Limited Resources accessible through VPN tunnel

Unanswered Question
Aug 24th, 2016
I have an IPsec VPN tunnel set up between an ASA 5505 on our end and a Sophos on our associate's end. We are having several issues. The first is that I defined the network that they can access as IP addresses 10.100.6.65 through 10.100.6.73, but they can only access .66 and .67. I used the VPN setup wizard and created a group policy also. I did not create any access rules independently, as it was my understanding that specifying the remote and local networks while setting up the VPN took care of this. Also, the associate cannot initiate the tunnel; only we can. I have pasted the ASA config below and would appreciate any help. The tunnel in question is the 66.195.155.226 tunnel. Thanks


CON-ASA5510# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname CON-ASA5510
domain-name XXXXXX
enable password 5DvauU9v6Csl8a7g encrypted
passwd 5DvauU9v6Csl8a7g encrypted
names
name 10.100.6.38 CityRX2
name 10.100.5.8 CityApps description Citrix Server
name 10.100.5.7 CityApps2
name 10.100.120.152 FDD-PCs description Fire Dispatch Computers
name 10.100.5.52 CityMail1 description Hub Transport Server
name 192.168.12.0 Library-Legacy description "Old" Library Network
name 71.181.12.198 mail.nashuanh.gov description Mail natted Address
name 71.181.12.232 CityFTP description FTP server
name 71.181.12.211 CityRAS2 description PPTP VPN Server
name 64.222.165.243 DNS1 description Fairpoint DNS Server #1
name 64.222.84.243 DNS2 description Fairpoint DNS Server #2
name 71.181.12.231 CityWeb description Web Server
name 71.181.12.248 CityGISWeb2 description GIS Web Server
name 71.181.12.214 BroadCast-PIX description For PEG TV
name 10.100.6.32 CityTelestaff description Telestaff Server
name 64.22.125.89 atl01.telestaff.net description Telestaff Hosted Server
name 67.18.208.95 dal01.telestaff.net description Telestaff Hosted Server
name 66.160.141.75 fre01.telestaff.net description Telestaff Hosted Server
name 10.100.6.24 CityKronoss2
name 10.100.6.39 CityTrain
name 10.100.6.37 CityKronosS1
name 10.100.6.34 CityKronosTest
name 71.181.12.247 CityGISWeb3 description Another GIS Web Server
name 71.181.12.250 Wordpress-Centos-Server description Allow for SFTP to WordPress Server
name 209.67.142.202 psm.telestaff.net
name 10.100.5.40 citycmdb description access Change Gear
name 71.181.12.226 City-Nashua-DMV-VPN description Nashua-DMV-VPN-DMZ-IP
name 72.95.124.69 Concord-DMV-VPN description VPN endpoint at concord DMV
name 10.100.6.10 cityspicewin7
name 10.100.6.101 citywsus
name 71.181.12.219 CityRouteCloud description RouteMatch cloud to monitor
name 67.220.100.110 Route-Match-Cloud description data from cloud to terminal in transit
name 10.100.5.22 CityTerm1
name 10.100.5.27 CityTerm2
name 10.100.5.43 CityTerm3
name 199.192.3.10 Concord-DMV-VPN2 description New VPN Endpoint 1-15
name 71.181.12.240 Netscaler
name 10.100.5.63 CityCitrix1 description Citrix Storefront
name 10.100.5.60 CityCitrix2 description Citrix Delivery Controller
name 10.100.5.61 CityCitrix3 description Citix Mgmt
name 10.100.5.62 CityCitrixApp description Citrix Virtual Delivery Agent
name 10.100.22.0 Elm_High_Street_Garages description Elm & High Street Garages
name 10.100.5.67 CityFuelXP description CityFuelXP
name 10.100.120.13 CityIMCMSG description CityIMCMSG
name 10.100.5.13 Patriot description Patriot
name 10.100.5.45 CitySQLX description CityCluster1 SQL Address
name 10.100.6.42 CitySMTP description SMTP Server
name 10.100.5.14 Thunderstone description Thunderstone Search Appliance
name 10.100.6.27 CityGIS4 description GIS Virtual Server
name 10.100.5.51 CityNet description Intranet Server
name 10.100.6.49 CityVictor description Camera Server
name 71.181.12.251 CityFilr description Filr Server for File Sharing
name 10.100.6.23 CityManager2 description Server to manage Group Policy +
name 10.100.160.80 HuntBuildingPC description Hunt Building PC for Library Staff
name 10.100.5.2 CityDC2 description City Domain Controller 2
name 10.100.5.3 CityDC3 description City Domain Controller 3
name 10.100.5.5 CityDC5 description City Domain Controller 5
name 71.181.12.234 Netscaler_Management description Netscaler Management IP
name 71.181.12.235 Netscaler_Static_IP description Netscaler Static IP
name 10.98.3.4 NPL-DC1 description Library Domain Controller 1
name 10.98.3.25 NPL-DC2 description Library Domain Controller 2
name 10.100.5.35 CityFile
name 10.100.10.15 NPL-VM1
name 10.100.5.48 CityMail2 description City Mail Server 2
name 10.100.5.36 CityMail3 description City Mail Server 3
name 10.100.30.10 Cablecast_Pro
name 10.98.3.0 Library_Staff_Wired_Network description Wired Network for Library Staff
name 10.98.4.0 Library_Staff_Wireless_Network description Wireless for Library Staff
name 71.181.12.212 Slingbox_Public description Slingbox Public IP
name 10.100.110.25 Slingbox_Private description Slingbox Internal IP
name 173.162.244.73 HVAC_Vendor description HVAC Vendor
name 71.181.12.246 CITYCARTWEB description City Web Server
name 10.100.22.5 CITYCAM_Inside description Camera Server
name 71.181.12.201 CITYCAM_Outside description Camera Server
name 71.181.12.233 Google_Mini
name 10.100.6.56 CitySyslogWatcher description CitySyslogWatcher
name 10.100.6.48 Scrutinizer description Scrutinizer
name 71.181.4.142 CH_IT1941_Outside description Router Interface Facing Fairpoint
name 10.100.6.63 CITYPICTOMETRY1 description CITYPICTOMETRY IP 1
name 10.100.7.125 CITYPICTOMETRY2 description CITYPICTOMETRY IP 2
name 10.100.95.11 Dana_PC description Dana PC
name 10.100.5.90 DPW-Backup1 description DPW Backup Server
name 10.100.5.55 CITYWSUS2 description City Wsus Server
name 71.181.12.249 CityGISWeb4 description CityGISWeb4
name 10.100.7.84 RS_GIS description Rack Station GIS
name 10.100.6.52 CityOnBase description CityOnBase Server
name 10.100.6.53 CityOnBaseWeb description CityOnBaseWeb Server
name 10.100.6.110 IPSentry description IPSentry Sever
name 10.100.5.80 CitySpiceworks description City SpiceWorks Sever
name 46.163.100.220 TeamViewer_Website description TeamViewer Website
name 10.100.30.20 City_HVAC_COntroller_Inside description Inside HVAC IP
name 71.181.12.218 City_HVAC_Controller_Outside description HVAC Controller at City Hall Outside Ip
name 69.25.43.0 LogicMonitor1 description LogicMonitor Network 1
name 38.100.30.0 LogicMonitor2 description LogicMonitor Network 2
name 74.201.65.0 LogicMonitor3 description LogicMonitor Network 3
name 38.100.37.0 LogicMonitor4 description LogicMonitor Network 4
name 212.118.245.0 LogicMonitor5 description LogicMonitor Network 5
name 149.5.93.0 LogicMonitor6 description LogicMonitor Network 6
name 52.52.63.0 LogicMonitor7 description LogicMonitor Network 7
name 52.202.255.64 LogicMonitor8 description LogicMonitor Network 8
name 10.98.3.21 NPL-Admin2 description NPL-Admin2
name 10.100.110.28 Broadcast_PIX_Inside
name 10.100.5.28 City_RAS2_Inside
name 10.100.95.0 IT_Network
name 10.98.2.0 Library_Public_PC_Network description Library Public PC Network
name 71.181.12.199 CON_Public_IP description Public PAT for City Network
name 216.177.20.0 NH_Legislative_Broadcast_Network
name 10.100.0.0 City_LAN description All City Inside Networks
name 10.100.106.0 Edgewood_Cemetary_Network
name 10.100.5.0 Servers_Network1
name 10.100.6.0 Servers_Network2
name 10.100.32.16 Transit_Hut_Monitor
name 10.100.4.0 VMS_Servers_network description Network for VMS Servers
name 10.100.104.0 Woodlawn_Cemetary_Network
name 71.181.12.200 CON_Public_IP_2
name 10.100.250.10 CityBloxx description Bloxx Device
name 71.181.12.215 CityTeleStaff_Outside
name 12.28.108.0 MSW_DVR_Vendor
name 71.181.12.209 MSW-DVR_Outside description DVR Unit at Solid Waste
name 10.100.109.17 MSW_DVR
name 10.14.2.52 School_ADFS_Server description School's ADFS Server
name 10.100.250.128 NATExemptVPNpoolnew description allow VPN assigned IP without NAT
name 10.100.6.65 CITYADFS description CITYADFS
name 10.100.6.61 InfoDB1 description InforDB1
name 10.100.6.73 InforDB description InforDB
name 10.100.6.71 InforDB1 description InforDB1
name 10.100.6.72 InforDB2 description InforDB2
name 10.100.6.70 InforLBI description InforLBI
name 10.100.6.67 InforLRE description InforLRE
name 10.100.6.66 InforLSF description InforLSF
name 10.100.6.69 InforLSO description InfoLSO
name 10.100.6.68 InforMing description InforMING
name 10.244.3.1 Lawson_VPN_External description IP for Lawson VPN
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 71.181.12.194 255.255.255.224
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 71.181.12.225 255.255.255.224
!
interface Ethernet0/2
 description Interface facing NPL Firewall
 nameif Library
 security-level 51
 ip address 10.99.0.2 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.100.250.2 255.255.255.0
 ospf message-digest-key 5 md5 *****
 ospf authentication message-digest
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.252
 management-only
!
!
time-range Temp
 absolute end 15:23 15 October 2011
 periodic daily 0:00 to 23:59
!
banner exec **You have reached the City of Nashua.  Any unauthorized users will be prosecuted to the fullest extent of the law**
banner login City of Nashua Property - Authorized Users Only
banner login Un-authorized tampering with this equipment is punishable by law
banner login Do not attempt to login if you are not authorized
banner asdm You have reached a device that is the sole property of the City of Nashua.  Unauthorized use that has not been given explicit permission by the City's CIO/IT Division Director is prohiibited.  
banner asdm Any unauthorized users will be prosecuted to the fullest extent of the law.  If you have reached this device in error, you MUST disconnect immediately.  
boot system disk0:/asa825-k8.bin
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup dmz
dns domain-lookup Library
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name nashuanh.gov
same-security-traffic permit intra-interface
object-group service DVRMonitor
 description Allow Viewpoint monitoring company to access Landfill and Streets DVRs
 service-object tcp range 9002 9005
 service-object tcp eq www
object-group service TransitHVAC-tcp-udp
 description Access to Transit garage HVAC control from Control Technologies
 service-object tcp-udp eq 1911
 service-object tcp-udp eq 3011
 service-object tcp-udp eq 8080
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service For_Pete tcp
 description Web Access to SX2 Server
 port-object eq 8100
object-group service netflow udp
 description netflow monitoring
 port-object eq 9991
object-group service Netbios_All tcp
 description Netbois ports necessary for accessing a file share
 port-object range 135 netbios-ssn
object-group service Netbios udp
 description File sharing ports for NetBios
 port-object range 135 139
object-group service NetStat udp
 description Netstat port
 port-object eq 15
object-group network DM_INLINE_NETWORK_5
 network-object VMS_Servers_network 255.255.255.0
 network-object Servers_Network1 255.255.255.0
 network-object Servers_Network2 255.255.255.0
 network-object host 10.100.30.36
 network-object host 10.100.32.80
object-group service AgentMon tcp
 description CBE Agent for monitoring servers port
 port-object eq 5721
object-group service Symantec
 description Ports for Symantec Endpoint Protection
 service-object tcp eq 8014
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq 39999
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp eq 814
object-group service PASV-FTP tcp
 description Passive FTP port range for FTP Server
 port-object range 1024 1033
object-group network Fairpoint-DNS
 description Fairpoint DNS Servers for EDIA Service
 network-object host DNS1
 network-object host DNS2
object-group service RouteMatch udp
 description RouteMatch Tablets to Web Server
 port-object range 55923 55925
object-group service RM_Out udp
 description Tablet Communication
 port-object eq 1234
object-group network DM_INLINE_NETWORK_4
 network-object host atl01.telestaff.net
 network-object host fre01.telestaff.net
 network-object host dal01.telestaff.net
 network-object host psm.telestaff.net
object-group network DM_INLINE_NETWORK_8
 network-object host CityMail1
 network-object host CityMail3
 network-object host CityMail2
object-group network DM_INLINE_NETWORK_9
 network-object host CityDC2
 network-object host CityDC3
 network-object host CityDC5
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group network CHECVPN
 description VPN Access Group for Edgewood Cemetary
 network-object 10.100.200.0 255.255.255.0
 network-object VMS_Servers_network 255.255.254.0
 network-object Servers_Network2 255.255.255.0
 network-object IT_Network 255.255.255.192
object-group service CIFS tcp
 description File Sharing
 port-object range 137 netbios-ssn
 port-object eq 445
object-group service SFTP tcp
 description Secure FTP
 port-object eq ssh
object-group service DM_INLINE_SERVICE_3
 service-object tcp-udp
 service-object tcp range 3001 3001
object-group service autodiscover tcp
 port-object eq 587
object-group network Cocnord-DMV-endpoints
 network-object host Concord-DMV-VPN2
 network-object host Concord-DMV-VPN
object-group service DM_INLINE_TCP_6 tcp
 port-object eq www
 port-object eq https
object-group service citrix-storefront
 service-object tcp eq https
 service-object tcp eq 8443
 service-object tcp eq citrix-ica
 service-object tcp eq www
 service-object tcp eq 2598
object-group service citrix-delivery
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq 88
 service-object tcp eq ldap
 service-object tcp eq 464
 service-object tcp eq 1433
 service-object tcp eq 8080
 service-object tcp eq citrix-ica
 service-object tcp eq 2598
 service-object tcp eq 8008
object-group service ADports
 service-object tcp-udp eq domain
 service-object tcp-udp eq 389
 service-object tcp eq ldaps
 service-object tcp eq 3268
 service-object tcp eq 3269
 service-object tcp-udp eq 88
 service-object tcp-udp eq 445
 service-object tcp eq smtp
 service-object tcp eq 135
 service-object tcp eq 5722
 service-object udp eq ntp
 service-object tcp-udp eq 464
 service-object udp eq netbios-dgm
 service-object tcp eq 9389
 service-object udp eq netbios-ns
 service-object tcp eq netbios-ssn
 service-object tcp-udp range 49152 65535
object-group network DM_INLINE_NETWORK_12
 network-object host CityFile
 network-object host citywsus
 network-object host CityRX2
 network-object host CITYWSUS2
 network-object host CitySpiceworks
object-group network CityCitrix
 description Citrix Environment
 network-object host CityCitrix2
 network-object host CityCitrix3
 network-object host CityCitrixApp
 network-object host CityCitrix1
object-group network DM_INLINE_NETWORK_15
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_16
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_17
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_18
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_19
 network-object host Netscaler
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_23
 network-object host CityDC2
 network-object host CityDC3
 network-object host CityDC5
object-group service radius
 service-object udp eq 1812
 service-object udp eq 1813
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 1433
 port-object eq www
object-group network DM_INLINE_NETWORK_1
 network-object host CityGISWeb3
 network-object host CityGISWeb2
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_10
 network-object host CityDC2
 network-object host CityDC3
 network-object host CityDC5
object-group network DM_INLINE_NETWORK_11
 network-object host CityDC2
 network-object host CityDC3
 network-object host CityDC5
object-group network DM_INLINE_NETWORK_7
 network-object host CityDC2
 network-object host CityDC3
 network-object host CityDC5
object-group network DM_INLINE_NETWORK_2
 network-object host CityKronoss2
 network-object host CityKronosTest
 network-object host CityKronosS1
 network-object host CityTrain
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_3
 network-object host CityFile
 network-object host citywsus
 network-object host CityRX2
 network-object host CITYWSUS2
 network-object host CitySpiceworks
object-group network DM_INLINE_NETWORK_6
 network-object host CityKronoss2
 network-object host CityKronosTest
 network-object host CityKronosS1
 network-object host CityTrain
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp eq www
object-group service Cameras tcp
 description For Parking Garage Cameras
 port-object eq rtsp
object-group service Cameras_UDP udp
 port-object eq 554
object-group network DM_INLINE_NETWORK_14
 network-object host CITYPICTOMETRY1
 network-object host CITYPICTOMETRY2
object-group service VideoEdge tcp-udp
 description Camera Server Mobile App
 port-object eq 8125
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_20
 network-object host CITYWSUS2
 network-object host citywsus
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq 445
 service-object tcp eq netbios-ssn
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
object-group network DM_INLINE_NETWORK_21
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_22
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_24
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_25
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_26
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_27
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_28
 network-object Library_Staff_Wired_Network 255.255.255.0
 network-object Library_Staff_Wireless_Network 255.255.255.0
object-group network DM_INLINE_NETWORK_29
 network-object host CityOnBase
 network-object host CityOnBaseWeb
object-group network Logic_Monitor_Networks
 description LogicMonitor Public IP Address Spaces
 network-object LogicMonitor6 255.255.255.0
 network-object LogicMonitor5 255.255.255.0
 network-object LogicMonitor2 255.255.255.0
 network-object LogicMonitor4 255.255.255.0
 network-object LogicMonitor8 255.255.255.192
 network-object LogicMonitor7 255.255.255.192
 network-object LogicMonitor1 255.255.255.0
 network-object LogicMonitor3 255.255.255.0
object-group network Lawson_VPN
 description Lawson VPN Internal Resources
 network-object host CITYADFS
 network-object host InforLSF
 network-object host InforLRE
 network-object host InforMing
 network-object host InforLSO
 network-object host InforLBI
 network-object host InforDB1
 network-object host InforDB2
 network-object host InforDB
 network-object 10.100.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip City_LAN 255.255.0.0 10.100.105.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.100.105.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip VMS_Servers_network 255.255.255.0 Woodlawn_Cemetary_Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 71.181.12.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip Servers_Network1 255.255.255.0 Woodlawn_Cemetary_Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Servers_Network1 255.255.255.0 Edgewood_Cemetary_Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip VMS_Servers_network 255.255.255.0 Edgewood_Cemetary_Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Servers_Network2 255.255.255.0 Edgewood_Cemetary_Network 255.255.255.0
access-list inside_nat0_outbound remark Allow non-natted traffic for vpn clients
access-list inside_nat0_outbound extended permit ip any 10.100.250.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.99.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.98.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any Library-Legacy 255.255.255.0
access-list inside_nat0_outbound extended permit ip City_LAN 255.255.0.0 Edgewood_Cemetary_Network 255.255.255.128
access-list inside_nat0_outbound remark Allow access to VPN clients from internal network
access-list inside_nat0_outbound extended permit ip any NATExemptVPNpoolnew 255.255.255.224
access-list inside_nat0_outbound extended permit ip object-group Lawson_VPN host Lawson_VPN_External
access-list Library_access_in remark Allow in for ERP Servers
access-list Library_access_in extended permit tcp Library_Staff_Wired_Network 255.255.255.0 10.100.200.0 255.255.255.0
access-list Library_access_in remark Allow access for Change Gear
access-list Library_access_in extended permit object-group TCPUDP Library_Staff_Wired_Network 255.255.255.0 host citycmdb eq www
access-list Library_access_in remark Allow in for Web Servers
access-list Library_access_in extended permit tcp Library_Staff_Wired_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_2
access-list Library_access_in remark Allow access for CityFile, citywsus, cityspicewin7, & CityRX2
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 host Thunderstone
access-list Library_access_in extended permit tcp Library_Staff_Wired_Network 255.255.255.0 host CityNet
access-list Library_access_in remark Allow access for Library Staff to Hunt Building PC
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 host HuntBuildingPC
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 host NPL-VM1
access-list Library_access_in extended permit icmp any any echo-reply
access-list Library_access_in extended permit icmp any any unreachable
access-list Library_access_in remark Allow in for domain controller authentication
access-list Library_access_in extended permit ip any object-group DM_INLINE_NETWORK_9
access-list Library_access_in remark Allow in for Exchange
access-list Library_access_in extended permit ip any object-group DM_INLINE_NETWORK_8
access-list Library_access_in remark Allow HTTP to Citywsus from library vlan with private and public PC's
access-list Library_access_in extended permit tcp Library_Public_PC_Network 255.255.255.0 object-group DM_INLINE_NETWORK_20 eq www
access-list Library_access_in remark Allow Library Domain COntroller 1 access into City
access-list Library_access_in extended permit ip host NPL-DC1 any
access-list Library_access_in remark Allow Library Domain Controller 2 access into City
access-list Library_access_in extended permit ip host NPL-DC2 any
access-list Library_access_in remark Allow Library Staff Wireless in for ERP Servers
access-list Library_access_in extended permit tcp Library_Staff_Wireless_Network 255.255.255.0 10.100.200.0 255.255.255.0
access-list Library_access_in remark Allow Library Staff Wireless in for Web Servers
access-list Library_access_in extended permit tcp Library_Staff_Wireless_Network 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_3
access-list Library_access_in remark Allow Library Staff Wireless access to CityFile, citywsus, cityspicewin7, & CityRX2
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 object-group DM_INLINE_NETWORK_12
access-list Library_access_in remark Allow Library Staff Wireless Access to Change Gear
access-list Library_access_in extended permit object-group TCPUDP Library_Staff_Wireless_Network 255.255.255.0 host citycmdb eq www
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 host Thunderstone
access-list Library_access_in extended permit tcp Library_Staff_Wireless_Network 255.255.255.0 host CityNet
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 host HuntBuildingPC
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 host NPL-VM1
access-list Library_access_in remark Allow Library Staff Internet Access Through EDIA
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 interface outside
access-list Library_access_in remark Allow Staff Access to OnBase
access-list Library_access_in extended permit ip object-group DM_INLINE_NETWORK_28 object-group DM_INLINE_NETWORK_29
access-list Library_access_in remark Allow Library Servers access to IPSentry
access-list Library_access_in extended permit ip host NPL-DC1 host IPSentry
access-list Library_access_in remark Allow NPL-Admin2 in
access-list Library_access_in extended permit ip host NPL-Admin2 any
access-list outside_access_in remark Temp Rule for web server issues
access-list outside_access_in extended deny ip 220.181.0.0 255.255.0.0 any
access-list outside_access_in remark Block access to TeamViewer
access-list outside_access_in extended deny ip host TeamViewer_Website any
access-list outside_access_in remark Allow web access from outside.
access-list outside_access_in extended permit tcp any host City-Nashua-DMV-VPN eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityWeb eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityFTP eq www
access-list outside_access_in extended permit tcp any host Google_Mini eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host Netscaler_Management eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host Netscaler_Static_IP eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host Netscaler eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_27 object-group DM_INLINE_TCP_4
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityGISWeb2 eq www
access-list outside_access_in extended permit tcp any host Wordpress-Centos-Server eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityFilr eq www
access-list outside_access_in extended permit tcp any 71.181.12.224 255.255.255.224 eq https
access-list outside_access_in remark Rule to allow RedBarn access to Sandbox
access-list outside_access_in extended permit tcp any host CityWeb eq 82
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in remark Allow in for FTPS on CityFTP
access-list outside_access_in extended permit tcp any host CityFTP eq 990
access-list outside_access_in remark Allow in for FTPS on CityFTP
access-list outside_access_in extended permit tcp any host CityFTP object-group PASV-FTP
access-list outside_access_in remark Allow FTP in to CityFTP
access-list outside_access_in extended permit tcp any host CityFTP eq ftp
access-list outside_access_in remark Rule to allow SX2 in web access
access-list outside_access_in extended permit tcp any interface outside object-group For_Pete
access-list outside_access_in remark Allow in for MSW DVR monitoring
access-list outside_access_in extended permit ip MSW_DVR_Vendor 255.255.255.0 host MSW-DVR_Outside
access-list outside_access_in extended permit tcp any host mail.nashuanh.gov eq smtp
access-list outside_access_in extended permit tcp any host mail.nashuanh.gov eq https
access-list outside_access_in extended permit tcp any host mail.nashuanh.gov object-group autodiscover
access-list outside_access_in extended permit gre any host CityRAS2
access-list outside_access_in extended permit tcp any host CityRAS2 eq pptp
access-list outside_access_in remark Access to Remote TV Switcher
access-list outside_access_in extended permit tcp any host BroadCast-PIX eq 9999
access-list outside_access_in remark Allow Access to Citrix
access-list outside_access_in extended permit object-group citrix-storefront any host Netscaler
access-list outside_access_in remark Allow Telestaff Web Host Server to NAT of internal Telestaff Server
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host CityTeleStaff_Outside object-group DM_INLINE_TCP_5
access-list outside_access_in remark Concord DMV VPN IP to Nashua DMV VPN IP
access-list outside_access_in extended permit ip host Concord-DMV-VPN2 host City-Nashua-DMV-VPN
access-list outside_access_in remark In from Outside Route Match Cloud to Transit Route Match Monitor
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 host Route-Match-Cloud host CityRouteCloud
access-list outside_access_in extended permit tcp any host CityFilr eq 8443
access-list outside_access_in extended permit tcp any host Slingbox_Public eq 5001
access-list outside_access_in remark Allow HVAC Vendor Access to the HVAC System
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host HVAC_Vendor host City_HVAC_Controller_Outside
access-list outside_access_in remark Allow in for FrontDoor
access-list outside_access_in extended permit tcp any host Cablecast_Pro eq 8100
access-list outside_access_in extended permit tcp any host CITYCAM_Outside
access-list outside_access_in remark Allow Router to Internet Traffic Send to Scrutinizer
access-list outside_access_in extended permit udp host CH_IT1941_Outside interface outside eq 2055
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec interface dmz host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host City-Nashua-DMV-VPN host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityWeb host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityFTP host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Netscaler_Management host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Netscaler_Static_IP host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Netscaler host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CITYCARTWEB host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec object-group DM_INLINE_NETWORK_21 host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityGISWeb2 host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Wordpress-Centos-Server host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityFilr host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec 71.181.12.224 255.255.255.224 host CityRX2
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host City-Nashua-DMV-VPN any eq www
access-list dmz_access_in remark Allow web access
access-list dmz_access_in extended permit tcp host CityWeb any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CityFTP any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Netscaler_Management any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Netscaler_Static_IP any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Netscaler any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CITYCARTWEB any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_22 any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CityGISWeb2 any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Wordpress-Centos-Server any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CityFilr any eq www
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host City-Nashua-DMV-VPN any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityWeb any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityFTP any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Netscaler_Management any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Netscaler_Static_IP any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Netscaler any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CITYCARTWEB any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_24 any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityGISWeb2 any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityFilr any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Wordpress-Centos-Server any eq www
access-list dmz_access_in extended permit udp 71.181.12.224 255.255.255.224 any eq www
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP interface dmz object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host City-Nashua-DMV-VPN object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityWeb object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityFTP object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Netscaler_Management object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Netscaler_Static_IP object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Netscaler object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CITYCARTWEB object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_25 object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityGISWeb2 object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Wordpress-Centos-Server object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityFilr object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP 71.181.12.224 255.255.255.224 object-group Fairpoint-DNS eq domain
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended permit icmp any any unreachable
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 host CityMail1 eq smtp
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 host CityMail1 object-group autodiscover
access-list dmz_access_in remark Allow the Google mini to ping citymailfe.
access-list dmz_access_in remark The google tried to perform this test before using a SMTP server.
access-list dmz_access_in extended permit icmp 71.181.12.224 255.255.255.224 host CityMail1 echo
access-list dmz_access_in extended permit object-group citrix-delivery object-group DM_INLINE_NETWORK_15 object-group CityCitrix
access-list dmz_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_7 eq domain
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_17 object-group DM_INLINE_NETWORK_10 eq 3268
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_18 object-group DM_INLINE_NETWORK_23 eq ldap
access-list dmz_access_in extended permit icmp object-group DM_INLINE_NETWORK_19 object-group DM_INLINE_NETWORK_11
access-list dmz_access_in remark Allow out for NTP
access-list dmz_access_in extended permit udp host Wordpress-Centos-Server any eq ntp
access-list dmz_access_in remark City DMV VPN to Concord DMV VPN
access-list dmz_access_in extended permit ip host City-Nashua-DMV-VPN host Concord-DMV-VPN2
access-list dmz_access_in extended permit tcp host CityWeb host Patriot object-group DM_INLINE_TCP_1
access-list dmz_access_in extended permit tcp host CityWeb host CitySQLX
access-list dmz_access_in extended permit icmp host CityWeb host CitySQLX
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host CitySQLX
access-list dmz_access_in extended permit udp host CityFilr host 129.6.15.28 eq ntp
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 host CitySMTP eq smtp
access-list dmz_access_in extended permit tcp host CityFilr host CityDC5 eq ldap
access-list dmz_access_in extended permit object-group radius host City-Nashua-DMV-VPN host CityDC5
access-list dmz_access_in extended permit tcp host CityFilr host CityFile eq cifs
access-list dmz_access_in extended permit ip host CityFilr host CityFile
access-list dmz_access_in extended permit udp host CityFilr host CityFile eq netbios-dgm
access-list dmz_access_in remark Syslog for Mark
access-list dmz_access_in extended permit udp host Netscaler_Management host CitySyslogWatcher eq syslog
access-list dmz_access_in remark for Angelo access to share
access-list dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_26 object-group DM_INLINE_NETWORK_14
access-list dmz_access_in remark Allow CITYCARTWEB Access to DPW-Backup1
access-list dmz_access_in extended permit tcp host CITYCARTWEB host DPW-Backup1 eq 10000
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 host CityGISWeb2 host CITYPICTOMETRY1
access-list dmz_access_in extended permit tcp host CityGISWeb3 host RS_GIS eq 3260
access-list dmz_access_in extended permit ip host CityGISWeb3 host DPW-Backup1
access-list FireVPN-Permits extended permit ip any 10.100.120.0 255.255.255.0
access-list FireVPN-Permits extended permit object-group Symantec any host CityRX2
access-list FireVPN-Permits extended permit object-group TCPUDP any Servers_Network1 255.255.255.0 eq domain
access-list FireVPN-Permits extended permit ip any host CityGIS4
access-list outside_cryptomap remark Edgewood
access-list outside_cryptomap extended permit ip object-group CHECVPN Edgewood_Cemetary_Network 255.255.255.128
access-list Library_nat0_outbound remark Exempt all NAT Traffic
access-list Library_nat0_outbound extended permit ip any any
access-list inside_mpc extended permit tcp any host CityRouteCloud eq 1287
access-list CH<>EC standard permit VMS_Servers_network 255.255.255.0
access-list CH<>EC standard permit Servers_Network1 255.255.255.0
access-list CH<>EC standard permit Servers_Network2 255.255.255.0
access-list inside_access_in remark Allow mail server to send mail outgoing
access-list inside_access_in extended permit tcp host CityMail1 any eq smtp
access-list inside_access_in remark Deny all SMTP Out
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip FDD-PCs 255.255.255.248 71.181.12.224 255.255.255.224
access-list inside_access_in remark Block access to Team viewer
access-list inside_access_in extended deny ip any host TeamViewer_Website
access-list inside_access_in extended deny ip any host 69.4.232.112
access-list inside_access_in extended permit udp host CITYCAM_Inside any eq 554
access-list inside_access_in remark Allow Default outgoing
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip host CityFuelXP any
access-list inside_access_in extended permit tcp host CityIMCMSG any eq smtp
access-list inside_access_in extended permit ip host CityIMCMSG 10.100.250.64 255.255.255.224 log disable
access-list inside_access_in extended deny ip host CityIMCMSG any
access-list split_tunnel standard permit City_LAN 255.255.0.0
access-list AC_VPN_Limited_Permit remark Allow access to servers
access-list AC_VPN_Limited_Permit extended permit ip any object-group DM_INLINE_NETWORK_5
access-list AC_VPN_Limited_Permit extended permit ip any IT_Network 255.255.255.192
access-list AC_VPN_Limited_Denies extended deny ip any host CityManager2
access-list throttle extended permit ip host CON_Public_IP any
access-list throttle extended permit ip host CON_Public_IP_2 any
access-list throttle extended permit ip any host CON_Public_IP
access-list throttle extended permit ip any host CON_Public_IP_2
access-list Bloxx-group remark Bloxx Unit
access-list Bloxx-group standard permit host CityBloxx
access-list Bloxx extended deny ip host 10.100.30.35 any
access-list Bloxx extended deny ip host 10.100.30.37 any
access-list Bloxx extended deny ip host 10.100.95.6 any
access-list Bloxx extended deny ip host 10.100.30.56 any
access-list Bloxx extended deny ip City_LAN 255.255.0.0 69.56.155.0 255.255.255.192
access-list Bloxx extended deny ip City_LAN 255.255.0.0 host 63.127.199.226
access-list Bloxx extended deny ip City_LAN 255.255.0.0 host 72.55.246.22
access-list Bloxx extended deny ip host 10.100.32.69 any
access-list Bloxx remark State's Server for legislative broadcasts
access-list Bloxx extended deny ip City_LAN 255.255.0.0 NH_Legislative_Broadcast_Network 255.255.255.0
access-list Bloxx remark CDC Server for broadcasts
access-list Bloxx extended deny ip City_LAN 255.255.0.0 host 198.246.99.21
access-list Bloxx extended deny ip City_LAN 255.255.0.0 71.181.12.224 255.255.255.224
access-list Bloxx extended deny ip City_LAN 255.255.0.0 City_LAN 255.255.0.0
access-list Bloxx remark do not forward web traffic to Library
access-list Bloxx extended deny ip City_LAN 255.255.0.0 10.98.0.0 255.255.0.0
access-list Bloxx remark us.getac.com
access-list Bloxx extended deny tcp any host 204.236.134.65 object-group DM_INLINE_TCP_6
access-list Bloxx remark Allow city traffic
access-list Bloxx extended permit tcp City_LAN 255.255.0.0 any eq www
access-list Bloxx-Group1 extended permit ip host CityBloxx any
access-list AC_VPN_Limited2_Permit extended permit ip any 10.100.200.0 255.255.255.0
access-list outside_cryptomap_1 remark Woodlawn Cemetary
access-list outside_cryptomap_1 extended permit ip City_LAN 255.255.0.0 10.100.105.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip City_LAN 255.255.0.0 10.100.105.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group Lawson_VPN host Lawson_VPN_External
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging asdm-buffer-size 250
logging trap warnings
logging asdm debugging
logging from-address [email protected]
logging recipient-XXXXXXX
logging facility 18
logging device-id hostname
logging host inside 10.100.6.20
logging host inside 10.100.5.114
logging host inside CitySyslogWatcher
logging class auth trap informational
logging class config trap notifications
logging class vpn trap informational
logging class vpnc trap notifications
logging class webvpn history notifications trap notifications
logging class ssl history notifications trap notifications
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304002
no logging message 304001
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside Scrutinizer 9995
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu outside 1500
mtu dmz 1500
mtu Library 1500
mtu inside 1500
mtu management 1500
ip local pool VPNPool 10.250.0.1-10.250.0.50 mask 255.255.255.0
ip local pool RAVPN_POOL 10.100.250.65-10.100.250.95 mask 255.255.255.224
ip local pool ssl_vpn_pool_new 10.100.250.129-10.100.250.158 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 11 64.80.28.136 netmask 255.0.0.0
global (outside) 99 64.80.28.135
global (outside) 10 CON_Public_IP netmask 255.255.255.255
global (outside) 10 CON_Public_IP_2 netmask 255.255.255.255
nat (Library) 0 access-list Library_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8100 Cablecast_Pro www netmask 255.255.255.255
static (inside,outside) tcp interface smtp CitySMTP smtp netmask 255.255.255.255
static (inside,outside) udp interface 2055 Scrutinizer 2055 netmask 255.255.255.255
static (dmz,outside) 71.181.12.224 71.181.12.224 netmask 255.255.255.224
static (inside,outside) CITYCAM_Outside CITYCAM_Inside netmask 255.255.255.255
static (inside,outside) MSW-DVR_Outside MSW_DVR netmask 255.255.255.255
static (inside,outside) mail.nashuanh.gov CityMail1 netmask 255.255.255.255
static (inside,outside) CityRAS2 City_RAS2_Inside netmask 255.255.255.255
static (inside,outside) BroadCast-PIX Broadcast_PIX_Inside netmask 255.255.255.255
static (inside,outside) CityTeleStaff_Outside CityTelestaff netmask 255.255.255.255
static (inside,outside) CityRouteCloud Transit_Hut_Monitor netmask 255.255.255.255
static (inside,outside) Slingbox_Public Slingbox_Private netmask 255.255.255.255 tcp 2 0 udp 2
static (inside,outside) City_HVAC_Controller_Outside City_HVAC_COntroller_Inside netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group Library_access_in in interface Library
access-group inside_access_in in interface inside
!
router ospf 1
 router-id 10.100.250.2
 network 10.99.0.0 255.255.255.0 area 2
 network 10.100.250.0 255.255.255.0 area 0
 area 0 range City_LAN 255.255.0.0
 distance ospf intra-area 80 inter-area 80 external 95
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 71.181.12.193 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map Group-Map
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPNFire,OU=All Security Groups,OU=City of Nashua,DC=nashua,DC=city" AVC-GP
  map-value memberOf "CN=vpnusersadmin,OU=All Security Groups,OU=City of Nashua,DC=nashua,DC=city" AVC-Timmed-Test
dynamic-access-policy-record DfltAccessPolicy
 user-message "Authorized Access Only"
 action terminate
dynamic-access-policy-record VPN-Limited
 description "VPN user group for limited City Access"
 user-message "XXXXXXXXXXXX"
 network-acl AC_VPN_Limited_Permit
 network-acl AC_VPN_Limited_Denies
 priority 500
 webvpn
  svc ask none default svc
dynamic-access-policy-record VPN-Fire
 description "Access for Fire Vehicles"
 network-acl FireVPN-Permits
 priority 600
 webvpn       
  svc ask none default svc
dynamic-access-policy-record VPN-Limited2
 description "Adds Lawson Access"
 network-acl AC_VPN_Limited_Permit
 network-acl AC_VPN_Limited_Denies
 network-acl AC_VPN_Limited2_Permit
 priority 275
 webvpn
  svc ask enable default svc
dynamic-access-policy-record VPN-Admins
 description "Allow Administrative VPN Access"
 user-message "Unauthorized users will be shot.  Survivors will be shot again."
 priority 250
 webvpn
  svc ask none default svc
dynamic-access-policy-record AVC-Fire
 description "SSLVPN Policy for Fire Dept Users"
 priority 299
aaa-server VPN-LDAP protocol ldap
aaa-server VPN-LDAP (inside) host CityDC2
 timeout 15
 ldap-base-dn DC=nashua,DC=city
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=mgrjboss,OU=Resources,DC=nashua,DC=city
 server-type microsoft
aaa-server RADIUS protocol radius
 reactivation-mode timed
aaa-server RADIUS (inside) host CityDC5
 retry-interval 5
 key *****
aaa-server AVC-LDAP-SG protocol ldap
aaa-server AVC-LDAP-SG (inside) host CityDC5
 ldap-base-dn DC=nashua,DC=city
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=mgrjboss,OU=Resources,DC=nashua,DC=city
 server-type microsoft
 ldap-attribute-map Group-Map
aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication serial console LOCAL
http server enable 8080
http server idle-timeout 30
http CityManager2 255.255.255.255 inside
http IT_Network 255.255.255.192 inside
snmp-server host inside 10.100.5.114 trap community ***** version 2c
snmp-server host inside citycmdb community ***** version 2c
snmp-server host inside 10.100.5.76 community *****
snmp-server host inside 10.100.6.20 trap community ***** version 2c
snmp-server host inside 10.100.6.21 community *****
snmp-server host inside 10.100.6.25 community ***** version 2c
snmp-server host inside Scrutinizer community ***** version 2c
snmp-server host inside CitySyslogWatcher trap community ***** version 2c
snmp-server host inside 10.100.6.6 community *****
snmp-server host inside 10.100.95.50 trap community *****
snmp-server host inside 10.100.6.11 community *****
snmp-server location ""City Hall - 2nd Floor Equipment Room, right"
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps remote-access session-threshold-exceeded
sysopt noproxyarp dmz
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 71.168.70.56
crypto map outside_map1 1 set transform-set ESP-AES-128-MD5
crypto map outside_map1 2 match address outside_2_cryptomap
crypto map outside_map1 2 set pfs group5
crypto map outside_map1 2 set peer 66.195.155.226
crypto map outside_map1 2 set transform-set ESP-AES-256-SHA
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 25
ssh scopy enable
ssh 10.100.6.20 255.255.255.255 inside
ssh CityManager2 255.255.255.255 inside
ssh IT_Network 255.255.255.192 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.2 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address City_LAN 255.255.0.0
threat-detection scanning-threat shun duration 300
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp 200 redirect-list Bloxx group-list Bloxx-Group1
wccp interface inside 200 redirect in
ntp server 10.100.2.253
webvpn        
 port 8484
 enable outside
 dtls port 8484
 svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 1
 svc image disk0:/anyconnect-win-2.5.6005-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy TeamABS<>CON internal
group-policy TeamABS<>CON attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy AC-VPN-GP internal
group-policy AC-VPN-GP attributes
 banner none
 dns-server value 10.100.5.2 10.100.5.3
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value XXXXXXX
 address-pools value RAVPN_POOL
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol svc
 default-domain value XXXXXXX
group-policy AVC-GP internal
group-policy AVC-GP attributes
 banner none
 wins-server none
 dns-server value 10.100.5.2 10.100.5.5
 vpn-idle-timeout 900
 vpn-session-timeout none
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value XXXXXXXX
 address-pools value ssl_vpn_pool_new
group-policy AVC-Timmed-Test internal
group-policy AVC-Timmed-Test attributes
 wins-server none
 dns-server none
 vpn-idle-timeout 30
 vpn-session-timeout 720
 vpn-tunnel-protocol svc webvpn
 default-domain value XXXXXXX
group-policy CH<>WL internal
group-policy CH<>WL attributes
 vpn-tunnel-protocol IPSec
group-policy CH<>MSW internal
group-policy CH<>MSW attributes
 vpn-tunnel-protocol IPSec
group-policy CH<>EC internal
group-policy CH<>EC attributes
 vpn-tunnel-protocol IPSec
username admin password 90nATqa6nCj5iJ88 encrypted privilege 15
username Cisco password kGOz5H/IcvmJAAtS encrypted privilege 15
username Cisco attributes
 service-type remote-access
username itadmin password sNnj/F6CPVWNeUXn encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp ikev1-user-authentication none
tunnel-group 71.168.70.56 type ipsec-l2l
tunnel-group 71.168.70.56 general-attributes
 default-group-policy CH<>EC
tunnel-group 71.168.70.56 ipsec-attributes
 pre-shared-key *****
tunnel-group 75.144.145.93 type ipsec-l2l
tunnel-group 75.144.145.93 general-attributes
 default-group-policy CH<>MSW
tunnel-group 75.144.145.93 ipsec-attributes
 pre-shared-key *****
tunnel-group AC-VPN type remote-access
tunnel-group AC-VPN general-attributes
 authentication-server-group VPN-LDAP
 default-group-policy AC-VPN-GP
tunnel-group AC-VPN webvpn-attributes
 group-alias CityVPN enable
tunnel-group 68.238.57.133 type ipsec-l2l
tunnel-group 68.238.57.133 general-attributes
 default-group-policy CH<>WL
tunnel-group 68.238.57.133 ipsec-attributes
 pre-shared-key *****
tunnel-group AVC-CP type remote-access
tunnel-group AVC-CP general-attributes
 address-pool ssl_vpn_pool_new
 authentication-server-group AVC-LDAP-SG
 default-group-policy AVC-GP
tunnel-group AVC-CP webvpn-attributes
 radius-reject-message
 group-alias AVC-CP disable
 group-alias AVG-CP enable
tunnel-group AVC-T type remote-access
tunnel-group AVC-T general-attributes
 address-pool ssl_vpn_pool_new
 authentication-server-group AVC-LDAP-SG
 default-group-policy AVC-Timmed-Test
tunnel-group 66.195.155.226 type ipsec-l2l
tunnel-group 66.195.155.226 general-attributes
 default-group-policy TeamABS<>CON
tunnel-group 66.195.155.226 ipsec-attributes
 pre-shared-key *****
!
class-map throttle
 match access-list throttle
class-map class_sqlnet
 match port tcp eq 1433
class-map inspection_default
 match default-inspection-traffic
class-map Routematch
 match access-list inside_mpc
class-map Netflow-Class
 description Use for netflow
 match any
class-map outside-class
 match port tcp range 1 65535
!
!
policy-map throttle-traffic
 class throttle
  police input 25000000 12500
  police output 25000000 12500
policy-map RouteMatch
 class Routematch
  set connection timeout half-closed 0:00:00 idle 0:00:00 dcd 0:15:00 5
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect ip-options
 class Netflow-Class
  flow-export event-type all destination Scrutinizer
policy-map outside-policy
 description Traffic limit on TCP to 40Mbs with a 5Mbs burst (prevent TCP from starving UPD and tunnel traffic on 50Mbs interface)
 class outside-class
  police input 35000000 1000000
  police output 35000000 1000000
!
service-policy global_policy global
service-policy outside-policy interface outside
service-policy RouteMatch interface inside
smtp-server 10.100.5.52
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:670d2aef79a36bd86b9c6fa59c56cb9c
: end

Richard Bradfield Fri, 08/26/2016 - 05:14

Hi,

Your ACL used for the crypto map, shown below, must be mirrored at the remote site:

access-list outside_2_cryptomap extended permit ip object-group Lawson_VPN host Lawson_VPN_External

Now the object group Lawson_VPN has the individual hosts, so the ACL will have many entries.

It would be easier if you had an

object-group network Lawson_VPN_subnet
 network-object 10.100.6.64 255.255.255.248

and used that.

HTH

Richard.
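Added example, not part of the original post and not Cisco's or Sophos's code: a small Python script that works through the mirroring point above on the question's own numbers. It computes the CIDR blocks needed to cover the host range the question describes (10.100.6.65 through 10.100.6.73), renders them as ASA 8.2 crypto ACL lines, builds the swapped src/dst entries the peer must carry, checks that two ACLs really are mirrors of each other, and reports any host in the intended range that a candidate proxy ID leaves out. The address behind Lawson_VPN_External is not on the page, so the placeholder 192.0.2.10 is assumed, and the remote ACL name `to_city` is made up for illustration.

```python
import ipaddress

# Constructed sample data from the discussion: the local hosts the question
# wants reachable, and the single remote host the crypto ACL points at.
LOCAL_RANGE = ("10.100.6.65", "10.100.6.73")
REMOTE_HOST = "192.0.2.10"  # assumption: placeholder for Lawson_VPN_External


def covering_blocks(first, last):
    """Smallest set of CIDR blocks that exactly covers first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def _net(block):
    """Accept either a CIDR string or an ipaddress network object."""
    return block if isinstance(block, ipaddress.IPv4Network) else ipaddress.ip_network(block)


def acl_line(name, src, dst):
    """Render one 'permit ip' entry in ASA 8.2 access-list syntax."""
    def fmt(net):
        if net.num_addresses == 1:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"
    return f"access-list {name} extended permit ip {fmt(_net(src))} {fmt(_net(dst))}"


def crypto_acls(local_blocks, remote_blocks,
                local_name="outside_2_cryptomap", remote_name="to_city"):
    """Return (local_lines, remote_lines).

    The remote side is the exact mirror of the local crypto ACL: every local
    src/dst pair appears on the peer with src and dst swapped. The ASA-style
    rendering of the remote side is only to make the pairs easy to compare.
    """
    local = [acl_line(local_name, l, r) for l in local_blocks for r in remote_blocks]
    remote = [acl_line(remote_name, r, l) for l in local_blocks for r in remote_blocks]
    return local, remote


def _parse_pairs(lines):
    """Extract (src, dst) networks from 'permit ip' lines produced by acl_line."""
    pairs = set()
    for line in lines:
        toks = line.split()
        rest = toks[toks.index("ip") + 1:]
        nets = []
        while rest:
            if rest[0] == "host":
                nets.append(ipaddress.ip_network(rest[1]))
            else:
                nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}"))
            rest = rest[2:]
        pairs.add((nets[0], nets[1]))
    return pairs


def is_mirror(local_lines, remote_lines):
    """True when the remote ACL's (src, dst) pairs are exactly the local ones swapped."""
    return _parse_pairs(local_lines) == {(d, s) for s, d in _parse_pairs(remote_lines)}


def missing_hosts(first, last, blocks):
    """Addresses in first..last that no block in `blocks` covers.

    Useful when only some of the intended hosts reach across the tunnel: a
    proxy ID that does not include a host will never build an SA for it.
    """
    nets = [_net(b) for b in blocks]
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(ipaddress.ip_address(i)) for i in range(int(start), int(end) + 1)
            if not any(ipaddress.ip_address(i) in n for n in nets)]


if __name__ == "__main__":
    local_blocks = covering_blocks(*LOCAL_RANGE)
    remote_blocks = [ipaddress.ip_network(REMOTE_HOST)]
    local, remote = crypto_acls(local_blocks, remote_blocks)
    print("! local ASA crypto ACL")
    print("\n".join(local))
    print("! entries the peer must mirror")
    print("\n".join(remote))
    print("mirror ok:", is_mirror(local, remote))
    print("uncovered:", missing_hosts(*LOCAL_RANGE, local_blocks))
```

Running it prints the local crypto ACL and the swapped entries the peer needs; the Sophos side is entered through its own UI rather than in ASA syntax, so the rendered remote lines are just the logical src/dst pairs it has to match. `missing_hosts` is the check to run against whatever proxy ID actually ends up on either side before blaming the tunnel itself.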
