# VPN issues CISCO



## mrw5641 (Aug 14, 2015)

Hello all. I recently switched providers and I am having trouble accessing the internet network from VPN.

Any suggestions?


----------



## MitchConner (May 8, 2015)

I'm going to need a bit more to go on than that mate 

Can you provide a more thorough explanation please?


----------



## mrw5641 (Aug 14, 2015)

That would be ideal 

So we recently switched over to a new service provider where our VPN address (CISCO AnyConnect) changed.

When someone connects to the VPN they get an IP address of 172.16.1.80-99. When I log in to VPN I can only get to 1 IP address successfully which is our website residing on the 10.100.0.0 network. 

I can only ping our website and again only ssh to that host. I can't do anything else. I am unable to get to any of the other servers on the internal network (10.100.0.0). I am a bit stumped.


----------



## MitchConner (May 8, 2015)

Can I take a look at your access-lists please mate:

sh run access-list


----------



## mrw5641 (Aug 14, 2015)

Sent PM but here it is also

access-list cisco_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.1.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list DMZ_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 172.16.1.64 255.255.255.192
access-list Systems_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list Systems_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended deny ip any host 10.100.0.51
access-list DMZ_access_in extended deny ip any host 10.100.0.52
access-list DMZ_access_in extended permit ip 172.16.1.64 255.255.255.192 host 10.100.0.53
access-list ip-qos extended permit ip 192.168.16.0 255.255.255.0 any
access-list ip-qos extended permit ip any 192.168.16.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list outside_cryptomap extended permit ip any 170.2.32.0 255.255.240.0
access-list nat_outbound-site-DTNA extended permit ip object-group VI-Access object-group VPN-Site-DTNA
access-list test1 extended deny ip any any
access-list ACL-LPOUT-INBOUND extended permit tcp any host 10.100.0.4 object-group DM_INLINE_TCP_24
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_HMC object-group DM_INLINE_TCP_29
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_15
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_OSA_ICC eq 3270
access-list ACL-LPOUT-INBOUND extended permit object-group DM_INLINE_SERVICE_3 any object inside_QUICKLOAD
access-list ACL-LPOUT-INBOUND extended permit object-group DM_INLINE_SERVICE_5 any host 10.100.0.121
access-list ACL-LPOUT-INBOUND extended permit object-group DM_INLINE_SERVICE_1 any host 10.100.0.20
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group ThinAire_1 object-group DM_INLINE_TCP_9


----------



## MitchConner (May 8, 2015)

Before I take a look at the full config, can you put this into a command line please:

packet-tracer input outside tcp 172.16.1.x 1025 10.100.0.x 80 detailed

(the x's being a vpn host and a host in your 10.100.0 range)


----------



## mrw5641 (Aug 14, 2015)

packet-tracer input outside tcp 172.16.1.80 1025 10.100.0.143 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.100.0.0 255.255.255.0 DMZ

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-LPOUT-INBOUND in interface LPOUT
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_13
object-group network DM_INLINE_NETWORK_1
network-object object inside_VIHTTP
network-object object inside_INFINITYCSM
network-object object inside_VICOMINVENTORY
network-object object inside_worklightBT
network-object object inside-officeFTP
network-object object inside_INFINITEBLUE
network-object object inside_HMC
network-object object inside_QUICKLOAD
network-object object inside_parentGUARD
network-object object inside_RHELTEST
object-group service DM_INLINE_TCP_13 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq ssh
port-object eq 5801
port-object eq 5800
port-object eq 5900
port-object eq 5901
port-object eq telnet
port-object eq 3389
port-object eq https
port-object eq 9080
port-object eq 446
port-object eq 3300
port-object eq 3306
port-object eq 9960
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb5aaf88, priority=13, domain=permit, deny=false
hits=22, user_data=0xc94f7f30, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.100.0.143, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=LPOUT, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb442ef0, priority=0, domain=inspect-ip-options, deny=true
hits=116074, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=LPOUT, output_ifc=any

Phase: 4
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb34ec78, priority=79, domain=punt, deny=true
hits=1379, user_data=0xcac4a588, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.1.80, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=LPOUT, output_ifc=any

Phase: 5
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd320e20, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=66, user_data=0xf000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.16.1.80, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=LPOUT, output_ifc=any

Result:
input-interface: LPOUT
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

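The trace above ends in `Action: drop`, but the phase that actually dropped the flow (phase 5, WEBVPN-SVC) and the rule it hit are buried in the middle of the output. As an added example that is not part of either poster's reply and not a Cisco tool, the Python below parses a `packet-tracer ... detailed` dump into its phases and reports the first dropping phase, the rule id and domain from its "Additional Information" lines, and the final drop reason. `SAMPLE_TRACE` is an abridged copy of the trace posted above (phases 2 to 4 omitted, the remaining lines verbatim); the function names are my own.

```python
"""Summarise a Cisco ASA `packet-tracer ... detailed` dump: which phase
dropped the flow, under which rule, and why. Added example for this thread,
not either poster's code. SAMPLE_TRACE abridges the first trace posted above
(phases 2-4 omitted)."""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.100.0.0 255.255.255.0 DMZ

Phase: 5
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd320e20, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=66, user_data=0xf000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.16.1.80, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=LPOUT, output_ifc=any

Result:
input-interface: LPOUT
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# "Key: value" lines: phase headers (Type, Subtype, Result) and the final
# Result block (Action, Drop-reason).
FIELD_RE = re.compile(r"^([A-Za-z -]+):\s*(.*)$")
# Rule line under "Additional Information:", e.g.
# "in id=0xcd320e20, priority=70, domain=svc-ib-tunnel-flow, deny=false"
RULE_RE = re.compile(r"\bid=(0x[0-9a-fA-F]+).*?\bdomain=([^,\s]+)")


def parse_trace(text):
    """Return (list of phase dicts, final Result dict)."""
    phases, final = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase = {"phase": int(lines[0].split(":", 1)[1]),
                     "config": [], "info": [], "rule": None}
            section = None  # None = header fields, else "config" / "info"
            for line in lines[1:]:
                if line == "Config:":
                    section = "config"
                elif line == "Additional Information:":
                    section = "info"
                elif section is None:
                    m = FIELD_RE.match(line)
                    if m:
                        phase[m.group(1).lower()] = m.group(2)
                else:
                    phase[section].append(line)
            for line in phase["info"]:
                m = RULE_RE.search(line)
                if m:
                    phase["rule"] = {"id": m.group(1), "domain": m.group(2)}
                    break
            phases.append(phase)
        elif lines[0] == "Result:":
            for line in lines[1:]:
                m = FIELD_RE.match(line)
                if m:
                    final[m.group(1).lower()] = m.group(2)
        elif phases:
            # Paragraph belonging to the previous phase (FLOW-CREATION prints
            # two "Module information" lists separated by a blank line).
            phases[-1]["info"].extend(lines)
    return phases, final


def summarize_trace(text):
    """Verdict plus the first phase whose Result is DROP."""
    phases, final = parse_trace(text)
    drop = next((p for p in phases if p.get("result", "").upper() == "DROP"), None)
    return {
        "action": final.get("action"),
        "drop_reason": final.get("drop-reason"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop.get("type") if drop else None,
        "drop_rule": drop["rule"] if drop else None,
        "phases": [(p["phase"], p.get("type", ""), p.get("result", "")) for p in phases],
    }


if __name__ == "__main__":
    s = summarize_trace(SAMPLE_TRACE)
    print(s["phases"])
    print(f"dropped in phase {s['drop_phase']} ({s['drop_type']}), "
          f"rule {s['drop_rule']}: {s['drop_reason']}")
```

Run against the full trace above it prints the phase list and then the WEBVPN-SVC phase with rule 0xcd320e20 in the svc-ib-tunnel-flow domain, which is the line worth looking at before touching any ACL: the packet entered on LPOUT from an address the ASA considers an SVC tunnel client, which is what Mitch's later interface correction addresses.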

----------



## MitchConner (May 8, 2015)

Can you share your config please mate, and stick this into the command line as a quick test:

sysopt connection permit-vpn


----------



## mrw5641 (Aug 14, 2015)

Can I email to you or PM?


----------



## MitchConner (May 8, 2015)

You can PM it to me mate but would you be ok with me re-posting a sanitised version after I remove any identifying information like passwords and public IP's? Someone may have a similar problem and it would be helpful to all.


----------



## mrw5641 (Aug 14, 2015)

Sent and you can post .


----------



## MitchConner (May 8, 2015)

Thanks mate, I'll re-post after a quick read through. Last one, can you post the output of a *show version* please.


----------



## mrw5641 (Aug 14, 2015)

No thank you! Hopefully we can get this sorted.

firewall# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 7.1(1)52

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

firewall up 23 hours 22 mins

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1

0: Int: Internal-Data0/0 : address is 30f7.0d29.1807, irq 11
1: Ext: Ethernet0/0 : address is 30f7.0d29.17ff, irq 255
2: Ext: Ethernet0/1 : address is 30f7.0d29.1800, irq 255
3: Ext: Ethernet0/2 : address is 30f7.0d29.1801, irq 255
4: Ext: Ethernet0/3 : address is 30f7.0d29.1802, irq 255
5: Ext: Ethernet0/4 : address is 30f7.0d29.1803, irq 255
6: Ext: Ethernet0/5 : address is 30f7.0d29.1804, irq 255
7: Ext: Ethernet0/6 : address is 30f7.0d29.1805, irq 255
8: Ext: Ethernet0/7 : address is 30f7.0d29.1806, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5505 Security Plus license.

Serial Number: JMX1706Z11J
Running Permanent Activation Key: 0x1f05c952 0x20638fc1 0x6c1121a4 0x9e5470ac 0xc50c0d9c
Configuration register is 0x1
Configuration last modified by admin at 12:47:36.720 EDT Thu Sep 3 2015


----------



## MitchConner (May 8, 2015)

Bear with me mate, I have to use my phone as my internet dropped out.

Can you run the following command please mate:

same-security-traffic permit inter-interface

then retest


----------



## mrw5641 (Aug 14, 2015)

Good morning Mitch. I didn't see your message until now.

firewall# same-security-traffic permit inter-interface
^
ERROR: % Invalid input detected at '^' marker.


----------



## MitchConner (May 8, 2015)

Hi mate, if you type same-security then hit tab, it'll auto complete the command for you.

I'll be able to have a better look at this in a couple of hours when I get in from work so hopefully we can get this sorted for you today.


----------



## MitchConner (May 8, 2015)

Just re-read your output 

conf t
same-security-traffic permit inter-interface


----------



## mrw5641 (Aug 14, 2015)

Hi Mitch

Thanks for the response. How do I save it from the command line?

My email isn't telling me you posted something so it took a while to respond.


----------



## mrw5641 (Aug 14, 2015)

Saved it and applied it but I am still unable to connect.

The VPN pool is 172.16.1.80-99 and needs to connect to 10.100.0.0/24


----------



## MitchConner (May 8, 2015)

You don't need to commit commands once they are entered on an ASA or IOS. To save the config you can use wri mem or copy run start.

Can you give me a few minutes to look over this, I'm sure I worked this out as a NAT problem but lost track over the last couple of days.


----------



## mrw5641 (Aug 14, 2015)

Of course. I appreciate it!


----------



## MitchConner (May 8, 2015)

Sorry about the delay in getting back to you mate, few technical issues!

I've just realised I gave you the wrong interface in an earlier command. Can you run these through your cli please:

packet-tracer input inside tcp 172.16.1.82 1025 10.100.0.10 80 detailed
packet-tracer input DMZ tcp 10.100.0.10 1025 172.16.1.82 80 detailed

I'm running your config on my ASA now and it looks ok, but I haven't tried using the VPN yet.


----------



## mrw5641 (Aug 14, 2015)

firewall# packet-tracer input inside tcp 172.16.1.82 1025 10.100.0.10 80 detai$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3eed50, priority=1, domain=permit, deny=false
hits=14743766, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.100.0.0 255.255.255.0 DMZ

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3f2c48, priority=0, domain=inspect-ip-options, deny=true
hits=389653, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc539b28, priority=18, domain=flow-export, deny=false
hits=382294, user_data=0xcc24f570, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,DMZ) source static obj-172.16.1.0 obj-172.16.1.0
Additional Information:
Static translate 172.16.1.82/1025 to 172.16.1.82/1025
Forward Flow based lookup yields rule:
in id=0xcc7d3c68, priority=6, domain=nat, deny=false
hits=2613, user_data=0xcc542908, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.16.1.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=DMZ

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc53ac90, priority=0, domain=user-statistics, deny=false
hits=1270903, user_data=0xcda47fc8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=DMZ

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb3c59b8, priority=0, domain=inspect-ip-options, deny=true
hits=1228229, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcc53b4d8, priority=0, domain=user-statistics, deny=false
hits=384912, user_data=0xcda47fc8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=inside

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1673672, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Second one coming


----------



## mrw5641 (Aug 14, 2015)

firewall# packet-tracer input DMZ tcp 10.100.0.10 1025 172.16.1.82 80 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3c1cb0, priority=1, domain=permit, deny=false
hits=27865094, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=DMZ, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,DMZ) source static obj-172.16.1.0 obj-172.16.1.0
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.1.82/80 to 172.16.1.82/80

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.100.0.0 255.255.255.0 DMZ

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb58f640, priority=13, domain=permit, deny=false
hits=772574, user_data=0xc94fbb30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3c59b8, priority=0, domain=inspect-ip-options, deny=true
hits=1228263, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc539160, priority=18, domain=flow-export, deny=false
hits=808329, user_data=0xcc24f570, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd418210, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=765571, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,DMZ) source static obj-172.16.1.0 obj-172.16.1.0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcd2ea690, priority=6, domain=nat-reverse, deny=false
hits=10795, user_data=0xcc542908, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=DMZ, output_ifc=inside

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc53b4d8, priority=0, domain=user-statistics, deny=false
hits=385188, user_data=0xcda47fc8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=inside

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb3f2c48, priority=0, domain=inspect-ip-options, deny=true
hits=389930, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcc53ac90, priority=0, domain=user-statistics, deny=false
hits=1270947, user_data=0xcda47fc8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=DMZ

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1673990, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


----------



## MitchConner (May 8, 2015)

That's what I got. Which address can you access the servers from mate?


----------



## mrw5641 (Aug 14, 2015)

Once VPN'ed in, I can't access anything.

I can only access them when I am in the office on the wireless network.


----------



## MitchConner (May 8, 2015)

From your earlier post mate, which address are you able to ping and ssh from?


----------



## mrw5641 (Aug 14, 2015)

If I VPN in I can hit an external server and then I can ping everything from that server since it has an internal IP address. 

Right now I VPN and hit one of my external servers and then I can ssh to anything and ping anything on the 10.100.0.0 subnet.


----------



## MitchConner (May 8, 2015)

Are you trying to access your DMZ through your VPN web portal, or are you trying to access (for example) a web server in your DMZ?


----------



## mrw5641 (Aug 14, 2015)

I would have to say through the VPN portal since I am connecting to the VPN.


----------



## mrw5641 (Aug 14, 2015)

and it would be a server within the DMZ


----------



## MitchConner (May 8, 2015)

So we're on the same page mate, are you using the webvpn where you configure application, terminal service, etc?


----------



## mrw5641 (Aug 14, 2015)

We are using CISCO Anyconnect. Not sure what you mean by the other part.


----------



## MitchConner (May 8, 2015)

Can you ping the domain name of the server you're trying to reach?


----------



## mrw5641 (Aug 14, 2015)

From the CMD prompt, no I can NOT. I can't ping anything. I also notice when I go to my network settings it says CISCO AnyConnect (NO INTERNET)


----------



## MitchConner (May 8, 2015)

Is it your intention to tunnel all your traffic back to the ASA or split dns?


----------



## MitchConner (May 8, 2015)

It looks as though you have a routing problem mate, it's forwarding traffic back to your ip range through your lan interface rather than the tunnel interface. I would change your vpn dhcp pool to another subnet, which means you'll need to make some changes to your NAT configuration and your acls which depends on whether you tunnel everything back to your network or want to use split-dns.

If you let me know mate I'll build the config for you.

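Mitch's diagnosis here, and his later explanation of why moving the clients to 192.168.1.x fixed it, comes down to one fact: the VPN pool 172.16.1.80-99 sits inside the 172.16.1.0/24 LAN subnet, so from the ASA's point of view a VPN client address looks like a host on the inside interface. As an added example that is not from either poster or from Cisco, the Python below reads the `ip local pool` and per-interface `ip address` lines of an ASA config and flags any pool that overlaps a directly connected subnet, which is the check to run before handing out a new pool. The sample config is constructed from the pool ranges in this thread (the old 172.16.1.80-96 pool and the 192.168.1.x pool adopted later); the interface addresses 172.16.1.1 and 10.100.0.1 and the `Vlan` interface names are assumptions, not the real device's.

```python
"""Flag Cisco ASA VPN address pools that overlap a directly connected subnet.
Added example for this thread, not the poster's config or a Cisco tool."""
import ipaddress
import re

# Constructed sample. Pool ranges come from the thread; the interface
# addresses and Vlan names are assumed, not taken from the real firewall.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
interface Vlan2
 nameif DMZ
 security-level 50
 ip address 10.100.0.1 255.255.255.0
ip local pool VPNPool 172.16.1.80-172.16.1.96 mask 255.255.255.0
ip local pool VPNPool2 192.168.1.1-192.168.1.254 mask 255.255.255.0
"""

# "ip local pool NAME START-END mask MASK"
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)\s*$", re.M)


def connected_subnets(config):
    """Return {nameif: IPv4Network} for each interface carrying an address."""
    subnets, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new interface stanza
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            addr, mask = line.split()[2:4]   # tolerate a trailing "standby X"
            subnets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return subnets


def local_pools(config):
    """Return {pool: [IPv4Network, ...]} covering each pool's START-END range."""
    pools = {}
    for name, start, end, _mask in POOL_RE.findall(config):
        pools[name] = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return pools


def find_overlapping_pools(config):
    """List (pool, interface, subnet) for every pool that lands inside a
    connected subnet; an empty list means every pool is a distinct network."""
    findings = []
    subnets = connected_subnets(config)
    for pool, nets in local_pools(config).items():
        for ifname, subnet in subnets.items():
            if any(net.overlaps(subnet) for net in nets):
                findings.append((pool, ifname, str(subnet)))
    return findings


if __name__ == "__main__":
    for pool, ifname, subnet in find_overlapping_pools(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps connected subnet {subnet} on {ifname}")
```

On the sample it reports only `VPNPool` against the inside 172.16.1.0/24; `VPNPool2` passes, which is the "three separate subnets for LAN, wireless and VPN" rule Mitch gives a few posts later expressed as a check you can rerun after every pool change.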

----------



## mrw5641 (Aug 14, 2015)

Is there any way to keep the current DHCP pool for 172.16.1.1? Ideally that is what I want since the wireless when you login is 172.16.1.100-199 and VPN is already 172.16.1.80-99. I would prefer to keep the original.


----------



## MitchConner (May 8, 2015)

You should really have three separate subnets mate, one for your LAN, one for wireless and another for your VPN. 

If you let me know what tunneling you need we can get this cracked out asap.


----------



## mrw5641 (Aug 14, 2015)

Hi Mitch. Let's put the VPN on 192.168.1.* to have access to 10.100.0.0/24

What is the difference between tunneling?


----------



## mrw5641 (Aug 14, 2015)

I think it's SSL


----------



## mrw5641 (Aug 14, 2015)

Clientless SSL / CISCO VPN Anyconnect


----------



## MitchConner (May 8, 2015)

Hi mate.

Tunneling types = Tunnel all traffic through the ASA (including internet), or split-tunneling where you break out internet traffic at the users location and only corporate traffic traverses the VPN.


----------



## mrw5641 (Aug 14, 2015)

Tunnel traffic through the ASA is what we are using.


----------



## mrw5641 (Aug 14, 2015)

Can you help me get it working?


----------



## MitchConner (May 8, 2015)

Sure can 

I'll have to post the config in a few hours though if that's ok mate, I'm at work at the moment so can't spend any time on it till later!


----------



## mrw5641 (Aug 14, 2015)

OK thank you!! I have a different running config now since I made a few changes. Do you just post the commands or the full config?


----------



## MitchConner (May 8, 2015)

I'll give you the commands you need to remove the old config, and the commands to enter the new config. As long as you haven't made any VPN related changes we should be ok. However, I'll take you through backing up your config in the unlikely event I make a mistake.


----------



## mrw5641 (Aug 14, 2015)

Thanks!!!


----------



## mrw5641 (Aug 14, 2015)

Mitch -- I found this from an old config from 2012 

access-list cisco_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0 
access-list cisco_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.1.64 255.255.255.192 
access-list inside_nat0_outbound extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0 
access-list DMZ_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 172.16.1.64 255.255.255.192 
access-list Systems_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0 
access-list Systems_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0


----------



## MitchConner (May 8, 2015)

Hi mate, hopefully this config will help you out. The bones of your config are there already so it's easy to make a few adjustments. 

There is nothing in the config that will break the fundamental operation of your firewall, only the VPN clients would be affected.

First, take a copy of your current config:

*conf t
copy start tftp
enter your tftp server IP address
press enter (twice) to accept the filenames*

The config below is based on my understanding that you want to set up Anyconnect (not SSL via a webportal), and tunnel ALL your VPN client traffic (including internet) through your ASA. If you're not sure about any of the above, just let me know.

I'll annotate the config so you can see what's going on 

*conf t
no ip local pool VPNPool 172.16.1.80-172.16.1.96 mask 255.255.255.0* (removes the old pool)
*ip local pool VPNPool 192.168.1.1-192.168.1.254 mask 255.255.255.0* (adds new pool)
*same-security-traffic permit intra-interface* (allows VPN client data to hairpin out of the same interface (later))
*sysopt connection permit-vpn* (ignores interface ACLs for your VPN clients)

*object network ANYCONNECT_VPN*
*subnet 192.168.1.0 255.255.255.0*
*nat (LPOUT,LPOUT) after-auto source dynamic VPNPool interface* (VPN network object and NAT for internet access)

*exit*

*group-policy Systems attributes
no dns-server value 8.8.8.8
dns-server value x.x.x.x
no split-tunnel-policy tunnelspecified
split-tunnel-policy tunnelall
split-tunnel-all-dns enable* (allow full tunneling. You can either keep 8.8.8.8 or use your internal DNS server)

*exit*

*tunnel-group ANYCONNECT_VPN type remote-access
tunnel-group ANYCONNECT_VPN general-attributes
default-group-policy Systems
address-pool VPNPool
tunnel-group ANYCONNECT_VPN webvpn-attributes
group-alias ANYCONNECT_VPN enable* (create a new tunnel group)

*exit*

*nat (DMZ,LPOUT) source static any any destination static ANYCONNECT_VPN ANYCONNECT_VPN no-proxy-arp route-lookup* (prevent return traffic to your VPN clients being NAT'd)

*CTRL+Z*

Any problems just give me a shout mate, if you need to roll back your config you can either reload or just *no* the commands you entered. If you get any output errors with a caret symbol on the next line, let me know as I might have made a spelling mistake somewhere.

Cheers.


----------



## mrw5641 (Aug 14, 2015)

****. I was on VPN and I did the first command with NO IP POOL and I lost my connection


----------



## MitchConner (May 8, 2015)

Lol I have to laugh because I know exactly how you feel. I had a 200 mile round-trip recently to a data centre because I shut the wrong interface.

Probably should have mentioned that you should do this either local or via a console cable for best results. Do you normally work at its location or are you always remote from it?


----------



## mrw5641 (Aug 14, 2015)

I realized what it would have done after the fact lol. I am remote all week and I realized I was VPN'd in. Any way to fix that now?


----------



## MitchConner (May 8, 2015)

It happens to the best of us mate! 

Try accessing via the webvpn - and see if you can access the asa via ssh (if configured). Also try to ssh to your public address (the public address in the config may be yours). And a long shot would be to try and send an SNMP reload to the ASA (not even sure that works outside of IOS though).


----------



## MitchConner (May 8, 2015)

Probably worth a mention (for future reference) a command I always forget, is to set the ASA to reload:

reload in x


----------



## mrw5641 (Aug 14, 2015)

I am in. I ssh into website and I was able to ssh to the firewall. I will continue


----------



## MitchConner (May 8, 2015)

Result.

Set the reload before you do mate.


----------



## mrw5641 (Aug 14, 2015)

Not sure why it says I am inside:

inside(config-group-policy)# no split-tunnel-policy tunnelspecified
ERROR: Entered value does not match the currently configured value
inside(config-group-policy)# no split-tunnel-policy tunnel specified
^
ERROR: % Invalid input detected at '^' marker.
inside(config-group-policy)#


----------



## MitchConner (May 8, 2015)

Continue with the next lines mate, we'll have a look when done


----------



## mrw5641 (Aug 14, 2015)

OK Commands entered. What would you like me to do?


----------



## MitchConner (May 8, 2015)

Disconnect and connect using Anyconnect and see if you can access one of your DMZ hosts and the internet.


----------



## mrw5641 (Aug 14, 2015)

First thing I notice is my IP address is 192.168.1.1

No INTERNET access

I can access DMZ


----------



## MitchConner (May 8, 2015)

Well that's one problem sorted. Give me a couple of minutes to make a strong brew and review your config.

Can you show me a *show run group-policy* please


----------



## mrw5641 (Aug 14, 2015)

inside# show run group-policy
group-policy sslvpn internal
group-policy sslvpn attributes
banner value Welcome to Infinity Systems Software VPN
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value infinite-blue.com
address-pools value VPNPool
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
webvpn
anyconnect ask enable
group-policy GroupPolicy_ISSI internal
group-policy GroupPolicy_ISSI attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol l2tp-ipsec
default-domain value infinite-blue.com
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-filter value test1
address-pools value VPNPool
client-access-rule none
group-policy Systems internal
group-policy Systems attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value infinite-blue.com
split-tunnel-all-dns enable
group-policy cisco internal
group-policy cisco attributes
banner value Welcome to ISSI
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value infinite-blue.com


-----------------

PS Thank you for your help I really really appreciate it.


----------



## MitchConner (May 8, 2015)

Can you enter this and then re-test internet please:

conf t
group-policy Systems attributes
no default-domain value infinite-blue.com


----------



## mrw5641 (Aug 14, 2015)

Internet isn't really a big deal as long as I can get to where I need to get to. I still have internet on my wireless. 

Why is the login taking 192.168.1.1 as the IP?

------

inside(config-group-policy)# no default-domain value infinite-blue.com
ERROR: Entered value does not match the currently configured value
inside(config-group-policy)#


----------



## MitchConner (May 8, 2015)

I've just noticed what you meant by 'inside': your router hostname has changed to inside when it was named firewall. Unless an older config has been loaded, or someone else has been tweaking, that's pretty weird.

Your client is now 192.168.1.1 (from your selected choice) as this is the new pool for the VPN clients. Previously, when you were using the 172 range, the return traffic from your DMZ was being routed back through your inside interface so your machine was never going to see the return traffic.

Internet access can be helpful from an Anyconnect client. I can help you get it working if you need.


----------



## mrw5641 (Aug 14, 2015)

I think I was tweaking and I got stuck lol.

Thanks Mitch. I really appreciate your help and time.


----------



## MitchConner (May 8, 2015)

No problem at all mate, glad it's working for you.

If you need any more help just let me know


----------



## MitchConner (May 8, 2015)

Don't forget to enter wri mem to save your work!


----------



## mrw5641 (Aug 14, 2015)

Hi Mitch I do have one more question and I am trying to word it properly.

I have one server on the 47 network that can get out to FTPs, but I can't get to another server on the 47 network, nor can someone FTP to this server from outside.

What is odd is I can hit this 47 network server from command prompt and from Linux.


----------



## MitchConner (May 8, 2015)

Do you mean you have an FTP server setup on your inside or dmz network and you need to access these from outside your network?

If so, you'll need to give me the FTP server IP address because I can't see a NAT statement for that.


----------



## mrw5641 (Aug 14, 2015)

47.19.64.74 which is a z/OS server and you can get to it from CMD / Linux but not from z/OS to z/OS.


----------



## MitchConner (May 8, 2015)

Is that your server mate or external to your business?


----------



## mrw5641 (Aug 14, 2015)

That is MY external server.


----------



## mrw5641 (Aug 14, 2015)

I can FTP out from that server but I can't go to another 47.19.64 server on the network, nor can anyone FTP to that server (only from CMD and Linux).


----------



## MitchConner (May 8, 2015)

And both your servers are on your inside or dmz networks?


----------



## mrw5641 (Aug 14, 2015)

I can ftp from that server 47.19.64.74 to 10.100.0.* but I can't go from 47.19.64.74 to 47.19.64.73

But I can FTP from 47.19.64.74 to let's say IBM.com


----------



## MitchConner (May 8, 2015)

I'd need to understand the infrastructure that the FTP servers connect to mate if they are external to what we've been working with.

If they sit behind a firewall with private IP's NAT'd to those public addresses, try connecting on the private address.


----------



## mrw5641 (Aug 14, 2015)

I am trying to think of the best way to explain it. One of our engineers is trying to hit the 47.19.64.74 (zOS) IP address from their personal PC, which they can via CMD Prompt / Linux.

So he is unable to get from his zOS machine to our zOS machine, so he needs to FTP them down to his desktop and then from the CMD prompt FTP it back up.

My zOS server can FTP out to IBM etc, but this zOS server is unable to FTP to another server on the 47 network but it can FTP to the internal network.


----------



## MitchConner (May 8, 2015)

When you say personal PC you mean their home PC? FTP what down?

I need to know what the FTP servers connect to mate, otherwise I'm just making assumptions.


----------



## mrw5641 (Aug 14, 2015)

Their home PC, and they are FTP'ing some files from their z/ system to ours in the office behind the firewall.

The rule in place is 

ACL-LPOUT-INBOUND

ANY 10.100.0.34 (FTP,FTP-DATA,TCP/5000)


----------



## mrw5641 (Aug 14, 2015)

I know it is tough for you to understand since it isn't your environment.


----------



## MitchConner (May 8, 2015)

You'll need to verify those IPs mate, the 47. range doesn't (and can't) exist on your current network.

You also don't have any static NATs for FTP access.


----------



## mrw5641 (Aug 14, 2015)

What do you mean the 47 range? that is my address range for external servers.


----------



## mrw5641 (Aug 14, 2015)

My NAT rule is DMZ to LPOUT
LPOUT TO DMZ


----------



## MitchConner (May 8, 2015)

Can't see the 47.x.x.x subnet defined on any interface mate (in fact, I can't see those addresses in your config), so you can't route to it. You need to define a public address in the same subnet as your outside (LPOUT) interface so it is routable from outside.

In order for you to process FTP inbound (from the outside interface) you need to tell the ASA which host to forward packets on port 20/21 to.


----------



## mrw5641 (Aug 14, 2015)

47 is defined on LPOUT interface which is the internet and my EXT IP block.


----------



## MitchConner (May 8, 2015)

Your public range is 64.x.x.x/26 mate. I'm hazarding a guess that when you say .74 you're talking about the last octet in that range. In which case, you need to do something like this:

conf t
object network FTP_SERVER_1
host x.x.x.x   (your private IP)
nat (DMZ,LPOUT) static x.x.x.x service tcp ftp ftp-data   (your required public IP)
exit

wri mem

show nat x.x.x.x   (your private IP)

you should see this (except different IP's):

Auto NAT Policies (Section 2)
1 (dmz) to (lpout) source static FTP 1.1.1.1 service tcp ftp ftp-data
translate_hits = 0, untranslate_hits = 0


----------



## mrw5641 (Aug 14, 2015)

OOO. 64.50 is GONE. 47.19 is my NEW.


----------



## MitchConner (May 8, 2015)

Probably worth a heads up if your config changed mate, although I'll call that even seeing as I forgot to mention the reload command yesterday.

Exactly the same mate, just plug in your required public address into the pat configuration and you'll be good to go (assuming you have the corresponding ACL).
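A config audit for the two things the previous two posts say an inbound static NAT needs (a mapped address inside the outside interface's subnet, and a corresponding ACL permit). This is an added example, not code from the thread or from Cisco: it assumes ASA 8.3+ object NAT syntax (ACLs match the real, pre-NAT address), resolves host objects only, ignores deny ordering, and runs against a constructed excerpt modelled on this thread's config (FTP_SERVER_1 and stale_public_ftp are made up).

```python
import ipaddress
import re

NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+)")  # object NAT; twice-NAT ("source static") is skipped


def _take_addr(tokens):
    """Consume one ASA address spec: any | host X | object X | object-group X | A.B.C.D MASK."""
    head = tokens.pop(0)
    if head == "any":
        return ("any", None)
    if head in ("host", "object", "object-group"):
        return (head, tokens.pop(0))
    return ("subnet", ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False))


def parse_asa(text):
    """Collect interfaces (nameif -> subnet), network objects, ACL permit destinations, access-groups."""
    cfg = {"interfaces": {}, "objects": {}, "acls": {}, "access_groups": {}}
    cur_ifc, cur_obj = None, None  # nameif of the interface block / object dict being read
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "interface":
            cur_ifc, cur_obj = "", None
        elif tok[0] == "nameif" and cur_ifc is not None:
            cur_ifc = tok[1]
        elif tok[:2] == ["ip", "address"] and cur_ifc:
            cfg["interfaces"][cur_ifc] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:2] == ["object", "network"]:  # listed twice in a saved config (definition, then nat)
            cur_ifc, cur_obj = None, cfg["objects"].setdefault(tok[2], {"host": None, "nat": None})
        elif tok[0] == "host" and cur_obj is not None:
            cur_obj["host"] = tok[1]
        elif tok[0] == "nat" and cur_obj is not None and NAT_RE.match(raw.strip()):
            cur_obj["nat"] = NAT_RE.match(raw.strip()).groups()  # (real_ifc, mapped_ifc, mapped)
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            rest = tok[4:]
            del rest[:(2 if rest[0] == "object-group" else 1)]  # protocol or service object-group
            _take_addr(rest)  # source address, not needed for this audit
            if rest and rest[0] in ("eq", "gt", "lt", "neq", "range"):  # optional source port
                del rest[:(3 if rest[0] == "range" else 2)]
            if rest:
                cfg["acls"].setdefault(tok[1], []).append(_take_addr(rest))  # destination
        elif tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            cfg["access_groups"][tok[4]] = tok[1]
    return cfg


def acl_permits_host(cfg, acl_name, ip):
    """True if some permit entry of acl_name has ip as its destination (deny ordering is ignored)."""
    addr = ipaddress.ip_address(ip)
    for kind, value in cfg["acls"].get(acl_name, []):
        if kind == "any" or (kind == "host" and value == ip):
            return True
        if kind == "object" and (cfg["objects"].get(value) or {}).get("host") == ip:
            return True
        if kind == "subnet" and addr in value:
            return True
    return False


def audit_static_nats(cfg):
    """Map each host object carrying a static NAT to its findings; an empty list means it looks sound."""
    findings = {}
    for name, obj in cfg["objects"].items():
        if not obj["nat"] or not obj["host"] or obj["nat"][1] == "any":
            continue  # no NAT, a subnet object, or nat (x,any): no single interface to check
        mapped_ifc, mapped = obj["nat"][1], obj["nat"][2]
        mapped = (cfg["objects"].get(mapped) or {}).get("host") or mapped  # "static <object>" form
        issues = []
        subnet = cfg["interfaces"].get(mapped_ifc)
        if subnet and mapped != "interface" and ipaddress.ip_address(mapped) not in subnet:
            issues.append(f"mapped {mapped} is not in {mapped_ifc} subnet {subnet}")
        acl = cfg["access_groups"].get(mapped_ifc)
        if acl is None:
            issues.append(f"no inbound ACL bound to {mapped_ifc}")
        elif not acl_permits_host(cfg, acl, obj["host"]):
            issues.append(f"{acl} has no permit for real (pre-NAT) address {obj['host']}")
        findings[name] = issues
    return findings


# Constructed excerpt modelled on this thread's config; FTP_SERVER_1 and stale_public_ftp are made up.
SAMPLE_CONFIG = """\
interface Vlan17
 nameif LPOUT
 ip address 47.19.64.66 255.255.255.192
object network inside_zOSLPAR
 host 10.100.0.34
object network FTP_SERVER_1
 host 10.100.0.132
object network stale_public_ftp
 host 10.100.0.237
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_zOSLPAR eq ftp
access-list ACL-LPOUT-INBOUND extended permit tcp any eq 3389 host 10.100.0.120 eq 3389
object network inside_zOSLPAR
 nat (DMZ,LPOUT) static 47.19.64.74 dns
object network FTP_SERVER_1
 nat (DMZ,LPOUT) static 47.19.64.81 service tcp ftp ftp
object network stale_public_ftp
 nat (DMZ,LPOUT) static 64.50.48.237
access-group ACL-LPOUT-INBOUND in interface LPOUT
"""
```

Run `audit_static_nats(parse_asa(SAMPLE_CONFIG))` (or feed it a saved `show config`): the zOS entry comes back clean, FTP_SERVER_1 is flagged for a missing ACL permit, and the stale 64.50.48.x mapping is flagged as unroutable from the 47.19.64.64/26 LPOUT side.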


----------



## mrw5641 (Aug 14, 2015)

Well it appears to be an issue on the other end, meaning my config is fine 

Thanks MITCH!


----------



## MitchConner (May 8, 2015)

Anytime mate


----------



## mrw5641 (Aug 14, 2015)

Hi Mitch, I hit a bit of an issue. It looks like the firewall may have been restarted and I am not able to access everything from the VPN. I can only hit one of the internal IPs, but when I ssh it says no route to host.

Any suggestions?


----------



## MitchConner (May 8, 2015)

Where are you trying to ssh from mate?


----------



## mrw5641 (Aug 14, 2015)

PING 10.100.0.66 (10.100.0.66) 56(84) bytes of data.
From 10.100.0.132: icmp_seq=1 Destination Host Unreachable
From 10.100.0.132 icmp_seq=1 Destination Host Unreachable
From 10.100.0.132 icmp_seq=2 Destination Host Unreachable
From 10.100.0.132 icmp_seq=3 Destination Host Unreachable
From 10.100.0.132 icmp_seq=4 Destination Host Unreachable
From 10.100.0.132 icmp_seq=5 Destination Host Unreachable
From 10.100.0.132 icmp_seq=6 Destination Host Unreachable
From 10.100.0.132 icmp_seq=7 Destination Host Unreachable
From 10.100.0.132 icmp_seq=8 Destination Host Unreachable
From 10.100.0.132 icmp_seq=9 Destination Host Unreachable


----------



## mrw5641 (Aug 14, 2015)

Not sure what happened but I lost connection to everything but this one host.


----------



## MitchConner (May 8, 2015)

Have a look at your routing table (show route) and see if that host IP or subnet is in there.


----------



## mrw5641 (Aug 14, 2015)

Gateway of last resort is 47.19.64.65 to network 0.0.0.0

C 172.16.1.0 255.255.255.0 is directly connected, inside
C 10.100.0.0 255.255.255.0 is directly connected, DMZ
C 192.168.16.0 255.255.255.0 is directly connected, guests
S 192.168.1.1 255.255.255.255 [1/0] via 47.19.64.65, LPOUT
C 47.19.64.64 255.255.255.192 is directly connected, LPOUT
S* 0.0.0.0 0.0.0.0 [1/0] via 47.19.64.65, LPOUT


----------



## mrw5641 (Aug 14, 2015)

It was working before and a restart happened, maybe power went out. Can you suggest a solution?


----------



## mrw5641 (Aug 14, 2015)

Trying to ping also from the firewall

inside# ping 47.19.64.65
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 47.19.64.65, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inside# ping 47.19.64.81
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 47.19.64.81, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
inside# ping 10.100.0.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to inside_LPAR4, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
inside# ping 10.100.0.237
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.237, timeout is 2 seconds:
??
Success rate is 0 percent (0/2)
inside# ping 10.100.0.132
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.132, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
inside# ping 10.100.0.157
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.157, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)


----------



## MitchConner (May 8, 2015)

Where are you trying to ssh from, the vpn client?


----------



## mrw5641 (Aug 14, 2015)

Oh yes, sorry. Logged into VPN.


----------



## MitchConner (May 8, 2015)

Did you write the config after your previous changes? My gut is saying you have a NAT issue.

Going to need to see your config please mate.


----------



## mrw5641 (Aug 14, 2015)

I thought I saved it. Maybe it didn't come up at start up. I am on 192.168.1.1. Is it easy to write the commands again?


----------



## mrw5641 (Aug 14, 2015)

inside# show config
: Saved
: Written by admin at 10:19:59.556 EDT Wed Sep 30 2015
!
ASA Version 8.4(2)
!
hostname inside
domain-name infinite-blue.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 64.50.48.231 lpar1 description zOS LPAR1
name 64.50.48.232 lpar2 description zOS LPAR2
name 64.50.48.233 lpar3 description zOS LPAR3
name 64.50.48.236 vmguest1 description i-b.com web server
name 64.0.197.99 vmguest2 description qls.com web server
name 64.0.197.100 vmguest3 description vi.com web server
name 64.50.48.226 zseries_hmc description HMC for z9 BC
name 64.50.48.237 public_ftp description zLinux Public FTP server for customer SW DLs
name 64.0.197.104 dns_dhcp description See Note 1
name 64.0.197.105 www_quickload description quickload mail server
name 64.0.197.108 ds6800_hmc description HMC for DS6800
name 64.0.197.109 osa_icc description External IP for OSA ICC
name 64.0.197.102 avtech_monitor description Server Room Temp. monitor
name 64.0.197.101 zVM description zVM LPAR
name 64.50.48.228 mail description Actually points to Sonic Wall, but external for mail
name 64.0.197.107 ma1 description SNA Solaris
name 64.0.197.110 unknown_host1 description See Note 3
name 64.50.48.234 lpar4 description zOS LPAR4
name 64.50.48.227 newmail description Supposed to be Old Mail server, but currently unmapped
name 64.50.48.229 outside description Outside LAN Interface
name 64.0.197.98 linb10 description Matt's Linux Cloning Image
name 64.50.48.238 zlinux1 description zLinux Sandbox External
name 64.0.197.106 macmini description MacMini Virtualbox external IP
name 10.100.0.31 inside_LPAR1
name 10.100.0.32 inside_LPAR2
name 10.100.0.33 inside_LPAR3
name 10.100.0.34 inside_LPAR4
name 10.100.0.35 inside_LPAR5
name 64.50.48.235 lpar5 description zVM LPAR5
name 64.0.197.214 pargrd1 description pargrd1.parent-guard.net
name 64.0.197.213 TArppd1 description ThinAire
name 64.0.197.212 TAinfcvs1 description ThinAire
name 64.0.197.210 TAirweb description ThinAire
name 64.0.197.215 infinity03
name 64.0.197.220 infinity04
name 64.0.197.216 ServerMonitor description Monitors All of the Servers
name 47.19.64.71 TArpqa1 description ThinAire
name 47.19.64.72 inotes description Production Mail Server
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 17
speed 100
duplex full
!
interface Ethernet0/4
switchport access vlan 4090
!
interface Ethernet0/5
switchport access vlan 7
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 7
!
interface Vlan2
nameif DMZ
security-level 50
ip address 10.100.0.2 255.255.255.0
!
interface Vlan3
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan7
nameif guests
security-level 10
ip address 192.168.16.1 255.255.255.0
!
interface Vlan17
nameif LPOUT
security-level 0
ip address 47.19.64.66 255.255.255.192
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup LPOUT
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name infinite-blue.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.100.0.0
subnet 10.100.0.0 255.255.255.0
object network obj-172.16.1.64
subnet 172.16.1.64 255.255.255.192
object network obj-10.100.0.8
host 10.100.0.8
object network public_ftp
host 64.50.48.237
object network www_quickload
host 64.0.197.105
object network 10.100.0.99
host 10.100.0.99
description 10.100.0.99
object network dns_dhcp
host 64.0.197.104
object network obj-10.100.0.19
host 10.100.0.19
object network osa_icc
host 64.0.197.109
object network obj-10.100.0.20
host 10.100.0.20
object network avtech_monitor
host 64.0.197.102
object network inside_z63PROD01
host 10.100.0.235
object network lpar1
host 64.50.48.231
object network inside_LPAR2
host 10.100.0.32
object network lpar2
host 64.50.48.232
object network inside_zOS2
host 10.100.0.33
object network lpar3
host 64.50.48.233
object network lpar4
host 64.50.48.234
object network lpar5
host 64.50.48.235
object network obj-10.100.0.108
host 10.100.0.108
object network worklight
host 64.50.48.236
object network obj-10.100.0.109
host 10.100.0.157
object network vmguest2
host 64.0.197.99
object network obj-10.100.0.66
host 10.100.0.66
object network vmguest3
host 64.0.197.100
object network linb10
host 64.0.197.98
object network obj-10.100.0.80
host 10.100.0.80
object network mail
host 64.50.48.228
object network obj-10.100.0.14
host 10.100.0.14
object network zseries_hmc
host 64.50.48.226
object network HostOnDemand
host 64.0.197.110
object network obj-10.100.0.140
host 10.100.0.140
object network obj-10.100.0.4
host 10.100.0.4
object network inotes
host 47.19.64.72
object network obj-10.100.0.55
host 10.100.0.55
object network macmini
host 64.0.197.106
object network zlinux1
host 64.50.48.238
object network qloadsystem
host 10.100.0.116
object network inside_DonovanTESTdomino
host 10.100.0.119
object network TAirweb
host 64.0.197.210
object network obj-10.100.0.107
host 10.100.0.107
object network TArpqa1
host 47.19.64.71
object network obj-10.100.0.132
host 10.100.0.132
object network TArppd1
host 64.0.197.213
object network obj-10.100.0.134
host 10.100.0.134
object network pargrd1
host 64.0.197.214
object network obj-10.100.0.141
host 10.100.0.141
object network infinity03
host 64.0.197.215
object network obj-10.100.0.74
host 10.100.0.74
object network infinity04
host 64.0.197.220
object network inside_INFINITYCSM
host 10.100.0.143
object network ServerMonitor-01
host 64.0.197.216
object network outside
host 64.50.48.229
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-172.16.1.0
subnet 172.16.1.0 255.255.255.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.16.0
subnet 192.168.16.0 255.255.255.192
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network inside_VIHTTP
host 10.100.0.66
object network VIHTTP
host 47.19.64.78
object network inside_HOD
host 10.100.0.241
object network INSIDE_thinaireSharepoint
host 10.100.0.106
object network thinaireSharepoint
host 64.0.197.222
object network NewiNotes
host 10.100.0.140
object network Inside_ISSIQuickR
host 10.100.0.184
object network outside_ISSIQuickR
host 64.0.197.222
object network V7000
host 10.100.0.53
object network obj-10.100.0.157
host 10.100.0.157
object network Worklight
host 64.0.197.101
object network inside_VICOMINVENTORY
host 10.100.0.117
object network insideDEMOlpar
host 10.100.0.237
object network outside-vicominventory
host 64.0.197.218
object network obj-vicominventory-internal
host 10.100.0.87
object network inside_worklightBT
host 10.100.0.91
object network inside-officeFTP
host 10.100.0.132
object network outsideofficeFTP
host 47.19.64.70
object network waveInside
host 10.100.0.191
object network waveout
host 64.0.197.221
object network 47.19.64.66
host 47.19.64.66
description LightPath Outside Interface
object network any2
host 0.0.0.0
object network inside_HMC
host 10.100.0.14
object network outside_LPAR4LP
host 47.19.64.72
object network outside_LPAR3
host 47.19.64.73
object network odj-172.16.1.0
subnet 172.16.1.0 255.255.255.0
object network 172.16.1.0
subnet 172.16.1.0 255.255.255.0
object network inside_INFINITEBLUE
host 10.100.0.107
object network pgrd
host 10.100.0.132
object network pargrd
host 10.100.0.134
object network z-os
host 10.100.0.33
object network vicominventoryOUT
host 47.19.64.75
object network outsideOFFICEFTP
host 64.50.48.235
object network ob1j-172.16.1.0
host 172.16.1.0
object network quickloadLPOUT
host 47.19.64.76
object network quickloadOUT-LP
host 10.100.0.157
object network inside_zOSLPAR
host 10.100.0.34
object network infiniteblue
host 10.100.0.107
object network infinite-bluecom
host 10.100.0.107
object network tiaaPOC
host 10.100.0.120
object network LPOUT-PAT
host 47.19.64.67
object network vicominvOUT-LP
host 10.100.0.117
object network parentGuardOUTLP
host 10.100.0.134
object network parentguardoutLP
host 47.19.64.77
object network outsideVIHTTPLP
host 47.19.64.78
object network outsideviHTTPLP
host 10.100.0.66
object network OSAICCLP
host 47.19.64.79
object network osaICCLPOUT
host 10.100.0.19
object network outside_HMC_LP
host 47.19.64.80
object network inside_HMC_DMZ
host 10.100.0.14
object network officeFTPLPOUT
host 47.19.64.81
object network officeoutFTPLP
host 10.100.0.132
object network outsidevihttp
host 10.100.0.66
object network obj-10.100.0.165
host 10.100.0.165
object network z63prdoutLP
host 47.19.64.83
object network z63prodLPARLP
host 10.100.0.235
object network redhatguest
host 10.100.0.91
object network infiniteblue.com
host 10.100.0.107
object network interalServers
subnet 10.100.0.0 255.255.255.0
object network dmztoLP
subnet 10.100.0.0 255.255.255.0
description DMZ out to LP Internet
object network VMTEST
host 10.100.0.163
object network tiaaPOCinside
host 10.100.0.120
object network tiaaPocOutside
host 47.19.64.85
object network inside_OSA_ICC
host 10.100.0.19
object network inside_QUICKLOAD
host 10.100.0.157
object network inside_parentGUARD
host 10.100.0.134
object network inside_Timesheets
host 10.100.0.140
object network inside_ChristinaSAMBA
host 10.100.0.112
object network obj-10.100.0
subnet 10.100.0.0 255.255.255.0
object network DMZtoOUT
host 172.16.1.0
object network DMZ_outside
subnet 0.0.0.0 0.0.0.0
object network web-server-fromOutside
host 10.0.0.1
object network obj-10.100.0.163OUT
host 10.100.0.163
object network obj2-10.100.0.0
subnet 10.100.0.0 255.255.255.0
object network outside_INFINITYCSMLP
host 47.19.64.84
object network outside_INFINITYCSMWEBLP
host 10.100.0.143
object network inside_z63TSTLPAR
host 10.100.0.236
object network outside_Z63TSTLPAR
host 47.19.64.86
object network inside_RHELTEST
host 10.100.0.92
object network outside_RHELtest
host 47.19.64.87
object network ISSI
object network inside_TIAAPOC
host 10.100.0.120
object network VPNpoolISSI
object network inside_LPAR1
host 10.100.0.31
object network inside_LPAR3
host 10.100.0.33
object network inside_LPAR4
host 10.100.0.34
object network inside_LPAR5
host 10.100.0.35
object network ANYCONNECT_VPN
subnet 192.168.1.0 255.255.255.0
object network zOS_FTPSERVER
host 10.100.0.34
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq 3389
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_5
service-object tcp destination eq 8451
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object udp destination eq 8451
object-group network DM_INLINE_NETWORK_2
network-object object inside_DonovanTESTdomino
network-object object inside_Timesheets
object-group service high-avail-manager tcp
port-object range 32200 32216
object-group network ISSIVPN
object-group network parent-guard.net
network-object host pargrd1
object-group service DM_INLINE_TCP_7 tcp
port-object eq ftp
port-object eq www
port-object eq https
port-object eq ssh
port-object eq ftp-data
object-group network ThinAire
network-object host TAirweb
network-object host TAinfcvs1
network-object host TArppd1
network-object host TArpqa1
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp destination eq ssh
object-group service DM_INLINE_TCP_9 tcp
port-object eq ftp
port-object eq www
port-object eq https
port-object eq ssh
port-object eq 8080
port-object eq ftp-data
object-group network ThinAireMail
network-object host infinity03
object-group service DM_INLINE_TCP_11 tcp
port-object eq www
port-object eq imap4
port-object eq pop3
port-object eq smtp
object-group network ServerMonitor
network-object host ServerMonitor
object-group network ThinAireQuickr
network-object host infinity04
object-group service DM_INLINE_TCP_13 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq ssh
port-object eq 5801
port-object eq 5800
port-object eq 5900
port-object eq 5901
port-object eq telnet
port-object eq 3389
port-object eq https
port-object eq 9080
port-object eq 446
port-object eq 3300
port-object eq 3306
port-object eq 9960
object-group network VI-Access
network-object 172.16.1.0 255.255.255.0
object-group network VPN-Site-DTNA
network-object 53.220.50.0 255.255.254.0
object-group network VPN-NAT-Site-DTNA
network-object 192.168.101.32 255.255.255.255
object-group network ThinAire_1
network-object host 10.100.0.130
network-object host 10.100.0.135
network-object host 10.100.0.132
network-object host 10.100.0.150
object-group network parent-guard.net_1
network-object object inside_parentGUARD
object-group network ThinAireMail_1
network-object host 10.100.0.88
object-group network ThinAireQuickr_1
network-object host 10.100.0.70
object-group network VPNPool
network-object 192.168.100.0 255.255.255.0
object-group service DM_INLINE_TCP_15 tcp
port-object eq 992
port-object eq telnet
group-object high-avail-manager
port-object eq 5000
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq 9960
port-object eq 8181
port-object eq 3270
object-group network DM_INLINE_NETWORK_4
network-object object inside_z63PROD01
network-object object inside_z63TSTLPAR
network-object object inside_OSA_ICC
network-object object inside_LPAR1
network-object object inside_LPAR2
network-object object inside_LPAR3
network-object object inside_LPAR4
network-object object inside_LPAR5
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq 465
service-object tcp destination eq 587
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop2
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object tcp destination eq ssh
service-object udp destination eq www
object-group service DM_INLINE_TCP_21 tcp
port-object eq 1533
port-object eq 5309
port-object eq 5801
port-object eq 5901
port-object eq 8081
port-object eq 8082
port-object eq 8088
port-object eq 8585
port-object eq 9800
port-object eq 9900
port-object eq www
port-object eq imap4
port-object eq lotusnotes
port-object eq pop3
port-object eq smtp
port-object eq ssh
port-object eq https
port-object eq 993
port-object eq 465
port-object eq 995
port-object eq 88
object-group service DM_INLINE_TCP_22 tcp
port-object eq 1533
port-object eq 465
port-object eq 5309
port-object eq 5800
port-object eq 5801
port-object eq 587
port-object eq 5900
port-object eq 5901
port-object eq 8081
port-object eq 8082
port-object eq 8088
port-object eq 8585
port-object eq 9800
port-object eq 9900
port-object eq ftp
port-object eq www
port-object eq https
port-object eq lotusnotes
object-group service DM_INLINE_TCP_24 tcp
port-object eq 1533
port-object eq 5309
port-object eq 5801
port-object eq 5901
port-object eq 8081
port-object eq 8082
port-object eq 8088
port-object eq 8585
port-object eq 9800
port-object eq 9900
port-object eq www
port-object eq imap4
port-object eq lotusnotes
port-object eq pop3
port-object eq smtp
port-object eq ssh
object-group service DM_INLINE_TCP_29 tcp
port-object eq 5000
port-object eq 8080
port-object eq 9090
port-object eq ftp
port-object eq www
port-object eq telnet
port-object eq ftp-data
object-group network DM_INLINE_NETWORK_1
network-object object inside_VIHTTP
network-object object inside_INFINITYCSM
network-object object inside_VICOMINVENTORY
network-object object inside_worklightBT
network-object object inside-officeFTP
network-object object inside_INFINITEBLUE
network-object object inside_HMC
network-object object inside_QUICKLOAD
network-object object inside_parentGUARD
network-object object inside_RHELTEST
object-group service DM_INLINE_TCPUDP_1 tcp-udp
port-object eq 137
port-object eq 138
port-object eq 139
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network TEST1_Destination
network-object object inside_Timesheets
object-group network BlackList
description BlackList
network-object host 50.74.218.54
object-group service DM_INLINE_TCP_17 tcp
port-object eq www
port-object eq imap4
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 445
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq ssh
service-object udp destination eq 445
access-list cisco_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.1.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list DMZ_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 172.16.1.64 255.255.255.192
access-list Systems_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list Systems_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended deny ip any host 10.100.0.51
access-list DMZ_access_in extended deny ip any host 10.100.0.52
access-list DMZ_access_in extended permit ip 172.16.1.64 255.255.255.192 host 10.100.0.53
access-list ip-qos extended permit ip 192.168.16.0 255.255.255.0 any
access-list ip-qos extended permit ip any 192.168.16.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list outside_cryptomap extended permit ip any 170.2.32.0 255.255.240.0
access-list nat_outbound-site-DTNA extended permit ip object-group VI-Access object-group VPN-Site-DTNA
access-list test1 extended deny ip any any
access-list ACL-LPOUT-INBOUND extended permit tcp any host 10.100.0.4 object-group DM_INLINE_TCP_24
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_HMC object-group DM_INLINE_TCP_29
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_TCP_15
access-list ACL-LPOUT-INBOUND extended permit object-group DM_INLINE_SERVICE_3 any object inside_QUICKLOAD
access-list ACL-LPOUT-INBOUND extended permit object-group DM_INLINE_SERVICE_5 any host 10.100.0.121
access-list ACL-LPOUT-INBOUND extended permit object-group DM_INLINE_SERVICE_1 any host 10.100.0.20
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group ThinAire_1 object-group DM_INLINE_TCP_9
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_parentGUARD object-group DM_INLINE_TCP_7
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_21
access-list ACL-LPOUT-INBOUND extended permit tcp any object Inside_ISSIQuickR object-group DM_INLINE_TCP_22
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_13
access-list ACL-LPOUT-INBOUND extended permit object-group TCPUDP any object inside_ChristinaSAMBA object-group DM_INLINE_TCPUDP_1
access-list ACL-LPOUT-INBOUND extended deny tcp host 94.102.3.151 any object-group DM_INLINE_TCP_11
access-list ACL-LPOUT-INBOUND extended deny tcp object-group BlackList any object-group DM_INLINE_TCP_17
access-list ACL-LPOUT-INBOUND extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list ACL-LPOUT-INBOUND extended permit tcp any eq 3389 object tiaaPocOutside object-group DM_INLINE_TCP_1
access-list ACL-LPOUT-INBOUND extended permit tcp any object tiaaPOCinside object-group DM_INLINE_TCP_2
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging buffered critical
logging trap warnings
logging history critical
logging asdm warnings
logging device-id hostname
flow-export destination DMZ 10.100.0.59 2055
flow-export template timeout-rate 1
flow-export delay flow-create 30
mtu DMZ 1500
mtu inside 1500
mtu guests 1500
mtu LPOUT 1500
ip local pool SYSPool 10.100.0.230-10.100.0.235 mask 255.255.255.0
ip local pool VPNPool 192.168.1.1-192.168.1.254 mask 255.255.255.0
ip verify reverse-path interface DMZ
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
asdm history enable
arp timeout 14400
nat (DMZ,guests) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-172.16.1.64 obj-172.16.1.64 no-proxy-arp route-lookup
nat (inside,LPOUT) source dynamic VI-Access VPN-NAT-Site-DTNA destination static VPN-Site-DTNA VPN-Site-DTNA
nat (inside,DMZ) source static obj-172.16.1.0 obj-172.16.1.0
nat (DMZ,inside) source static obj-10.100.0.0 obj-10.100.0.0
nat (DMZ,LPOUT) source static any any destination static ANYCONNECT_VPN ANYCONNECT_VPN no-proxy-arp route-lookup
!
object network obj-10.100.0.0
nat (DMZ,LPOUT) dynamic interface
object network inside_zOS2
nat (DMZ,LPOUT) static outside_LPAR3 dns
object network obj-10.100.0.140
nat (DMZ,LPOUT) static 47.19.64.72
object network obj-172.16.1.0
nat (inside,LPOUT) dynamic interface
object network NewiNotes
nat (DMZ,LPOUT) static 47.19.64.72
object network quickloadOUT-LP
nat (any,any) static quickloadLPOUT
object network inside_zOSLPAR
nat (DMZ,LPOUT) static 47.19.64.74 dns
object network vicominvOUT-LP
nat (any,any) static 47.19.64.75
object network parentGuardOUTLP
nat (any,any) static 47.19.64.77
object network osaICCLPOUT
nat (DMZ,LPOUT) static OSAICCLP
object network inside_HMC_DMZ
nat (DMZ,LPOUT) static outside_HMC_LP
object network officeoutFTPLP
nat (any,any) static officeFTPLPOUT
object network outsidevihttp
nat (DMZ,LPOUT) static VIHTTP
object network infiniteblue.com
nat (any,any) static 47.19.64.71
object network outside_INFINITYCSMWEBLP
nat (any,any) static outside_INFINITYCSMLP
object network inside_z63TSTLPAR
nat (any,any) static outside_Z63TSTLPAR
object network inside_RHELTEST
nat (any,any) static outside_RHELtest
object network inside_TIAAPOC
nat (DMZ,LPOUT) static tiaaPocOutside
!
nat (LPOUT,LPOUT) after-auto source dynamic VPNPool interface
access-group DMZ_access_in in interface DMZ
access-group ACL-LPOUT-INBOUND in interface LPOUT
route LPOUT 0.0.0.0 0.0.0.0 47.19.64.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 2:00:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 DMZ
http 0.0.0.0 0.0.0.0 inside
snmp-server host DMZ 10.100.0.55 community ***** version 2c udp-port 161
snmp-server host DMZ 10.100.0.56 community ***** version 2c udp-port 161
snmp-server host DMZ 10.100.0.59 community ***** version 2c udp-port 161
snmp-server location One Penn Plaza
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 1440
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map3 10 match address outside_cryptomap
crypto map outside_map3 10 set peer 170.2.52.28
crypto map outside_map3 10 set ikev1 transform-set myset
crypto map outside_map3 10 set ikev2 ipsec-proposal AES256
crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map DMZ_map interface DMZ
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn firewall
subject-name CN=firewall
no client-types
proxy-ldc-issuer
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable DMZ client-services port 443
crypto ikev1 enable DMZ
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 1440
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 DMZ
ssh 0.0.0.0 0.0.0.0 inside
ssh 173.251.21.2 255.255.255.255 LPOUT
ssh timeout 15
console timeout 0
management-access inside
vpn-sessiondb max-other-vpn-limit 25
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 25

dhcp-client update dns server none
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config LPOUT
!
dhcpd address 10.100.0.100-10.100.0.199 DMZ
dhcpd dns 8.8.8.8 interface DMZ
dhcpd enable DMZ
!
dhcpd address 172.16.1.100-172.16.1.199 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 192.168.16.100-192.168.16.199 guests
dhcpd dns 8.8.8.8 interface guests
dhcpd enable guests
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.29
ntp server 129.6.15.28 prefer
webvpn
enable LPOUT
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.0.08057-k9.pkg 3
anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 4
anyconnect enable
tunnel-group-list enable
group-policy sslvpn internal
group-policy sslvpn attributes
banner value Welcome to Infinity Systems Software VPN
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value infinite-blue.com
address-pools value VPNPool
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
webvpn
anyconnect ask enable
group-policy GroupPolicy_ISSI internal
group-policy GroupPolicy_ISSI attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol l2tp-ipsec
default-domain value infinite-blue.com
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-filter value test1
address-pools value VPNPool
client-access-rule none
group-policy Systems internal
group-policy Systems attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value infinite-blue.com
split-tunnel-all-dns enable
group-policy cisco internal
group-policy cisco attributes
banner value Welcome to ISSI
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
default-domain value infinite-blue.com
tunnel-group Systems type remote-access
tunnel-group Systems general-attributes
address-pool SYSPool
default-group-policy Systems
tunnel-group Systems webvpn-attributes
group-alias Systems enable
tunnel-group Systems ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool VPNPool
default-group-policy cisco
tunnel-group cisco ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group sslvpn type remote-access
tunnel-group sslvpn general-attributes
address-pool (inside) VPNPool
address-pool VPNPool
default-group-policy sslvpn
tunnel-group sslvpn webvpn-attributes
group-alias VPN enable
tunnel-group 170.2.52.28 type ipsec-l2l
tunnel-group 170.2.52.28 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group ISSI type remote-access
tunnel-group ISSI general-attributes
address-pool VPNPool
default-group-policy GroupPolicy_ISSI
tunnel-group ISSI webvpn-attributes
group-alias ISSI enable
tunnel-group ANYCONNECT_VPN type remote-access
tunnel-group ANYCONNECT_VPN general-attributes
address-pool VPNPool
default-group-policy Systems
tunnel-group ANYCONNECT_VPN webvpn-attributes
group-alias ANYCONNECT_VPN enable
!
class-map DMZ-class
match any
class-map inspection_default
match default-inspection-traffic
class-map qos
description qos policy for guest-network
match access-list ip-qos
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
flow-export event-type all destination 10.100.0.59
user-statistics accounting
policy-map qos
class qos
police output 1536000 1536000
police input 1024000 1024000
policy-map DMZ-policy
description DMZ-QoS Priority
class DMZ-class
priority
!
service-policy global_policy global
smtp-server 10.100.0.4
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:4bd0890f1e6bc1c7afd71c904d4559e9
inside#


----------



## MitchConner (May 8, 2015)

Can you definitely confirm that those hosts are up before we go deep? You can't ping some of them from the firewall itself (inside# ?) which is odd.


----------



## mrw5641 (Aug 14, 2015)

Not sure, we can't access them from the wireless network either. Seems everything down.


----------



## mrw5641 (Aug 14, 2015)

Certain things seem up we can hit 10.100.0.132 from VPN and from wireless01, and some don't work at all.


----------



## MitchConner (May 8, 2015)

Have you got a user on site to check the host?


----------



## mrw5641 (Aug 14, 2015)

Yep, just did. He couldn't connect to the ones I asked him to connect to from the wireless network, but he could connect to .132.

I had him try and connect to .66 / .107 no luck but he can connect to .132


----------



## MitchConner (May 8, 2015)

Ok mate. I'll pick this up in a little while when I get home from work and don't have to scroll through config on my phone.


----------



## mrw5641 (Aug 14, 2015)

OK, I appreciate it. For anything I try to connect to from the only host that works, it says no route to host. Really appreciate it.


----------



## mrw5641 (Aug 14, 2015)

Mitch - there was an outage on one of my systems. No issues with the firewall


----------



## MitchConner (May 8, 2015)

Glad you got it sorted mate!


----------



## mrw5641 (Aug 14, 2015)

Hi Mitch,

Question for you. Hope all is well. When trying to upload a 100 MB file from my desktop logging into the VPN it says it is going to take 8 hours and then goes up and up. We are getting 50 MB / S. Is there any reason it is going so slow?


----------



## MitchConner (May 8, 2015)

How are you transferring the file mate?


----------



## mrw5641 (Aug 14, 2015)

Using WinSCP and/or the CMD prompt. I am getting KB/s.


----------



## mrw5641 (Aug 14, 2015)

Mitch

I am seeing a ton of traffic going in and out of the network constantly maxing out our circuit at 50 MB/S. Can you help me diagnose the issue?

Please


----------



## MitchConner (May 8, 2015)

Hi mate.

Sorry for the delay in replying. Your slowness issue (1st post) is likely because WinSCP is pretty slow in itself (I'd use a different protocol).

If something is chewing up your bandwidth, you have a few options. You can use show connections from the CLI, export it into Excel and check the bytes per connection.

You can enable NetFlow on the ASA and export to a collector to view the flows, although finding a decent NetFlow collector for free isn't the easiest of tasks.

The other (easiest) way is through using the ASDM. If you log into ASDM, in the firewall dashboard you'll see Top destinations, services and sources. In order to see it, you'll need to ensure you have basic threat detection enabled. You can enable threat detection either through the cli or ASDM.
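As an added illustration of the "show conn, export, check bytes per connection" approach above (this is example code, not from the thread), the script below parses show conn output, ranks connections by bytes, sums bytes per host on one interface and emits CSV for a spreadsheet. It assumes the ASA 9.x line format shown in the sample, which is constructed rather than taken from the poster's firewall.

```python
"""Rank ASA 'show conn' output by bytes per connection.

Added example, not from the thread. Assumed line format (ASA 9.x):
  PROTO IFACE A.B.C.D:PORT IFACE A.B.C.D:PORT, idle H:MM:SS, bytes N, flags F
Header and counter lines that do not match that shape are skipped.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of 'show conn' output. Interface names follow the
# thread's config (DMZ, LPOUT, inside); outside addresses are documentation
# ranges, and 10.100.0.120 is the DMZ host named in the poster's logs.
SAMPLE_SHOW_CONN = """\
5 in use, 102 most used
TCP LPOUT 198.51.100.7:443 DMZ 10.100.0.120:50214, idle 0:00:02, bytes 1834652, flags UIO
TCP LPOUT 203.0.113.9:22 DMZ 10.100.0.132:41022, idle 0:00:41, bytes 4120, flags UIO
UDP LPOUT 8.8.8.8:53 inside 172.16.1.150:55301, idle 0:00:01, bytes 312, flags -
TCP LPOUT 198.51.100.7:443 DMZ 10.100.0.120:50215, idle 0:00:00, bytes 2917330, flags UIO
TCP LPOUT 192.0.2.44:80 inside 172.16.1.120:49877, idle 0:01:12, bytes 75811, flags UIO
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),?\s+"
    r"idle\s+(?P<idle>[\d:]+),?\s+bytes\s+(?P<bytes>\d+)"
)

FIELDS = ["proto", "if_a", "ip_a", "port_a", "if_b", "ip_b", "port_b", "idle", "bytes"]


def parse_show_conn(text):
    """Return one dict per connection line; unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["bytes"] = int(d["bytes"])
        conns.append(d)
    return conns


def top_connections(conns, n=3):
    """The n connections carrying the most bytes, largest first."""
    return sorted(conns, key=lambda c: c["bytes"], reverse=True)[:n]


def bytes_per_host(conns, interface):
    """Sum bytes per host sitting on `interface`, whichever side of the flow it is on."""
    totals = defaultdict(int)
    for c in conns:
        if c["if_a"] == interface:
            totals[c["ip_a"]] += c["bytes"]
        if c["if_b"] == interface:
            totals[c["ip_b"]] += c["bytes"]
    return dict(totals)


def to_csv(conns):
    """CSV text of the parsed connections, ready to open in a spreadsheet."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(conns)
    return out.getvalue()


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    for c in top_connections(conns):
        print(c["bytes"], c["if_b"], c["ip_b"], "<->", c["if_a"], c["ip_a"])
    print(bytes_per_host(conns, "DMZ"))
```

Paste the real output into SAMPLE_SHOW_CONN (or read it from a file) and the per-host totals point straight at the talker saturating the circuit.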


----------



## mrw5641 (Aug 14, 2015)

Thank you Mitch. I blocked some stuff and removed from ports and speed is up to 30 now. Here is what I am seeing within the logs:

4  Nov 17 2015  16:08:42  104.35.38.71  0  47.19.64.85  58969  Invalid transport field for protocol=TCP, from 104.35.38.71/0 to 47.19.64.85/58969

4  Nov 17 2015  16:08:53  [ ACL drop] drop rate-1 exceeded. Current burst rate is 235 per second, max configured rate is 800; Current average rate is 572 per second, max configured rate is 400; Cumulative total count is 343671

4  Nov 17 2015  16:08:56  [ 10.100.0.120] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 10; Current average rate is 15 per second, max configured rate is 5; Cumulative total count is 18938


----------



## MitchConner (May 8, 2015)

Are you seeing those on ingress?


----------



## MitchConner (May 8, 2015)

Checking through your config, to refresh my memory, says yes. It looks like a recon attack as it's using port 0 as the source port. The fact your ASA is dropping it is a good thing.

If you look in the log viewer on the ASA and plug in 104.35.38.71 as the source address, how many hits are you seeing in the log?


----------



## mrw5641 (Aug 14, 2015)

I have seen a big drop since I removed ssh, https, and other items from certain servers. The biggest hitter is dmz (any,any) service ip (deny) has over 1 million hits. I turned off logging. The hit on that was going crazy.


----------



## MitchConner (May 8, 2015)

Leave logging enabled mate, unless it's chewing up CPU or memory on the ASA. Is that 1 million hits over a short period of time or over a long period?

You could be the victim of a DoS attack if you're getting hammered from a single address using 0 as a source port.


----------



## MitchConner (May 8, 2015)

If you don't recognise that source address, and you're under a volumetric DoS attack, the next port of call would be your ISP, as there is nothing you can do to stop it.


----------



## mrw5641 (Aug 14, 2015)

Thank you. I blocked the traffic. I do have 1 final question.

Why does the order of the access rules matter? How does that work?


Meaning I had website down at the bottom let's say at rule 22 and I moved it to rule 10 and it works now. What is with that?


----------



## MitchConner (May 8, 2015)

Hi mate,

Your ASA should automatically drop anything with a source port of 0 or anything exceeding the specified burst rate; you shouldn't need a specific rule. That being said, blocking that IP completely is a good starting point to prevent other 'nefarious' activities. Don't forget to give the ISP a call (use an IP lookup tool online, I think that IP was Comcast) and report that IP.

With regard to your rule base, do you have any denies in the middle of your rules? If so, take them out and leave the implicit deny at the bottom to take care of it. Another thing to consider is that there may be a more specific rule above that rule which is matching, so the additional rule won't be processed.


----------



## mrw5641 (Aug 14, 2015)

Thank you. That makes sense. Is it possible to help me get the internet working on my VPN? I am also having some trouble getting guests on the 10.100.0 network access to the web


----------



## MitchConner (May 8, 2015)

Hi mate, you need to go ahead and enable split DNS for your VPN tunnel.


----------



## mrw5641 (Aug 14, 2015)

What about internet access for the 10.100.0.0/24 guests?


----------



## MitchConner (May 8, 2015)

Sorry mate, I think I misread your question. Check your dynamic NAT statement for your 10.x network object.


----------



## mrw5641 (Aug 14, 2015)

Here is what I have and it isn't working.

DMZ, LPOUT obj-10.100.0.0-guests to (any,any) to LPOUT


----------



## mrw5641 (Aug 14, 2015)

Mitch, I got the internet to work. I have DMZ IP TO IP blocked. I unblocked it and it works. Is there anyway to make this more secure? I am getting a ton and a ton of hits on this.


----------



## MitchConner (May 8, 2015)

If you only want to allow internet traffic, you can add an outbound rule that only allows ports 80, 443, etc.


----------



## MitchConner (May 8, 2015)

If you can forward me your current config (just attach as a text file, masking your public IPs) I'll take a look at your config.


----------



## mrw5641 (Aug 14, 2015)

I know there is a command to get it to text file can you tell me what that is please?

Do you have an email?

I am learning a lot! Thanks for all of your help.


----------



## MitchConner (May 8, 2015)

Hi mate, you can pm it to me or attach to the thread. You can output the config using copy start tftp and plugging in your tftp address.


----------



## mrw5641 (Aug 14, 2015)

Sent you a PM, Mitch


----------



## mrw5641 (Aug 14, 2015)

Can you restrict specific guests from getting to the internet? For example, restricting a website from going out?


----------



## mrw5641 (Aug 14, 2015)

I was able to restrict guests from getting out.


----------



## MitchConner (May 8, 2015)

I'll run your config through my ASA in a few minutes and come back to you. In reference to your message question, remove the IP any any rule. Any rules that have an any statement are not good practice. Lock it down (inbound) to FTP ports, i.e.:

access-list DMZ_access_in permit tcp any host serverip eq ftp

and remove

access-list DMZ_access_in extended permit ip any any log disable


----------



## mrw5641 (Aug 14, 2015)

I am starting to understand the rules more now


----------



## MitchConner (May 8, 2015)

I'm not sure that you gave me the most recent running config as two interface IP addresses had five octets.

Remove your deny rules from your access lists; you don't need them. If there is no permit statement, the firewall will block them using an implicit deny:

no access-list DMZ_access_in extended deny ip any host 10.0.0.0.51
no access-list DMZ_access_in extended deny ip any host 10.0.0.0.52
no access-list ACL-LPOUT-INBOUND extended deny object-group DM_INLINE_SERVICE_4 any any
access-list ACL-LPOUT-INBOUND extended deny object-group DM_INLINE_SERVICE_3 host 104.35.38.71 any
no access-list ACL-LPOUT-INBOUND extended deny tcp object-group BlackList any object-group DM_INLINE_TCP_5
no access-list ACL-LPOUT-INBOUND extended deny tcp host 94.102.3.151 any object-group DM_INLINE_TCP_4

The security level on an interface will define what traffic is allowed to pass without an ACL, i.e. higher to lower is allowed (inside network of 100 to DMZ of 50, or outside of 0); DMZ to inside wouldn't be allowed without a specific access-list. The outside (public facing and untrusted) can't access any internal resource without an access-list.

In order to have a more granular control, we add access lists to control the flow of data using specific rules between interfaces of different security levels, the more specific the better.

Hopefully that makes sense, but if you're not sure or need a further explanation then just let me know mate.
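Added example (not code from the thread) modelling the rule-ordering explanation given earlier and the security-level description in this post: a first-match evaluator with the implicit deny, a shadow check for entries that an earlier any/any makes unreachable, and the higher-to-lower fallback for an interface with no ACL bound. The rule base is a constructed copy patterned on the DMZ_access_in entries quoted in the thread; the host and pool addresses are taken from the thread, the test packets are made up.

```python
"""First-match ACL evaluation and security-level fallback, ASA style.

Added example, not from the thread. Entries are checked top-down and the
first match wins, so a broad entry above a narrower one shadows it; no
match means the implicit deny. An interface with no ACL bound falls back
to security levels (higher-to-lower passes, lower-to-higher is denied).
"""
import ipaddress

# Security levels as described in the thread: inside 100, DMZ 50, outside 0.
SECURITY_LEVELS = {"inside": 100, "DMZ": 50, "LPOUT": 0}
ANY = "0.0.0.0/0"


class Ace:
    """One access-control entry: action, protocol, source/destination network, optional dst port."""

    def __init__(self, action, proto, src, dst, dport=None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)

    def matches(self, pkt):
        """True if this entry matches a packet given as {proto, src, dst, dport}."""
        return (self.proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.dport in (None, pkt.get("dport")))

    def covers(self, other):
        """True if every packet matching `other` would already match this entry."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dport in (None, other.dport))


def evaluate_acl(acl, pkt):
    """Return (action, index) of the first matching entry, or ('deny', None) for the implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None


def shadowed_entries(acl):
    """Indices of entries that can never be reached because an earlier entry covers them."""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]


def allowed(ingress, egress, pkt, acls):
    """Packet entering `ingress` toward `egress`: bound ACL decides if present, else security levels."""
    acl = acls.get(ingress)
    if acl is not None:
        return evaluate_acl(acl, pkt)[0] == "permit"
    return SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]


# Constructed copy of the problem rule base: 'permit ip any any' comes first,
# so the two denies and the narrower permit below it are never consulted.
DMZ_ACCESS_IN_BEFORE = [
    Ace("permit", "ip", ANY, ANY),
    Ace("deny", "ip", ANY, "10.100.0.51/32"),
    Ace("deny", "ip", ANY, "10.100.0.52/32"),
    Ace("permit", "ip", "172.16.1.64/26", "10.100.0.53/32"),
]

# Constructed tightened version: no any/any, no explicit denies, one service per host.
DMZ_ACCESS_IN_AFTER = [
    Ace("permit", "tcp", ANY, "10.100.0.53/32", dport=21),    # ftp only, as suggested
    Ace("permit", "ip", "172.16.1.64/26", "10.100.0.53/32"),   # VPN pool to that host
]

if __name__ == "__main__":
    ssh_to_51 = {"proto": "tcp", "src": "172.16.1.70", "dst": "10.100.0.51", "dport": 22}
    print(evaluate_acl(DMZ_ACCESS_IN_BEFORE, ssh_to_51))   # ('permit', 0): the deny never fires
    print(shadowed_entries(DMZ_ACCESS_IN_BEFORE))          # [1, 2, 3]
    print(evaluate_acl(DMZ_ACCESS_IN_AFTER, ssh_to_51))    # ('deny', None): implicit deny
    acls = {"DMZ": DMZ_ACCESS_IN_AFTER}
    print(allowed("inside", "DMZ", ssh_to_51, acls))       # True: 100 -> 50 with no ACL on inside
    print(allowed("DMZ", "inside", ssh_to_51, acls))       # False
```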


----------



## mrw5641 (Aug 14, 2015)

Thanks again Mitch. You have been very helpful!


----------



## mrw5641 (Aug 14, 2015)

Is there a way to test the speed? Speedtest.net from wireless is showing 30 MB download speed and 50 upload speed. When I transfer a file to my FTP server I am getting about 800KB/S. Any reason why?


----------

