ASA Version 8.0(3)6
!
hostname firewall
domain-name xxxxx
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone Manila 8
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name clfc-online.com
dns server-group vpnlocal
 name-server 10.10.1.10
object-group network vpnclient
 network-object 10.10.3.0 255.255.255.0
object-group network host
 network-object host 10.10.1.26
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list inside_access_out extended permit icmp any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out extended permit icmp any any
access-list outside_access_in extended permit ip 10.10.3.0 255.255.255.0 host 10.10.1.26
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp 10.10.3.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.3.48 255.255.255.240
access-list Lcocal_lan_access extended permit ip any 10.10.1.0 255.255.255.0
access-list Lcocal_lan_access extended permit icmp any 10.10.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit icmp any any
access-list test_splitTunnelAcl_1 standard permit any
access-list test_splitTunnelAcl_1 standard permit 10.10.3.48 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool test 10.10.1.150-10.10.1.160 mask 255.255.255.0
ip local pool test2 10.10.3.50-10.10.3.60 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.10.1.0 255.255.255.0 dns
access-group outside_access_in_1 in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 122.54.152.49 1
route outside 10.10.2.0 255.255.255.0 122.54.152.54 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPNaccess protocol radius
 accounting-mode simultaneous
aaa-server VPNaccess (inside) host 10.10.1.4
 key cisco
 radius-common-pw test123
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt RADIUS authentication successful
auth-prompt accept Access granted
auth-prompt reject Access denied!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 122.54.152.51
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.10.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
ntp server 122.54.152.53
ntp server 122.54.152.54
group-policy test internal
group-policy test attributes
 dns-server value 10.10.1.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl_1
username test password 3ibM4DVokaSgIOfElXr8cg== nt-encrypted privilege 15
username test attributes
 memberof test
username glynford password 3kM/F2LuiepkNbhS encrypted privilege 15
tunnel-group 122.54.152.51 type ipsec-l2l
tunnel-group 122.54.152.51 ipsec-attributes
 pre-shared-key *
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool test2
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 122.54.152.51
prompt hostname context
Cryptochecksum:4c9977e6b22604867febb2f09159489e
: end
firewall#
firewall# sh crypto isakmp

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 125.60.248.143
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

Global IKE Statistics
  Active Tunnels: 1
  Previous Tunnels: 5
  In Octets: 30468
  In Packets: 269
  In Drop Packets: 4
  In Notifys: 233
  In P2 Exchanges: 4
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Sa Delete Requests: 4
  Out Octets: 24964
  Out Packets: 262
  Out Drop Packets: 0
  Out Notifys: 466
  Out P2 Exchanges: 1
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 0
  Initiator Tunnels: 1
  Initiator Fails: 0
  Responder Fails: 0
  System Capacity Fails: 0
  Auth Fails: 0
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0