[c-nsp] vpn issues

Bill Duffy security at 4duffy.com
Fri Jun 17 17:18:15 EDT 2011 


  When connected to the VPN I can't access inside resources or the internet.  using vpn client.

  : Saved
  :
  ASA Version 8.0(3)
  !
  hostname -asa
  domain-name enterprises.local
  enable password xxx encrypted
  names
  !
  interface Vlan1
   nameif inside
   security-level 100
   ip address 10.1.1.254 255.255.255.0
  !
  interface Vlan2
   nameif outside
   security-level 0
   ip address x.x.x.x 255.255.255.192
  !
  interface Ethernet0/0
   switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passwd 3sjiWaXsnourf7bS encrypted
  boot system disk0:/asa803-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
   domain-name enterprises.local
  access-list vpngroup_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
  access-list vpngroup_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.200.200.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.200.200.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.200.200.0 255.255.255.0 any
  access-list nonat extended permit ip any 10.200.200.0 255.255.255.0
  access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.200.200.0 255.255.255.0
  access-list nonat extended permit ip 10.200.200.0 255.255.255.0 any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool ippool 10.200.200.1-10.200.200.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-603.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (outside,inside) tcp interface 3389 10.1.1.50 3389 netmask 255.255.255.255
  route outside 0.0.0.0 0.0.0.0 67.77.132.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 10.1.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 

  ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA 

  ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet 10.1.1.0 255.255.255.0 inside
  telnet timeout 60
  ssh 10.1.1.0 255.255.255.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 60
  console timeout 0

  threat-detection basic-threat
  threat-detection statistics access-list
  group-policy vpngroup internal
  group-policy vpngroup attributes
   dns-server value 10.1.1.50 10.1.1.36
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value vpngroup_splitTunnelAcl
   default-domain value enterprises.com
  username xxxxx password xxx encrypted privilege 0
  username xxxxx attributes
   vpn-group-policy vpngroup
  tunnel-group vpngroup type remote-access
  tunnel-group vpngroup general-attributes
   address-pool ippool
   default-group-policy vpngroup
  tunnel-group vpngroup ipsec-attributes
   pre-shared-key *
  !
  class-map inspection_default
   match default-inspection-traffic
  !
  !
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  !
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:4e8d71ca3aab37a92459da8c043c0f88
  : end
  -asa(config)#

More information about the cisco-nsp mailing list