Bandwidth decrease in the inside network.

Similar Messages

• The inside network is accessable only through IPsec, do I need enable ios FW?

  I'm building a remote site, and the only traffic in or out of their inside network is via IPsec tunnels.  There is no unecrypted access to the internet.  Should I still configure the ISR firewall?  If so , why?

  If I get your set correctly imagined (haha)
  Anyway, it really depends on you:
  However, for full-tunnel setup, w/c i think you have set-up there, you can enable it for better QoS and basic site blocking as well
  for split-tunnel, then configure it in your remote site.
  Stateless firewall configuration in IOS really is handly, though reporting wise, its not that friendly. 
  Best part of stateless firewall is it can be content based.
  EX: 
  class-map match-any FILTER
    match protocol http host *yahoo* 
    match protocol facebook 
    match protocol youtube
  #class-map type urlfilter match-any CONTENT_DROP
    #match url category Adult-Mature-Content
  There are more protocols as well, and (i think) even p2p protocol can be blocked (utorrent, bitorrent etc)
  Content filtering however is a subscription license and needs to be registered/enabled
  SEE: http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html

• ASA 5505 VPN no access to inside network

  Trying to set up ipsec/l2tp vpn to provide full access to internal network for remote users with only Windows built-in vpn client.
  The vpn client can connect successfully, but can't see anything on the inside network.
  The ASA is not the gateway for hosts on the internal network
  name x.y.z.129 isp-gateway
  name 172.16.1.0 vpn-address-pool
  name 10.11.10.0 inside-network
  name x.y.z.128 outside-network
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list vpn extended permit ip inside-network 255.255.254.0 vpn-address-pool 255.255.255.0
  access-list outside_access_in extended permit ip any any
  global (outside) 1 interface
  nat (outside) 1 vpn-address-pool 255.255.255.0
  nat (inside) 0 access-list vpn
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 isp-gateway 1
  ciscoasa# show route
  Gateway of last resort is cic-gateway to network 0.0.0.0
  C    outside-network 255.255.255.128 is directly connected, outside
  S    172.16.1.5 255.255.255.255 [1/0] via isp-gateway, outside
  C    inside-network 255.255.254.0 is directly connected, inside
  S*   0.0.0.0 0.0.0.0 [1/0] via isp-gateway, outside

  Do you configure split tunnel or no split tunnel policy?
  Also when you are connected and try to access internal network, can you pls share the output of :
  show cry isa sa
  show cry ipsec sa

• VPN clients cannot access inside network

  I have a ASA 5505 that I am using as a VPN appliance. The outside interface is connected to the DMZ (172.16.2.10) and the inside to our internal network (10.27.1.12). VPN clients are assigned an address in the range 10.27.2.2-10.27.2.20. A 1841 is the router and firewall for the network. Recently the ASA lost power when a UPS went down and now VPN clients can no longer access anything on the inside network. Config is attached. Help.

  I realized after I posted that I should have a connection active when running this command. Here is the results:
  Result of the command: "show crypto ipsec sa"
  interface: outside
  Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)
  current_peer: 169.130.14.253, username: kenz
  dynamic allocated peer ip: 10.27.2.2
  #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0
  local crypto endpt.: 172.16.2.10, remote crypto endpt.: 169.130.14.253
  path mtu 1500, ipsec overhead 58, media mtu 1500
  current outbound spi: 208F45F5
  inbound esp sas:
  spi: 0x2026D973 (539416947)
  transform: esp-3des esp-sha-hmac none
  in use settings ={RA, Tunnel, }
  slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
  sa timing: remaining key lifetime (sec): 28406
  IV size: 8 bytes
  replay detection support: Y
  outbound esp sas:
  spi: 0x208F45F5 (546260469)
  transform: esp-3des esp-sha-hmac none
  in use settings ={RA, Tunnel, }
  slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
  sa timing: remaining key lifetime (sec): 28406
  IV size: 8 bytes
  replay detection support: Y
  So it looks like there are encrypts but no decrypts. What should I do now?

• How to manage c877(outside) in RFC1483 mode through ASA5505 from (inside)network

  Hi All
  Here is a quick summary of my network setup.
  ISP ADSL2 -- C877 Router(RFC1483) -- ASA5505(PPPoE) -- Internal network(s).
  I am trying to figure out how to correctly configure my C877 & my ASA so I can telnet and manage the C877 from one of the inside networks on the ASA5505.
  With the current configuration I can ping the C877 but only from the outside (PPPoE) interface of my ASA5505. I cannot connect to it from any other inside network.
  Interface connectivity is as follows:
  ISP <-> C877 PoTS
  C877 FA/0 <-> ASA Eth0/0[outside_public] [Zone SEC=0]
  ASA Eth0/1[inside_private][Zone SEC=100] <-> HP L2 Switch
  HP L2 Switch <-> Home PC.
  Device IPs:
  Cisco ASA [inside_private] gateway IP = 192.168.50.1 / 24
  Home PC = 192.168.50.81 / 24
  Router C877 IP = 192.168.50.2 / 24
  Everything is working as expected, except I want to be able to manage the C877 from the Home PC, but currently I am not able to establish any connectivity to the C877 from the [inside_private] network.
  Here is what I have tried so far but without luck:
  Connected (a 2nd) network cable from the C877 to the L2 switch. No connectivity from the Home PC.
  Connected (a 2nd) network cable from the C877 to ASA on another interface added to the [inside_private] network. No connectivity from the Home PC.
  Any help much appreciated!
  C877 config below:
  Current configuration : 1422 bytes
  version 15.1
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname c877
  boot-start-marker
  boot-end-marker
  no aaa new-model
  clock timezone UTC 11 0
  crypto pki token default removal timeout 0
  dot11 syslog
  ip source-route
  ip cef
  ip domain name --CUT--
  no ipv6 cef
  multilink bundle-name authenticated
  username --CUT-- privilege 15 password 7 --CUT--
  bridge irb
  interface ATM0
   no ip address
   no atm ilmi-keepalive
   bridge-group 1
   pvc 8/35
    encapsulation aal5snap
  interface FastEthernet0
   no ip address
  interface FastEthernet1
   no ip address
  interface FastEthernet2
   no ip address
  interface FastEthernet3
   no ip address
  interface Dot11Radio0
   no ip address
   shutdown
   speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
   station-role root
  interface Vlan1
   no ip address
   bridge-group 1
  interface BVI1
   ip address 192.168.50.2 255.255.255.0
  ip default-gateway 192.168.50.1
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  snmp-server community public RO
  snmp-server ifindex persist
  control-plane
  bridge 1 protocol ieee
  line con 0
   exec-timeout 0 0
   logging synchronous
   no modem enable
  line aux 0
  line vty 0 4
   exec-timeout 0 0
   logging synchronous
   login local
   transport input all
  end
  ASA5505 config below:
  ASA Version 9.1(3)
  hostname asa5505
  enable password --CUT-- encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd --CUT-- encrypted
  names
  interface Ethernet0/0
   switchport access vlan 10
  interface Ethernet0/1
  interface Ethernet0/2
   switchport access vlan 20
  interface Ethernet0/3
   switchport access vlan 30
  interface Ethernet0/4
   switchport access vlan 40
  interface Ethernet0/5
  interface Ethernet0/6
   switchport access vlan 70
  interface Ethernet0/7
   switchport access vlan 70
  interface Vlan1
   nameif inside_private
   security-level 100
   ip address 192.168.50.1 255.255.255.0
  interface Vlan10
   nameif outside_public
   security-level 0
   pppoe client vpdn group ADSL2
   ip address pppoe setroute
  interface Vlan20
   nameif inside_dmz
   security-level 70
   ip address 192.168.60.1 255.255.255.0
  interface Vlan30
   nameif inside_guest
   security-level 50
   ip address 192.168.70.1 255.255.255.0
  interface Vlan40
   nameif inside_experimental
   security-level 60
   ip address 10.0.0.1 255.255.0.0
  interface Vlan70
   nameif inside_phone
   security-level 10
   ip address 192.168.80.1 255.255.255.192
  boot system disk0:/asa913-k8.bin
  ftp mode passive
  clock timezone EST 10
  clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
  dns domain-lookup inside_dmz
  dns server-group DefaultDNS
   name-server 192.168.60.2
  same-security-traffic permit intra-interface
  object network LAN_private
   subnet 192.168.50.0 255.255.255.0
  object network LAN_dmz
   subnet 192.168.60.0 255.255.255.0
  object network LAN_guest
   subnet 192.168.70.0 255.255.255.0
  object network LAN_experimental
   subnet 10.0.0.0 255.255.0.0
  object network QNAP_host
   host 192.168.50.9
  object network INTELNUC_host
   host 192.168.60.2
  object network INTELNUC_prtgservice
   host 192.168.60.2
  object network INTELNUC_webservice
   host 192.168.60.2
  object network QNAP_management
   host 192.168.50.9
  object network QNAP_transmission
   host 192.168.50.9
  object network LAN_guest_wireless
   range 192.168.70.31 192.168.70.50
  object network QNAP_t51413
   host 192.168.50.9
  object network QNAP_u51413
   host 192.168.50.9
  object service 9000-9049
   service udp destination range 9000 9049
  object network C7940_u10000-20000
   host 192.168.80.11
  object network C7940_t5060
   host 192.168.80.11
  object network LAN_phone
   subnet 192.168.80.0 255.255.255.192
  object network SPINTEL_host
   host --CUT--
  object service 16384-32766
   service udp source range 16384 32766
  object network C7940_host
   host 192.168.80.11
  object service 10000-20000
   service udp destination range 10000 20000
  object network C7940_u5060
   host 192.168.80.11
  object-group network LAN_all
   network-object object LAN_dmz
   network-object object LAN_experimental
   network-object object LAN_guest
   network-object object LAN_private
   network-object object LAN_phone
  object-group protocol TCPUDP
   protocol-object udp
   protocol-object tcp
  object-group service 5060 tcp-udp
   port-object eq sip
  object-group service 53 tcp-udp
   port-object eq domain
  access-list public_ACL extended permit tcp any object QNAP_host eq 8080
  access-list public_ACL extended permit tcp any object QNAP_host eq 51413
  access-list public_ACL extended permit udp any object QNAP_host eq 51413
  access-list public_ACL extended permit tcp any object QNAP_host eq 9091
  access-list public_ACL extended permit tcp any object INTELNUC_host eq 444
  access-list public_ACL extended permit tcp any object INTELNUC_host eq www
  access-list public_ACL extended permit object-group TCPUDP any object C7940_host eq domain inactive
  access-list public_ACL extended permit tcp object SPINTEL_host object C7940_host eq sip
  access-list public_ACL extended permit udp object SPINTEL_host object C7940_host eq sip
  access-list public_ACL extended permit icmp object SPINTEL_host object C7940_host
  access-list public_ACL extended permit object 10000-20000 object SPINTEL_host object C7940_host
  access-list public_ACL extended permit ip object SPINTEL_host object C7940_host
  access-list dmz_ACL extended permit icmp any any echo
  access-list dmz_ACL extended permit udp any any eq snmp
  access-list dmz_ACL extended permit ip object INTELNUC_host object-group LAN_all
  access-list dmz_ACL extended deny ip any object LAN_private
  access-list dmz_ACL extended deny ip any object LAN_guest
  access-list dmz_ACL extended deny ip any object LAN_experimental
  access-list dmz_ACL extended deny ip any object LAN_phone
  access-list dmz_ACL extended permit ip any any
  access-list guest_ACL extended permit icmp any any echo
  access-list guest_ACL extended permit udp any any eq snmp
  access-list guest_ACL extended permit object-group TCPUDP object LAN_guest_wireless object INTELNUC_host eq domain
  access-list guest_ACL extended deny ip object LAN_guest_wireless object INTELNUC_host
  access-list guest_ACL extended deny ip object LAN_guest_wireless object QNAP_host
  access-list guest_ACL extended permit ip any object INTELNUC_host
  access-list guest_ACL extended permit ip any object QNAP_host
  access-list guest_ACL extended deny ip any object LAN_private
  access-list guest_ACL extended deny ip any object LAN_dmz
  access-list guest_ACL extended deny ip any object LAN_experimental
  access-list guest_ACL extended deny ip any object LAN_phone
  access-list guest_ACL extended permit ip any any
  access-list phone_ACL extended permit udp object C7940_host object INTELNUC_host eq tftp
  access-list phone_ACL extended permit icmp object C7940_host object SPINTEL_host
  access-list phone_ACL extended permit object 16384-32766 object C7940_host object SPINTEL_host
  access-list phone_ACL extended permit object-group TCPUDP object C7940_host any eq domain
  access-list phone_ACL extended permit udp object C7940_host any eq ntp
  access-list phone_ACL extended permit tcp object C7940_host any eq sip
  access-list phone_ACL extended permit udp object C7940_host any eq sip
  access-list phone_ACL extended permit ip object C7940_host any inactive
  access-list phone_ACL extended permit ip object LAN_phone any inactive
  pager lines 24
  logging enable
  logging asdm notifications
  mtu inside_private 1500
  mtu outside_public 1492
  mtu inside_dmz 1500
  mtu inside_guest 1500
  mtu inside_experimental 1500
  mtu inside_phone 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-714.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside_private,outside_public) source static C7940_u10000-20000 interface service 10000-20000 10000-20000
  object network LAN_private
   nat (inside_private,outside_public) dynamic interface
  object network LAN_dmz
   nat (inside_dmz,outside_public) dynamic interface
  object network LAN_guest
   nat (inside_guest,outside_public) dynamic interface
  object network LAN_experimental
   nat (inside_experimental,outside_public) dynamic interface
  object network INTELNUC_prtgservice
   nat (inside_dmz,outside_public) static interface service tcp 444 444
  object network INTELNUC_webservice
   nat (inside_dmz,outside_public) static interface service tcp www www
  object network QNAP_management
   nat (inside_private,outside_public) static interface service tcp 8080 8080
  object network QNAP_transmission
   nat (inside_private,outside_public) static interface service tcp 9091 9091
  object network QNAP_t51413
   nat (inside_private,outside_public) static interface service tcp 51413 51413
  object network QNAP_u51413
   nat (inside_private,outside_public) static interface service udp 51413 51413
  object network C7940_t5060
   nat (inside_private,outside_public) static interface service tcp sip sip
  object network LAN_phone
   nat (inside_phone,outside_public) dynamic interface
  object network C7940_u5060
   nat (inside_private,outside_public) static interface service udp sip sip
  access-group public_ACL in interface outside_public
  access-group dmz_ACL in interface inside_dmz
  access-group guest_ACL in interface inside_guest
  access-group phone_ACL in interface inside_phone
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 192.168.50.0 255.255.255.0 inside_private
  snmp-server host inside_dmz 192.168.60.2 community *****
  snmp-server location inside_dmz
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpoint localtrust
   enrollment self
   fqdn asa5505.--CUT--
   subject-name CN=sasa5505.--CUT--
   keypair sslvpnkey
   crl configure
  crypto ca trustpool policy
  crypto ca certificate chain localtrust
   certificate --CUT--
  telnet 192.168.50.0 255.255.255.0 inside_private
  telnet timeout 60
  ssh timeout 60
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  vpdn group ADSL2 request dialout pppoe
  vpdn group ADSL2 localname --CUT--
  vpdn group ADSL2 ppp authentication pap
  vpdn username --CUT-- password --CUT-- store-local
  dhcpd auto_config outside_public
  dhcprelay server 192.168.60.2 inside_dmz
  dhcprelay enable inside_private
  dhcprelay enable inside_guest
  dhcprelay enable inside_experimental
  dhcprelay enable inside_phone
  dhcprelay timeout 60
  threat-detection basic-threat
  threat-detection statistics host number-of-rate 3
  threat-detection statistics port number-of-rate 3
  threat-detection statistics protocol number-of-rate 3
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server --CUT-- source inside_private
  ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
  ssl trust-point localtrust outside_public
  webvpn
   anyconnect-essentials
  username --CUT-- password --CUT-- encrypted privilege 15
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect icmp
    inspect pptp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  hpm topN enable
  Cryptochecksum:--CUT--

  Ansar,
  A source group or "group" is what you need to configure on the CSS in order for the backend servers to initiate a connection outbound on the CSS. It would be helpful if you could email me directly a piece of your config. Specifically I would need the "service" section in terms of which servers need outbound access as well as the content rules you have configured and the ACL section to confirm you are not blocking anything.
  As an example.
  If you had
  service pete
  ip address 1.1.1.1
  active
  content pete
  add service pete
  protocol tcp
  port 80
  vip address 2.2.2.2
  active
  group pete_out
  vip address 2.2.2.2
  add service pete
  active
  So what happens is when the service makes an outbound connection, the source ip address is now the vip address. When the return packet comes back, the CSS recognizes it and gets it back to the backend server.
  You can also apply a source group via an acl as another option.
  Regards
  Pete..
  [email protected]

• Does having a guest network decrease the power of the main network?

  I set up a guest network when I set up my Airport Extreme ... not sure why I did this exactly. I have moved into a larger home and now have some issues with the router reaching the entire unit. (It does actually cover it all ... but very weak in the farthest areas from the router.) Does the guest network take power away from the primary network. In other words, if I reset the router without the guest network, would I be better off?
  THANKS.

  When you enable the Guest network, the bandwidth is split between the Main and Guest networks, so performance wise, it would make sense to only use the Guest network feature when you really have "guests".
  Now, if you turn the Guest network off...whether you will actually "see" any improvement is open to question. Worth a try.
  To turn off the Guest Network....
  Open AirPort Utility - Click Manual Setup
  Click the Guest Network tab below the row of icons
  Remove the check mark next to "Enable Guest Network"
  Click Update to save the changes and the AirPort will restart in 25-30 seconds.
  If you need more wireless coverage, you might want to look at adding another AirPort Extreme or AirPort Express to "extend" the wireless signal.

• PIX 501 config - access to internal network not working from remote VPN users - everything on the inside is OK

  One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly apprecaited although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.           
  Some other info from the client end:
  I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
  Also Tunnel received 0 and sent 115119
  Encryption is 168-bit 3-DES
  Authentication is HMAC-SHA1
  also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats
  also Transparent tunneling is selcted but in the stats it states it is inactive
  I am connecting with the Cisco VPN Client Ver 5.0.07.0440
  This config works. It is on the internal net 192.168..40.x and all users obtain dhcp and surf the web. It has required ports opened.The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix and the pix from the remote PC connecting via the VPN and youcannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25
  I need to  see the internal network and map network drives. I have another friend that is running the same config and it works but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25 so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc on 192.168.1.x    I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapater but I really do not know for sure.
  Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encrption where there and an issue with the encrypt and ecrypt which was stopping the communicaton via the VPN.
  I still cannot seem to find the issue with this config and any help will be greatly appreciated.
  This is the config
  interface ethernet0 100full
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password somepassword
  hostname hostname
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  object-group network internal_trusted_net
    network-object 192.168.40.0 255.255.255.0
  object-group icmp-type icmp_outside
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    icmp-object source-quench
  access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
  access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
  access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
  access-list OutToIn permit ip any any
  access-list outbound permit ip any any
  (NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside xxx.xxx.xxx.xxx 255.255.255.248
  ip address inside 192.168.40.2 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside  it still does not work.
  nat (inside) 0 access-list no_nat_inside
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  access-group acl_outside_in in interface outside
  access-group outbound in interface inside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.40.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community $XXXXXX$
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
  crypto dynamic-map clientmap 50 set transform-set 3des_strong
  crypto map vpn 50 ipsec-isakmp dynamic clientmap
  crypto map vpn client configuration address initiate
  crypto map vpn client configuration address respond
  crypto map vpn client authentication LOCAL
  crypto map vpn interface outside
  isakmp enable outside
  isakmp identity address
  isakmp client configuration address-pool local vpn_client_pool outside
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  vpngroup remote-vpn split-tunnel split_tunnel
  vpngroup remote-vpn idle-time 10800
  vpngroup remote-vpn password ANOTHER PASSWORD
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 192.168.40.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 60
  dhcpd address 192.168.40.100-192.168.40.131 inside
  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd enable inside
  username AUSER password PASSWORD privilege 15
  terminal width 80
  ****************** End of config
  I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network)  was able to go to a section in the VPN wizard and set the Address Exeption Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper  for the VPN pool- that it will not work but I am confused by the examples. They show as I do the complete range for an access-list called no_nat_inside but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly apprecaited. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connect a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and viceversa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receive an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in anther post.
  Thank you once again.

  Hi,
  PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
  If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
  But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
  I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
  Here is a PDF of the original ASA5500 Series.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
  Here is a PDF of the new ASA5500-X Series
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
  I am afraid that its very hard for me atleast to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
  Could you provide the requested outputs?
  From the PIX after connection test
  show crypto ipsec sa
  Screen captures of the VPN Client routing and statistics sections.
  - Jouni

• Allow VPN client to connect from the inside to another remote network

  Hi, if I have a Cisco VPN client software on the inside of network and client is to connect to a remote network, over the internet. What ports need to be opened and on the outside interface/inside/both?
  Thanks.

  Basically, all you need is UDP port 500, NAT-T will do the rest.
  Connections are initiated from the inside and while everything is allowed in that direction, this should work by default.
  If you have an access-list that limits traffic from inside to outside, you might need to allow this traffic.
  Regards,
  Leo

• WLC-2106 and multiple interfaces on the same network

  Hi there,
  I recently created a TAC request to the Cisco support regarding our WLC-2106, but they could not help me. Basically I just learned that you can create new interfaces for the wireless LAN controller and then dedicate them to a given wireless network (SSID). This way I could more effectively utilize network bandwidth also. Problem is that all of the interfaces have to be in a different network segment in order to work, which is not what I want. I specifically want to have several interfaces on the same network segment.
  Has anyone tried to accomplish the same?

  Basically what I've misunderstood is that all the traffic generated by our wireless clients have been going through the single 100Mbit/s ethernet port on the wireless LAN controller (management interface), and to mitigate this I thought I could create new interfaces (ports) and dedicate those to given WLAN networks.. I see now that this is not supported. Not inside the same network at least.
  So, by reading further and consulting my best friend Google I learned about a setting called "AP Mode". Changing that from Local (the default) to H-REAP the APs should not route their traffic anymore through the management interface on the wireless controller, but instead route all the client traffic directly to the local LAN. This way you effectively remove the 100Mbit/s bottle-neck when all the APs were using the management interface both for configuration and client data traffic.
  It seems you also have to enable H-REAP Local switching from a given WLAN network in addition to changing the AP Mode of your access points to H-REAP. I'm still in the testing phase here so should anyone have any insight to this, I'd be greatful to hear more.

• I am having a data excess usage issue with my Jetpack although I did not use the VZW network at all.

  Background: My home does not have access to landline internet and I am relying on a Verizon Jetpack device rather than satellite cable for internet access.  Within my JetPack wireless network I have several devices connected, iPADs, PC’s, printer, etc. (up to 5 devices can be connected with my system).  Recently, I had one device within my immediate wireless network that I needed to transfer data via FTP to another local device within my immediate network.  The receiving device FTP’d data from device (198.168.1.42) to local IP (address 192.168.1.2).  To understand the data path a Trace rout for this transfer is 198.168.1.42 (source) to 198.168.1.1 (Jetpack) to 192.168.1.2 (receiver).  Note that the VZW network ((cloud)/4G network) was NOT used in this transfer nor was any VZW bandwidth used for this transfer (of course less the typical overhead status/maintenance communications that happen regardless). Use of the VZW bandwidth would be something like downloading a movie from Netflix, (transferring data from a remote site, through the VZW network, into the Jetpack and to the target device).  I also understand if ones devices have auto SW updates that would also go against the usage as well.  I get that.  My understanding of my usage billing is based data transfer across the VZW network.
  Now to the problem: To my surprise I was quite substantially charged for the “internal” direct transfer of this data although I didn’t use the VZW network at all.  This does not seem to be right, and doesn’t make much sense to me.  Usage is should be based on the VZW network not a local Wi-Fi.  In this case, Verizon actually gets free money from me without any use of or impact to the VZW network.  Basically this is a VERY expensive rental for the jetpack device, which I bought anyway.  Considering this, I am also charged each time I print locally.  Dive into this further, I am also interested in knowing what is the overhead (non-data) communications between the jetpack router and devices and how much does that add up to over time?
  Once I realized I was getting socked in bandwidth, as a temp solution I found an old Wi-Fi router, created a separate Wi-Fi network off the Jetpack, but the billing damage was already done.  Switching each device back and forth to FTP and print is a hassle and there should be no reason the existing hardware couldn’t handle this and charges aligned with VSW usage. Is purposely intended by Verizon? Is this charging correct? And can I get some help with this?
  Logically, usage should be based on VZW network usage not internal transfers.  All transfers between IP addresses 192.168 are by default internal.  Any data that needs to leave the internal network are translated in to the dynamic IP addresses established by the VZW network.  That should be very easily detected for usage. In the very least, this fact needs to be clearly identified and clarified to users of the Jetpack.  How would one use a local network and not get socked with usage charges?  Can one set up a Wi-Fi network with another router, hardwire directly from the router to the Jetpack so that only data to and from the VZW network is billed? I might be able to figure out how to have the jetpack powered on but disable the VZW connection, but I don’t want to experiment and find out that the internal transfers are being logged and the log sent after the fact anyway once I connect…. A reasonable solution should be that users be able to use the router functions of the Jetpack (since one has to buy the device anyway) and only be billed for VZW usage.
  Your help in this would be greatly appreciated. Thanks

  i had one mac and spilt water on it, the motherboard fried so i had to buy a used one...being in school and all. it is a MC375lla
  Model Name:
  MacBook Pro
    Model Identifier:
  MacBookPro7,1
    Processor Name:
  Intel Core 2 Duo
    Processor Speed:
  2.66 GHz
    Number of Processors:
  1
    Total Number of Cores:
  2
    L2 Cache:
  3 MB
    Memory:
  8 GB
    Bus Speed:
  1.07 GHz
    Boot ROM Version:
  MBP71.0039.B0E
    SMC Version (system):
  1.62f7
    Hardware UUID:
  A802DE22-1E57-5509-93C5-27CEF01377B7
    Sudden Motion Sensor:
    State:
  Enabled
  i do not have a backup of it, so i am thinking about replacing my old hard drive from the water damaged into this one, not even sure if that would work, but it did not seem to be damaged, as i recovered all the files i wanted off of it to put onto this mbp
  the previous owner didnt have it set to boot, they had all their settings left on it and tried to edit all the names on it, had a bunch of server info and printers etc crap on it.  i do not believe he edited the terminal system though--he doesnt seem to terribly bright(if thats possible)
  tbh i hate lion compared to the old one i had, this one has so many more issues-overheating,fan noise, cd dvd noise
  if you need screenshots or data of anything else as away
  [problem is i do not want to start from scratch if there is a chance of fixing it, this one did not come with disks or anything like my first. so i dont even know if i could, and how it sets now i am basically starting from scratch, because now all my apps are reset but working, i am hoping to get my data back somehow though, i lost all of my bookmarks and editing all my apps and setting again would be a pain

• AnyConnect to ASA 5505 ver 8.4 unable to ping/access Inside network

  My AnyConnect VPN connect to the ASA, however I cannot access my inside network hosts (tried Split Tunnel and it didn't work either). I plan to use a Split Tunnel configuration but I thought I would get this working before I implemented that configuration. My inside hosts are on a 10.0.1.0/24 network and 10.1.0.0/16 networks. My AnyConnect hosts are using 192.168.60.0/24 addresses.
  I have seen other people that appeared to have similar posts but none of those solutions have worked for me.  I have also tried several NAT and ACL configurations to allow traffic form my Inside network to the ANYConnect hosts and back, but apparently I did it incorrectly.  I undestand that this ver 8.4 is supposed to be easier to perform NAT and such, but I now in the router IOS it was much simpler.
  My configuration is included below.
  Thank you in advance for your assistance.
  Jerry
  ASA Version 8.4(4)
  hostname mxfw
  domain-name moxiefl.com
  enable password (removed)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  switchport trunk allowed vlan 20,22
  switchport mode trunk
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Vlan20
  nameif dmz
  security-level 50
  ip address 172.26.20.1 255.255.255.0
  interface Vlan22
  nameif dmz2
  security-level 50
  ip address 172.26.22.1 255.255.255.0
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 208.67.222.222
  name-server 208.67.220.220
  domain-name moxiefl.com
  same-security-traffic permit inter-interface
  object network Generic_All_Network
  subnet 0.0.0.0 0.0.0.0
  object network INSIDE_Hosts
  subnet 10.1.0.0 255.255.0.0
  object network AnyConnect_Hosts
  subnet 192.168.60.0 255.255.255.0
  object network NETWORK_OBJ_192.168.60.0_26
  subnet 192.168.60.0 255.255.255.192
  object network DMZ_Network
  subnet 172.26.20.0 255.255.255.0
  object network DMZ2_Network
  subnet 172.26.22.0 255.255.255.0
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  mtu dmz2 1500
  ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic Generic_All_Network interface
  nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
  nat (dmz,outside) source dynamic Generic_All_Network interface
  nat (dmz2,outside) source dynamic Generic_All_Network interface
  route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  fqdn anyconnect.moxiefl.com
  subject-name CN=AnyConnect.moxiefl.com
  keypair AnyConnect
  proxy-ldc-issuer
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate 439a4452
      3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
      05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
      6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
      2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
      33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
      6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
      616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
      86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
      b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
      fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
      6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
      1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
      551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
      03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
      0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
      092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
      5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
      ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
      1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
      0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd dns 208.67.222.222 208.67.220.220
  dhcpd auto_config outside
  dhcpd address 10.0.1.20-10.0.1.40 inside
  dhcpd dns 208.67.222.222 208.67.220.220 interface inside
  dhcpd enable inside
  dhcpd address 172.26.20.21-172.26.20.60 dmz
  dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
  dhcpd enable dmz
  dhcpd address 172.26.22.21-172.26.22.200 dmz2
  dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
  dhcpd enable dmz2
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  enable outside
  anyconnect-essentials
  anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
  anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_AnyConnect internal
  group-policy GroupPolicy_AnyConnect attributes
  wins-server none
  dns-server value 208.67.222.222 208.67.220.220
  vpn-tunnel-protocol ikev2 ssl-client
  default-domain value moxiefl.com
  webvpn
    anyconnect profiles value AnyConnect_client_profile type user
  username user1 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
  username user2 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
  tunnel-group AnyConnect type remote-access
  tunnel-group AnyConnect general-attributes
  address-pool VPN_POOL
  default-group-policy GroupPolicy_AnyConnect
  tunnel-group AnyConnect webvpn-attributes
  group-alias AnyConnect enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
  : end

  Hi,
  Yes, I have saved the config and did a write erase and reloaded the config, no difference. I rebuilt it once a couple of weeks ago, but that was before I had gotten this far with your assistance.  I'll include my ASA and switches configs after this. Here is a little background (took it form the Firewall section issue just because it gives a little insight for the network). I have 2 3560s, one as a L3 switch the other L2 with an etherchannel between them (one of the cables was bad so I am waiting on the replacement to have 2 - Gigabit channels between the switches).
  I think our issue with the VPN not getting to the Inside is posibly related to my DMZ issue not getting to the internet.
  I am using 2 VLANs on my switch for Guests - one is wired and the other is wireless. I am trying to keep them separate because the wireless are any guest that might be at our restaurant that is getting on WiFi. The wired is for our Private Dining Rooms that vendors may need access and I don't want the wireless being able to see the wired network in that situation.
  I have ports on my 3560s that are assigned to VLAN 20 (Guest Wired) and VLAN 22 (Guest Wireless). I am not routing those addresses within the 3560s (one 3560 is setup as a L3 switch). Those VLANs are being L2 switched to the ASA via the trunk to save ports (I tried separating them and used 2 ports on the ASA and it still didn't work). The ASA is providing DCHP for those VLANs and the routing for the DMZ VLANs. I can ping each of the gateways (which are the VLANs on the ASA from devices on the 3560s - 172.26.20.1 and 172.26.22.1. I have those in my DMZ off the ASA so it can control and route the data.
  The 3560 is routing for my Corp VLANs. So far I have tested the Wired VLAN 10 (10.1.10.0/24) and it is working and gets to the Internet.  I have a default route (0.0.0.0 0.0.0.0) from the L3 switch to e0/1 on the ASA and e0/1 is an Inside interface.
  E0/0 on the ASA is my Outside interface and gets it IP from the upstream router (will be an AT&T router/modem when I move it to the building).
  So for a simple diagram:
  PC (172.26.20.21/24) -----3560 (L2) ------Trunk----(VLAN 20 - DMZ/ VLAN 22 - DMZ2)---- ASA -----Outside ------- Internet (via router/modem)
  I will be back at this tomorrow morning - I've been up since 4pm yesterday and it is almost 3pm.
  Thank you for all of your assistance.
  Jerry
  Current ASA Config:
  ASA Version 8.4(4)
  hostname mxfw
  domain-name moxiefl.com
  enable password $$$$$$$$$$$$$$$ encrypted
  passwd $$$$$$$$$$$$$$$$ encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  switchport access vlan 20
  interface Ethernet0/5
  switchport trunk allowed vlan 20,22
  switchport mode trunk
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Vlan20
  nameif dmz
  security-level 50
  ip address 172.26.20.1 255.255.255.0
  interface Vlan22
  nameif dmz2
  security-level 50
  ip address 172.26.22.1 255.255.255.0
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 208.67.222.222
  name-server 208.67.220.220
  domain-name moxiefl.com
  same-security-traffic permit inter-interface
  object network Generic_All_Network
  subnet 0.0.0.0 0.0.0.0
  object network INSIDE_Hosts
  subnet 10.1.0.0 255.255.0.0
  object network AnyConnect_Hosts
  subnet 192.168.60.0 255.255.255.0
  object network NETWORK_OBJ_192.168.60.0_26
  subnet 192.168.60.0 255.255.255.192
  object network DMZ_Network
  subnet 172.26.20.0 255.255.255.0
  object network DMZ2_Network
  subnet 172.26.22.0 255.255.255.0
  object network INSIDE
  subnet 10.0.1.0 255.255.255.0
  access-list capdmz extended permit icmp host 172.26.20.22 host 208.67.222.222
  access-list capdmz extended permit icmp host 208.67.222.222 host 172.26.20.22
  access-list capout extended permit icmp host 192.168.1.231 host 208.67.222.222
  access-list capout extended permit icmp host 208.67.222.222 host 192.168.1.231
  access-list capvpn extended permit icmp host 192.168.60.20 host 10.1.10.23
  access-list capvpn extended permit icmp host 10.1.10.23 host 192.168.60.20
  access-list AnyConnect_Client_Local_Print extended deny ip any any
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
  access-list SPLIT-TUNNEL standard permit 10.0.1.0 255.255.255.0
  access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
  access-list capins extended permit icmp host 10.1.10.23 host 10.0.1.1
  access-list capins extended permit icmp host 10.0.1.1 host 10.1.10.23
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  mtu dmz2 1500
  ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static INSIDE INSIDE destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
  nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
  nat (dmz,outside) source dynamic Generic_All_Network interface
  nat (dmz2,outside) source dynamic Generic_All_Network interface
  nat (inside,outside) after-auto source dynamic Generic_All_Network interface
  route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  fqdn anyconnect.moxiefl.com
  subject-name CN=AnyConnect.moxiefl.com
  keypair AnyConnect
  proxy-ldc-issuer
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate 439a4452
      3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
      05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
      6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
      2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
      33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
      6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
      616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
      86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
      b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
      fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
      6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
      1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
      551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
      03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
      0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
      092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
      5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
      ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
      1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
      0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd dns 208.67.222.222 208.67.220.220
  dhcpd auto_config outside
  dhcpd address 10.0.1.20-10.0.1.40 inside
  dhcpd dns 208.67.222.222 208.67.220.220 interface inside
  dhcpd enable inside
  dhcpd address 172.26.20.21-172.26.20.60 dmz
  dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
  dhcpd enable dmz
  dhcpd address 172.26.22.21-172.26.22.200 dmz2
  dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
  dhcpd enable dmz2
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  enable outside
  anyconnect-essentials
  anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
  anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_AnyConnect internal
  group-policy GroupPolicy_AnyConnect attributes
  wins-server none
  dns-server value 208.67.222.222 208.67.220.220
  vpn-tunnel-protocol ikev2 ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT-TUNNEL
  default-domain value moxiefl.com
  webvpn
    anyconnect profiles value AnyConnect_client_profile type user
  username user1 password $$$$$$$$$$$$$ encrypted privilege 15
  username user2 password $$$$$$$$$$$ encrypted privilege 15
  tunnel-group AnyConnect type remote-access
  tunnel-group AnyConnect general-attributes
  address-pool VPN_POOL
  default-group-policy GroupPolicy_AnyConnect
  tunnel-group AnyConnect webvpn-attributes
  group-alias AnyConnect enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:f6d9bbacca2a5c8b5af946a8ddc12550
  : end
  L3 3560 connects to ASA via port f0/3 routed port 10.0.1.0/24 network
  Connects to second 3560 via G0/3 & G0/4
  version 12.2
  no service pad
  no service timestamps debug uptime
  no service timestamps log uptime
  service password-encryption
  hostname mx3560a
  boot-start-marker
  boot-end-marker
  enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
  no aaa new-model
  system mtu routing 1500
  authentication mac-move permit
  ip subnet-zero
  ip routing
  ip dhcp excluded-address 10.1.10.1 10.1.10.20
  ip dhcp excluded-address 10.1.12.1 10.1.12.20
  ip dhcp excluded-address 10.1.14.1 10.1.14.20
  ip dhcp excluded-address 10.1.16.1 10.1.16.20
  ip dhcp excluded-address 10.1.30.1 10.1.30.20
  ip dhcp excluded-address 10.1.35.1 10.1.35.20
  ip dhcp excluded-address 10.1.50.1 10.1.50.20
  ip dhcp excluded-address 10.1.80.1 10.1.80.20
  ip dhcp excluded-address 10.1.90.1 10.1.90.20
  ip dhcp excluded-address 10.1.100.1 10.1.100.20
  ip dhcp excluded-address 10.1.101.1 10.1.101.20
  ip dhcp pool VLAN10
     network 10.1.10.0 255.255.255.0
     default-router 10.1.10.1
     dns-server 208.67.222.222 208.67.220.220
  ip dhcp pool VLAN12
     network 10.1.12.0 255.255.255.0
     default-router 10.1.12.1
     dns-server 208.67.222.222 208.67.220.220
  ip dhcp pool VLAN14
     network 10.1.14.0 255.255.255.0
     default-router 10.1.14.1
     option 150 ip 10.1.13.1
  ip dhcp pool VLAN16
     network 10.1.16.0 255.255.255.0
     default-router 10.1.16.1
     dns-server 208.67.222.222 208.67.220.220
  ip dhcp pool VLAN30
     network 10.1.30.0 255.255.255.0
     default-router 10.1.30.1
     dns-server 208.67.222.222 208.67.220.220
  ip dhcp pool VLAN35
     network 10.1.35.0 255.255.255.0
     default-router 10.1.35.1
     dns-server 208.67.222.222 208.67.220.220
  ip dhcp pool VLAN50
     network 10.1.50.0 255.255.255.0
     default-router 10.1.50.1
     option 43 hex f104.0a01.6564
  ip dhcp pool VLAN80
     network 10.1.80.0 255.255.255.0
     default-router 10.1.80.1
     dns-server 208.67.222.222 208.67.220.220
  ip dhcp pool VLAN90
     network 10.1.90.0 255.255.255.0
     default-router 10.1.90.1
     dns-server 208.67.222.222 208.67.220.220
  ip dhcp pool VLAN100
     network 10.1.100.0 255.255.255.0
     default-router 10.1.100.1
  ip dhcp pool VLAN101
     network 10.1.101.0 255.255.255.0
     default-router 10.1.101.1
  ip dhcp pool VLAN40
     dns-server 208.67.222.222 208.67.220.220
  port-channel load-balance src-dst-mac
  spanning-tree mode pvst
  spanning-tree etherchannel guard misconfig
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface Port-channel1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  link state group 1 downstream
  interface FastEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 100
  switchport mode trunk
  power inline never
  interface FastEthernet0/2
  switchport access vlan 10
  switchport mode access
  power inline never
  interface FastEthernet0/3
  description Interface to MXFW E0/1
  no switchport
  ip address 10.0.1.2 255.255.255.0
  power inline never
  interface FastEthernet0/4
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/5
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/6
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/7
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 30
  switchport mode trunk
  switchport voice vlan 14
  power inline never
  spanning-tree portfast
  interface FastEthernet0/8
  switchport access vlan 30
  switchport mode access
  power inline never
  interface FastEthernet0/9
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/10
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/11
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/12
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/13
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/14
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/15
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/16
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/17
  switchport access vlan 50
  switchport mode access
  interface FastEthernet0/18
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/19
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/20
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 10
  switchport mode trunk
  switchport voice vlan 14
  spanning-tree portfast
  interface FastEthernet0/21
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/22
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/23
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 30
  switchport mode trunk
  switchport voice vlan 14
  spanning-tree portfast
  interface FastEthernet0/24
  switchport access vlan 35
  switchport mode access
  power inline never
  interface FastEthernet0/25
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/26
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/27
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/28
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/29
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/30
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/31
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/32
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/33
  switchport access vlan 50
  switchport mode access
  interface FastEthernet0/34
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/35
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/36
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 10
  switchport mode trunk
  switchport voice vlan 14
  spanning-tree portfast
  interface FastEthernet0/37
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/38
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/39
  switchport access vlan 30
  switchport mode access
  power inline never
  interface FastEthernet0/40
  switchport access vlan 90
  switchport mode access
  power inline never
  interface FastEthernet0/41
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/42
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/43
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/44
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/45
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/46
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/47
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/48
  switchport mode access
  shutdown
  power inline never
  interface GigabitEthernet0/1
  description Interface to MXC2911 Port G0/0
  no switchport
  ip address 10.1.13.2 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  interface GigabitEthernet0/3
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode on
  interface GigabitEthernet0/4
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode on
  interface Vlan1
  no ip address
  shutdown
  interface Vlan10
  ip address 10.1.10.1 255.255.255.0
  interface Vlan12
  ip address 10.1.12.1 255.255.255.0
  interface Vlan14
  ip address 10.1.14.1 255.255.255.0
  interface Vlan16
  ip address 10.1.16.1 255.255.255.0
  interface Vlan20
  ip address 172.26.20.1 255.255.255.0
  interface Vlan22
  ip address 172.26.22.1 255.255.255.0
  interface Vlan30
  ip address 10.1.30.1 255.255.255.0
  interface Vlan35
  ip address 10.1.35.1 255.255.255.0
  interface Vlan40
  ip address 10.1.40.1 255.255.255.0
  interface Vlan50
  ip address 10.1.50.1 255.255.255.0
  interface Vlan80
  ip address 172.16.80.1 255.255.255.0
  interface Vlan86
  no ip address
  shutdown
  interface Vlan90
  ip address 10.1.90.1 255.255.255.0
  interface Vlan100
  ip address 10.1.100.1 255.255.255.0
  interface Vlan101
  ip address 10.1.101.1 255.255.255.0
  router eigrp 1
  network 10.0.0.0
  network 10.1.13.0 0.0.0.255
  network 10.1.14.0 0.0.0.255
  passive-interface default
  no passive-interface GigabitEthernet0/1
  ip classless
  ip route 0.0.0.0 0.0.0.0 FastEthernet0/3 10.0.1.1
  ip route 192.168.60.0 255.255.255.0 FastEthernet0/3 10.0.1.1 2
  ip http server
  ip sla enable reaction-alerts
  line con 0
  logging synchronous
  line vty 0 4
  login
  line vty 5 15
  login
  end
  L3 3560 Route Table (I added 192.168.60.0/24 instead of just using the default route just in case it wasn't routing for some reason - no change)
  mx3560a#sho ip route
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route
  Gateway of last resort is 10.0.1.1 to network 0.0.0.0
  S    192.168.60.0/24 [2/0] via 10.0.1.1, FastEthernet0/3
       172.16.0.0/24 is subnetted, 1 subnets
  C       172.16.80.0 is directly connected, Vlan80
       172.26.0.0/24 is subnetted, 2 subnets
  C       172.26.22.0 is directly connected, Vlan22
  C       172.26.20.0 is directly connected, Vlan20
       10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
  C       10.1.10.0/24 is directly connected, Vlan10
  D       10.1.13.5/32 [90/3072] via 10.1.13.1, 4d02h, GigabitEthernet0/1
  C       10.1.14.0/24 is directly connected, Vlan14
  C       10.1.13.0/24 is directly connected, GigabitEthernet0/1
  C       10.1.12.0/24 is directly connected, Vlan12
  C       10.0.1.0/24 is directly connected, FastEthernet0/3
  C       10.1.30.0/24 is directly connected, Vlan30
  C       10.1.16.0/24 is directly connected, Vlan16
  C       10.1.40.0/24 is directly connected, Vlan40
  C       10.1.35.0/24 is directly connected, Vlan35
  C       10.1.50.0/24 is directly connected, Vlan50
  C       10.1.90.0/24 is directly connected, Vlan90
  C       10.1.101.0/24 is directly connected, Vlan101
  C       10.1.100.0/24 is directly connected, Vlan100
  S*   0.0.0.0/0 [1/0] via 10.0.1.1, FastEthernet0/3
  I have a C2911 for CME on G0/1 - using it only for that purpose at this time.
  L2 3560 Config it connects to the ASA as a trunk on e0/5 of the ASA and port f0/3 of the switch - I am using L2 switching for the DMZ networks from the switches to the ASA and allowing the ASA to provide the DHCP and routing out of the network. DMZ networks: 172.26.20.0/24 and 172.26.22.0/24.
  version 12.2
  no service pad
  no service timestamps debug uptime
  no service timestamps log uptime
  service password-encryption
  hostname mx3560b
  boot-start-marker
  boot-end-marker
  enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
  no aaa new-model
  system mtu routing 1500
  crypto pki trustpoint TP-self-signed-3877365632
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3877365632
  revocation-check none
  rsakeypair TP-self-signed-3877365632
  crypto pki certificate chain TP-self-signed-3877365632
  certificate self-signed 01
    30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33383737 33363536 3332301E 170D3933 30333031 30303031
    30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373733
    36353633 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100DF81 DA515E0B 7FC760CF 2CC98400 42DCA007 215E4DDE D0C3FBF2 D974CE85
    C46A8700 6AE44C2C 79D9BD2A A9297FA0 2D9C2BE4 B3941A2F 435AC4EA 17E89DFE
    34EC8E93 63BD4CDF 784E91D7 2EE0093F 06CC97FD 83CB818B 1ED624E6 F0F5DA51
    1DE4B8A7 169EED2B 40575B81 BADDE052 85BA9D19 4C206DCB 00878FF3 89E74028
    B3F30203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
    551D1104 0C300A82 086D7833 35363062 2E301F06 03551D23 04183016 80147125
    78CE8540 DB95D852 3C0BD975 5D9C6EB7 58FC301D 0603551D 0E041604 14712578
    CE8540DB 95D8523C 0BD9755D 9C6EB758 FC300D06 092A8648 86F70D01 01040500
    03818100 94B98410 2D9CD602 4BD16181 BCB7C515 77C8F947 7C4AF5B8 281E3131
    59298655 B12FAB1D A6AAA958 8473483C E993D896 5251770B 557803C0 531DEB62
    A349C057 CB473F86 DCEBF8B8 7DDE5728 048A49D0 AB18CE8C 8257C00A C2E06A63
    B91F872C 5F169FF9 77DC523B AB1E3965 C6B67FCC 84AE11E9 02DD10F0 C45EAFEA 41D7FA6C
    quit
  port-channel load-balance src-dst-mac
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface Port-channel1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface FastEthernet0/1
  switchport access vlan 50
  switchport mode access
  interface FastEthernet0/2
  switchport access vlan 30
  switchport mode access
  power inline never
  interface FastEthernet0/3
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 20,22
  switchport mode trunk
  power inline never
  interface FastEthernet0/4
  switchport mode access
  shutdown
  power inline never
  interface FastEthernet0/5
  shutdown
  power inline never
  interface FastEthernet0/6
  shutdown
  power inline never
  interface FastEthernet0/7
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 30
  switchport mode trunk
  switchport voice vlan 14
  spanning-tree portfast
  interface FastEthernet0/8
  switchport access vlan 30
  switchport mode access
  power inline never
  interface FastEthernet0/9
  shutdown
  power inline never
  interface FastEthernet0/10
  switchport access vlan 20
  switchport mode access
  power inline never
  interface FastEthernet0/11
  shutdown
  power inline never
  interface FastEthernet0/12
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/13
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/14
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/15
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/16
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/17
  switchport access vlan 10
  switchport mode access
  power inline never
  interface FastEthernet0/18
  shutdown
  power inline never
  interface FastEthernet0/19
  shutdown
  power inline never
  interface FastEthernet0/20
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 10
  switchport mode trunk
  switchport voice vlan 14
  spanning-tree portfast
  interface FastEthernet0/21
  shutdown
  power inline never
  interface FastEthernet0/22
  shutdown
  power inline never
  interface FastEthernet0/23
  switchport access vlan 30
  switchport mode access
  power inline never
  interface FastEthernet0/24
  shutdown
  power inline never
  interface FastEthernet0/25
  switchport access vlan 20
  switchport mode access
  power inline never
  interface FastEthernet0/26
  shutdown
  power inline never
  interface FastEthernet0/27
  shutdown
  power inline never
  interface FastEthernet0/28
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/29
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/30
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/31
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/32
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/33
  switchport access vlan 20
  switchport mode access
  power inline never
  interface FastEthernet0/34
  shutdown
  power inline never
  interface FastEthernet0/35
  shutdown
  power inline never
  interface FastEthernet0/36
  switchport mode access
  switchport voice vlan 14
  spanning-tree portfast
  interface FastEthernet0/37
  shutdown
  power inline never
  interface FastEthernet0/38
  shutdown
  power inline never
  interface FastEthernet0/39
  switchport access vlan 30
  switchport mode access
  power inline never
  interface FastEthernet0/40
  switchport access vlan 90
  switchport mode access
  power inline never
  interface FastEthernet0/41
  shutdown
  power inline never
  interface FastEthernet0/42
  shutdown
  power inline never
  interface FastEthernet0/43
  shutdown
  power inline never
  interface FastEthernet0/44
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/45
  switchport access vlan 40
  switchport mode access
  interface FastEthernet0/46
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/47
  switchport access vlan 40
  switchport mode access
  shutdown
  interface FastEthernet0/48
  switchport access vlan 40
  switchport mode access
  shutdown
  interface GigabitEthernet0/1
  shutdown
  interface GigabitEthernet0/2
  switchport access vlan 40
  switchport mode access
  interface GigabitEthernet0/3
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode on
  interface GigabitEthernet0/4
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode on
  interface Vlan1
  no ip address
  ip classless
  ip http server
  ip http secure-server
  ip sla enable reaction-alerts
  line con 0
  logging synchronous
  line vty 0 4
  login
  line vty 5 15
  login
  end

• Remote Access VPN (ipsec) can ping LAN interface of firewall but not clients on the company network.

  The VPN will connect.
  I can ping and connect to the ASA 5510 on it's LAN interface.
  My problem is that I cannot ping or access anything on the LAN past the firewall. What am I doing wrong?
  Here is my config.
  Result of the command: "show config"
  : Saved
  : Written by enable_15 at 22:55:02.299 UTC Tue Jan 10 2012
  ASA Version 8.2(5)
  hostname ********
  enable password UbBnTPKwu27ohfYB encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address x.x.x.x x.x.x.x
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.0.4.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group network BC
  network-object 10.0.3.0 255.255.255.0
  network-object 10.0.4.0 255.255.255.0
  access-list outside_access_in extended permit tcp any any eq ssh
  access-list outside_access_in extended permit tcp any any eq 50000
  access-list outside_access_in extended permit tcp any any eq 3390
  access-list outside_access_in extended permit tcp any any eq 8066
  access-list outside_access_in extended permit tcp any any eq 22225
  access-list outside_access_in extended permit tcp any any eq 1600
  access-list outside_access_in extended permit tcp any any eq 37260
  access-list outside_access_in extended permit tcp any any eq 37261
  access-list outside_access_in extended permit tcp any any eq 37262
  access-list outside_access_in extended permit tcp any any eq 37263
  access-list outside_access_in extended permit tcp any any eq 37264
  access-list outside_access_in extended permit tcp any any eq 1435
  access-list outside_access_in extended permit tcp any any eq 250
  access-list outside_access_in extended permit tcp any any eq citrix-ica
  access-list outside_access_in extended permit tcp any any eq 8080
  access-list outside_access_in extended permit tcp any any eq www
  access-list outside_access_in extended permit tcp any any eq 85
  access-list outside_access_in extended permit tcp any any eq 8069
  access-list outside_access_in extended permit tcp any any eq 3389
  access-list outside_access_in extended permit tcp any any eq 23032
  access-list outside_access_in extended permit tcp any any eq 32023
  access-list outside_access_in extended permit tcp any any eq 3399
  access-list outside_access_in extended permit udp any any eq 250
  access-list outside_access_in extended permit udp any any eq 5008
  access-list outside_access_in extended permit icmp any any
  access-list splittunn-ppso extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
  access-list splittunn-ppso extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
  access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
  access-list nonat extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool vpn-pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 101 interface
  nat (inside) 0 access-list nonat
  nat (inside) 101 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface 50000 10.0.4.58 50000 netmask 255.255.255.255
  static (inside,outside) tcp interface ssh 10.0.4.7 ssh netmask 255.255.255.255
  static (inside,outside) tcp interface 3390 10.0.3.249 3390 netmask 255.255.255.255
  static (inside,outside) tcp interface 8066 10.0.3.249 8066 netmask 255.255.255.255
  static (inside,outside) tcp interface 22225 10.0.4.58 22225 netmask 255.255.255.255
  static (inside,outside) tcp interface 1600 10.0.4.58 1600 netmask 255.255.255.255
  static (inside,outside) tcp interface 37260 10.0.4.58 37260 netmask 255.255.255.255
  static (inside,outside) tcp interface 37261 10.0.4.58 37261 netmask 255.255.255.255
  static (inside,outside) tcp interface 37262 10.0.4.58 37262 netmask 255.255.255.255
  static (inside,outside) tcp interface 37263 10.0.4.58 37263 netmask 255.255.255.255
  static (inside,outside) tcp interface 37264 10.0.4.58 37264 netmask 255.255.255.255
  static (inside,outside) tcp interface 1433 10.0.4.240 1433 netmask 255.255.255.255
  static (inside,outside) udp interface 5008 10.0.4.240 5008 netmask 255.255.255.255
  static (inside,outside) udp interface 249 10.0.4.240 249 netmask 255.255.255.255
  static (inside,outside) tcp interface 250 10.0.4.240 250 netmask 255.255.255.255
  static (inside,outside) tcp interface www 10.0.4.15 www netmask 255.255.255.255
  static (inside,outside) tcp interface citrix-ica 10.0.4.15 citrix-ica netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 10.0.4.15 8080 netmask 255.255.255.255
  static (inside,outside) tcp interface 85 10.0.4.15 85 netmask 255.255.255.255
  static (inside,outside) tcp interface 8069 10.0.4.236 8069 netmask 255.255.255.255
  static (inside,outside) tcp interface 3399 10.0.4.236 3389 netmask 255.255.255.255
  static (inside,outside) tcp interface 23032 10.0.4.244 23032 netmask 255.255.255.255
  static (inside,outside) tcp interface 32023 10.0.4.244 32023 netmask 255.255.255.255
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  route inside 10.0.3.0 255.255.255.0 10.0.4.205 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  http 0.0.0.0 0.0.0.0 management
  http x.x.x.x x.x.x.x outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
      0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
      30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
      13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
      0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
      20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
      65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
      65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
      30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
      30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
      496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
      74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
      68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
      3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
      63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
      0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
      a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
      9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
      7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
      15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
      63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
      18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
      4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
      81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
      db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
      7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
      ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
      45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
      2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
      1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
      03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
      69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
      02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
      6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
      c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
      69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
      1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
      551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
      1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
      2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
      4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
      b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
      6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
      481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
      b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
      5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
      6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
      6c2527b9 deb78458 c61f381e a4c4cb66
    quit
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet x.x.x.x 255.255.255.255 outside
  telnet 0.0.0.0 0.0.0.0 inside
  telnet 0.0.0.0 0.0.0.0 management
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 management
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.2-192.168.1.254 management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  group-policy ppso internal
  group-policy ppso attributes
  dns-server value 10.0.4.241 10.0.4.14
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value splittunn-ppso
  default-domain value ppso.local
  split-dns value ppso.local
  address-pools value vpn-pool
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  address-pool vpn-pool
  default-group-policy VPN
  tunnel-group VPN ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:88a9b69fc3d718c3badfa99db2c7ce4f

  Yeah, I figured out where my problem was.
  My IP Local Pool range was the problem.
  I was using 10.10.10.0 which conflicted with a point-to-point connection where the serial interfaces were numbered and using 10.10.10.1 and 10.10.10.2.
  Traffic would leave the firewall, hit the intended host, go back through my core router, then off to the other network.
  I changed my ip local pool to a different range (192.168.100.0) and my problem was solved.

• Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

  I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
  Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
  I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

  Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
  Share the configuration if you want help with the NAT exemption part.

• Multiple Apple TVs on the same network

  I teach at a school and have used an Apple TV in conjunction with my iPad for presentations. I find it invaluable. Other teachers at my school would like to do the same, but I'm told by our tech support that multiple Apple TVs on the same network cause problems. When I ask them what problems, they aren't sure. They just tell me that other school have experienced problems. Other than a wifi bandwidth problem, I can't imagine what kind of problem it would be. A collegue of mine wants to jump onboard but desn't want to make waves. Does anyone know of any problems?

  I have two Apple TV's, one in the living room and one in the bedroom... however, the living room is the only one that my iphone Remote APP is connecting with... I've named/tagged the two ATV's hoping that the Remote APP would provide me the option on which one to control, but it doesn't....
  I've confirmed that home sharing is "on" with in all devices "settings"...
  Any suggestions?

• Can not access CRM from outside the office network - Access denied You do not have sufficient access rights or privileges to perform this action.

  Hi,
  I can not access CRM from outside the office network - Access denied You do not have sufficient access rights or privileges to perform this action.  I can access CRM with same user id and password from our office inside the network.  I can get
  the page to give login details once I have login details I got below error. Please help me to solve this issue.  It was working before.
  Access denied You do not have sufficient access rights or privileges to perform this action. 
  Regards,
  Noushad
  [email protected]

  On Premise system Configured with AD FS server for claims-based authentication you need to update your host file with server url to access it from outside office network.
  Refer
  this on how to update host file.
  Regards, Saad