no aaa new-model
    system mtu routing 1500
    authentication mac-move permit
    ip subnet-zero
    ip routing
    ip dhcp excluded-address 10.1.10.1 10.1.10.20
    ip dhcp excluded-address 10.1.12.1 10.1.12.20
    ip dhcp excluded-address 10.1.14.1 10.1.14.20
    ip dhcp excluded-address 10.1.16.1 10.1.16.20
    ip dhcp excluded-address 10.1.30.1 10.1.30.20
    ip dhcp excluded-address 10.1.35.1 10.1.35.20
    ip dhcp excluded-address 10.1.50.1 10.1.50.20
    ip dhcp excluded-address 10.1.80.1 10.1.80.20
    ip dhcp excluded-address 10.1.90.1 10.1.90.20
    ip dhcp excluded-address 10.1.100.1 10.1.100.20
    ip dhcp excluded-address 10.1.101.1 10.1.101.20
    ip dhcp pool VLAN10
       network 10.1.10.0 255.255.255.0
       default-router 10.1.10.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN12
       network 10.1.12.0 255.255.255.0
       default-router 10.1.12.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN14
       network 10.1.14.0 255.255.255.0
       default-router 10.1.14.1
       option 150 ip 10.1.13.1
    ip dhcp pool VLAN16
       network 10.1.16.0 255.255.255.0
       default-router 10.1.16.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN30
       network 10.1.30.0 255.255.255.0
       default-router 10.1.30.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN35
       network 10.1.35.0 255.255.255.0
       default-router 10.1.35.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN50
       network 10.1.50.0 255.255.255.0
       default-router 10.1.50.1
       option 43 hex f104.0a01.6564
    ip dhcp pool VLAN80
       network 10.1.80.0 255.255.255.0
       default-router 10.1.80.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN90
       network 10.1.90.0 255.255.255.0
       default-router 10.1.90.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN100
       network 10.1.100.0 255.255.255.0
       default-router 10.1.100.1
    ip dhcp pool VLAN101
       network 10.1.101.0 255.255.255.0
       default-router 10.1.101.1
    ip dhcp pool VLAN40
       dns-server 208.67.222.222 208.67.220.220
    port-channel load-balance src-dst-mac
    spanning-tree mode pvst
    spanning-tree etherchannel guard misconfig
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    link state group 1 downstream
    interface FastEthernet0/1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport mode trunk
    power inline never
    interface FastEthernet0/2
    switchport access vlan 10
    switchport mode access
    power inline never
    interface FastEthernet0/3
    description Interface to MXFW E0/1
    no switchport
    ip address 10.0.1.2 255.255.255.0
    power inline never
    interface FastEthernet0/4
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/5
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/6
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/7
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 30
    switchport mode trunk
    switchport voice vlan 14
    power inline never
    spanning-tree portfast
    interface FastEthernet0/8
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/9
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/10
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/11
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/12
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/13
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/14
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/15
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/16
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/17
    switchport access vlan 50
    switchport mode access
    interface FastEthernet0/18
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/19
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/20
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/21
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/22
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 30
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/24
    switchport access vlan 35
    switchport mode access
    power inline never
    interface FastEthernet0/25
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/26
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/27
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/28
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/29
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/30
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/31
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/32
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/33
    switchport access vlan 50
    switchport mode access
    interface FastEthernet0/34
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/35
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/36
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/37
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/38
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/39
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/40
    switchport access vlan 90
    switchport mode access
    power inline never
    interface FastEthernet0/41
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/42
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/43
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/44
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/45
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/46
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/47
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/48
    switchport mode access
    shutdown
    power inline never
    interface GigabitEthernet0/1
    description Interface to MXC2911 Port G0/0
    no switchport
    ip address 10.1.13.2 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    interface GigabitEthernet0/3
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/4
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface Vlan1
    no ip address
    shutdown
    interface Vlan10
    ip address 10.1.10.1 255.255.255.0
    interface Vlan12
    ip address 10.1.12.1 255.255.255.0
    interface Vlan14
    ip address 10.1.14.1 255.255.255.0
    interface Vlan16
    ip address 10.1.16.1 255.255.255.0
    interface Vlan20
    ip address 172.26.20.1 255.255.255.0
    interface Vlan22
    ip address 172.26.22.1 255.255.255.0
    interface Vlan30
    ip address 10.1.30.1 255.255.255.0
    interface Vlan35
    ip address 10.1.35.1 255.255.255.0
    interface Vlan40
    ip address 10.1.40.1 255.255.255.0
    interface Vlan50
    ip address 10.1.50.1 255.255.255.0
    interface Vlan80
    ip address 172.16.80.1 255.255.255.0
    interface Vlan86
    no ip address
    shutdown
    interface Vlan90
    ip address 10.1.90.1 255.255.255.0
    interface Vlan100
    ip address 10.1.100.1 255.255.255.0
    interface Vlan101
    ip address 10.1.101.1 255.255.255.0
    router eigrp 1
    network 10.0.0.0
    network 10.1.13.0 0.0.0.255
    network 10.1.14.0 0.0.0.255
    passive-interface default
    no passive-interface GigabitEthernet0/1
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/3 10.0.1.1
    ip route 192.168.60.0 255.255.255.0 FastEthernet0/3 10.0.1.1 2
    ip http server
    ip sla enable reaction-alerts
    line con 0
    logging synchronous
    line vty 0 4
    login
    line vty 5 15
    login
    end
    L3 3560 Route Table (I added 192.168.60.0/24 instead of just using the default route just in case it wasn't routing for some reason - no change)
    mx3560a#sho ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 10.0.1.1 to network 0.0.0.0
    S    192.168.60.0/24 [2/0] via 10.0.1.1, FastEthernet0/3
         172.16.0.0/24 is subnetted, 1 subnets
    C       172.16.80.0 is directly connected, Vlan80
         172.26.0.0/24 is subnetted, 2 subnets
    C       172.26.22.0 is directly connected, Vlan22
    C       172.26.20.0 is directly connected, Vlan20
         10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
    C       10.1.10.0/24 is directly connected, Vlan10
    D       10.1.13.5/32 [90/3072] via 10.1.13.1, 4d02h, GigabitEthernet0/1
    C       10.1.14.0/24 is directly connected, Vlan14
    C       10.1.13.0/24 is directly connected, GigabitEthernet0/1
    C       10.1.12.0/24 is directly connected, Vlan12
    C       10.0.1.0/24 is directly connected, FastEthernet0/3
    C       10.1.30.0/24 is directly connected, Vlan30
    C       10.1.16.0/24 is directly connected, Vlan16
    C       10.1.40.0/24 is directly connected, Vlan40
    C       10.1.35.0/24 is directly connected, Vlan35
    C       10.1.50.0/24 is directly connected, Vlan50
    C       10.1.90.0/24 is directly connected, Vlan90
    C       10.1.101.0/24 is directly connected, Vlan101
    C       10.1.100.0/24 is directly connected, Vlan100
    S*   0.0.0.0/0 [1/0] via 10.0.1.1, FastEthernet0/3
    I have a C2911 for CME on G0/1 - using it only for that purpose at this time.
    L2 3560 Config it connects to the ASA as a trunk on e0/5 of the ASA and port f0/3 of the switch - I am using L2 switching for the DMZ networks from the switches to the ASA and allowing the ASA to provide the DHCP and routing out of the network. DMZ networks: 172.26.20.0/24 and 172.26.22.0/24.
    version 12.2
    no service pad
    no service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    hostname mx3560b
    boot-start-marker
    boot-end-marker
    enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    no aaa new-model
    system mtu routing 1500
    crypto pki trustpoint TP-self-signed-3877365632
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3877365632
    revocation-check none
    rsakeypair TP-self-signed-3877365632
    crypto pki certificate chain TP-self-signed-3877365632
    certificate self-signed 01
      30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 33383737 33363536 3332301E 170D3933 30333031 30303031
      30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373733
      36353633 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100DF81 DA515E0B 7FC760CF 2CC98400 42DCA007 215E4DDE D0C3FBF2 D974CE85
      C46A8700 6AE44C2C 79D9BD2A A9297FA0 2D9C2BE4 B3941A2F 435AC4EA 17E89DFE
      34EC8E93 63BD4CDF 784E91D7 2EE0093F 06CC97FD 83CB818B 1ED624E6 F0F5DA51
      1DE4B8A7 169EED2B 40575B81 BADDE052 85BA9D19 4C206DCB 00878FF3 89E74028
      B3F30203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
      551D1104 0C300A82 086D7833 35363062 2E301F06 03551D23 04183016 80147125
      78CE8540 DB95D852 3C0BD975 5D9C6EB7 58FC301D 0603551D 0E041604 14712578
      CE8540DB 95D8523C 0BD9755D 9C6EB758 FC300D06 092A8648 86F70D01 01040500
      03818100 94B98410 2D9CD602 4BD16181 BCB7C515 77C8F947 7C4AF5B8 281E3131
      59298655 B12FAB1D A6AAA958 8473483C E993D896 5251770B 557803C0 531DEB62
      A349C057 CB473F86 DCEBF8B8 7DDE5728 048A49D0 AB18CE8C 8257C00A C2E06A63
      B91F872C 5F169FF9 77DC523B AB1E3965 C6B67FCC 84AE11E9 02DD10F0 C45EAFEA 41D7FA6C
      quit
    port-channel load-balance src-dst-mac
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface FastEthernet0/1
    switchport access vlan 50
    switchport mode access
    interface FastEthernet0/2
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/3
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 20,22
    switchport mode trunk
    power inline never
    interface FastEthernet0/4
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/5
    shutdown
    power inline never
    interface FastEthernet0/6
    shutdown
    power inline never
    interface FastEthernet0/7
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 30
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/8
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/9
    shutdown
    power inline never
    interface FastEthernet0/10
    switchport access vlan 20
    switchport mode access
    power inline never
    interface FastEthernet0/11
    shutdown
    power inline never
    interface FastEthernet0/12
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/13
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/14
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/15
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/16
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/17
    switchport access vlan 10
    switchport mode access
    power inline never
    interface FastEthernet0/18
    shutdown
    power inline never
    interface FastEthernet0/19
    shutdown
    power inline never
    interface FastEthernet0/20
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/21
    shutdown
    power inline never
    interface FastEthernet0/22
    shutdown
    power inline never
    interface FastEthernet0/23
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/24
    shutdown
    power inline never
    interface FastEthernet0/25
    switchport access vlan 20
    switchport mode access
    power inline never
    interface FastEthernet0/26
    shutdown
    power inline never
    interface FastEthernet0/27
    shutdown
    power inline never
    interface FastEthernet0/28
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/29
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/30
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/31
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/32
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/33
    switchport access vlan 20
    switchport mode access
    power inline never
    interface FastEthernet0/34
    shutdown
    power inline never
    interface FastEthernet0/35
    shutdown
    power inline never
    interface FastEthernet0/36
    switchport mode access
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/37
    shutdown
    power inline never
    interface FastEthernet0/38
    shutdown
    power inline never
    interface FastEthernet0/39
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/40
    switchport access vlan 90
    switchport mode access
    power inline never
    interface FastEthernet0/41
    shutdown
    power inline never
    interface FastEthernet0/42
    shutdown
    power inline never
    interface FastEthernet0/43
    shutdown
    power inline never
    interface FastEthernet0/44
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/45
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/46
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/47
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/48
    switchport access vlan 40
    switchport mode access
    shutdown
    interface GigabitEthernet0/1
    shutdown
    interface GigabitEthernet0/2
    switchport access vlan 40
    switchport mode access
    interface GigabitEthernet0/3
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/4
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface Vlan1
    no ip address
    ip classless
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    line con 0
    logging synchronous
    line vty 0 4
    login
    line vty 5 15
    login
    end

  • I can connect my cisco mobile vpn but can't ping & access internal IP

    Hi somebody,
    i've configured mobile vpn configuration in cisco 7200 with GNS3. i can connect VPN to my cisco router with cisco vpn client software from outside. but i can't ping to internal ip and can't access internal resources.
    My Internal IP is 192.168.1.x . And IP for mobile VPN client from outside is 172.60.1.x.
    Your advise will be appreciate.
    here is my configuration with cisco 7200 in GNS 3,
    OfficeVPN_Router#sh run
    Building configuration...
    Current configuration : 2186 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname OfficeVPN_Router
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
    aaa new-model
    aaa authentication login userlist local
    aaa authorization network grouplist local
    aaa session-id common
    ip cef
    no ip domain lookup
    username asm privilege 15 password 0 pncsadmin
    username user privilege 15 password 0 pncsadmin
    username user1 privilege 15 password 0 pncsadmin
    username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    crypto isakmp client configuration group MWG
    key cisco
    dns 165.21.83.88
    pool vpnpool
    acl 101
    netmask 255.255.0.0
    crypto ipsec transform-set myset esp-aes esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    reverse-route
    crypto map mymap client authentication list userlist
    crypto map mymap isakmp authorization list grouplist
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex half
    interface FastEthernet1/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex full
    speed 100
    interface FastEthernet1/1
    ip address 200.200.200.200 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map mymap
    ip local pool vpnpool 172.60.1.10 172.60.1.100
    no ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 200.200.200.201
    no ip http server
    no ip http secure-server
    ip nat inside source list 111 interface FastEthernet1/1 overload
    access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
    access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
    access-list 111 permit ip any any
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    password cisco123
    logging synchronous
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    password cisco123
    end
    OfficeVPN_Router#sh ver
    Cisco IOS Software, 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Tue 21-Apr-09 18:50 by prod_rel_team
    ROM: ROMMON Emulation Microcode
    BOOTLDR: 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
    OfficeVPN_Router uptime is 30 minutes
    System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
    System image file is "tftp://255.255.255.255/unknown"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
    Processor board ID 4279256517
    R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
    6 slot VXR midplane, Version 2.1
    Last reset from power-on
    PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
    Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
    This configuration is within the PCI bus capacity and is supported.
    PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
    Current configuration on bus mb2 has a total of 0 bandwidth points
    This configuration is within the PCI bus capacity and is supported.
    Please refer to the following document "Cisco 7200 Series Port Adaptor
    Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
    for c7200 bandwidth points oversubscription and usage guidelines.
    3 FastEthernet interfaces
    125K bytes of NVRAM.
    65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
    8192K bytes of Flash internal SIMM (Sector size 256K).
    Configuration register is 0x2102
    OfficeVPN_Router#

    Dear Javier ,
    Thanks for your info. i already tested as you say. but still i can't use & ping to my internal IP which is behind cisco VPN router. i posted my config file.
    OfficeVPN_Router(config)#ip access-list resequence 111 10 10
    OfficeVPN_Router(config)#do sh run
    Building configuration...
    Current configuration : 2201 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname OfficeVPN_Router
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
    aaa new-model
    aaa authentication login userlist local
    aaa authorization network grouplist local
    aaa session-id common
    ip cef
    no ip domain lookup
    username asm privilege 15 password 0 pncsadmin
    username user privilege 15 password 0 pncsadmin
    username user1 privilege 15 password 0 pncsadmin
    username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    crypto isakmp client configuration group MWG
    key cisco
    dns 165.21.83.88
    pool vpnpool
    acl 101
    netmask 255.255.0.0
    crypto ipsec transform-set myset esp-aes esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    reverse-route
    crypto map mymap client authentication list userlist
    crypto map mymap isakmp authorization list grouplist
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex half
    interface FastEthernet1/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex full
    speed 100
    interface FastEthernet1/1
    ip address 200.200.200.200 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map mymap
    ip local pool vpnpool 172.60.1.10 172.60.1.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 200.200.200.201
    no ip http server
    no ip http secure-server
    ip nat inside source list 111 interface FastEthernet1/1 overload
    access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
    access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
    access-list 111 permit ip 192.168.1.0 0.0.0.255 any
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    password cisco123
    logging synchronous
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    password cisco123
    end

  • CSM : Sorry server and Stickyness when reals are overloaded

    Hi,
    I have a portal of eight real servers and one sorry server, which should redirect new user to another portal, in case of an overload condition of all eight real servers. Server load is measured on each real server using a custom developed agent, which basically measures the real CPU load. If a real server experiences an overload, the local agent uses the CSM XML interface to set the maxcons value in the CSM to stop accepting new connections. However, I want to continue accepting sticky connections (request with a valid cookie). The experience shows that the CSM does accept to create new connections to real server reaching maxcons, even if a cookie exist.
    This causes a problem if we want to redirect NEW users to another portal in case of overload, but to keep EXISTING users in the server farm, even if the number of connections could increase slightly above maxconns...
    How can I solve the problem ?
    Thank you
    Yves Haemmerli

    Hi Thomas,
    Thank you for your comment. I also understand this behaviour like you, however this can have a devastating effect in a global portal environment. Imagine, you have three portals distributed over the world, each having let say 8 real servers. In the real life, it is seldom to replicate data in real time between data centers, due to the distance. However, the user roles and customized bookmarks and other user-specific settings are replicated. This allows to provide a global portal to users. But if a user connects to one particular regional portal, he has to stay on this portal for the duration of the whole browser session, do you follow me ? OK, now imagine that all 8 real servers in a portal reach the maxconns, because 10'000 users are connected to the portal. For new users (users with no sticky cookie), we want to send them to another regional portal. This is achieved with the global site selection provided by the GSS for example. But for existing user already connected to the overloaded portal, we want to KEEP them on the portal ! else, as the user browser continuously opens and closes TCP sessions, all 10'000 users will be immediately transferred to the other regional portal! This means the the other regional portal will becom overloaded as well, while the first portal load will be droped to zero very quickly ! Then, we not only create a situation where users loose their data by being transferred to another portal, but we also create a oscillations in the portal load !
    I really don't know if there is a mean to solve this problem...Do you have any idea ?
    Regards,
    Yves Haemmerli

  • Cannot ping/access iphone from pc via wifi connection

    Hi! Im trying to ping my iphone from my pc, they are in the same subnet/network, and they are both connected to same wifi/wireless network, but I cannot ping my iphone, is there other things i need to do on my iphone for it to ping-able/accessable from my pc wirelessly? Thank you.

    Yes that worked thank you and has taken me back to the start of the migration assistant. Unless there is anything else I should do, very many thanks! I will try the full process again shortly, having turned off all window updates include virus checker updates which may have caused the problem and I will use the Ethernet cable method. It would have taken hours via wifi,  4 hours to transfer music alone.
    Thank yu
    Ljs

  • ASA5520 - Management0/0 Telnet/SSH/Ping Access

    hey all, hope this is an easy one.
    - how can i setup the management interface so that we can ping to the mgmt interface from a subnet that is on a different subnet than the Management0/0 interface (source ip would be 192.168.100.0/24 which may conflict with the inside interface)
    - i am able to telnet/ssh from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface
    - i am not able to ping the mgmt interface from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface
    - is a security level required on the mgmt interface? it does not  work unless we put one. if so, what are you guys setting it to?
    interface Ethernet0/0.101
    description Outside
    vlan 101
    nameif outside
    security-level 0
    ip address 101.1.1.100 255.255.255.0
    interface Ethernet0/1.102
    description Inside Cat3750-VM G1/0/24 (PRI) G2/0/24 (STB)
    vlan 102
    nameif inside
    security-level 100
    ip address 192.168.100.100 255.255.252.0
    interface Management0/0
    nameif mgmt
    security-level 90
    ip address 192.168.253.100 255.255.255.0
    management-only
    ssh 192.168.100.0 255.255.255.0 mgmt
    telnet 192.168.100.0 255.255.255.0 mgmt
    I try to add a static route but get an error:
    ASA5520(config)# route mgmt 192.168.0.0 255.255.252.0 192.168.253.1
    ERROR: Cannot add route, connected route exists

    Hello Robert,
    by default the Managment interface of an ASA is going to be used just for managment traffic only.
    Now in order to be able to use it as any other interface you will need to use the following command:
         -     Interface managment 0/0
         -     no managment-only
    And just to let you know it is imposible to ping a distant interface as an example from a inside subnet to the outside interface ip .This as security measure.
    Regards,
    Julio

  • Cannot ping Real IP, but can ping Virtual IP, what is the issue?

    Hi
    I have load balancing for some servers on CSM, i can ping to VIP but cannot ping to Real IP of servers behind CSM. I need it for some testing and management pupose, Can anyone help to spot the issue? thanx
    Topology
    MSFC--FWSM--CSM--servers

    in routed mode, by default, the CSM does not allow client to connect directly to the servers.
    To allow this traffic you need to create a vserver for the subnet with a predictor forward serverfarm
    ie:
    serverfarm route
    no nat server
    predictor forward
    vserver vlanX
    vip x.x.x.0 /24 any
    serverfarm route
    inservice
    Gilles.

  • SDK 3.1 UIImagePickerController access real time image

    Hi,
    SDK 3.1 has a much better UIImagePickerController. It claims that you can access the real time image without closing the controller. Could anyone tell me exactly how to access the image?
    Thanks
    ff

    Hi,
    SDK 3.1 has a much better UIImagePickerController. It claims that you can access the real time image without closing the controller. Could anyone tell me exactly how to access the image?
    Thanks
    ff

  • CSM Server LB across L3 Devices

    I have a pair of 6513's with a CSM in each. These are port-channelled together to provide FT.
    I have a number of server vlan's defined on the 6500 and 2 of these need to be LB through the CSM.
    Do I define these servers as CSM server vlans (which I have now done) or define the servers as 6500 server vlans with L3 interfaces defined on the 6500's and add route commands to the CSM server VLAN's to route back to these servers via the 6500 L3. I am concerned on this last point about Nat requirements for client connections and how to guage the number of nat pool addresses I need.
    My reason for this question is that I am having trouble getting ping access to these LB servers through the CSM even though I have defined server farms with a predictor of forward. Cisco give information on forwarding using TCP / UDP but give no indication of whether the CSM predictor forward supports ICMP.

    I am having trouble pinging from an interface on the sup720 / switch fabric on a different subnet to a server on a vlan defined in the CSM as a server vlan.
    Not seeing any hits on the csm for this serverfarm.
    You said the servers can be on either the CSM or MSFC, but if put the servers to be load balanced on the MSFC, I will need to put in client Nat on the serverfarm to ensure the real server does not attempt to reply directly back to the requestee. If this is the case, does the CSS use a 1 to 1 Nat relationship or does it essentially do a many to 1 address (PAT)

  • Fault Tolerance not working between CSMs

    I have two CSM modules in two differnt switches (Bridge mode) configured for high availability. After noticing one of the CSM modules was in failed mode, I reset the module. While the module reboots I get the following messages: %CSM_SLB-4-REDUNDANCY_WARN: Module 3 FT warning: LRP: no ACK from standby.. standby may be down
    %CSM_SLB-4-TOPOLOGY: Module 3 warning: IP address conflict: ARP frame from 170.41.228.10 with MAC 00:01:64:f9:
    1a:07 received on VLAN 2.
    With both online a "show mod csm 3 ft" shows both modules active.
    I can no longer access the real servers.
    When I remove the module that I reset (Primary) I can access the servers using the backup CSM.
    Whe I remove the backup CSM and insert the Primary, I cannot acces the servers once again.
    The FT vlan is VLAN 7 configured on both switches and is the only allowed VLAN on the trunk.
    The config for the Primary CSM is:redundancy
    mode sso
    main-cpu
    auto-sync running-config
    spanning-tree mode pvst
    module ContentSwitchingModule 3
    ft group 7 vlan 7
    priority 30
    preempt
    vlan 2 client
    ip address 170.41.228.20 255.255.255.192
    gateway 170.41.228.1
    vlan 8 server
    ip address 170.41.228.20 255.255.255.192
    probe CARMENWEBPROBE tcp
    interval 10
    failed 100
    probe HTTPS tcp
    interval 10
    failed 100
    port 443
    serverfarm CARMENWEBFARM
    nat server
    no nat client
    real 170.41.228.15
    inservice
    real 170.41.228.16
    inservice
    probe HTTPS
    vserver CARMENVSERVER
    virtual 170.41.228.10 tcp 0
    serverfarm CARMENWEBFARM
    persistent rebalance
    inservice
    Trunk for VLAN 7 config :
    interface GigabitEthernet4/2
    switchport
    switchport trunk encapsulation isl
    switchport trunk allowed vlan 7
    switchport mode trunk
    no ip address
    logging event link-status
    logging event spanning-tree status
    logging event trunk-status
    Has anyone had this problem?
    Thanks, Donald

    The plan is to take a working CSM from a DR site with the same config to try in place of the not working active. I did not want to risk taking the working stanby and moving it and possibly having an outage at this time since this is a production switch being heavily utilized at the moment. I wanted to verify there was not something in the config that was not configured properly.

  • 5520 to 5525 all access rules being ignored.

    I copied my config from my old 5520 to our new 5525 and when I cut over to it from the inside out I could get to the internet no problem but from the outside in none of our access rules were working.  Could someone take a look at our config and maybe inlighten me on the problem please.  Thanks,
    http://www.ebay.com/itm/290951611556?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649
    : Saved
    : Written by admin at 02:33:30.875 EDT Mon Sep 30 2013
    ASA Version 8.6(1)2
    hostname ColASA01-HA
    domain-name corp.COMPANY.com
    names
    name 172.22.5.133 ColBarracuda description Colo Barracuda Internal
    name 74.XXX.XXX.133 ColBarracuda- description Colo Barracuda External
    name 74.XXX.XXX.132 ColVPN- description Colo VPN External
    name 172.22.5.138 ww2 description ww2 Internal
    name 74.XXX.XXX.138 ww2- description ww2 External
    name 172.22.5.139 www1 description www1 Internal
    name 74.XXX.XXX.139 www1- description www1 External
    name 172.22.5.140 www1-COMPANY.co.uk description www1 COMPANY.co.uk Internal
    name 172.22.5.143 ColSysAid description ColSysAid Internal
    name 74.XXX.XXX.143 ColSysAid- description ColSysAid External
    name 172.22.5.141 Colww3 description Colww3 Internal
    name 74.XXX.XXX.141 Colww3- description Colww3 External
    name 10.1.1.100 Facts description Facts Internal
    name 74.XXX.XXX.135 Facts- description Facts External
    name 74.XXX.XXX.144 ftp.boundree.co.uk- description ftp.COMPANY.co.uk External
    name 172.22.5.144 ftp.COMPANY.co.uk description ftp.COMPANY.co.uk Internal
    name 10.101.0.24 Dubmss01 description Voicemail Server - Internal
    name 74.XXX.XXX.145 Dubmss01- description Voicemail Sever - External
    name 172.22.5.146 ColBI01 description ColBI01 Internal
    name 74.XXX.XXX.146 ColBI01- description ColBI01 External
    name 172.22.5.147 ColMOSS01 description ColMOSS01 Internal
    name 74.XXX.XXX.147 ColMOSS01- description ColMOSS01 External
    name 172.22.5.149 ambutrak description AmbuTRAK Internal
    name 74.XXX.XXX.149 ambutrak- description AmbuTRAK External
    name 172.22.5.136 NSTrax description NSTrax Internal
    name 74.XXX.XXX.136 NSTrax- description NSTrax External
    name 172.22.5.150 btmu description BTMU Internal
    name 74.XXX.XXX.150 btmu- description BTMU External
    name 172.22.5.155 w2k-isoft description w2k-isoft Internal
    name 74.XXX.XXX.155 w2k-isoft- description w2k-isoft External
    name 172.22.5.142 Colexch01 description Colexch01 Internal
    name 172.22.5.151 Coltixdb description Coltxdb Internal
    name 74.XXX.XXX.151 Coltixdb- description Coltixdb External
    name 172.22.5.156 colexcas description colexcas Internal
    name 74.XXX.XXX.156 colexcas- description colexcas External
    name 172.22.3.74 colexcas01 description colexcas01 Internal
    name 172.22.3.75 colexcas02 description colexcas02 Internal
    name 172.22.5.157 ColFTP01 description ColFTP01 Internal
    name 74.XXX.XXX.157 ColFTP01- description ColFTP01 External
    name 172.22.5.158 www.COMPANY.com description www.COMPANY.com Internal
    name 74.XXX.XXX.158 www.COMPANY.com- description www.COMPANY.com External
    name 172.22.5.159 act.COMPANY.com description COMPANY ACT Internal - colww4
    name 74.XXX.XXX.159 act.COMPANY.com- description COMPANY ACT External
    name 172.22.3.93 test.COMPANY.com description test.COMPANY.com Internal
    name 172.22.5.161 ColdevAS2 description ColdevAS2 Internal
    name 74.XXX.XXX.160 Rewards.COMPANY.com- description COMPANY Rewards External
    name 74.XXX.XXX.153 as2.COMPANY.com- description as2.COMPANY.com External
    name 74.XXX.XXX.161 as2test.COMPANY.com- description as2test.COMPANY.com External
    name 172.22.5.153 colas2 description colas2 Internal
    name 172.22.5.160 colww5 description colww5 Internal
    name 172.22.3.91 colexcas01NLB description colexcas01 NLB Interface
    name 172.22.3.92 colexcas02NLB description colexcas02 NLB Interface
    name 172.22.3.100 ColVPN description Colo VPN Internal
    name 172.22.5.134 intra.COMPANY.com description on NewPortal
    name 74.XXX.XXX.134 intra.COMPANY.com- description It's on NewPortal
    name 10.1.0.80 asgard description asgard Internal
    name 74.XXX.XXX.163 www.COMPANY.net- description www.COMPANY.net External
    name 172.22.5.165 crmws.COMPANY.com description ColCrmRouter01 Internal
    name 74.XXX.XXX.165 crmws.COMPANY.com- description ColCrmRouter01 External
    name 10.1.5.137 dubngwt description Test Next Gen Web Farm Internal
    name 74.XXX.XXX.137 dubngwt- description Test Next Gen Web Farm External
    name 10.1.0.87 dubexcas description Dublin CAS NLB
    name 10.1.0.85 dubexcas01 description Dublin CAS Server
    name 10.1.0.86 dubexcas02 description Dublin CAS Server
    name 74.XXX.XXX.166 collync01- description Lync Edge Server External
    name 74.XXX.XXX.167 coltmg01- description TMG Server External
    name 172.23.2.166 collync01 description Lync Edge Server DMZ
    name 172.23.2.167 coltmg01 description TMG Server DMZ
    name 172.22.5.168 COMPANYfed.com description COMPANYfed.com Internal
    name 74.XXX.XXX.168 COMPANYfed.com- description COMPANYfed.com External
    name 172.22.3.60 www1.COMPANY.com description www1.COMPANY.com Internal
    name 74.XXX.XXX.169 www1.COMPANY.com- description www1.COMPANY.com External
    name 172.22.3.63 www1.COMPANYfed.com description www1.COMPANYfed.com Internal
    name 74.XXX.XXX.171 www1.COMPANYfed.com- description www1.COMPANYfed.com External
    name 172.22.3.61 www2.COMPANY.com description www2.COMPANY.com Internal
    name 74.XXX.XXX.170 www2.COMPANY.com- description www2.COMPANY.com External
    name 172.22.3.64 www2.COMPANYfed.com description www2.COMPANYfed.com Internal
    name 74.XXX.XXX.172 www2.COMPANYfed.com- description www2.COMPANYfed.com External
    name 172.22.5.154 COMPANY.com description COMPANY.com Web Farm Production
    name 74.XXX.XXX.154 COMPANY.com- description COMPANY.com Web Farm Outside
    name 184.XXX.XXX.226 PMISonicWALL description PMI SonicWALL
    name 10.10.0.0 PMI_SonicWALL-Subnet description PMI LAN
    name 10.1.0.0 DublinData description Dublin Data Network
    name 10.2.0.0 SouthavenData description Southaven Data Network
    name 10.0.0.0 BrentwoodData description Brentwood Data Network
    name 10.8.0.0 GilbertData description Gilbert Data Network
    name 10.101.0.0 DublinVoIP description Dublin VoIP Network
    name 10.110.0.0 PMI_SonicWALL-VOICSubnet
    name 172.24.3.50 ColUT04-PCITrust
    name 172.22.3.31 coldc01
    name 172.22.3.4 coldc02
    name 172.22.3.23 ColWSUS02 description Windows Update Server
    name 74.XXX.XXX.175 monitor.COMPANY.com- description PRTG Network Monitor
    name 172.22.3.150 ColPRTG01 description PRTG Monitor
    dns-guard
    interface GigabitEthernet0/0
    description Connected to Internet via COLRTR01
    speed 100
    duplex full
    shutdown
    nameif outside
    security-level 0
    ip address 74.XXX.XXX.130 255.255.255.192 standby 74.XXX.XXX.176
    ospf cost 10
    interface GigabitEthernet0/1
    description Connected to Colo LAN
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 172.22.1.8 255.255.0.0 standby 172.22.1.50
    ospf cost 10
    authentication key eigrp 10 Fiyalt1 key-id 1
    authentication mode eigrp 10 md5
    interface GigabitEthernet0/2
    nameif DMZ
    security-level 10
    ip address 172.23.2.1 255.255.255.0 standby 172.23.2.50
    ospf cost 10
    interface GigabitEthernet0/3
    description Connected to COLSW01 port 9 - PCI Trust Area (no internet)
    nameif Colo_PCI_Trust
    security-level 100
    ip address 172.24.3.1 255.255.255.0 standby ColUT04-PCITrust
    ospf cost 10
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/6
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/7
    description LAN/STATE Failover Interface
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.200.20 255.255.0.0 standby 10.1.200.21
    ospf cost 10
    management-only
    boot system disk0:/asa861-2-smp-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name corp.COMPANY.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-172.22.255.0
    subnet 172.22.255.0 255.255.255.0
    object network PMI_SonicWALL-Subnet
    subnet 10.10.0.0 255.255.0.0
    object network obj-172.24.3.0
    subnet 172.24.3.0 255.255.255.0
    object network ColWSUS02
    host 172.22.3.23
    object network ambutrak
    host 172.22.5.149
    object network ambutrak-
    host 74.XXX.XXX.149
    object network btmu
    host 172.22.5.150
    object network btmu-
    host 74.XXX.XXX.150
    object network ColBarracuda
    host 172.22.5.133
    object network ColBarracuda-
    host 74.XXX.XXX.133
    object network ColBI01
    host 172.22.5.146
    object network ColBI01-
    host 74.XXX.XXX.146
    object network colexcas
    host 172.22.5.156
    object network colexcas-
    host 74.XXX.XXX.156
    object network ColMOSS01
    host 172.22.5.147
    object network ColMOSS01-
    host 74.XXX.XXX.147
    object network COMPANY.com
    host 172.22.5.154
    object network COMPANY.com-
    host 74.XXX.XXX.154
    object network Coltixdb
    host 172.22.5.151
    object network Coltixdb-
    host 74.XXX.XXX.151
    object network Colww3
    host 172.22.5.141
    object network Colww3-
    host 74.XXX.XXX.141
    object network ColSysAid
    host 172.22.5.143
    object network ColSysAid-
    host 74.XXX.XXX.143
    object network ColVPN
    host 172.22.3.100
    object network ColVPN-
    host 74.XXX.XXX.132
    object network colas2
    host 172.22.5.153
    object network as2.COMPANY.com-
    host 74.XXX.XXX.153
    object network Dubmss01
    host 10.101.0.24
    object network Dubmss01-
    host 74.XXX.XXX.145
    object network Facts
    host 10.1.1.100
    object network Facts-
    host 74.XXX.XXX.135
    object network ftp.COMPANY.co.uk
    host 172.22.5.144
    object network ftp.boundree.co.uk-
    host 74.XXX.XXX.144
    object network NSTrax
    host 172.22.5.136
    object network NSTrax-
    host 74.XXX.XXX.136
    object network w2k-isoft
    host 172.22.5.155
    object network w2k-isoft-
    host 74.XXX.XXX.155
    object network www1
    host 172.22.5.139
    object network www1-
    host 74.XXX.XXX.139
    object network ww2
    host 172.22.5.138
    object network ww2-
    host 74.XXX.XXX.138
    object network ColFTP01
    host 172.22.5.157
    object network ColFTP01-
    host 74.XXX.XXX.157
    object network www.COMPANY.com
    host 172.22.5.158
    object network www.COMPANY.com-
    host 74.XXX.XXX.158
    object network act.COMPANY.com
    host 172.22.5.159
    object network act.COMPANY.com-
    host 74.XXX.XXX.159
    object network colww5
    host 172.22.5.160
    object network Rewards.COMPANY.com-
    host 74.XXX.XXX.160
    object network ColdevAS2
    host 172.22.5.161
    object network as2test.COMPANY.com-
    host 74.XXX.XXX.161
    object network intra.COMPANY.com
    host 172.22.5.134
    object network intra.COMPANY.com-
    host 74.XXX.XXX.134
    object network asgard
    host 10.1.0.80
    object network www.COMPANY.net-
    host 74.XXX.XXX.163
    object network crmws.COMPANY.com
    host 172.22.5.165
    object network crmws.COMPANY.com-
    host 74.XXX.XXX.165
    object network dubngwt
    host 10.1.5.137
    object network dubngwt-
    host 74.XXX.XXX.137
    object network COMPANYfed.com
    host 172.22.5.168
    object network COMPANYfed.com-
    host 74.XXX.XXX.168
    object network www1.COMPANYfed.com
    host 172.22.3.63
    object network www1.COMPANYfed.com-
    host 74.XXX.XXX.171
    object network www2.COMPANYfed.com
    host 172.22.3.64
    object network www2.COMPANYfed.com-
    host 74.XXX.XXX.172
    object network www1.COMPANY.com
    host 172.22.3.60
    object network www1.COMPANY.com-
    host 74.XXX.XXX.169
    object network www2.COMPANY.com
    host 172.22.3.61
    object network www2.COMPANY.com-
    host 74.XXX.XXX.170
    object network ColPRTG01
    host 172.22.3.150
    object network monitor.COMPANY.com-
    host 74.XXX.XXX.175
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network collync01
    host 172.23.2.166
    object network collync01-
    host 74.XXX.XXX.166
    object network coltmg01
    host 172.23.2.167
    object network coltmg01-
    host 74.XXX.XXX.167
    object-group service DM_INLINE_SERVICE_1
    service-object gre
    service-object tcp destination eq pptp
    object-group service Barracuda tcp
    port-object eq 8000
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    port-object eq ssh
    group-object Barracuda
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service DM_INLINE_TCP_5 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_7 tcp
    port-object eq www
    port-object eq https
    object-group service mySQL tcp
    description mySQL Database
    port-object eq 3306
    object-group service DM_INLINE_TCP_9 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_10 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_11 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_12 tcp
    port-object eq www
    port-object eq https
    object-group service as2 tcp
    description as2
    port-object eq 4080
    port-object eq 5080
    port-object eq https
    port-object eq 6080
    object-group network DM_INLINE_NETWORK_2
    network-object host ColBarracuda
    network-object host ww2
    network-object host www1
    network-object host colexcas01
    network-object host colexcas02
    network-object host colexcas
    network-object host test.COMPANY.com
    network-object host colexcas01NLB
    network-object host colexcas02NLB
    network-object host dubexcas01
    network-object host dubexcas02
    network-object host dubexcas
    object-group service SQLServer tcp
    description Microsoft SQL Server
    port-object eq 1433
    object-group service DM_INLINE_TCP_13 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service DM_INLINE_TCP_14 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_15 tcp
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_1
    network-object host as2.COMPANY.com-
    network-object host as2test.COMPANY.com-
    object-group service DM_INLINE_TCP_6 tcp
    port-object eq www
    port-object eq https
    object-group service rdp tcp
    description Remote Desktop Protocol
    port-object eq 3389
    object-group service DM_INLINE_TCP_8 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_16 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_17 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_4 tcp
    port-object eq www
    port-object eq https
    object-group service LyncEdge tcp-udp
    description sip-tls, 443, 444, rtp 50000-59999, stun udp 3478
    port-object eq 3478
    port-object eq 443
    port-object eq 444
    port-object range 50000 59999
    port-object eq 5061
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_18 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_19 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_20 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_21 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_TCP_22 tcp
    port-object eq www
    port-object eq https
    object-group network PMIVPNNetworks
    description VPN Networks to PMI
    network-object BrentwoodData 255.255.0.0
    network-object DublinData 255.255.0.0
    network-object SouthavenData 255.255.0.0
    network-object GilbertData 255.255.0.0
    network-object 172.22.0.0 255.255.0.0
    network-object DublinVoIP 255.255.0.0
    object-group network PMI_SonicWALL-Subnets
    network-object PMI_SonicWALL-Subnet 255.255.0.0
    network-object PMI_SonicWALL-VOICSubnet 255.255.0.0
    object-group network COLDCs
    network-object host coldc01
    network-object host coldc02
    access-list inside_access_in remark Allow SMTP from certain servers.
    access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
    access-list inside_access_in remark No SMTP except from allowed servers
    access-list inside_access_in extended deny tcp any any eq smtp log errors
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in remark For debugging (can enable logging)
    access-list inside_access_in extended deny ip any any
    access-list outside_access_in remark Allow Ping
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in remark Allow VPN
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ColVPN-
    access-list outside_access_in remark Allow SMTP, HTTP, and HTTPS to the Exchange CAS NLB Cluster
    access-list outside_access_in extended permit tcp any object colexcas- object-group DM_INLINE_TCP_13
    access-list outside_access_in remark Allow SMTP, SSH, and Web
    access-list outside_access_in extended permit tcp any object ColBarracuda- object-group DM_INLINE_TCP_1
    access-list outside_access_in remark Allow HTTP and HTTPS to AmbuTRAK
    access-list outside_access_in extended permit tcp any object ambutrak- object-group DM_INLINE_TCP_10
    access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to ww2
    access-list outside_access_in extended permit tcp any object ww2- object-group DM_INLINE_TCP_2
    access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to www1
    access-list outside_access_in extended permit tcp any object www1- object-group DM_INLINE_TCP_3
    access-list outside_access_in remark Allow portal.bouindtree.com to COLMOSS01
    access-list outside_access_in extended permit tcp any object ColMOSS01- object-group DM_INLINE_TCP_9
    access-list outside_access_in remark Allow HTTP and HTTPS to ems.COMPANY.com
    access-list outside_access_in extended permit tcp any object Colww3- object-group DM_INLINE_TCP_5
    access-list outside_access_in remark Allow HTTP and HTTPS to helpdesk.COMPANY.com
    access-list outside_access_in extended permit tcp any object ColSysAid- object-group DM_INLINE_TCP_7
    access-list outside_access_in remark Allow SSH to Facts
    access-list outside_access_in extended permit tcp any object Facts- eq ssh inactive
    access-list outside_access_in remark Allow mySQL to NSTrax for IQ
    access-list outside_access_in extended permit tcp any object NSTrax- object-group mySQL inactive
    access-list outside_access_in remark Allow FTP to ftp.COMPANY.co.uk
    access-list outside_access_in extended permit tcp any object ftp.boundree.co.uk- eq ftp inactive
    access-list outside_access_in remark Allow IMAP to the Voice Mail Server
    access-list outside_access_in extended permit tcp any object Dubmss01- eq imap4
    access-list outside_access_in remark Permit HTTPS to ColBI01 for https://reports.COMPANY.com
    access-list outside_access_in extended permit tcp any object ColBI01- eq https inactive
    access-list outside_access_in remark Allow FTP to btmu.COMPANY.com
    access-list outside_access_in extended permit tcp any object btmu- eq ftp
    access-list outside_access_in remark Allow HTTP and HTTPS to colngwt - the Test Next Gen Web Farm
    access-list outside_access_in extended permit tcp any object dubngwt- object-group DM_INLINE_TCP_17 inactive
    access-list outside_access_in remark Allow HTTP and HTTPS to COMPANYfed.com
    access-list outside_access_in extended permit tcp any object COMPANYfed.com- object-group DM_INLINE_TCP_18
    access-list outside_access_in remark Allow HTTP and HTTPS to colngwp - the Next Gen Web Farm
    access-list outside_access_in extended permit tcp any object COMPANY.com- object-group DM_INLINE_TCP_11
    access-list outside_access_in remark Allow HTTP and HTTPS to Colww5, which is one of our web servers.
    access-list outside_access_in remark rewards.COMPANY.com is going live first on this web server.
    access-list outside_access_in extended permit tcp any object Rewards.COMPANY.com- object-group DM_INLINE_TCP_12
    access-list outside_access_in remark Allow HTTP and HTTPS to act.COMPANY.com
    access-list outside_access_in extended permit tcp any object act.COMPANY.com- object-group DM_INLINE_TCP_15
    access-list outside_access_in remark Allow AS2 (443, 4080, 5080, 6080) to the AS2 Production and Test Machines
    access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group as2
    access-list outside_access_in remark Allow HTTP and HTTPS to www.COMPANY.com
    access-list outside_access_in extended permit tcp any object www.COMPANY.com- object-group DM_INLINE_TCP_14
    access-list outside_access_in remark Allow AS2 to w2k-isoft
    access-list outside_access_in extended permit tcp any object w2k-isoft- object-group as2
    access-list outside_access_in remark All SQL Server (SSL) to Coltixdb
    access-list outside_access_in extended permit tcp any object Coltixdb- object-group SQLServer
    access-list outside_access_in remark Allow FTP to ColFTP01
    access-list outside_access_in extended permit tcp any object ColFTP01- eq ftp
    access-list outside_access_in remark allow http/https access in intra.COMPANY.com
    access-list outside_access_in extended permit tcp any object intra.COMPANY.com- object-group DM_INLINE_TCP_6
    access-list outside_access_in remark Allow http and https to asgard
    access-list outside_access_in extended permit tcp any object www.COMPANY.net- object-group DM_INLINE_TCP_8
    access-list outside_access_in remark Allow HTTP and HTTPS to ColCrmRouter01 (crmws.COMPANY.com)
    access-list outside_access_in extended permit tcp any object crmws.COMPANY.com- object-group DM_INLINE_TCP_16
    access-list outside_access_in remark Allow HTTP and HTTPS to coltmg01
    access-list outside_access_in extended permit tcp any object coltmg01- object-group DM_INLINE_TCP_4
    access-list outside_access_in remark Allow Lync Edgel traffic to collync01
    access-list outside_access_in extended permit object-group TCPUDP any object collync01- object-group LyncEdge
    access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANY.com
    access-list outside_access_in extended permit tcp any object www1.COMPANY.com- object-group DM_INLINE_TCP_19
    access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANY.com
    access-list outside_access_in extended permit tcp any object www2.COMPANY.com- object-group DM_INLINE_TCP_20
    access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANYfed.com
    access-list outside_access_in extended permit tcp any object www1.COMPANYfed.com- object-group DM_INLINE_TCP_21
    access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANYfed.com
    access-list outside_access_in extended permit tcp any object www2.COMPANYfed.com- object-group DM_INLINE_TCP_22
    access-list outside_access_in extended permit tcp any object monitor.COMPANY.com- eq www
    access-list outside_access_in remark For debugging (can enable logging)
    access-list outside_access_in extended deny ip any any
    access-list inside_nat0_outbound extended permit ip any 172.22.255.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group PMIVPNNetworks object PMI_SonicWALL-Subnet
    access-list inside_nat0_outbound remark Domain Controller one to many rule so PCI Trust servers can reslove DNS names and authenticate.
    access-list inside_nat0_outbound extended permit ip object-group COLDCs 172.24.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object ColWSUS02 172.24.3.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip object-group PMIVPNNetworks object-group PMI_SonicWALL-Subnets
    access-list Colo_PCI_Trust_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm warnings
    logging mail critical
    logging from-address [email protected]
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu Colo_PCI_Trust 1500
    mtu management 1500
    ip local pool vpnphone-ip-pool 172.22.255.1-172.22.255.254 mask 255.255.255.0
    failover
    failover lan unit primary
    failover lan interface HA GigabitEthernet0/7
    failover key Fiyalt!
    failover link HA GigabitEthernet0/7
    failover interface ip HA 172.16.200.1 255.255.255.248 standby 172.16.200.2
    no monitor-interface DMZ
    no monitor-interface Colo_PCI_Trust
    no monitor-interface management
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit 172.24.3.0 255.255.255.0 Colo_PCI_Trust
    asdm image disk0:/asdm-66114.bin
    asdm location ColVPN- 255.255.255.255 inside
    asdm location ColBarracuda- 255.255.255.255 inside
    asdm location ColBarracuda 255.255.255.255 inside
    asdm location ww2- 255.255.255.255 inside
    asdm location www1- 255.255.255.255 inside
    asdm location ww2 255.255.255.255 inside
    asdm location www1 255.255.255.255 inside
    asdm location Colww3- 255.255.255.255 inside
    asdm location Colww3 255.255.255.255 inside
    asdm location ColSysAid- 255.255.255.255 inside
    asdm location ColSysAid 255.255.255.255 inside
    asdm location Facts 255.255.255.255 inside
    asdm location Facts- 255.255.255.255 inside
    asdm location NSTrax- 255.255.255.255 inside
    asdm location ftp.boundree.co.uk- 255.255.255.255 inside
    asdm location ftp.COMPANY.co.uk 255.255.255.255 inside
    asdm location Dubmss01 255.255.255.255 inside
    asdm location Dubmss01- 255.255.255.255 inside
    asdm location ColBI01- 255.255.255.255 inside
    asdm location ColBI01 255.255.255.255 inside
    asdm location ColMOSS01 255.255.255.255 inside
    asdm location ColMOSS01- 255.255.255.255 inside
    asdm location ambutrak- 255.255.255.255 inside
    asdm location ambutrak 255.255.255.255 inside
    asdm location NSTrax 255.255.255.255 inside
    asdm location btmu- 255.255.255.255 inside
    asdm location btmu 255.255.255.255 inside
    asdm location COMPANY.com- 255.255.255.255 inside
    asdm location COMPANY.com 255.255.255.255 inside
    asdm location as2.COMPANY.com- 255.255.255.255 inside
    asdm location colas2 255.255.255.255 inside
    asdm location w2k-isoft- 255.255.255.255 inside
    asdm location w2k-isoft 255.255.255.255 inside
    asdm location Coltixdb- 255.255.255.255 inside
    asdm location Coltixdb 255.255.255.255 inside
    asdm location colexcas- 255.255.255.255 inside
    asdm location colexcas01 255.255.255.255 inside
    asdm location colexcas02 255.255.255.255 inside
    asdm location colexcas 255.255.255.255 inside
    asdm location ColFTP01- 255.255.255.255 inside
    asdm location ColFTP01 255.255.255.255 inside
    asdm location www.COMPANY.com- 255.255.255.255 inside
    asdm location www.COMPANY.com 255.255.255.255 inside
    asdm location act.COMPANY.com- 255.255.255.255 inside
    asdm location act.COMPANY.com 255.255.255.255 inside
    asdm location Rewards.COMPANY.com- 255.255.255.255 inside
    asdm location colww5 255.255.255.255 inside
    asdm location as2test.COMPANY.com- 255.255.255.255 inside
    asdm location ColdevAS2 255.255.255.255 inside
    asdm location test.COMPANY.com 255.255.255.255 inside
    asdm location colexcas01NLB 255.255.255.255 inside
    asdm location colexcas02NLB 255.255.255.255 inside
    asdm location ColVPN 255.255.255.255 inside
    asdm location intra.COMPANY.com- 255.255.255.255 inside
    asdm location intra.COMPANY.com 255.255.255.255 inside
    asdm location asgard 255.255.255.255 inside
    asdm location www.COMPANY.net- 255.255.255.255 inside
    asdm location crmws.COMPANY.com- 255.255.255.255 inside
    asdm location crmws.COMPANY.com 255.255.255.255 inside
    asdm location dubngwt- 255.255.255.255 inside
    asdm location dubngwt 255.255.255.255 inside
    asdm location dubexcas01 255.255.255.255 inside
    asdm location dubexcas02 255.255.255.255 inside
    asdm location dubexcas 255.255.255.255 inside
    asdm location collync01- 255.255.255.255 inside
    asdm location coltmg01- 255.255.255.255 inside
    asdm location collync01 255.255.255.255 inside
    asdm location coltmg01 255.255.255.255 inside
    asdm location COMPANYfed.com- 255.255.255.255 inside
    asdm location COMPANYfed.com 255.255.255.255 inside
    asdm location www1.COMPANY.com- 255.255.255.255 inside
    asdm location www2.COMPANY.com- 255.255.255.255 inside
    asdm location www1.COMPANYfed.com- 255.255.255.255 inside
    asdm location www2.COMPANYfed.com- 255.255.255.255 inside
    asdm location www1.COMPANY.com 255.255.255.255 inside
    asdm location www2.COMPANY.com 255.255.255.255 inside
    asdm location www1.COMPANYfed.com 255.255.255.255 inside
    asdm location www2.COMPANYfed.com 255.255.255.255 inside
    asdm location PMI_SonicWALL-Subnet 255.255.0.0 inside
    asdm location PMISonicWALL 255.255.255.255 inside
    asdm location BrentwoodData 255.255.0.0 inside
    asdm location GilbertData 255.255.0.0 inside
    asdm location coldc01 255.255.255.255 inside
    asdm location coldc02 255.255.255.255 inside
    asdm location ColWSUS02 255.255.255.255 inside
    asdm location monitor.COMPANY.com- 255.255.255.255 inside
    asdm location ColPRTG01 255.255.255.255 inside
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static any any destination static obj-172.22.255.0 obj-172.22.255.0 no-proxy-arp
    nat (inside,any) source static PMIVPNNetworks PMIVPNNetworks destination static PMI_SonicWALL-Subnet PMI_SonicWALL-Subnet no-proxy-arp
    nat (inside,any) source static COLDCs COLDCs destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
    nat (inside,any) source static ColWSUS02 ColWSUS02 destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
    object network ambutrak
    nat (inside,outside) static ambutrak-
    object network btmu
    nat (inside,outside) static btmu-
    object network ColBarracuda
    nat (inside,outside) static ColBarracuda-
    object network ColBI01
    nat (inside,outside) static ColBI01-
    object network colexcas
    nat (inside,outside) static colexcas-
    object network ColMOSS01
    nat (inside,outside) static ColMOSS01-
    object network COMPANY.com
    nat (inside,outside) static COMPANY.com-
    object network Coltixdb
    nat (inside,outside) static Coltixdb-
    object network Colww3
    nat (inside,outside) static Colww3-
    object network ColSysAid
    nat (inside,outside) static ColSysAid-
    object network ColVPN
    nat (inside,outside) static ColVPN-
    object network colas2
    nat (inside,outside) static as2.COMPANY.com-
    object network Dubmss01
    nat (inside,outside) static Dubmss01-
    object network Facts
    nat (inside,outside) static Facts-
    object network ftp.COMPANY.co.uk
    nat (inside,outside) static ftp.COMPANY.co.uk-
    object network NSTrax
    nat (inside,outside) static NSTrax-
    object network w2k-isoft
    nat (inside,outside) static w2k-isoft-
    object network www1
    nat (inside,outside) static www1-
    object network ww2
    nat (inside,outside) static ww2-
    object network ColFTP01
    nat (inside,outside) static ColFTP01-
    object network www.COMPANY.com
    nat (inside,outside) static www.COMPANY.com-
    object network act.COMPANY.com
    nat (inside,outside) static act.COMPANY.com-
    object network colww5
    nat (inside,outside) static Rewards.COMPANY.com-
    object network ColdevAS2
    nat (inside,outside) static as2test.COMPANY.com-
    object network intra.COMPANY.com
    nat (inside,outside) static intra.COMPANY.com-
    object network asgard
    nat (inside,outside) static www.COMPANY.net-
    object network crmws.COMPANY.com
    nat (inside,outside) static crmws.COMPANY.com-
    object network dubngwt
    nat (inside,outside) static dubngwt-
    object network COMPANYfed.com
    nat (inside,outside) static COMPANYfed.com-
    object network www1.COMPANYfed.com
    nat (inside,outside) static www1.COMPANYfed.com-
    object network www2.COMPANYfed.com
    nat (inside,outside) static www2.COMPANYfed.com-
    object network www1.COMPANY.com
    nat (inside,outside) static www1.COMPANY.com-
    object network www2.COMPANY.com
    nat (inside,outside) static www2.COMPANY.com-
    object network ColPRTG01
    nat (inside,outside) static monitor.COMPANY.com-
    object network obj_any
    nat (inside,outside) dynamic 74.XXX.XXX.131
    object network collync01
    nat (DMZ,outside) static collync01-
    object network coltmg01
    nat (DMZ,outside) static coltmg01-
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group Colo_PCI_Trust_access_in in interface Colo_PCI_Trust
    router eigrp 10
    no auto-summary
    eigrp router-id 172.22.1.8
    network 172.22.0.0 255.255.0.0
    route outside 0.0.0.0 0.0.0.0 74.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Colo protocol radius
    aaa-server Colo (inside) host coldc02
    timeout 5
    key Bound/\Tree
    radius-common-pw Bound/\Tree
    aaa-server Colo (inside) host coldc01
    timeout 5
    key Bound/\Tree
    user-identity default-domain LOCAL
    http server enable
    http 172.22.0.0 255.255.0.0 inside
    http DublinData 255.255.0.0 inside
    http DublinData 255.255.0.0 management
    snmp-server host inside 10.1.0.59 community public
    snmp-server host inside ColPRTG01 community public
    snmp-server location Columbus, OH - Colo
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer PMISonicWALL
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 set nat-t-disable
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    telnet BrentwoodData 255.0.0.0 inside
    telnet coldc02 255.255.255.255 inside
    telnet DublinData 255.255.0.0 management
    telnet timeout 5
    ssh 172.22.0.0 255.255.0.0 inside
    ssh DublinData 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 74.14.179.211 source outside prefer
    ntp server 69.64.72.238 source outside prefer
    ntp server coldc02 source inside
    ntp server 74.120.8.2 source outside prefer
    ntp server 108.61.56.35 source outside prefer
    ntp server coldc01 source inside
    webvpn
    group-policy GroupPolicy_74.XXX.XXX.130 internal
    group-policy GroupPolicy_74.XXX.XXX.130 attributes
    vpn-tunnel-protocol ikev1
    group-policy VPNPHONE internal
    group-policy VPNPHONE attributes
    dns-server value 172.22.3.4 172.22.3.31
    vpn-tunnel-protocol ikev1
    default-domain value corp.COMPANY.com
    tunnel-group VPNPHONE type remote-access
    tunnel-group VPNPHONE general-attributes
    address-pool vpnphone-ip-pool
    authentication-server-group Colo
    default-group-policy VPNPHONE
    tunnel-group VPNPHONE ipsec-attributes
    ikev1 pre-shared-key *
    tunnel-group 184.XXX.XXX.226 type ipsec-l2l
    tunnel-group 184.XXX.XXX.226 ipsec-attributes
    ikev1 pre-shared-key *
    peer-id-validate nocheck
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect tftp
      inspect http
      inspect icmp
      inspect pptp
      inspect icmp error
      inspect ip-options
    class class-default
    service-policy global_policy global
    smtp-server 172.22.5.156
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 18
      subscribe-to-alert-group configuration periodic monthly 18
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:65e78911eefb94bd98892700b143f716
    : end

    Hi,
    Any ASA using software 8.3 or above that does Static NAT between private and public IP addresses (or any NAT at all) and you want to allow traffic from public network to those Static NATed servers you will need to use the local/real IP address in the ACL statements.
    If your ASA5520 was running 8.3 or above software levels then there should be no major changes compared to an ASA5525-X running 8.6 software level.
    The only situation I can think of right now is if you had used ASA5520 with software 8.2 or below BUT in that case you WOULD NOT have been able to directly copy/paste the configuration to the ASA5525-X device as the lowest software level that the ASA5525-X supports is 8.6(1)
    So I am kind of wondering what the situation has actually been.
    But one thing is certain. You need to use the real/local IP address of the server in the ACL rules even if you are allowing traffic from the public/external network.
    The "packet-tracer" test used to simulate a connection coming to one of your Static NAT public IP address should also tell if your ACLs are configured correctly, among other things.
    - Jouni

  • How to Configure Transparent caching on Cat 6500 with CSM in routed mode

    I am trying to configure Transparent caching on Cat 6500 with CSM in routed mode, but facing some problems in it , also I have gone thru the example config on cisco site for transparent caching using CSM on Cat 6500 , but the above does not fit my clients requirement.
    The scenario is like
    Access Switches - Cat6500 with MSFC & CSM - Internet Router
    |
    Cache Engines and Real servers
    The clients as well as real servers are on seperate VLANs (L3) and the requirement is to load balance the internet traffic using cache engines.
    I'd really appreciate any helpful suggestions or any useful links/docs/info on this.
    Thanks
    kumar

    Hello Joerg,
    Thanks for the reply.
    I have already gone thru the sample config shown by this weblink, however this link refers to configuring transparent caching on the CSM in BRIDGED MODE ( i.e both the client and server vlans are having the same IP address ) but in our case , we have multiple L3 VLANS on the CAT6509 having IP addresses in different SUBNETS , and the Real servers to be used for caching also exist on one of these VLANS. Thus, the scenario described by the Weblink does not apply here. Also , in the configuration referred by the above weblink, the VLAN 100 is configured as client , however the endusers are shown to be on vlan200 which is configured as SERVER VLAN in the CSM.
    Dont you think there is something wrong here, I mean the endusers should be on VLAN 100 (Client) and real servers on VLAN 200 (SERVER).
    So, I have to configure CSM in routed mode ( i.e both the client and server vlans will have seperate IP addresses in different subnets ) and the endusers will be on all VLANS .
    Pls let me know , how I can implement this solution.
    Thanks again
    Sudhir

  • CSM is stripping tcp options when stickyness is configured

    Hello,
    I've found, what i think is a bug, in our CSM and want to share, and hopefully you've something to add (or solve?)
    cisco CSM software 4.2.11 on a 6509 chassis, software 12.2.18 SXF15a
    When configured a VIP with either ssl stickiness or regular stickiness, i noticed that the CSM is stripping all tcp options (except mss) in the first tcp/ip syn packet.
    so, loosing tcp options like: Selective ACK, window scaling, tcp timestamps, which are the basics of high performance TCP/IP.
    Without stickness, the tcp options are not touched.
    Does anyone recognize this phenomena ?
    Any Idea's?
    PS: i noticed this after a complaint of a very slow website hosted by us in combination of some packetloss at the client.
    Regards,
    Arjan Filius

    Hello,
    Thanks for your reaction and questions.
    I took only some "random samples" and noticed the difference (finally after "some hours" that:
    -Sticki configured VIP/serverfarm, accessed on the VIP will strip all tcp options.
    -accessing the real servers not.
    as it concerns (in hour case) all same NIC's, NIC/server/client issues are excluded.
    In our case there is no other device involved (with the two cases, via VIP and direct to real) othere then die CSM itself.
    Regards,
    Arjan Filius
    PS: i'm a month on holiday after today, a colleague will attend this thread.

  • Remote Access VPN - add new internal IP

    Hi 
    I have a existing Cisco VPN client configuration into ASA 5510 for remote access.
    Group name : ISETANLOT10
    Group password  : xxxx
    IP pool : lot10ippool, 172.27.17.240 - 172.27.17.245
    enycrption : 3DES
    authentication : SHA
    the connection was successful and i was able to ping to the internal server of 172.47.1.10.
    Now there is request for the same VPN remote access to be able to ping access a new server inside LAN, 172.57.1.10 & 172.57.1.20
    But with the same VPN access, i was unable to ping both new IP.
    How can i add in the both IP to be able to ping using the same remote access VPN config?
    I attached below existing config (edited version)
    ===
    : Saved
    ASA Version 8.0(4) 
    hostname asalot10
    names
    name 172.17.100.22 NAVNew
    name 172.27.17.215 NECUser
    name 172.47.1.10 NarayaServer description Naraya Server
    name 62.80.122.172 NarayaTelco1
    name 62.80.122.178 NarayaTelco2
    name 172.57.1.10 IPVSSvr description IPVSSvr
    name 122.152.181.147 Japan01
    name 122.152.181.0 Japan02
    name 175.139.156.174 Outside_Int
    name 178.248.228.121 NarayaTelco3
    name 172.67.1.0 VCGroup
    name 172.57.1.20 IPVSSvr2
    object-group service NECareService
     description Remote NECareService
     service-object tcp eq https 
     service-object tcp eq ssh 
     service-object icmp echo-reply
    access-list inside_access_in extended deny ip any Japan02 255.255.255.0 
    access-list inside_access_in extended permit ip VCGroup 255.255.255.0 any 
    access-list inside_access_in extended deny tcp object-group PermitInternet any object-group torrent1 
    access-list inside_access_in extended permit ip object-group PermitInternet any log disable 
    access-list inside_access_in extended permit ip host NarayaServer any log disable 
    access-list inside_access_in extended permit ip host IPVSSvr any 
    access-list inside_access_in extended permit ip host NAVNew any log disable 
    access-list inside_access_in extended permit ip host 172.17.100.30 any 
    access-list outside_access_in extended permit object-group NECareService object-group NECare any 
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host NarayaServer 
    access-list outsidein extended permit tcp any host Outside_Int eq https 
    access-list outsidein extended permit object-group rdp any host Outside_Int log debugging 
    access-list outsidein extended permit tcp object-group DM_INLINE_NETWORK_2 host Outside_Int eq 8080 
    access-list outsidein extended permit ip object-group DM_INLINE_NETWORK_3 host IPVSSvr 
    access-list inside_mpc extended permit object-group TCPUDP any any eq www 
    access-list inside_mpc extended permit tcp any any eq www 
    access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248 
    access-list inside_nat0_outbound extended permit ip host NarayaServer object-group Nry_Png 
    access-list inside_nat0_outbound extended permit ip host IPVSSvr2 172.27.17.240 255.255.255.248 
    access-list outside_cryptomap extended permit ip object-group Naraya_Png object-group Nry_Png 
    global (outside) 10 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255 
    static (inside,outside) tcp interface 3389 NAVNew 3389 netmask 255.255.255.255 
    static (inside,outside) tcp interface ssh IPVSSvr2 ssh netmask 255.255.255.255 
    access-group outsidein in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 175.139.156.173 1
    route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
    route inside NAVNew 255.255.255.255 172.27.17.100 1
    route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
    route inside NarayaServer 255.255.255.255 172.27.17.100 1
    route inside 172.47.1.11 255.255.255.255 172.27.17.100 1
    route inside VCGroup 255.255.255.0 172.27.17.100 1
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 218.x.x.105 
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    group-policy ISETANLOT10 internal
    group-policy ISETANLOT10 attributes
     dns-server value 172.27.17.100
     vpn-tunnel-protocol IPSec l2tp-ipsec 
    username nectier3 password dPFBFnrViJi/LGbT encrypted privilege 0
    username nectier3 attributes
     vpn-group-policy ISETANLOT10
    username necare password BkPn6VQ0VwTy7MY7 encrypted privilege 0
    username necare attributes
     vpn-group-policy ISETANLOT10
    username naraya password pcGKDau9jtKgFWSc encrypted
    username naraya attributes
     vpn-group-policy ISETANLOT10
     service-type nas-prompt
    tunnel-group ISETANLOT10 type remote-access
    tunnel-group ISETANLOT10 general-attributes
     address-pool lot10ippool
     default-group-policy ISETANLOT10
    tunnel-group ISETANLOT10 ipsec-attributes
     pre-shared-key *
    tunnel-group 218.x.x.105 type ipsec-l2l
    tunnel-group 218.x.x.105 ipsec-attributes
     pre-shared-key *
    tunnel-group ivmstunnel type remote-access
    tunnel-group ivmstunnel general-attributes
     address-pool lot10ippool
    tunnel-group ivmstunnel ipsec-attributes
     pre-shared-key *
    !=====

    The remote access VPN should allow the connection but I am guessing your ASA doesn't know how to route to the two new destinations.
    You have a name and static route for the working server at 172.47.1.10:
    name 172.47.1.10 NarayaServer description Naraya Server
    route inside NarayaServer 255.255.255.255 172.27.17.100 1
    ..but no equivalent for the two new hosts. As a result, any traffic from the ASA destined for them will attempt to use the default route (via the outside interface).
    If you add:
    route inside 172.57.1.10 255.255.255.255 172.27.17.100
    route inside 172.57.1.20 255.255.255.255 172.27.17.100
    (assuming that's your correct gateway), it should work.

  • How to install the NI-DAQmx driver on a real time target PC?

    Hi, I’m painful about how I can install a PCI-6363 DAQmx on my real time desktop PC target. The PCI-6363 is directly connected to the real time PC. And I’m using LabVIEW 2011 and MAX 5.0. 
    The DAQmx device driver can be seen in software lIst in the host PC, but it can not be found in the install wizard. Is there something wrong with my host PC? or is that wrong to connect PCI-6363 with real time desktop PC?
    I would be grateful for any advice that I could get here.
    Solved!
    Go to Solution.

    Hi Zhleo,
    If you are about to use the PCI-6363 with the Real-Time Desktop you are right you need to have it installed, and then you need to deploy DAQmx driver software to the real-time target.
    To do that you access your real-time desktop under Remote Systems in MAX and start the Real-Time Software Wizard. There you should see DAQmx listed. 
    In case you do not have DAQmx listed there, see this KB: Deploying DAQmx to a Real-Time Controller or PC?
    Regards,
    Eirikur Runarsson
    Platinum Applications Engineer
    NI Denmark

Maybe you are looking for