NAC WiFi + NAC Internal VPN
Has anyone tested this scenario?
The idea is the following: users connect via a wireless connection to the network and are certified by the NAC appliance; after certification they are switched out-of-band. This will grant them access to basic network resources. To get access to more secure resources, the users will have to establish a VPN connection over the already established wireless connection. After a successful VPN connection they will need to go through a second NAC appliance connected in-band to the VPN endpoint for extra security checks.
My question is, how will these users be treated by the NAC appliance, since their user credentials are already logged by the NAC Manager because of the successful WiFi login?
I have looked into the Max User Sessions option, but this only works per role. And since WiFi and VPN users will have different roles, I suspect that option will not work for my purpose.
Hi,
No difference, except that using a third-party cert simplifies the process in that the majority of the clients already trust the root certs of the well-known CAs. Other than that, if you have a way of distributing your internal CA's root cert to your clients, it should work just fine with internal certs.
HTH,
Faisal
Similar Messages
-
How to get VMWare Fusion's internal VPN to pass along the Windows logo key?
I'm also posting this at VMWare Communities, with no replies so far.
VMWare Fusion (5) has an internal VPN, which I find helpful and faster than tunnelling (SSH) into my Mac from somewhere else on the Net and then using Fusion as usual. With the internal VPN, I go straight to Windows (8), bypass the Mac interface entirely, and it used to be faster to interact with it that way.
Now, having upgraded to Windows 8 (from Vista!), I need the Windows logo key - using the mouse is too slow and inaccurate to call up the Charms bar, for example. Windows logo + C works like a ... charm!
So, tunnelling into my iMac (from afar) and using "Windows logo" keystrokes in Fusion works fine.
But tunnelling directly into Fusion, using its internal VPN (Settings -> Advanced), does not work.
There are several options to set for "Keyboard and Mouse" but I haven't found a combo which works.
Missing anything?
Thanks to all.
Charles
Update: having called VMWare Support, they have reproduced the problem and temporarily circumvented it by using RealVNC and changing the two "Command Keys" to "Super_L" and "Super_R". This has also fixed the absence of right-clicking, although it seems intermittent.
-
Cisco NAC with VPN Concentrators
Looking at the deployment guidelines for NAC integration with VPN Concentrators:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
Is it possible to define traffic which is exempt from NAC enforcement, for example traffic associated with LAN-to-LAN VPNs?
NAC enforcement does not work on traffic types. The following links may help you:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_addSrv.html
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_cca.html
-
I am trying to set up NAC using ACS 4.1 and a VPN concentrator 3015 using 4.7.2K. I have had it working before using 3.3 and 4.0, but had to wipe out my server because of some issues. This is all in test, but I would like to complete this soon.
Is there some document out there that will allow me to see examples of this setup? I have googled it and checked on Cisco, but the examples are normally IOS specific. Any help would be appreciated.
Thanks
Dwane
Refer to the link to the NAC Phase One whitepaper, which is the best guide to configuring NAC at the moment.
The document was released prior to NAC introduction on the VPN concentrator, but all the ACS and CTA configuration is valid.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf
also refer these links to know more info about VPN concentrator with NAC:
http://www.cisco.com/warp/public/471/vpn3k-nac-config-471.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee22f.html#wp1652431
-
Hi everyone,
Does somebody know how to configure a PIX/ASA and/or a router to do admission control for the VPN clients that connect?
Thanks
Hi,
These links will help:
http://www.cisco.com/en/US/products/ps6121/products_configuration_guide_chapter09186a00806a81a0.html
Regards,
Vivek
-
"Cannot connect to the iTunes Store" when using WiFi and Cisco VPN
hi
I'm on iPhone software 2.0 and have a connection to the internet via WiFi and VPN (using the integrated Cisco client). Everything works fine (Safari, Mail, MobileMe push of contacts and calendars) but the iTunes Store and the App Store won't. While the App Store keeps spinning, the iTunes Store says "Cannot connect to the iTunes Store". Has anyone else experienced a similar phenomenon?
thanks
Message was edited by: samaki
We're having the same issue. App Store and iTunes do not work when all traffic is tunneled over VPN. Yet other applications like Safari, New York Times reader, Telnet, etc. work perfectly fine over VPN. If we have the iPhone switch over to using split-tunneling VPN mode, then the App Store and iTunes work, since they do not appear to be sending traffic over the VPN tunnel. I can say for certain that no outgoing traffic is being blocked on the VPN servers, since I administer those servers. I also did a packet capture on the iPhone wireless session and it appears that the App Store sends traffic over the regular HTTP port. So it really doesn't make any sense from a VPN perspective why Safari would work but not the App Store or iTunes when you're tunneling all traffic over VPN. Our iPhones are using the latest firmware (5F136). If anyone has any update, please do share.
-
BT Wifi Hotspots - No VPN functionality?
Hello!
I have been using BT Hotspots for a few weeks now and have noticed, since these hotspots have no security on them, that any information from my computer could be seen by a hacker/intruder. I decided to sign up for a VPN service that I have used in the past (not with hotspots, though). However, I have hit a problem: when I log in to the hotspot and am connected to the internet, the VPN always says "Connecting..." and then eventually gives up, saying the server was unreachable. I have checked with the VPN provider and their service is functioning normally.
If it helps, here is some information I believe is relevant:
Apple MacBook Pro
VPN Client: Built in VPN via the "Network" control panel.
VPN Provider: Anonine (vpn.anonine.net)
Hotspot: (Either connected to "BTWiFi" or "BTWiFi-With-Fon")
Any information is greatly appreciated.
BT Wifi have their own free VPN software which works fine, and protects the connection.
See http://www.btwifi.co.uk/help/security/vpn-software.jsp
You have to be logged into a hotspot to download it.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.
-
Problems in Boot Camp with Wifi and internal speakers
I loaded Boot Camp from Leopard with no known issues on installation. However, my wireless and internal speakers, which work fine in Leopard, do not work in Boot Camp. I'm guessing it's a driver problem, but I don't know how to proceed. I've tried reinstalling...
Any help is appreciated.
Kerry
Hi Kerrywm, I have exactly the same problem. I can get my Apple Bluetooth keyboard to work fine after I set it up using a wired keyboard. But after a single reboot, the wireless keyboard is 'lost' in Windows XP. It's a real nuisance; it's like the Bluetooth 'preferences' for the keyboard are not remembered by Windows XP after restart. One exception, however, after restart, seems to be that the top right-hand key, the CD eject key on the keyboard, does work as a '+ volume' control key - it's really odd!
Fox.
-
NAC Framework or NAC Appliance - which is better?
Hi all, can someone just advise which is the better solution, the NAC Appliance or the NAC Framework?
regards
sushil
Hi Sushil,
If you are taking a poll, please count me in for the appliance over the NAC framework. I've done both and there are more variables in the framework than when you use the appliances. From my experience, the more variables the harder it is to troubleshoot. Your mileage may vary.
I would also add that doing an implementation which employs a Virtual Gateway, Out-of-Band for wired users, and Central Deployment is the best use of your time and money.
Of course, if you are using NAC for VPN and wireless users you still need dedicated CAS devices, as these require in-band deployments.
Hope this helps.
Paul
-
Hello, I am trying to connect to my college's network through Arch. The issue is that the school uses the Cisco AnyConnect VPN client and the NAC Agent client to connect to the network. Since I just installed Arch onto my laptop, I do not yet have X11 installed. While I have correctly set up online and offline netcfg profiles, I have to launch the Cisco Java applet in order to have access to the web.
Links obviously does not have a Java plugin, and even if it did I would not be able to connect to the network because the Cisco Java applet launches a GUI window. I tried downloading the necessary X packages through my Windows partition and installing them using pacman -U, but then I discovered dozens of extra dependencies that I would need to install for that to work. Since I do not have internet access, installing every single one of those dependencies would be tedious.
I have tried to find somebody in the IT department or the Computer Society to give me assistance, but I have had no luck. Despite the existence of a Linux research lab, I appear to be the only person on campus who actually uses Linux (proprietary systems are yucky). I want to know if there is a workaround for my issue: is there a GUI-less NAC and VPN client that is compatible with Cisco? Are there any other possible solutions?
Thank you for your assistance.
EDIT: As an alternative, is there any way I can download all of the required xorg files off the Arch Linux website without having to go out of the way to download every individual dependency for every package? Again, the issue is that I cannot access the network through my Linux partition. I can connect to it, but I cannot download from the package repository or browse the internet without a Java- and JavaScript-enabled browser. The network authenticates me by prompting me with a Cisco NAC GUI window and asks for my username and password. Is it possible to do this without a GUI browser?
EDIT AGAIN: Can OpenVPN achieve what I want it to? I want to connect to the network VPN with my username and password.
Last edited by werdna94 (2012-09-16 21:02:48)
Carlos, there is a simple way to bypass authentication and just enforce posturing.
However this will not work if your entire deployment requires user authentication. If not, then this is how you would accomplish this.
You will create a device filter for all MAC addresses and select the role type as "check"; reference material is found here:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_addSrv.html#wp1052361
Then you will create a port profile and follow step 9 here:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html#wp1083087
I wanted to know more about your deployment; please keep in mind that the filter behavior does change depending on the deployment:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_addSrv.html#wp1142120
Thanks,
Tarik
-
iMessage and FaceTime activation error during international travel - WiFi still works
I am travelling out of the US for a few months and had been successfully using my iPhone 4S through WiFi (no international plan, just using WiFi features). I left a WiFi zone and upon my return, my iMessage and FaceTime are both showing me errors when I input my Apple ID - that the ID and/or password are wrong. I've changed my password through my phone, through iTunes, and through the Apple ID website to no avail. My ID and password work for everything else.
Also, I am additionally getting an error message that my iPhone and iCloud cannot be backed up now either.
Please help if possible - I am out of the US for a few more weeks to months.
In order to activate FaceTime and iMessage, the phone has to be able to send an SMS. So, if you put your phone in Airplane mode and turned WiFi back on, or have turned off roaming, the phone won't be able to send that text. Sending a text, even internationally, shouldn't cost you more than about fifty cents.
Best of luck.
-
My iPhone's Personal Hotspot doesn't give WiFi over VPN anymore
Basically, when I connect my Mac to my iPhone it bypasses the VPN on my iPhone, which is on. I used to open my VPN and Personal Hotspot on my iPhone before the iOS 5 update and give WiFi internet over VPN to my Mac or other iPhone (I carry two iPhones: 1st iPhone, 2nd iPhone 4S).
I am sure it's a firmware thing because it used to work perfectly.
Regards,
Those are Apple's support links for using and troubleshooting hotspot, which you are whining about.
I gave you links to help you and all you do is complain.
Not surprised the mods deleted your post.
-
VPN not working after Update from SLS to MLS
Hi folks,
Last weekend I updated my Snow Leopard Server following the suggested procedure: first installed Mountain Lion and then OS X Server. Now I have a problem.
Setup:
- Mac mini Server located in my private LAN, running SLS as a virtual machine (VMware)
- connected to the Internet via an AVM FritzBox 7270
For HTTP (80) and VPN (500, 1701 and 4500) the ports are forwarded to the virtual machine - everything was working well before the update (access to website & VPN from both internal and external). The VPN connection is used either with an iPhone or with my MacBook Pro.
The website is still working as expected. The VPN service is not working properly anymore. I can access it from internal, but not from external.
So, to make it clear, nothing but the server OS changed in the setup.
Any ideas? Did the ports change from 10.6 to 10.8?
Thanks in advance,
Andre
(err, and YES, I have a snapshot of 10.6 - if I revert, it's working again, but this can't be the solution)
Hi all,
To point out the difference, this is what the logs say...
Connecting from internal, VPN success:
21.06.13 18:12:13,880 racoon[226] IPSec Phase1 started (Initiated by peer).
21.06.13 18:12:13,882 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 1).
21.06.13 18:12:13,883 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 2).
21.06.13 18:12:13,921 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 3).
21.06.13 18:12:13,942 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 4).
21.06.13 18:12:13,969 racoon[226] IKEv1 Phase1 AUTH: success. (Responder, Main-Mode Message 5).
21.06.13 18:12:13,969 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 5).
21.06.13 18:12:13,970 racoon[226] IKEv1 Phase1 Responder: success. (Responder, Main-Mode).
21.06.13 18:12:13,970 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 6).
21.06.13 18:12:13,970 racoon[226] IPSec Phase1 established (Initiated by peer).
21.06.13 18:12:14,881 racoon[226] IPSec Phase2 started (Initiated by peer).
21.06.13 18:12:14,881 racoon[226] IKE Packet: receive success. (Responder, Quick-Mode message 1).
21.06.13 18:12:14,881 racoon[226] IKE Packet: transmit success. (Responder, Quick-Mode message 2).
21.06.13 18:12:14,885 racoon[226] IKE Packet: receive success. (Responder, Quick-Mode message 3).
21.06.13 18:12:14,886 racoon[226] IKEv1 Phase2 Responder: success. (Responder, Quick-Mode).
21.06.13 18:12:14,886 racoon[226] IPSec Phase2 established (Initiated by peer).
21.06.13 18:12:14,890 vpnd[1210] Incoming call... Address given to client = 192.168.0.203
21.06.13 18:12:14,918 pppd[1371] pppd 2.4.2 (Apple version 596.13) started by root, uid 0
21.06.13 18:12:14,923 pppd[1371] L2TP incoming call in progress from '192.168.0.117'...
21.06.13 18:12:14,931 pppd[1371] L2TP connection established.
21.06.13 18:12:14,935 pppd[1371] Connect: ppp1 <--> socket[34:18]
21.06.13 18:12:14,944 UserEventAgent[17] Captive: [mySCCopyWiFiDevices:162] WiFi Device Name == NULL
21.06.13 18:12:15,036 pppd[1371] CHAP peer authentication succeeded for <username>
21.06.13 18:12:15,042 pppd[1371] DSAccessControl plugin: User '<username>' authorized for access
21.06.13 18:12:15,052 pppd[1371] Unsupported protocol 0x8057 received
21.06.13 18:12:15,058 pppd[1256] l2tp_wait_input: Address added. previous interface setting (name: en0, address: 192.168.0.103), current interface setting (name: ppp1, family: PPP, address: 192.168.0.103, subnet: 255.255.255.0, destination: 192.168.0.203).
21.06.13 18:12:15,058 pppd[1371] local IP address 192.168.0.103
21.06.13 18:12:15,059 pppd[1371] remote IP address 192.168.0.203
21.06.13 18:12:15,061 pppd[1371] l2tp_wait_input: Address added. previous interface setting (name: en0, address: 192.168.0.103), current interface setting (name: ppp1, family: PPP, address: 192.168.0.103, subnet: 255.255.255.0, destination: 192.168.0.203).
21.06.13 18:12:15,068 configd[21] network changed: v4(en0:192.168.0.103, ppp0, ppp1+:192.168.0.103) DNS* Proxy SMB
21.06.13 18:12:17,102 apsd[466] Certificate not yet generated
21.06.13 18:12:18,103 apsd[466] Certificate not yet generated
21.06.13 18:12:19,004 apsd[466] Couldn't find cert in response dict
21.06.13 18:12:19,006 apsd[466] Failed to get client cert on attempt 11, will retry in 900 seconds
21.06.13 18:12:19,066 racoon[226] IKE Packet: transmit success. (Information message).
21.06.13 18:12:19,067 racoon[226] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
21.06.13 18:12:19,120 apsd[466] Certificate not yet generated
21.06.13 18:12:21,802 pppd[1256] l2tp_wait_input: Address deleted. previous interface setting (name: en0, address: 192.168.0.103), deleted interface setting (name: ppp1, family: PPP, address: 192.168.0.103, subnet: 255.255.255.0, destination: 192.168.0.203).
21.06.13 18:12:21,817 pppd[1371] l2tp_wait_input: Address deleted. previous interface setting (name: en0, address: 192.168.0.103), deleted interface setting (name: ppp1, family: PPP, address: 192.168.0.103, subnet: 255.255.255.0, destination: 192.168.0.203).
21.06.13 18:12:21,822 configd[21] network changed: v4(en0:192.168.0.103, ppp0, ppp1-:192.168.0.103) DNS* Proxy SMB
21.06.13 18:12:21,981 pppd[1371] Fatal signal 6
21.06.13 18:12:21,982 racoon[226] IKE Packet: receive success. (Information message).
21.06.13 18:12:22,011 vpnd[1210] --> Client with address = 192.168.0.203 has hungup
21.06.13 18:12:22,022 UserEventAgent[17] Captive: [mySCCopyWiFiDevices:162] WiFi Device Name == NULL
21.06.13 18:12:23,837 apsd[466] Certificate not yet generated
21.06.13 18:12:23,839 apsd[466] Certificate not yet generated
21.06.13 18:12:25,148 apsd[466] Couldn't find cert in response dict
21.06.13 18:12:25,148 apsd[466] Failed to get client cert on attempt 12, will retry in 900 seconds
21.06.13 18:12:25,845 apsd[466] Certificate not yet generated
Connecting from external, VPN fail:
21.06.13 18:10:52,533 racoon[226] Connecting.
21.06.13 18:10:52,533 racoon[226] IPSec Phase1 started (Initiated by peer).
21.06.13 18:10:52,535 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 1).
21.06.13 18:10:52,536 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 2).
21.06.13 18:10:52,692 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 3).
21.06.13 18:10:52,713 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 4).
21.06.13 18:10:52,882 racoon[226] IKEv1 Phase1 AUTH: success. (Responder, Main-Mode Message 5).
21.06.13 18:10:52,882 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 5).
21.06.13 18:10:52,882 racoon[226] IKEv1 Phase1 Responder: success. (Responder, Main-Mode).
21.06.13 18:10:52,883 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 6).
21.06.13 18:10:52,883 racoon[226] IPSec Phase1 established (Initiated by peer).
21.06.13 18:10:53,412 racoon[226] Connecting.
21.06.13 18:10:53,413 racoon[226] IPSec Phase2 started (Initiated by peer).
21.06.13 18:10:53,413 racoon[226] IKE Packet: receive success. (Responder, Quick-Mode message 1).
21.06.13 18:10:53,414 racoon[226] IKE Packet: transmit success. (Responder, Quick-Mode message 2).
21.06.13 18:10:53,531 racoon[226] IKE Packet: receive success. (Responder, Quick-Mode message 3).
21.06.13 18:10:53,532 racoon[226] IKEv1 Phase2 Responder: success. (Responder, Quick-Mode).
21.06.13 18:10:53,532 racoon[226] IPSec Phase2 established (Initiated by peer).
21.06.13 18:11:13,643 racoon[226] IKE Packet: receive success. (Information message).
21.06.13 18:11:13,671 racoon[226] IKE Packet: receive success. (Information message).
Hope you see more than me and can help... :-(
-
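The two log excerpts in the post above differ at one point: from inside, racoon's Phase 1 and Phase 2 are followed by vpnd's "Incoming call" and an L2TP/PPP session; from outside, both IPsec phases come up and then nothing else happens until the peer's Information messages twenty seconds later. The script below is an added example, not part of the thread: it parses the server's one-entry-per-line format, records which milestones of an L2TP-over-IPsec connection a session reached, and names the first missing one. The stage list, the hint text and the two trimmed sample logs are mine (the sample lines themselves are quoted from the post).

```python
"""Stage analysis for macOS Server L2TP/IPsec logs (added example)."""
import re

# One entry per line: "DD.MM.YY HH:MM:SS,mmm process[pid] message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]\s+(?P<msg>.*)$"
)

# Milestones of an L2TP-over-IPsec connection in the order the server logs
# them. IKE (UDP 500, or UDP 4500 behind NAT) comes first; the L2TP control
# channel (UDP 1701, carried inside the IPsec SA) and PPP authentication can
# only follow once both IPsec phases are established.
STAGES = (
    ("ike_phase1", "IPSec Phase1 established"),
    ("ike_phase2", "IPSec Phase2 established"),
    ("l2tp", "L2TP connection established"),
    ("ppp_auth", "CHAP peer authentication succeeded"),
    ("ppp_up", "local IP address"),
)
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}

# Trimmed copies of the two excerpts in the post (milestone lines only).
INTERNAL_LOG = """\
21.06.13 18:12:13,880 racoon[226] IPSec Phase1 started (Initiated by peer).
21.06.13 18:12:13,970 racoon[226] IPSec Phase1 established (Initiated by peer).
21.06.13 18:12:14,886 racoon[226] IPSec Phase2 established (Initiated by peer).
21.06.13 18:12:14,890 vpnd[1210] Incoming call... Address given to client = 192.168.0.203
21.06.13 18:12:14,931 pppd[1371] L2TP connection established.
21.06.13 18:12:15,036 pppd[1371] CHAP peer authentication succeeded for <username>
21.06.13 18:12:15,058 pppd[1371] local IP address 192.168.0.103
21.06.13 18:12:19,067 racoon[226] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
21.06.13 18:12:22,011 vpnd[1210] --> Client with address = 192.168.0.203 has hungup
"""

EXTERNAL_LOG = """\
21.06.13 18:10:52,533 racoon[226] Connecting.
21.06.13 18:10:52,883 racoon[226] IPSec Phase1 established (Initiated by peer).
21.06.13 18:10:53,532 racoon[226] IPSec Phase2 established (Initiated by peer).
21.06.13 18:11:13,643 racoon[226] IKE Packet: receive success. (Information message).
21.06.13 18:11:13,671 racoon[226] IKE Packet: receive success. (Information message).
"""

# What to check next, keyed by the first stage that was NOT reached.
HINTS = {
    "ike_phase1": "no IKE phase 1: UDP 500/4500 is not reaching racoon, or proposals/PSK do not match",
    "ike_phase2": "phase 1 up but no phase 2: quick-mode proposal or traffic selector mismatch",
    "l2tp": "IPsec SAs established but no L2TP control connection: the encrypted L2TP "
            "traffic (UDP 1701 inside the SA) never reached vpnd",
    "ppp_auth": "L2TP tunnel up but PPP authentication did not succeed",
    "ppp_up": "PPP authenticated but no address was assigned",
}


def parse(log_text):
    """Yield (timestamp, process, pid, message); lines that don't parse are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("proc"), int(m.group("pid")), m.group("msg")


def analyze(log_text):
    """Return the stages reached, the furthest one, and the first one missing."""
    reached, torn_down = [], False
    for _ts, _proc, _pid, msg in parse(log_text):
        for name, marker in STAGES:
            if marker in msg and name not in reached:
                reached.append(name)
        if "has hungup" in msg or "Delete IPSEC-SA" in msg:
            torn_down = True
    last = max(reached, key=STAGE_INDEX.__getitem__) if reached else None
    if last is None:
        stalled_before = STAGES[0][0]
    elif STAGE_INDEX[last] + 1 < len(STAGES):
        stalled_before = STAGES[STAGE_INDEX[last] + 1][0]
    else:
        stalled_before = None  # every milestone was logged
    return {"reached": reached, "last_stage": last,
            "stalled_before": stalled_before, "torn_down": torn_down}


def diagnose(result):
    """Turn the stall point into the thing to check next."""
    if result["stalled_before"] is None:
        return "full connection reached" + (" (then torn down)" if result["torn_down"] else "")
    return HINTS[result["stalled_before"]]


if __name__ == "__main__":
    for label, log in (("internal", INTERNAL_LOG), ("external", EXTERNAL_LOG)):
        r = analyze(log)
        print(f"{label}: reached {r['reached']} -> {diagnose(r)}")
```

Run against the two excerpts it reports the internal session as complete (and torn down by the client afterwards) and the external one as stalled before the L2TP stage, which narrows the search to the path the L2TP packets take once the IPsec SA exists rather than to the IKE port forwards, which the log shows are working.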
VPN Tunnel setup - can't ping either endpoint
So I was given the task to set up a new VPN tunnel for a client and, even though I've basically made it open, we still cannot ping each other's endpoints. I troubleshot for over an hour with one of their techs, still to no avail. I've included the config of this router. The tunnel can build out and completes phase 1 and 2, but still doesn't allow traffic or the ability to connect to either endpoint. Please help.
Result of the command: "sh run"
: Saved
ASA Version 8.0(3)6
hostname RBPASA01
domain-name rbmc.org
enable password *removed* encrypted
passwd *removed* encrypted
names
name 10.20.10.0 OBD-DHCP-10.20.10.x description DHCP Scopes for VLAN20
name 10.20.11.0 OBD-DHCP-10.20.11.x description DHCP Scopes for VLAN20
name 10.20.12.0 OBD-DHCP-10.20.12.x description DHCP Scopes for VLAN20
name 10.10.14.0 PAD-DHCP-10.10.14.X description DHCP Scopes for VLAN10
name 128.127.0.0 Millennium-Remote
name 10.10.0.0 Pad-10.10-network
name 10.11.0.0 Pad-10.11-network
name 10.12.0.0 Pad-10.12-network
name 10.100.91.0 Pad-10.100-network
name 10.30.13.0 Millennium-nat
name 10.100.91.200 Maxsys-Server
name 65.171.123.34 Maxsys-Remote description Landacorp remote access
name 65.211.65.21 FTP-External-Address
name 172.31.0.15 FTP-Internal-Address description FTP Server in DMZ
name 10.100.91.201 RBPMAXYS02 description Landacorp Access
name 10.10.10.231 c05407
name 192.168.55.4 c05407Nat
name 192.168.55.3 c057017Nat
name 10.10.13.50 c05744
name 192.168.55.5 c05744Nat
name 151.198.253.253 VPN-External
name 10.13.102.30 NBI20610 description Viewpoint Server SBHCS
name 10.100.90.51 RBPASA01 description PRI ASA
name 10.100.90.52 RBPASA02 description SECASA
name 151.198.253.254 VPN02External
name 10.10.7.189 RBMHIS description AergoVPN(Local)
name 10.10.7.43 RBMHIS1 description AergoVPN(Local)
name 10.10.7.44 RBMHIS2 description AergoVPN(Local)
name 10.100.98.21 RBMS2 description AergoVPN(Local)
name 10.1.6.0 AergoVPN-Remote description AergoVPN-Remote
name 216.167.127.4 Lynx-PicisHost1 description Lynx Encryption Domain
name 216.167.127.30 Lynx-PicisHost10 description Lynx Encryption Domain
name 216.167.127.31 Lynx-PicisHost11 description Lynx Encryption Domain
name 216.167.127.32 Lynx-PicisHost12 description Lynx Encryption Domain
name 216.167.127.33 Lynx-PicisHost13 description Lynx Encryption Domain
name 216.167.127.34 Lynx-PicisHost14 description Lynx Encryption Domain
name 216.167.127.35 Lynx-PicisHost15 description Lynx Encryption Domain
name 216.167.127.5 Lynx-PicisHost2 description Lynx Encryption Domain
name 216.167.127.6 Lynx-PicisHost3 description Lynx Encryption Domain
name 216.167.127.7 Lynx-PicisHost4 description Lynx Encryption Domain
name 216.167.127.8 Lynx-PicisHost5 description Lynx Encryption Domain
name 216.167.127.9 Lynx-PicisHost6 description Lynx Encryption Domain
name 216.167.127.10 Lynx-PicisHost7 description Lynx Encryption Domain
name 216.167.127.28 Lynx-PicisHost8 description Lynx Encryption Domain
name 216.167.127.29 Lynx-PicisHost9 description Lynx Encryption Domain
name 216.167.119.208 Lynx-PicisNtwk description Lynx-PicisNtwk
name 10.10.7.152 OLSRV2RED description Picis-LynxLocal
name 10.100.91.14 RBPPICISTST description Lynx-PicisLocal
name 10.100.98.20 RBPAERGO1 description AERGO
name 10.50.1.141 PACSHost1 description GE PACS Local
name 10.50.1.149 PACSHost2 description GE PACS Local
name 10.50.1.151 PACSHost3 description GE PACS Local
name 10.50.1.38 PACSHost4 description GE PACS Local
name 10.50.1.39 PACSHost5 description GE PACS Local
name 10.50.1.41 PACSHost6 description GE PACS Local
name 10.50.1.42 PACSHost7 description GE PACS Local
name 10.50.1.43 PACSHost8 description GE PACS Local
name 10.50.1.64 PACSHost10 description GE PACS Local
name 10.50.1.67 PACSHost11 description GE PACS Local
name 10.50.1.68 PACSHost12 description GE PACS Local
name 10.50.1.69 PACSHost13 description GE PACS Local
name 10.50.1.44 PACSHost9 description GE PACS Local
name 10.50.1.70 PACSHost14 description GE PACS Local
name 10.50.1.71 PACSHost15 description GE PACS Local
name 10.50.1.72 PACSHost16 description GE PACS Local
name 10.50.1.73 PACSHost17 description GE PACS Local
name 10.50.1.74 PACSHost18 description GE PACS Local
name 10.50.1.75 PACSHost19 description GE PACS Local
name 10.50.1.76 PACSHost20 description GE PACS Local
name 10.50.1.77 PACSHost21 description GE PACS Local
name 10.50.1.91 PACSHost22 description GE PACS Local
name 10.50.1.92 PACSHost23 description GE PACS Local
name 10.60.1.42 PACSHost24 description GE PACS Local
name 10.60.1.43 PACSHost25 description GE PACS Local
name 10.60.1.44 PACSHost26 description GE PACS Local
name 10.60.1.45 PACSHost27 description GE PACS Local
name 10.60.1.46 PACSHost28 description GE PACS Local
name 10.60.1.47 PACSHost29 description GE PACS Local
name 10.60.1.48 PACSHost30 description GE PACS Local
name 10.60.1.49 PACSHost31 description GE PACS Local
name 10.60.1.51 PACSHost32 description GE PACS Local
name 10.60.1.52 PACSHost33 description GE PACS Local
name 10.60.1.53 PACSHost34 description GE PACS Local
name 10.60.1.80 PACSHost35 description GE PACS Local
name 10.50.1.30 PACSHost36 description GE PACS Local
name 10.50.1.200 PACSHost37 description GE PACS Local
name 10.50.1.137 PACSHost38 description GE PACS Local
name 10.50.1.203 PACSHost39 description GE PACS Local
name 10.50.1.206 PACSHost40 description GE PACS Local
name 10.50.1.209 PACSHost41 description GE PACS Local
name 10.60.1.215 PACSHost42 description GE PACS Local
name 10.60.1.23 PACSHost43 description GE PACS Local
name 10.60.1.21 PACSHost44 description GE PACS Local
name 10.50.1.36 PACSHost45 description GE PACS Local
name 10.50.1.34 PACSHost46 description GE PACS Local
name 10.50.1.10 PACSHost47 description GE PACS Local
name 150.2.0.0 GE_PACS_NET description GE PACS Remote
name 10.50.1.19 PACSHost49 description GE PACS Local
name 10.50.1.28 PACSHost50 description GE PACS Local
name 10.50.1.29 PACSHost51 description GE PACS Local
name 10.50.1.140 PACSHost52 description GE PACS Local
name 10.60.1.161 PACSHost53 description GE PACS Local
name 10.50.1.31 PACSHost54 description GE PACS Local
name 10.50.1.32 PACSHost55 description GE PACS Local
name 10.50.1.4 PACSHost56 description GE PACS Local
name 10.50.1.35 PACSHost57 description GE PACS Local
name 10.50.1.37 PACSHost58 description GE PACS Local
name 10.60.1.22 PACSHost59 description GE PACS Local
name 10.60.1.24 PACSHost60 description GE PACS Local
name 10.60.1.218 PACSHost61 description GE PACS Local
name 10.60.1.221 PACSHost62 description GE PACS Local
name 10.50.1.16 PACSHost63 description GE PACS Local
name 10.50.1.15 PACSHost64 description GE PACS Local
name 10.50.1.106 PACSHost65 description GE PACS Local
name 10.50.1.33 PACSHost66 description GE PACS Local
name 10.20.7.160 PACSHost67 description GE PACS Local
name 10.50.1.135 PACSHost68 description GE PACS Local
name 10.60.1.141 PACSHost69 description GE PACS Local
name 10.60.1.150 PACSHost70 description GE PACS Local
name 10.60.1.154 PACSHost71 description GE PACS Local
name 10.50.1.136 PACSHost72 description GE PACS Local
name 10.50.1.147 PACSHost73 description GE PACS Local
name 10.50.1.161 PACSHost74 description GE PACS Local
name 10.60.1.155 PACSHost75 description GE PACS Local
name 10.30.0.0 Throckmorton_Net1 description Internal
name 108.58.104.208 Throckmorton_Net2 description External
name 10.0.0.0 PAD_Internal description PAD INternal
name 172.16.100.16 LandaCorp_Remote description LandaCorp
name 192.168.55.6 C05817Nat description ViewPoint Computer
name 10.10.13.71 C05817 description ViewPoint Computer
name 10.50.1.189 RBMCCCG description GE PACS Local
name 10.50.1.21 RBMCDAS21 description GE PACS Local
name 10.50.1.22 RBMCDAS22 description GE PACS Local
name 10.50.1.23 RBMCDAS23 description GE PACS Local
name 10.50.1.24 RBMCDAS24 description GE PACS Local
name 10.50.1.248 RBMCNAS_BACKUP description GE PACS Local
name 10.50.1.243 RBMCNAS_STS description GE PACS Local
name 10.50.1.186 RBMCSPS description GE PACS Local
name 10.50.1.188 RBMCTESTCCG description GE PACS Local
name 10.50.1.252 RBMCTESTIMS description GE PACS Local
name 10.50.1.249 RBMICISU2 description GE PACS Local
name 10.50.1.191 RBMC1DAS32ILO description GE PACS Local
name 10.50.1.192 RBMC1DAS33ILO description GE PACS Local
name 10.50.1.193 RBMC1DAS34ILO description GE PACS Local
name 10.50.1.194 RBMC1DAS35ILO description GE PACS Local
name 10.50.1.195 RBMC1DAS36ILO description GE PACS Local
name 10.50.1.197 RBMC1DAS38ILO description GE PACS Local
name 10.50.1.190 RBMC1DPS106ILO description GE PACS Local
name 10.50.1.196 RBMCCWEBILO description GE PACS Local
name 10.50.1.17 RBMCEACA description GE PACS Local
name 10.50.1.247 RBMCNAS_BACKUPILO description GE PACS Local
name 10.50.1.254 RBMICISU2ILO description GE PACS Local
name 10.50.1.187 RBMC1DAS31_ILO description GE PACS Local
name 10.50.1.253 RBMCTESTDAS description GE PACS Local
name 12.145.95.0 LabCorp_Test_Remote description LabCorp VPN TEST
name 38.107.151.110 ClearSea_Server description DeafTalk External Server
name 10.100.90.15 DeafTalk1
name 10.10.10.155 Dennis
name 10.10.7.81 RBPMAM description SunQuest Lab Server
dns-guard
interface GigabitEthernet0/0
description External Interface
speed 1000
duplex full
nameif Verizon-ISP
security-level 0
ip address VPN-External 255.255.255.224 standby VPN02External
ospf cost 10
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
description INTERNAL-NET
nameif Internal
security-level 100
ip address RBPASA01 255.255.255.0 standby RBPASA02
ospf cost 10
interface GigabitEthernet0/3
description DMZ Zone
nameif DMZ
security-level 10
ip address 172.31.0.51 255.255.255.0
interface Management0/0
shutdown
no nameif
no security-level
no ip address
time-range Vendor-Access
periodic Monday 9:00 to Friday 16:00
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Verizon-ISP
dns domain-lookup Internal
dns server-group DefaultDNS
name-server 10.100.91.5
name-server 10.10.7.149
domain-name rbmc.org
object-group service VPN_Tunnel tcp
description Ports used for Site to Site VPN Tunnel
port-object eq 10000
port-object eq 2746
port-object eq 4500
port-object eq 50
port-object eq 500
port-object eq 51
object-group network Millennium-Local-Network
description Pad networks that connect to millennium
network-object Pad-10.10-network 255.255.0.0
network-object Throckmorton_Net1 255.255.0.0
object-group icmp-type ICMP-Request-Group
icmp-object echo
icmp-object information-request
icmp-object mask-request
icmp-object timestamp-request
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group network Viewpoint
description OB Viewpoint Clients
network-object host 10.10.10.220
network-object host c05407
network-object host c05744
network-object host 192.168.55.2
network-object host c057017Nat
network-object host c05407Nat
network-object host c05744Nat
network-object host C05817Nat
network-object host C05817
object-group service ConnectionPorts tcp-udp
port-object eq 3872
port-object eq 4890
port-object eq 4898
object-group service TCP tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
group-object ConnectionPorts
port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object tcp
object-group network AergoVPN-Local
description Aergo VPN Local HIS Servers
network-object host RBMHIS
network-object host RBMHIS1
network-object host RBMHIS2
network-object host RBMS2
network-object host RBPAERGO1
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object icmp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network Lynx-PicisRemote
description Lynx-Picis Remote Encryption Domain
network-object Lynx-PicisNtwk 255.255.255.240
network-object host Lynx-PicisHost7
network-object host Lynx-PicisHost8
network-object host Lynx-PicisHost9
network-object host Lynx-PicisHost10
network-object host Lynx-PicisHost11
network-object host Lynx-PicisHost12
network-object host Lynx-PicisHost13
network-object host Lynx-PicisHost14
network-object host Lynx-PicisHost15
network-object host Lynx-PicisHost1
network-object host Lynx-PicisHost2
network-object host Lynx-PicisHost3
network-object host Lynx-PicisHost4
network-object host Lynx-PicisHost5
network-object host Lynx-PicisHost6
object-group network DM_INLINE_NETWORK_1
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group network DM_INLINE_NETWORK_2
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object icmp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_3 tcp
group-object ConnectionPorts
port-object eq 3389
object-group network GE_PACS_Local
description GE PACS Local Hosts
network-object host PACSHost67
network-object host PACSHost65
network-object host PACSHost47
network-object host PACSHost68
network-object host PACSHost72
network-object host PACSHost38
network-object host PACSHost52
network-object host PACSHost1
network-object host PACSHost73
network-object host PACSHost2
network-object host PACSHost3
network-object host PACSHost64
network-object host PACSHost74
network-object host PACSHost63
network-object host PACSHost49
network-object host PACSHost37
network-object host PACSHost39
network-object host PACSHost40
network-object host PACSHost41
network-object host PACSHost50
network-object host PACSHost51
network-object host PACSHost36
network-object host PACSHost54
network-object host PACSHost55
network-object host PACSHost66
network-object host PACSHost46
network-object host PACSHost57
network-object host PACSHost45
network-object host PACSHost58
network-object host PACSHost4
network-object host PACSHost5
network-object host PACSHost6
network-object host PACSHost7
network-object host PACSHost8
network-object host PACSHost9
network-object host PACSHost56
network-object host PACSHost10
network-object host PACSHost11
network-object host PACSHost12
network-object host PACSHost13
network-object host PACSHost14
network-object host PACSHost15
network-object host PACSHost16
network-object host PACSHost17
network-object host PACSHost18
network-object host PACSHost19
network-object host PACSHost20
network-object host PACSHost21
network-object host PACSHost22
network-object host PACSHost23
network-object host PACSHost69
network-object host PACSHost70
network-object host PACSHost71
network-object host PACSHost75
network-object host PACSHost53
network-object host PACSHost42
network-object host PACSHost61
network-object host PACSHost44
network-object host PACSHost62
network-object host PACSHost59
network-object host PACSHost43
network-object host PACSHost60
network-object host PACSHost24
network-object host PACSHost25
network-object host PACSHost26
network-object host PACSHost27
network-object host PACSHost28
network-object host PACSHost29
network-object host PACSHost30
network-object host PACSHost31
network-object host PACSHost32
network-object host PACSHost33
network-object host PACSHost34
network-object host PACSHost35
network-object host RBMCSPS
network-object host RBMCTESTCCG
network-object host RBMCCCG
network-object host RBMCDAS21
network-object host RBMCDAS22
network-object host RBMCDAS23
network-object host RBMCNAS_STS
network-object host RBMCNAS_BACKUP
network-object host RBMICISU2
network-object host RBMCDAS24
network-object host RBMCTESTIMS
network-object host RBMCEACA
network-object host RBMC1DAS31_ILO
network-object host RBMC1DPS106ILO
network-object host RBMC1DAS32ILO
network-object host RBMC1DAS33ILO
network-object host RBMC1DAS34ILO
network-object host RBMC1DAS35ILO
network-object host RBMC1DAS36ILO
network-object host RBMCCWEBILO
network-object host RBMC1DAS38ILO
network-object host RBMCNAS_BACKUPILO
network-object host RBMCTESTDAS
network-object host RBMICISU2ILO
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group network DM_INLINE_NETWORK_4
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_5
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_6
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_7
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_8
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group network DM_INLINE_NETWORK_9
network-object host RBMCEACA
group-object GE_PACS_Local
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
object-group service ClearSea tcp-udp
description DeafTalk
port-object range 10000 19999
port-object eq 35060
object-group service ClearSeaUDP udp
description DeafTalk
port-object range 10000 19999
object-group service DM_INLINE_TCP_4 tcp
group-object ClearSea
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_11
network-object 0.0.0.0 0.0.0.0
network-object host DeafTalk1
object-group protocol DM_INLINE_PROTOCOL_10
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_11
protocol-object ip
protocol-object icmp
access-list RBMCVPNCL_splitTunnelAcl standard permit Pad-10.100-network 255.255.255.0
access-list Verizon-ISP_Internal extended permit tcp any host FTP-External-Address eq ftp
access-list dmz_internal extended permit tcp host FTP-Internal-Address any eq ftp
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_4 object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_3 object-group Lynx-PicisRemote
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_6 object-group Viewpoint host NBI20610
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_7 host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_access_in extended permit tcp host RBPMAXYS02 host LandaCorp_Remote object-group DM_INLINE_TCP_3
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_4 Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_7
access-list Internal_access_in remark Permit to connect to DeafTalk Server
access-list Internal_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 host ClearSea_Server object-group DM_INLINE_TCP_4
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_10 any LabCorp_Test_Remote 255.255.255.0
access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
access-list Verizon-ISP_2_cryptomap extended permit tcp host Maxsys-Server host Maxsys-Remote object-group VPN_Tunnel
access-list Internal_nat0_outbound extended permit tcp Pad-10.100-network 255.255.255.0 host Maxsys-Remote object-group VPN_Tunnel
access-list DMZ_access_in extended permit ip Pad-10.10-network 255.255.0.0 172.31.0.0 255.255.255.0
access-list Verizon-ISP_access_in extended permit tcp any host FTP-External-Address object-group DM_INLINE_TCP_2
access-list Verizon-ISP_access_in extended permit tcp host LandaCorp_Remote host RBPMAXYS02 object-group DM_INLINE_TCP_1
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host NBI20610 object-group Viewpoint
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_3 AergoVPN-Remote 255.255.255.0 object-group AergoVPN-Local
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group Lynx-PicisRemote object-group DM_INLINE_NETWORK_2
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host LandaCorp_Remote host RBPMAXYS02
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_3 GE_PACS_NET 255.255.0.0 object-group DM_INLINE_NETWORK_9
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_9 LabCorp_Test_Remote 255.255.255.0 any
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_8 Pad-10.10-network 255.255.0.0
access-list Verizon-ISP_3_cryptomap extended permit ip host Maxsys-Server host Maxsys-Remote
access-list Internal_nat0_outbound_1 extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_nat0_outbound_1 extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
access-list Internal_nat0_outbound_1 extended permit ip host OLSRV2RED object-group Lynx-PicisRemote
access-list Internal_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
access-list Internal_nat0_outbound_1 extended permit ip any 10.100.99.0 255.255.255.0
access-list Internal_nat0_outbound_1 extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Internal_nat0_outbound_1 extended permit ip Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_4
access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
access-list Internal_nat0_outbound_1 extended permit ip object-group Millennium-Local-Network Millennium-Remote 255.255.0.0
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
access-list Verizon-ISP_5_cryptomap extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Verizon-ISP_6_cryptomap extended permit ip object-group Viewpoint host NBI20610
access-list Verizon-ISP_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
access-list Verizon-ISP_7_cryptomap extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Verizon-ISP_8_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
access-list Verizon-ISP_9_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
access-list Verizon-ISP_cryptomap extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
pager lines 24
logging enable
logging buffer-size 32000
logging buffered debugging
logging asdm debugging
mtu Verizon-ISP 1500
mtu Internal 1500
mtu DMZ 1500
ip local pool CiscoClient-IPPool-192.168.55.x 192.168.45.1-192.168.45.25 mask 255.255.255.0
ip local pool VLAN99VPNUsers 10.100.99.6-10.100.99.255 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/1
failover key *****
failover replication http
failover link Failover GigabitEthernet0/1
failover interface ip Failover 172.16.90.17 255.255.255.248 standby 172.16.90.18
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 173.72.107.26 Verizon-ISP
icmp deny any Verizon-ISP
icmp permit host 192.168.10.2 Internal
icmp permit host 192.168.10.3 Internal
icmp permit host 192.168.10.4 Internal
icmp permit host 192.168.10.5 Internal
icmp permit host 10.10.10.96 Internal
icmp permit host 10.10.13.20 Internal
icmp permit host 10.10.12.162 Internal
icmp deny any Internal
icmp permit host Dennis Internal
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
global (Verizon-ISP) 1 65.211.65.6-65.211.65.29 netmask 255.255.255.224
global (Verizon-ISP) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound_1
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,DMZ) Pad-10.10-network Pad-10.10-network netmask 255.255.0.0
static (Verizon-ISP,DMZ) FTP-Internal-Address FTP-External-Address netmask 255.255.255.255
static (DMZ,Verizon-ISP) FTP-External-Address FTP-Internal-Address netmask 255.255.255.255
static (Internal,Verizon-ISP) c05407Nat c05407 netmask 255.255.255.255
static (Internal,Verizon-ISP) c057017Nat 10.10.10.220 netmask 255.255.255.255
static (Internal,Verizon-ISP) c05744Nat c05744 netmask 255.255.255.255
static (Verizon-ISP,Internal) Maxsys-Server VPN-External netmask 255.255.255.255
static (Internal,Verizon-ISP) C05817Nat C05817 netmask 255.255.255.255
access-group Verizon-ISP_access_in in interface Verizon-ISP
access-group Internal_access_in in interface Internal
access-group dmz_internal in interface DMZ
route Verizon-ISP 0.0.0.0 0.0.0.0 65.211.65.2 1
route Internal Pad-10.10-network 255.255.0.0 10.10.0.1 1
route Internal 10.20.0.0 255.255.0.0 10.10.0.1 1
route Internal Throckmorton_Net1 255.255.0.0 10.10.0.1 1
route Internal 10.50.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.60.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.70.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.100.0.0 255.255.0.0 10.10.0.1 1
route Internal 64.46.192.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.193.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.194.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.195.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.196.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.201.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.246.0 255.255.255.0 10.10.0.1 1
route Verizon-ISP 65.51.206.130 255.255.255.255 65.211.65.2 255
route Verizon-ISP Millennium-Remote 255.255.0.0 65.211.65.2 1
route Internal Millennium-Remote 255.255.0.0 10.10.0.1 255
route Internal 172.31.1.0 255.255.255.0 10.10.0.1 1
route Internal 192.168.55.0 255.255.255.0 10.10.0.1 1
route Internal 195.21.26.0 255.255.255.0 10.10.0.1 1
route Internal 199.21.26.0 255.255.255.0 10.10.0.1 1
route Internal 199.21.27.0 255.255.255.0 10.10.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RadiusServer protocol radius
aaa-server RadiusServer (Internal) host 10.10.7.240
timeout 5
key r8mcvpngr0up!
radius-common-pw r8mcvpngr0up!
aaa-server SafeNetOTP protocol radius
max-failed-attempts 1
aaa-server SafeNetOTP (Internal) host 10.100.91.13
key test
radius-common-pw test
aaa-server VPN-FW protocol radius
aaa-server VPN-FW (Internal) host 10.10.7.240
timeout 5
key r8mcvpngr0up!
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http Dennis 255.255.255.255 Internal
http 10.10.11.108 255.255.255.255 Internal
http 10.10.10.194 255.255.255.255 Internal
http 10.10.10.195 255.255.255.255 Internal
http 10.10.12.162 255.255.255.255 Internal
http 10.10.13.20 255.255.255.255 Internal
snmp-server location BRN2 Data Center
snmp-server contact Crystal Holmes
snmp-server community r8mc0rg
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
auth-prompt prompt Your credentials have been verified
auth-prompt accept Your credentials have been accepted
auth-prompt reject Your credentials have been rejected. Contact your system administrator
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Verizon-ISP_map 1 match address Verizon-ISP_cryptomap
crypto map Verizon-ISP_map 1 set peer 65.51.154.66
crypto map Verizon-ISP_map 1 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 2 match address Verizon-ISP_2_cryptomap
crypto map Verizon-ISP_map 2 set peer Maxsys-Remote
crypto map Verizon-ISP_map 2 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 2 set nat-t-disable
crypto map Verizon-ISP_map 3 match address Verizon-ISP_3_cryptomap
crypto map Verizon-ISP_map 3 set peer Maxsys-Remote
crypto map Verizon-ISP_map 3 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 3 set nat-t-disable
crypto map Verizon-ISP_map 4 match address Verizon-ISP_4_cryptomap
crypto map Verizon-ISP_map 4 set peer 198.65.114.68
crypto map Verizon-ISP_map 4 set transform-set ESP-AES-256-SHA
crypto map Verizon-ISP_map 4 set nat-t-disable
crypto map Verizon-ISP_map 5 match address Verizon-ISP_5_cryptomap
crypto map Verizon-ISP_map 5 set peer 12.195.130.2
crypto map Verizon-ISP_map 5 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 5 set nat-t-disable
crypto map Verizon-ISP_map 6 match address Verizon-ISP_6_cryptomap
crypto map Verizon-ISP_map 6 set peer 208.68.22.250
crypto map Verizon-ISP_map 6 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 6 set nat-t-disable
crypto map Verizon-ISP_map 7 match address Verizon-ISP_7_cryptomap
crypto map Verizon-ISP_map 7 set peer 208.51.30.227
crypto map Verizon-ISP_map 7 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 8 match address Verizon-ISP_8_cryptomap
crypto map Verizon-ISP_map 8 set peer Throckmorton_Net2
crypto map Verizon-ISP_map 8 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 9 match address Verizon-ISP_9_cryptomap
crypto map Verizon-ISP_map 9 set peer 108.58.104.210
crypto map Verizon-ISP_map 9 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 10 match address Verizon-ISP_cryptomap_1
crypto map Verizon-ISP_map 10 set peer 162.134.70.20
crypto map Verizon-ISP_map 10 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Verizon-ISP_map interface Verizon-ISP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn vpn.rbmc.org
subject-name CN=vpn.rbmc.org
keypair sslvpnkeypair
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201dc 30820145 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
34311530 13060355 0403130c 76706e2e 72626d63 2e6f7267 311b3019 06092a86
4886f70d 01090216 0c76706e 2e72626d 632e6f72 67301e17 0d303830 38323030
34313134 345a170d 31383038 31383034 31313434 5a303431 15301306 03550403
130c7670 6e2e7262 6d632e6f 7267311b 30190609 2a864886 f70d0109 02160c76
706e2e72 626d632e 6f726730 819f300d 06092a86 4886f70d 01010105 0003818d
00308189 02818100 a1664806 3a378c37 a55b2cd7 86c1fb5a de884ec3 6d5652e3
953e9c01 37f4593c a6b61c31 80f87a51 c0ccfe65 e5ca3d33 216dea84 0eeeecf3
394505ea 231b0a5f 3c0b59d9 b7c9ba4e 1da130fc cf0159bf 537282e4 e34c2442
beffc258 a8d8edf9 59412e87 c5f819d0 2d233ecc 214cea8b 3a3922e5 2718ef6a
87c340a3 d3a0ae21 02030100 01300d06 092a8648 86f70d01 01040500 03818100
33902c9e 54dc8574 13084948 a21390a2 7000648a a9c7ad0b 3ffaeae6 c0fc4e6c
60b6a60a ac89c3da 869d103d af409a8a e2d43387 a4fa2278 5a105773 a8d6b5c3
c13a743c 8a42c34a e6859f6e 760a81c7 5116f42d b3d81b83 11fafae7 b541fad1
f9bc1cb0 5ed77033 6cab9c90 0a14a841 fc30d8e4 9c85c0e0 d2cca126 fd449e39
quit
crypto isakmp identity address
crypto isakmp enable Verizon-ISP
crypto isakmp enable Internal
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 173.72.107.26 255.255.255.255 Verizon-ISP
ssh 10.10.12.162 255.255.255.255 Internal
ssh 10.100.91.53 255.255.255.255 Internal
ssh Dennis 255.255.255.255 Internal
ssh timeout 60
console timeout 2
management-access Internal
vpn load-balancing
interface lbpublic Verizon-ISP
interface lbprivate Internal
cluster key r8mcl0adbalanc3
cluster encryption
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 207.5.137.133 source Verizon-ISP prefer
ntp server 10.100.91.5 source Internal prefer
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 Verizon-ISP
webvpn
enable Verizon-ISP
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
svc image disk0:/anyconnect-linux-2.1.0148-k9.pkg 3
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 10.100.91.5
dns-server value 10.100.91.5
vpn-simultaneous-logins 1
vpn-idle-timeout 15
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc ask none default webvpn
group-policy VPNUsers internal
group-policy VPNUsers attributes
dns-server value 10.100.91.6 10.100.91.5
vpn-tunnel-protocol IPSec
default-domain value RBMC
tunnel-group DefaultL2LGroup ipsec-attributes
peer-id-validate nocheck
tunnel-group 65.51.154.66 type ipsec-l2l
tunnel-group 65.51.154.66 ipsec-attributes
pre-shared-key *
tunnel-group 65.171.123.34 type ipsec-l2l
tunnel-group 65.171.123.34 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group 12.195.130.2 type ipsec-l2l
tunnel-group 12.195.130.2 ipsec-attributes
pre-shared-key *
tunnel-group 208.68.22.250 type ipsec-l2l
tunnel-group 208.68.22.250 ipsec-attributes
pre-shared-key *
tunnel-group 198.65.114.68 type ipsec-l2l
tunnel-group 198.65.114.68 ipsec-attributes
pre-shared-key *
tunnel-group VPNUsers type remote-access
tunnel-group VPNUsers general-attributes
address-pool VLAN99VPNUsers
authentication-server-group VPN-FW
default-group-policy VPNUsers
tunnel-group VPNUsers ipsec-attributes
trust-point ASDM_TrustPoint0
tunnel-group 208.51.30.227 type ipsec-l2l
tunnel-group 208.51.30.227 ipsec-attributes
pre-shared-key *
tunnel-group 108.58.104.210 type ipsec-l2l
tunnel-group 108.58.104.210 ipsec-attributes
pre-shared-key *
tunnel-group 162.134.70.20 type ipsec-l2l
tunnel-group 162.134.70.20 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect sunrpc
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d17ad8684073cb9f3707547e684007f
: end
Message was edited by: Dennis Farrell
Hi Dennis,
Your tunnel to the "12.145.95.0 LabCorp_Test_Remote" segment can only be initiated from host RBPMAM, due to your crypto ACL below.
access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
Secondly, your no-nat on the internal interface is denying the traffic that must enter the crypto engine, therefore your tunnel is never going to come up.
Therefore please turn it into a "permit" instead.
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
Please update,
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed
-
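A way to check the two conditions Rizwan raises mechanically rather than by eye, as an added example that is not from the original thread: a small Python audit that reads an ASA config using the pre-8.3 `nat 0 access-list` syntax, walks each static crypto-map entry, and reports crypto-ACL flows that the nat0 ACL denies or does not exempt (such traffic is translated before it is matched against the crypto map, so the tunnel never gets interesting traffic), plus entries whose transform-set still uses DES/3DES or MD5, as several in the posted config do. `SAMPLE_CONFIG` is a constructed excerpt modelled on the lines above; endpoints are compared by name and object-groups are treated as opaque names rather than expanded, which is an assumption made to keep the example short.

```python
"""Audit a Cisco ASA (pre-8.3 NAT syntax) config for crypto-map traffic that is
not exempted from NAT, and for weak IPsec transform-sets.

Assumptions (this is example code, not Cisco's): endpoints are compared by
name, 'any' in the nat0 ACL is a wildcard, object-groups are not expanded.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Endpoint = Tuple[str, ...]

# Constructed excerpt in the shape of the config posted above (not the full config).
SAMPLE_CONFIG = """\
access-list Verizon-ISP_5_cryptomap extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Verizon-ISP_cryptomap_1 extended permit ip host RBPMAM LabCorp_Test_Remote 255.255.255.0
access-list Internal_nat0_outbound_1 extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_nat0_outbound_1 extended permit ip any 10.100.99.0 255.255.255.0
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
nat (Internal) 0 access-list Internal_nat0_outbound_1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map Verizon-ISP_map 5 match address Verizon-ISP_5_cryptomap
crypto map Verizon-ISP_map 5 set peer 12.195.130.2
crypto map Verizon-ISP_map 5 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 10 match address Verizon-ISP_cryptomap_1
crypto map Verizon-ISP_map 10 set peer 162.134.70.20
crypto map Verizon-ISP_map 10 set transform-set ESP-AES-256-SHA
"""

WEAK_ENC = {"esp-des", "esp-3des", "esp-null"}
WEAK_AUTH = {"esp-md5-hmac", "esp-none"}


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str
    src: Endpoint
    dst: Endpoint
    inactive: bool


@dataclass
class CryptoMapEntry:
    acl: str = ""
    transform_sets: List[str] = field(default_factory=list)


def _endpoint(tok: List[str], i: int) -> Tuple[Endpoint, int]:
    """Read one address spec starting at tok[i]: any | host X | object-group G | ADDR MASK."""
    if tok[i] == "any":
        return ("any",), i + 1
    if tok[i] in ("host", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", tok[i], tok[i + 1]), i + 2


def parse_config(text: str):
    acls: Dict[str, List[Ace]] = {}
    nat0: Dict[str, str] = {}                          # interface -> nat0 ACL name
    tsets: Dict[str, Tuple[str, str]] = {}             # transform-set -> (enc, auth)
    cmaps: Dict[Tuple[str, int], CryptoMapEntry] = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 4 and tok[0] == "access-list" and tok[2] == "extended":
            i = 4
            if tok[i] == "object-group":               # protocol/service object-group
                proto, i = "group:" + tok[i + 1], i + 2
            else:
                proto, i = tok[i], i + 1
            src, i = _endpoint(tok, i)
            dst, i = _endpoint(tok, i)
            acls.setdefault(tok[1], []).append(Ace(tok[3], proto, src, dst, "inactive" in tok[i:]))
        elif tok[:1] == ["nat"] and len(tok) > 4 and tok[2] == "0" and tok[3] == "access-list":
            nat0[tok[1].strip("()")] = tok[4]
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[tok[3]] = (tok[4], tok[5])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 6 and tok[3].isdigit():
            key = (tok[2], int(tok[3]))
            if tok[4:6] == ["match", "address"]:
                cmaps.setdefault(key, CryptoMapEntry()).acl = tok[6]
            elif tok[4:6] == ["set", "transform-set"]:
                cmaps.setdefault(key, CryptoMapEntry()).transform_sets = tok[6:]
    return acls, nat0, tsets, cmaps


def _covers(nat_ep: Endpoint, ep: Endpoint) -> bool:
    return nat_ep == ("any",) or nat_ep == ep


def nat0_verdict(nat_acl: List[Ace], ace: Ace) -> str:
    """ACLs are first-match: the first active nat0 ACE covering the flow decides."""
    for n in nat_acl:
        if not n.inactive and _covers(n.src, ace.src) and _covers(n.dst, ace.dst):
            return n.action
    return "missing"


def _fmt(ep: Endpoint) -> str:
    return " ".join(ep[1:] if ep[0] == "net" else ep)


def audit(text: str) -> List[str]:
    acls, nat0, tsets, cmaps = parse_config(text)
    findings: List[str] = []
    for (name, seq), entry in sorted(cmaps.items()):
        tag = f"crypto map {name} {seq}"
        for ace in acls.get(entry.acl, []):
            if ace.action != "permit" or ace.inactive:
                continue
            for iface, nat_acl in sorted(nat0.items()):
                verdict = nat0_verdict(acls.get(nat_acl, []), ace)
                flow = f"{_fmt(ace.src)} -> {_fmt(ace.dst)}"
                if verdict == "deny":
                    findings.append(f"{tag}: {flow} is denied by nat0 ACL {nat_acl} on {iface}")
                elif verdict == "missing":
                    findings.append(f"{tag}: {flow} has no NAT exemption in {nat_acl} on {iface}; "
                                    "it will be translated before crypto-map matching")
        for ts in entry.transform_sets:
            enc, auth = tsets.get(ts, ("?", "?"))
            if enc in WEAK_ENC or auth in WEAK_AUTH:
                findings.append(f"{tag}: transform-set {ts} uses {enc} {auth}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against a full `show running-config` the same way (`audit(open("asa.cfg").read())`). On the sample it reports the LabCorp flow as having no NAT exemption, which is the condition Rizwan describes, and flags the 3DES transform-set on entry 5; replacing the inactive deny with a permit for `host RBPMAM LabCorp_Test_Remote 255.255.255.0` makes the first finding disappear, while activating the deny turns it into an explicit "denied by nat0 ACL" finding.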
Mail won't work when VPN is connected
I use VPN to blog for a newspaper, from home. I don't access the company's internal mail system--I just use VPN to get through security and use wordpress on the in-house servers.
But when I connect with VPN, mail stops working (for gmail, verizon.net, hotmail). I otherwise have full access to the internet; I can get gmail through the web, for example. But since I use Mail extensively, I'd like to be able to have it and VPN active at the same time.
My current workaround is just to use VPN for posting, then I get out. But this is a big hassle. Is there a mail setting that I can change that will let it work while (Cisco) VPN is active?
(I'm a freelancer using my own iMac, so I get no tech support from work.)
http://docs.info.apple.com/article.html?path=Mac/10.6/en/11941.html
Any chance that you have "Send all traffic over VPN connection" enabled?
I use the OSX internal VPN to connect to my Office PC and can use Mail while VPN-connected.
Stefan