TCP intercept..question

HI ALL.
TCP intercept is feature which used to prevent from Syn flood attack on router. is the router will not under attack.if too many proxy connection will be handel by router
PLEASE REPLY

Hi mate,
Please, clarify your question.
A little bit of TCP iontercept as follows: *this is some notes from my studies)
TCP intercept
   % Prevents TCP SYN flood attacks (TCP 3 way handshake not completed)
      .SYN, ACK SYN, ACK
   % Results in half open or embryonic session
- TCP intercept tries to prevent this in TWO ways
   %Intercept mode (proxy for all connections / only connect to server after 3 way hand completes)
   %WATCH mode (passively monitor session establishment / Send TCP RST if 3 way handshake does not complete in time)   >> The best choice <<
Waiting to hear from you.
PLease, rate useful posts !
cheers

Similar Messages

IP TCP intercept cisco 6500

Hi,
does anyone has experience with ip tcp intercept configuration on cisco 6500 for protecting network against TCP SYN flooding.
Which mode is recommended to configure (intercept or watch) and how can affect CPU on cisco 6500?
Any infos regarding that would be much appreciated.
Thank you
Salja

Hey Salja,
In Sup720 for TCP Intercept the support is as follows:
Watch mode: Initial TCP packets (SYN, SYN-ACK and ACK of SYN-ACK) and terminating TCP packets (FIN, RST) of a TCP flow is sent to RP for processing in SW. All other TCP packets of the flow are handled in HW using netflow (if TCP packets come in before the netflow entry is created it will get punted to SW). Note that the rate of netflow entry creation is limited and if new TCP connections come in at a rate faster than the rate at which netflow entries can be created in HW there will be large number of packets hitting the CPU.
Intercept Mode: For Intercept mode without timeout the behavior is similar to Watch mode mentioned above. Intercept mode with timeout all packets of a TCP flow is handled in SW by the RP.
So its not advised to use TCP intercept on 6500 as it may degrade box performance. I would suggest using firewall for this feature.
HTH.
Regards,
RS.

TCP intercept

Just received a bunch of 2951s UC+Sec running 15.3M. Doing initial configuration,
The command 'ip tcp intercept' is not available. Do I need to switch to the T train or
Is the command structure different?

I have two 2911s. One with a security license and the other has a data license. Neither has the other (data one does not have security license, and security license one does not have data).
Believe it or not, the security license does not have that option, but the data license one does, so I believe you're going to need to get a data license to support this.
HTH,
John

Tcp Reset question - IPS Sensor 4255

I have this sensor doing tcp resets, the question I have is if I add a network to the "never block addresses" will the sensor still send tcp resets even though the network is in the never block? if so how do I tell the sensor to not block certain ip addresses..
Thanks in advance
Phil

You can configure sensors to send TCP reset packets to try to reset a network connection between an attacker host and its intended target host. In some installations when the interface is operating in promiscuous mode, the sensor may not be able to send the TCP reset packets over the same sensing interface on which the attack was detected. In such cases, you can associate the sensing interface with an alternate TCP reset interface and any TCP resets that would otherwise be sent on the sensing interface when it is operating in promiscuous mode, are instead sent out on the associated alternate TCP reset interface.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_guide_chapter09186a008055fc77.html

TCP IP question

Hi everyone,
I would like to try a very simple TCP/IP connection.
In other words, I have to IP addresses, two PC and on one of it, I would like to read the temperature captured by the other.
Since it's a large topic, I would appreciate any advice or suggestion on where to find examples.
Thanks in advance
Gérard
Gérard Férini
Switzerland
http://home.tiscalinet.ch/gferini/Main_Photos.html

Thanks Dan for your reply
Gérard
Gérard Férini
Switzerland
http://home.tiscalinet.ch/gferini/Main_Photos.html
"dan bookwalter" wrote in message
news:[email protected]..
> Gerard
>
> start by looking at the Simple Data Client.vi and Simple Data
> Server.vi examples that ship with LabVIEW... that should get you
> started...
>
> Dan

TCP( EXAM QUESTION ANYONE PLEASE CHECK IT ).

Design a TCP server to provide the service exam service on the port 50601 .The server expect to read a message made of N bytes with the following structure:
Byte 0: length(u8)
Byte 1:command(u8)
Byte 2...Byte(N-1): Data Bytes (u8)
The first byte represent the message length(N).
The second byte is the command byte.
The remaining bytes are the data bytes.i.e a sequence of u8 representing codes collected from an 8bits analog to digital converter.
The server acts as in the following
1. If the command byte is equal to the hexadecimal code 0xAA the server builds a waveform converting the array of U8 samples (Data byes)to doubles(dbl)and scaling them to represent the voltage levels between 0v and 1 v.Assume for the waveform t0 the current time and dt=1ms .the server plots the samples and save the wavform to the file samples.txt.and send to the client response DATA SAVED
2. If the 1st byte is equal to the hexadecimal code 0xBB the server builds a waveform converting the array of u8 samples(DATA BYTES) TO doubles(dbl)and sacling them to represent the voltage level between 0v and 1v.THE SERVER Calculates the maximum and minimm and avarage of teh recieved samples,show the result to the user in the fromt panel.
3. Every time a successful connection is closed ,the server saves the date,the time,the ip address of the remote client and the recieved byte(on a file entitled server log text)
4.any error ,the server jst replies the message ERROR OR MALFORMED REQUEST and drops the connection.

balbal207 wrote:
Design a TCP server to provide the service exam service on the port 50601 .The server expect to read a message made of N bytes with the following structure:
Byte 0: length(u8)
Byte 1:command(u8)
Byte 2...Byte(N-1): Data Bytes (u8)
The first byte represent the message length(N).
The second byte is the command byte.
The remaining bytes are the data bytes.i.e a sequence of u8 representing codes collected from an 8bits analog to digital converter.
Your code has very little resemblance to the stated requirements:
You are only reading one set of data, then spin the loop forever doing the same thing over and over until stop is pressed. almost everything belongs inside the while loop!
You are not even looking at the first receive byte (the lenght!). You need that to decide how much more to read. You need to look at what the read returns, not the size (1) you wire into the read! That's just silly!
How many times do you need to calculate 1/255? Are you expecting different results every time?
What's up with all the coercions and type mismatches?
Why do you wire the net address? What IP is 193.205.4.11?
Do some LabVIEW tutorials. Learn about dataflow and programming basics. Look at the TCP examples that ship with LabVIEW!

TCP Reset Question

I have a query on TCP/IP communication. Let's say I have a cisco device running with http server disabled. If I send a TCP syn packet to the device with destination port 80/443(any non-listening port), will the device respond with TCP RESET? Or will it simply drop the packet without any acknowledgement?

I think this will be different from device to device:
ASA will drop denied connection to services it does not run, to make it send resets use the command "service resetoutside" to send reset to a denied TCP packet to outside interface.
Access Points will by default reset
Routers will by default reset
Switches will by default reset
Regards,
PS. Please rate and mark as right

ASA 5505 Interface Security Level Question

I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seem to be working with that. Guests are getting address on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
no shutdown
int Ethernet0/1
switchport trunk allowed vlan 1 5
switchport trunk native vlan 1
switchport mode trunk
no shutdown
below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end

Hi,
To my understanding they should not be able to connect to the more secure network IF you DONT have an interface ACL configured.
One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" looses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happend is that you have "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni

ASA5505 NAT CONFIG QUESTION? OPEN STATIC IP

8.2
HI ALL
Here is my scenerio and I have worked on this with TAC support over the last month, we finally made progress by getting our ISP to activate the 5 static IPs but here is my issue.
basically we have a VOIP phone that is "remote". This phone needs to come through the Public IP to an internal address of 192.168.10.57.
We tried only allowing certain "ports" to pass, such as SIP, RTP> but the remote phone still cannot reach the phone server at 192.168.10.57
So
I want to open it completely as this phone pc is the ONLY device on that public IP.
so my 2 questions are.
what do i need to config as a rule/ command to make this happen. were I want the public IP of 50.x.x.x to corelate directly and openly to the internal of 192.168.10.57?
Also what is the command to allow the public IP to be pingable? so i can just confirm that it is reachable. I know at the very end we turned it off with a sort of ICMP command.
Thank you all for your time and help. if you need more info please ask.

Thank you very much for your help.
I applied
access-list out-in extended permit icmp any host 50.x.x.x
and now i can ping TY
But,
I applied
static (inside,outside) 50.245.59.98 192.168.10.57 netmask 255.255.255.255
ANd got this error:
ciscoasa(config)# static (inside,outside) 50.245.59.98 192.168.10.57 netmask 2$
ERROR: mapped-address conflict with existing static
inside:192.168.10.57 to outside:50.245.59.98 netmask 255.255.255.255
I just want this port "wide open" to see if the remote phone will connect to it.
here is my edited SH RUN
ASA Version 8.2(1)
hostname ciscoasa
enable password PfdcbR/f90Mel1yp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.X.X.X 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner login
banner login &
banner login ~
banner login ***********Warning*******
banner login
banner login ^
ftp mode passive
access-list out-in extended permit tcp any host 50.X.X.X eq 3462
access-list out-in extended permit tcp any host 50.X.X.X eq sip
access-list out-in extended permit tcp any host 40.X.X.X eq ftp-data
access-list out-in extended permit tcp any host 40.X.X.X eq ftp
access-list out-in extended permit icmp any host 50.X.X.X
access-list split standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.169.169.0 255.255.255.0
access-list FTP remark Allow
access-list FTP extended permit tcp any eq ftp any eq ftp
access-list FTP extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 192.169.169.1-192.169.169.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.10.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.10.2 ftp-data netmask 255.255.255.255
static (inside,outside) 50.X.X.X 192.168.10.57 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
svc enable
port-forward rdpfromsslvpn 5050 50.X.X.X 5050 remote desktop server from ssl vpn
tunnel-group-list enable
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
banner value *****************************WARNING**********************************
banner value Access Beyond This Point Requires Prior Authorization from your Network Administrator
banner value ****************************************************************************
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
webvpn
url-list none
svc ask enable default webvpn
username aalmonte password m7vzxUlfTDi05gS6 encrypted privilege 0
username aalmonte attributes
vpn-group-policy RemoteAccess
username mmaccormack password IWIdkIPCDtg4CmHR encrypted privilege 0
username mmaccormack attributes
vpn-group-policy RemoteAccess
username lmaccormack password qRsbIpdvRgZhIVS/ encrypted privilege 0
username lmaccormack attributes
vpn-group-policy RemoteAccess
username admin password V8ctuy0OtxmDU4HD encrypted privilege 15
username rdirkee password mHVkPntgw4LQyh.U encrypted
username rdirkee attributes
service-type remote-access
username wmaccormack password AhNi5Rk6JFlHU9Fy encrypted privilege 0
username wmaccormack attributes
vpn-group-policy RemoteAccess
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username rickg password 46/GVMAZTuz4ywzs encrypted privilege 0
username rickg attributes
vpn-group-policy RemoteAccess
service-type remote-access
username jgoucher password fMhOfzHeEB1lu9z6 encrypted privilege 0
username jgoucher attributes
vpn-group-policy RemoteAccess
username smaccormack password LCkB1kwdtIbPmtQK encrypted privilege 0
username smaccormack attributes
vpn-group-policy RemoteAccess
username rmaccormack password JG98o0q2ozZeYYrv encrypted privilege 0
username rmaccormack attributes
vpn-group-policy RemoteAccess
username bmaccormack password JTx67mnIFw62G6kx encrypted privilege 0
username bmaccormack attributes
vpn-group-policy RemoteAccess
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool ippool
default-group-policy RemoteAccess
tunnel-group RemoteAccess webvpn-attributes
group-alias RemoteAccess enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
TYVM

Asa 5505 vpn from internet native vpn client, tcp discarted 1723

Hello to all,
I'm configuring this asa for to connect home users to my network using the native microsoft vpn clients with windows xp over internet.
This asa have on the outside interface one public intenet ip and in the inside inferface have configured in the the network 192.168.0.x and i want to acces to this network from internet users using native vpn clients.
I tested with one pc connected directly to the outside interface and works well, but when i connect this interface to internet and tried to connect on user to the vpn i can see in the logs this, and can't connect with error 800.
TCP request discarded from "public_ip_client/61648" to outside:publicip_outside_interface/1723"
Can help me please?, Very thanks in advance !
(running configuration)
: Saved
ASA Version 8.4(3)
hostname ciscoasa
enable password *** encrypted
passwd *** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address publicinternetaddress 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network gatewayono
host gatewayofinternetprovideraccess
description salida gateway ono
object service remotointerno
service tcp destination eq 3389
description remoto
object network pb_clienteing_2
host 192.168.0.15
description Pebble cliente ingesta 2
object service remotoexternopebble
service tcp destination eq 5353
description remotoexterno
object network actusmon
host 192.168.0.174
description Actus monitor web
object service Web
service tcp destination eq www
description 80
object network irdeto
host 192.168.0.31
description Irdeto
object network nmx_mc_p
host 192.168.0.60
description NMX Multicanal Principal
object network nmx_mc_r
host 192.168.0.61
description NMX multicanal reserva
object network tarsys
host 192.168.0.10
description Tarsys
object network nmx_teuve
host 192.168.0.30
description nmx cabecera teuve
object network tektronix
host 192.168.0.20
description tektronix vnc
object service vnc
service tcp destination eq 5900
description Acceso vnc
object service exvncnmxmcr
service tcp destination eq 5757
description Acceso vnc externo nmx mc ppal
object service exvncirdeto
service tcp destination eq 6531
description Acceso vnc externo irdeto
object service exvncnmxmcp
service tcp destination eq 5656
object service exvnctektronix
service tcp destination eq 6565
object service exvncnmxteuve
service tcp destination eq 6530
object service ssh
service tcp destination eq ssh
object service sshtedialexterno
service tcp destination eq 5454
object-group service puertosabiertos tcp
description remotedesktop
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object irdeto
network-object object nmx_mc_p
network-object object nmx_mc_r
network-object object nmx_teuve
network-object object tektronix
object-group service vpn udp
port-object eq 1723
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq pptp
object-group network DM_INLINE_NETWORK_2
network-object object actusmon
network-object object tarsys
access-list inside_access_in extended permit object remotointerno any any
access-list inside_access_in extended permit object ssh any any
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object vnc any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object remotointerno any object pb_clienteing_2
access-list outside_access_in extended permit object-group TCPUDP any object actusmon eq www
access-list outside_access_in remark Acceso tedial ssh
access-list outside_access_in extended permit tcp any object tarsys eq ssh
access-list outside_access_in extended permit object vnc any object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended deny icmp any any
access-list corporativa standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging asdm debugging
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool clientesvpn 192.168.0.100-192.168.0.110 mask 255.255.255.0
ip local pool clientesvpn2 192.168.1.120-192.168.1.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any interface destination static interface actusmon service Web Web unidirectional
nat (outside,inside) source static any interface destination static interface tarsys service sshtedialexterno ssh unidirectional
nat (outside,inside) source static any interface destination static interface pb_clienteing_2 service remotoexternopebble remotointerno unidirectional
nat (outside,inside) source static any interface destination static interface irdeto service exvncirdeto vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_p service exvncnmxmcp vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_r service exvncnmxmcr vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_teuve service exvncnmxteuve vnc unidirectional
nat (outside,inside) source static any interface destination static interface tektronix service exvnctektronix vnc unidirectional
nat (any,outside) source dynamic DM_INLINE_NETWORK_2 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside per-user-override
route outside 0.0.0.0 0.0.0.0 gatewayinternetprovideracces 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
aaa local authentication attempts max-fail 10
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp mode transport
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set clientewindowsxp
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TP-VPN-MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint Ingenieria
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd address 192.168.0.5-192.168.0.36 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point Ingenieria outside
webvpn
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server none
dns-server value 192.168.0.1
vpn-tunnel-protocol l2tp-ipsec
default-domain none
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy ingenieria internal
group-policy ingenieria attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain none
group-policy L2TP-Policy internal
group-policy L2TP-Policy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
intercept-dhcp enable
username ingenieria password 4fD/5xY/6BwlkjGqMZbnKw== nt-encrypted privilege 0
username ingenieria attributes
vpn-group-policy ingenieria
username rjuve password SjBNOLNgSkUi5KWk/TUsTQ== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool clientesvpn
address-pool clientesvpn2
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
default-group-policy L2TP-Policy
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
class-map inspection_default
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
prompt hostname context
call-home reporting anonymous
Cryptochecksum:59b54f1d10fe829aeb47bafee57ba95e
: end
no asdm history enable

Yes with this command creates this
policy-map global_policy
class inspection_default
inspect pptp
But don't work. I also tried to add the pptp and gre in the outside access rules but nothing...
I don't understand why if a connect directly to the outside interface with the same outside network works well.
ej: the pc have 89.120.145.14 ip and the outside asa have 89.120.145.140 and if I create one vpn in this pc the outside ip 89.120.145.140 with the correct parameters the asa don't discart 1723 and connect ok but if this ip is not of this range discards 1723...

ASA 5520 site-to-site VPN question

Hello,
We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
After doing some research, I came across the this command;
sysopt connection permit-vpn
I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see it it resolves the problem.
Thanks,
John

What are your configs and network diagrams at each location? What are you doing for DNS? I can help quicker with that info. Also, here are some basic site to site VPN examples if it helps.
hostname cisco
domain-name cisco.com
enable password XXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/2
nameif backup
security-level 0
no ip address
interface Ethernet0/3
nameif outsidetwo
security-level 0
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit intra-interface
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list split standard permit 10.0.0.0 255.255.255.0
access-list split standard permit 10.90.238.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered errors
logging trap notifications
logging asdm informational
logging class vpn buffered debugging
mtu outside 1500
mtu inside 1500
mtu backup 1500
mtu outsidetwo 1500
mtu management 1500
ip local pool vpnpool 10.0.10.100-10.0.10.200
ip audit name Inbound-Attack attack action alarm drop
ip audit name Inbound-Info info action alarm
ip audit interface outside Inbound-Info
ip audit interface outside Inbound-Attack
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address XXX
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set transform-set myset
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address XXX2
crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
crypto map outside_map 2 set transform-set myset
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address XXX3
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
crypto map outside_map 3 set transform-set myset
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy XXXgroup internal
group-policy XXXgroup attributes
dns-server value XXX.XXX.XXX.XXX
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.local
username XXX24 password XXXX encrypted privilege 15
username admin password XXXX encrypted
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXXgroup type remote-access
tunnel-group XXXgroup general-attributes
address-pool vpnpool
default-group-policy rccgroup
tunnel-group XXXgroup ipsec-attributes
pre-shared-key XXXXXXXXXX
isakmp ikev1-user-authentication none
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

%ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510

Hi Friends,
I'm trying to built client to site VPN in CISCO ASA 5510 8.4(4) and getting below error while connecting cisco VPN client software. Also, I'm getting below log in ASA. Please help me to reslove.
Error in CISCO VPN Client Software:
Secure VPN Connection Terminated locally by the client.
Reason : 414 : Failed to establish a TCP connection.
Error in CISCO ASA 5510
%ASA-7-710005: TCP request discarded from <Public IP> /49276 to outside:<Outside Interface IP of my ASA> /10000
ASA Configuration:
XYZ# sh run
: Saved
ASA Version 8.4(4)
hostname XYZ
domain-name XYZ
enable password 3uLkVc9JwRA1/OXb level 3 encrypted
enable password R/x90UjisGVJVlh2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside_rim
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet0/1
duplex full
nameif XYZ_DMZ
security-level 50
ip address 172.1.1.1 255.255.255.248
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.252
interface Ethernet0/3
speed 100
duplex full
nameif inside
security-level 100
ip address 3.3.3.3 255.255.255.224
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa844-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
domain-name XYZ
object network obj-172.17.10.3
host 172.17.10.3
object network obj-10.1.134.0
subnet 10.1.134.0 255.255.255.0
object network obj-208.75.237.0
subnet 208.75.237.0 255.255.255.0
object network obj-10.7.0.0
subnet 10.7.0.0 255.255.0.0
object network obj-172.17.2.0
subnet 172.17.2.0 255.255.255.0
object network obj-172.17.3.0
subnet 172.17.3.0 255.255.255.0
object network obj-172.19.2.0
subnet 172.19.2.0 255.255.255.0
object network obj-172.19.3.0
subnet 172.19.3.0 255.255.255.0
object network obj-172.19.7.0
subnet 172.19.7.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.2.0.0
subnet 10.2.0.0 255.255.0.0
object network obj-10.3.0.0
subnet 10.3.0.0 255.255.0.0
object network obj-10.4.0.0
subnet 10.4.0.0 255.255.0.0
object network obj-10.6.0.0
subnet 10.6.0.0 255.255.0.0
object network obj-10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network obj-10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network obj-10.12.0.0
subnet 10.12.0.0 255.255.0.0
object network obj-172.19.1.0
subnet 172.19.1.0 255.255.255.0
object network obj-172.21.2.0
subnet 172.21.2.0 255.255.255.0
object network obj-172.16.2.0
subnet 172.16.2.0 255.255.255.0
object network obj-10.19.130.201
host 10.19.130.201
object network obj-172.30.2.0
subnet 172.30.2.0 255.255.255.0
object network obj-172.30.3.0
subnet 172.30.3.0 255.255.255.0
object network obj-172.30.7.0
subnet 172.30.7.0 255.255.255.0
object network obj-10.10.1.0
subnet 10.10.1.0 255.255.255.0
object network obj-10.19.130.0
subnet 10.19.130.0 255.255.255.0
object network obj-XXXXXXXX
host XXXXXXXX
object network obj-145.248.194.0
subnet 145.248.194.0 255.255.255.0
object network obj-10.1.134.100
host 10.1.134.100
object network obj-10.9.124.100
host 10.9.124.100
object network obj-10.1.134.101
host 10.1.134.101
object network obj-10.9.124.101
host 10.9.124.101
object network obj-10.1.134.102
host 10.1.134.102
object network obj-10.9.124.102
host 10.9.124.102
object network obj-115.111.99.133
host 115.111.99.133
object network obj-10.8.108.0
subnet 10.8.108.0 255.255.255.0
object network obj-115.111.99.129
host 115.111.99.129
object network obj-195.254.159.133
host 195.254.159.133
object network obj-195.254.158.136
host 195.254.158.136
object network obj-209.164.192.0
subnet 209.164.192.0 255.255.224.0
object network obj-209.164.208.19
host 209.164.208.19
object network obj-209.164.192.126
host 209.164.192.126
object network obj-10.8.100.128
subnet 10.8.100.128 255.255.255.128
object network obj-115.111.99.130
host 115.111.99.130
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-115.111.99.132
host 115.111.99.132
object network obj-10.10.1.45
host 10.10.1.45
object network obj-10.99.132.0
subnet 10.99.132.0 255.255.255.0
object-group network Serversubnet
network-object 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
object-group network XYZ_destinations
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 10.12.0.0 255.255.0.0
network-object 172.19.1.0 255.255.255.0
network-object 172.19.2.0 255.255.255.0
network-object 172.19.3.0 255.255.255.0
network-object 172.19.7.0 255.255.255.0
network-object 172.17.2.0 255.255.255.0
network-object 172.17.3.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object host 10.50.2.206
object-group network XYZ_us_admin
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
object-group network XYZ_blr_networkdevices
network-object 10.200.10.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list nonat extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
access-list Cacib extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 host XXXXXXXX
access-list coextended permit ip host XXXXXXXXhost 2.2.2.2
access-list ci extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list ci extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
access-list acl-outside extended permit ip any host 172.17.10.3
access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
access-list acl-outside extended permit tcp any any eq 10000
access-list acl-outside extended deny ip any any log
pager lines 10
logging enable
logging buffered debugging
mtu outside_rim 1500
mtu XYZ_DMZ 1500
mtu outside 1500
mtu inside 1500
ip local pool XYZ_c2s_vpn_pool 172.30.10.51-172.30.10.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
nat (inside,outside) source dynamic obj-10.8.108.0 interface
nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
object network obj-172.17.10.3
nat (XYZ_DMZ,outside) static 115.111.99.134
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
crypto dynamic-map dyn1 1 set reverse-route
crypto map vpn 1 match address XYZ
crypto map vpn 1 set peer XYZ Peer IP
crypto map vpn 1 set ikev1 transform-set vpn1
crypto map vpn 1 set security-association lifetime seconds 3600
crypto map vpn 1 set security-association lifetime kilobytes 4608000
crypto map vpn 2 match address NE
crypto map vpn 2 set peer NE_Peer IP
crypto map vpn 2 set ikev1 transform-set vpn2
crypto map vpn 2 set security-association lifetime seconds 3600
crypto map vpn 2 set security-association lifetime kilobytes 4608000
crypto map vpn 4 match address ML_VPN
crypto map vpn 4 set pfs
crypto map vpn 4 set peer ML_Peer IP
crypto map vpn 4 set ikev1 transform-set vpn4
crypto map vpn 4 set security-association lifetime seconds 3600
crypto map vpn 4 set security-association lifetime kilobytes 4608000
crypto map vpn 5 match address XYZ_global
crypto map vpn 5 set peer XYZ_globa_Peer IP
crypto map vpn 5 set ikev1 transform-set vpn5
crypto map vpn 5 set security-association lifetime seconds 3600
crypto map vpn 5 set security-association lifetime kilobytes 4608000
crypto map vpn 6 match address Da_VPN
crypto map vpn 6 set peer Da_VPN_Peer IP
crypto map vpn 6 set ikev1 transform-set vpn6
crypto map vpn 6 set security-association lifetime seconds 3600
crypto map vpn 6 set security-association lifetime kilobytes 4608000
crypto map vpn 7 match address Da_Pd_VPN
crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
crypto map vpn 7 set ikev1 transform-set vpn6
crypto map vpn 7 set security-association lifetime seconds 3600
crypto map vpn 7 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside
crypto map vpn_reliance 1 match address XYZ_rim
crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
crypto map vpn_reliance 1 set security-association lifetime seconds 3600
crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
crypto map vpn_reliance interface outside_rim
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside_rim
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28000
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.8.100.0 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy XYZ_c2s_vpn internal
username testadmin password oFJjANE3QKoA206w encrypted
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XYZ_c2s_vpn type remote-access
tunnel-group XYZ_c2s_vpn general-attributes
address-pool XYZ_c2s_vpn_pool
tunnel-group XYZ_c2s_vpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
service-policy global_policy global
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command crypto
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: end
XYZ#

Thanks Javier.
But i have revised the VPN confuration. Below are the latest configs. with this latest configs. I'm getting username & password screen while connecting cisco vpn client software. once we entered the login credential. it shows "security communication channel" then it goes to "not connected" state. Can you help me to fix this.
access-list ACL-RA-SPLIT standard permit host 10.10.1.3
access-list ACL-RA-SPLIT standard permit host 10.10.1.13
access-list ACL-RA-SPLIT standard permit host 10.91.130.201
access-list nonat line 1 extended permit ip host 10.10.1.3 172.30.10.0 255.255.255.0
access-list nonat line 2 extended permit ip host 10.10.1.13 172.30.10.0 255.255.255.0
access-list nonat line 3 extended permit ip host 10.91.130.201 172.30.10.0 255.255.255.0
ip local pool CO-C2S-VPOOL 172.30.10.51-172.30.10.254 mask 255.255.255.0
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key sekretk3y
username ra-user1 password passw0rd1 priv 1
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key *********
username ******* password ******** priv 1
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
group 1
lifetime 3600

Simple Port Forwarding / ACL Question

Hi Everyone,
I'm kind of a novice when it comes to Cisco configuration. I went to college for networking but haven't used it enough since graduating and I'm having some trouble with opening some ports for email to my home PC.
Specifically i'm trying to set up IMAP with Gmail to be downloaded to my Mozilla Thunderbird client. I'm using a similar syntax for other ports that i've opened but it isn't working. I also did a "show access list" and saw that one of my rules had hit counts on it but i'm not sure what this means as far as troubleshooting goes.
Can someone lend a hand and explain what i'm doing wrong? If you're feeling extra nice could you let me know what I would need to do to open some Xbox Live ports as well? The rules aren't set up yet but the ports are present in my config. I've bolded the relevant ports below.
*** Config ****
ASA Version 8.2(5)
hostname RyansFirewall
enable password C5OQraC02mISnP8p encrypted
passwd 3mBdM08UO1apR0bB encrypted
names
name 192.168.1.130 theking
name 192.168.1.240 wap
name 192.168.1.252 cam
name 192.168.1.253 switch
name 192.168.1.150 xbox
name x.x.x.x vpnreactor
name x.x.x.x HSoftware
name x.x.x.x Mom_and_Dad
interface Ethernet0/0
description Connection_to_Cable_Modem
switchport access vlan 10
interface Ethernet0/1
description Cisco_Catalyst_2960
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
description Guest_Wireless
switchport access vlan 20
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
description Private_Internal_Lan
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan10
description WOW_Internet
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
description Guest_Wireless
no forward interface Vlan1
nameif dmz
security-level 30
ip address 172.16.1.254 255.255.255.0
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone Eastern -5
object-group network outside_ip_group
description This group contains a list of allowed public IP Addresses
network-object HSoftware 255.255.255.255
network-object Mom_and_Dad 255.255.255.255
object-group service Xbox_Ports tcp-udp
description Ports needed for Xbox Live
port-object eq www
port-object eq 88
port-object eq domain
port-object eq 3074
object-group service Email_Ports tcp-udp
description Ports needed for Email
port-object eq 143
port-object eq 465
port-object eq 587
port-object eq 993
access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 1024
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit gre host vpnreactor host theking
access-list outside_access_in extended permit tcp host vpnreactor host theking eq pptp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 5900
access-list outside_access_in extended permit tcp any any object-group Email_Ports
access-list outside_access_in extended permit udp any any object-group Email_Ports
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 access-list outside_access_in
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp theking ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1024 cam 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 theking 5900 netmask 255.255.255.255
static (inside,outside) tcp interface 143 theking 143 netmask 255.255.255.255
static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
static (inside,outside) tcp interface 587 theking 587 netmask 255.255.255.255
static (inside,outside) tcp interface 993 theking 993 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh Mom_and_Dad 255.255.255.255 outside
ssh HSoftware 255.255.255.255 outside
ssh timeout 10
console timeout 10
dhcpd address 192.168.1.2-192.168.1.25 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd lease 10800 interface inside
dhcpd domain RyanJohn interface inside
dhcpd enable inside
dhcpd address 172.16.1.2-172.16.1.25 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd domain RyanJohnGuest interface dmz
dhcpd enable dmz
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username XXXXX password ZpRIy72StEDDpdfG encrypted
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3c7abf7d5d55aba0e19d5da340132000
: end
*** Show Access List ****
RyansFirewall# show access-list outside_access_in
access-list outside_access_in; 19 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp object-group outside_ip_group any eq 1024 0xf13a69fb
access-list outside_access_in line 1 extended permit tcp host HSoftware any eq 1024 (hitcnt=0) 0xc8c42900
access-list outside_access_in line 1 extended permit tcp host Mom_and_Dad any eq 1024 (hitcnt=0) 0x7e777675
access-list outside_access_in line 2 extended permit tcp any any eq 3389 (hitcnt=7451) 0x51a647d7
access-list outside_access_in line 3 extended permit tcp any any eq ftp (hitcnt=11) 0x8d0d5aac
access-list outside_access_in line 4 extended permit gre host vpnreactor host theking (hitcnt=0) 0x894a4bbb
access-list outside_access_in line 5 extended permit tcp host vpnreactor host theking eq pptp (hitcnt=0) 0xcb0322a8
access-list outside_access_in line 6 extended permit icmp any any echo-reply (hitcnt=563) 0x54b872f3
access-list outside_access_in line 7 extended permit icmp any any time-exceeded (hitcnt=703) 0x03690eb3
access-list outside_access_in line 8 extended permit icmp any any unreachable (hitcnt=7408) 0x5c2fa603
access-list outside_access_in line 9 extended permit tcp object-group outside_ip_group any eq 5900 0xe88875b2
access-list outside_access_in line 9 extended permit tcp host HSoftware any eq 5900 (hitcnt=0) 0x2208e16f
access-list outside_access_in line 9 extended permit tcp host Mom_and_Dad any eq 5900 (hitcnt=0) 0xa3aaaedd
access-list outside_access_in line 10 extended permit tcp any any object-group Email_Ports 0x91529965
access-list outside_access_in line 10 extended permit tcp any any eq imap4 (hitcnt=17) 0x53d153bd
access-list outside_access_in line 10 extended permit tcp any any eq 465 (hitcnt=0) 0x4d992f5e
access-list outside_access_in line 10 extended permit tcp any any eq 587 (hitcnt=0) 0x734d200d
access-list outside_access_in line 10 extended permit tcp any any eq 993 (hitcnt=0) 0xb91930a9
access-list outside_access_in line 11 extended permit udp any any object-group Email_Ports 0xe12dbb9d
access-list outside_access_in line 11 extended permit udp any any eq 143 (hitcnt=0) 0x34d1c49d
access-list outside_access_in line 11 extended permit udp any any eq 465 (hitcnt=0) 0x5cc4b908
access-list outside_access_in line 11 extended permit udp any any eq 587 (hitcnt=0) 0x6e3b53a3
access-list outside_access_in line 11 extended permit udp any any eq 993 (hitcnt=0) 0x7f9dd9b7

Hi Riyasat,
Here is the result of the command. I'm a little confused though as it said it passed through although this port is still not open to my inside host.
RyansFirewall# packet-tracer input outside tcp 8.8.8.8 465 Outside_IP 465 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
match tcp inside host theking eq 465 outside any
    static translation to Outside_IP/465
    translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface inside
Untranslate Outside_IP/465 to theking/465 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any any eq 465
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd863ac20, priority=12, domain=permit, deny=false
        hits=9, user_data=0xd613bd70, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=465, dscp=0x0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7de9018, priority=0, domain=inspect-ip-options, deny=true
        hits=20003, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 1 access-list outside_access_in
match tcp outside any outside any eq 3389
    dynamic translation to pool 1 (Outside_IP [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7e62278, priority=2, domain=host, deny=false
        hits=25913, user_data=0xd7e61e60, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7debf90, priority=0, domain=host-limit, deny=false
        hits=143, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
match tcp inside host theking eq 465 outside any
    static translation to Outside_IP/465
    translate_hits = 0, untranslate_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd7e84380, priority=5, domain=nat-reverse, deny=false
        hits=3, user_data=0xd7e58b08, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=theking, mask=255.255.255.255, port=465, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255
match tcp inside host theking eq 3389 outside any
    static translation to 0.0.0.0/3389
    translate_hits = 0, untranslate_hits = 107
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd7e70e30, priority=5, domain=host, deny=false
        hits=1642, user_data=0xd7e6c678, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=theking, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd7d9e160, priority=0, domain=inspect-ip-options, deny=true
        hits=30929, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 31012, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ACE: design/config question: trans.slb + slb + mngt

Hi,
Could this ACE setup/design work?
I want PROXIED sessions (to VIP proxy 10.0.0.10) to be loadbalanced
All other sessions (eg. Some public ip's) will have to transparent loadbalanced to proxy servers. Thus not destinations NAT
ACE is inline between firewalls and proxy servers.
Vip definitions:
class-map match-all P_PXYVIP_VS_LB
2 match virtual-address 10.0.0.10 255.255.255.255 tcp 8080
class-map match-all P_PXYTRANS_VS_LB
2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
Question in this case: would it still be possible to have management sessions towards proxy servers routed by the ACE ? (physical ip addresses of proxy)
Probably the classmap PXYTRANS is catching those sessies also.
Are there other design/config solutions to solve this one?
Thank you!
Wim

Let me repose the question:
How could one still be able to access the realserver IP (which is directly connected
to the ACE) for manangement.
Knowing that there is 1 VIP which (normal) loadbalance to the realservers
and
there is 1 VIP 0.0.0.0 tcp any which is configure to catch all other traffic to be
transparant loadbalanced.
The VIP 0.0.0.0 is always catching the sessions which need only to be routed
to the real servers ip.

Proxy behind ASA configuration questions

Hello,
I have an ASA sitting in front of a proxy server that directs users to certain internal remote sites. I have successfully set up HTTPS authenticaiton via remote LDAP on the ASA for traffic coming inbound. I can also get to Apaches test page on the proxy server if i have no proxy set up in my browser. However, I can not access anything after I authenticate when I have the proxy configured in my browser. I can ping from the proxy to my machine and vice-versa. I was wondering if there is a configuration setting I am missing that needs to be enabled when a proxy server is in place.

ciscoasa(config)# show running-config
: Saved
ASA Version 8.2(4)
hostname ciscoasa
domain-name ciscoasa.xxx.xxx
enable password encrypted
passwd encrypted
names
name 192.168.127.130 henrytown
interface GigabitEthernet0/0
nameif outside
security-level 99
ip address 192.168.12.245 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 0
ip address 10.16.16.4 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ciscoasa.mitre.osis.gov
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service all
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object tcp-udp eq www
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ldap
service-object tcp eq ldaps
service-object udp eq www
object-group service tcp tcp
port-object eq ftp
port-object eq www
port-object eq https
port-object eq ldap
port-object eq ldaps
access-list inside_access_in extended permit object-group all 192.168.12.0 255.255.255.0 10.16.16.0 255.255.255.0 log debugging
access-list inside_access_in extended permit object-group all any host henrytown
access-list inside_authentication extended permit tcp any any
access-list inside_access_in_1 extended permit object-group all 10.16.16.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 12-network_authentication extended permit tcp any 10.16.16.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 101 192.168.6.245 netmask 0.0.0.0
access-group inside_access_in in interface outside
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 10.16.16.2 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ldap protocol ldap
aaa-server ldap (outside) host 192.168.12.101
ldap-base-dn ou=people
ldap-scope subtree
ldap-naming-attribute uid
aaa authentication ssh console LOCAL
aaa authentication match 12-network_authentication outside ldap
aaa authentication secure-http-client
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.12.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Authenticate
auth-prompt accept Hello!!!
auth-prompt reject Intruder Alert.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 4691cd51
    308201ff 30820168 a0030201 02020446 91cd5130 0d06092a 864886f7 0d010105
    05003044 3111300f 06035504 03130863 6973636f 61736131 2f302d06 092a8648
    86f70d01 09021620 63697363 6f617361 2e636973 636f6173 612e6d69 7472652e
    6f736973 2e676f76 301e170d 31333037 30313132 30363034 5a170d32 33303632
    39313230 3630345a 30443111 300f0603 55040313 08636973 636f6173 61312f30
    2d06092a 864886f7 0d010902 16206369 73636f61 73612e63 6973636f 6173612e
    6d697472 652e6f73 69732e67 6f763081 9f300d06 092a8648 86f70d01 01010500
    03818d00 30818902 8181009a e0c80a44 a5fe7ec7 0eb54cf3 42917d74 721e70fd
    764b8abc 72c7b58d ce8ec3d6 14f84c45 39225e2c 9a0b1664 a2d99b1e 3651a5e2
    99c8b769 eb64549c 37364ee1 5306dc71 116d0f5f cd394ddb 8dec8474 10ff0011
    49ac6f84 770eb5bd 8785f31e aa0810bd 9dbced6c fddf2bdf 249378e3 46657d70
    5e34350b b6f00789 078a4f02 03010001 300d0609 2a864886 f70d0101 05050003
    81810032 66c3eda1 25ace7e3 8bfcccae be9b89b3 a63d96f3 6c910207 44f16d3f
    4625d8b1 342e9baa cb8834e0 650f6ea9 e61c92ff 3356faab 386cfbdb ee6e1424
    b77138e5 d4fdab5e e5487818 2357e4d0 4953ade4 1b2e03cb 1a0d3c80 a0167ce0
    89521b65 8de542aa 53cef75e ea596cd6 7871af52 6b5c7fc4 67a72a3b 230a73c8 1d4b70
quit
telnet timeout 5
ssh 192.168.12.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 inside
webvpn
username admin password encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
: end

TCP intercept..question

Similar Messages

Maybe you are looking for