! Saved configuration of a Cisco ASA (hostname Gateway) with three VLAN
! interfaces (inside / outside / dmz), PAT for inside hosts, one LAN-to-LAN
! IPsec tunnel, remote-access IPsec and L2TP/IPsec, and SSL VPN (webvpn/svc).
! The listing is shown one command per line; "!" lines beginning with
! "NOTE(review)" are review annotations, not device output.
: Saved
:
! NOTE(review): 7.2(4) is a long-retired software train; confirm the
! device can be moved to a supported release.
ASA Version 7.2(4)
!
hostname Gateway
! NOTE(review): the domain is masked here but appears unmasked further down
! (dns server-group, dhcpd domain, default-domain). Mask consistently before
! sharing a config.
domain-name xxxx.local
names
name 172.28.42.0 Mantis_Network
name 192.168.20.10 Mantis_Pc
name 192.168.20.2 Dmz_Switch
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! NOTE(review): the outside address is masked, but public addresses remain
! visible in OUTSIDE_IN_ACL and in the default route below.
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
! "no forward interface Vlan1" stops this VLAN (dmz) from initiating
! traffic toward Vlan1 (inside).
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login This is a Private Network - Please Disconnect Now if not Authorised
ftp mode passive
dns server-group DefaultDNS
 domain-name cypra.local
! NAT-exemption list applied by "nat (inside) 0" below.
! NOTE(review): 192.168.30.0/27 covers .0-.31 only, so the inside_SSL pool
! (192.168.30.40-192.168.30.50) is not matched by the first entry - verify
! whether SSL VPN clients are meant to be exempt from NAT.
! NOTE(review): the second entry has the DMZ subnet as source although the
! list is bound to the inside interface; presumably it belongs in
! dmz_nat0_outbound - confirm.
access-list inside_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.31.0 255.255.255.224
access-list inside_nat0_outbound remark Allow Inside to DMZ
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
! The next two lists carry the same match (Mantis_Pc to Mantis_Network/24):
! one exempts it from NAT on the dmz, the other selects it for the
! LAN-to-LAN tunnel (crypto map outside_map 1).
access-list dmz_nat0_outbound extended permit ip host Mantis_Pc Mantis_Network 255.255.255.0
access-list outside_1_cryptomap extended permit ip host Mantis_Pc Mantis_Network 255.255.255.0
! Inbound policy on the outside interface (bound by access-group below):
! ICMP echo-reply and time-exceeded from anywhere, and RDP (tcp/3389) from a
! single source host.
! NOTE(review): on this software generation the inbound ACL is presumably
! evaluated against the translated (public) address, in which case the entry
! naming 192.168.1.113 never matches - confirm and remove if unused.
! NOTE(review): RDP is published to the Internet with only a source-address
! restriction; reaching the host over the VPN instead would remove the
! exposed listener.
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
access-list OUTSIDE_IN_ACL extended permit tcp host 213.207.149.166 host 81.4.144.254 eq 3389
access-list OUTSIDE_IN_ACL extended permit tcp host 213.207.149.166 host 192.168.1.113 eq 3389
! NOTE(review): access-list 10 is not referenced by any access-group, nat or
! vpn-filter line in this config, and its deny entry is marked inactive.
! The remark says "from Any" while the permit is limited to
! 192.168.31.0/27 - align the remark or the rule, or delete the list.
access-list 10 extended deny ip any host Dmz_Switch inactive
access-list 10 remark Permit IP Access from Any to DMZ Subnet (192.168.20.0/24)
access-list 10 extended permit ip 192.168.31.0 255.255.255.224 192.168.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
! NOTE(review): the syslog host 192.168.1.140 is also the first address of
! the dhcpd range below, so that address can be leased to another client;
! reserve it or move the range.
logging host inside 192.168.1.140
mtu inside 1500
mtu outside 1500
mtu dmz 1500
! VPN client address pools; the pools are defined with a /24 mask while the
! ACLs above describe them as /27.
ip local pool inside_pool 192.168.30.10-192.168.30.20 mask 255.255.255.0
ip local pool dmz_pool 192.168.31.10-192.168.31.20 mask 255.255.255.0
ip local pool inside_SSL 192.168.30.40-192.168.30.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
! Inside hosts are PAT-ed to the outside interface address (nat id 1);
! traffic matched by the nat0 lists is exempt.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
! Static PAT: tcp/3389 on the outside interface is forwarded to
! 192.168.1.113:3389.
static (inside,outside) tcp interface 3389 192.168.1.113 3389 netmask 255.255.255.255
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 81.4.144.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
! SSH, Telnet and enable access are all authenticated against the local
! user database defined further down.
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
! ASDM/HTTPS management is accepted from the inside LAN and from the
! 192.168.30.0/24 VPN pool range.
http server enable
http 192.168.30.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): every IPsec proposal here is 3DES with an MD5 or SHA-1 HMAC.
! These are legacy algorithms; AES with a SHA HMAC is the stronger option if
! the software and license allow it - confirm with the tunnel peers.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_MD5
! Entry 1 is the LAN-to-LAN tunnel to peer 212.31.96.121; entry 65535 hands
! all other negotiations to the dynamic map (remote-access clients).
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 212.31.96.121
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
! NOTE(review): both IKE policies use pre-shared keys, 3DES and DH group 2;
! policy 11 additionally falls back to MD5. Remove policy 11 if no peer
! needs it and raise the DH group where peers support it.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
! NOTE(review): Telnet is a cleartext management protocol; SSH is already
! enabled for the same inside network, so the telnet lines can be dropped.
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
! NOTE(review): SSH management is accepted from any source address on the
! outside interface; restrict it to known administrative addresses or use
! the VPN together with "management-access inside".
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
! NOTE(review): "console timeout 0" disables the idle timeout on the
! console session.
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.140-192.168.1.170 inside
dhcpd dns 192.168.1.113 195.14.130.170 interface inside
dhcpd lease 172800 interface inside
dhcpd domain cypra.local interface inside
dhcpd enable inside
!
! SSL VPN is enabled on the outside interface with the SSL VPN Client (svc)
! package stored on disk0.
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
! Default group policy; the other group policies inherit any attribute they
! do not set themselves. Security-relevant values below: "pfs disable",
! "split-tunnel-policy tunnelall", "vpn-filter none" (no per-session ACL),
! "vpn-simultaneous-logins 3" and "password-storage disable".
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions none
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
! The three SSL VPN policies below differ only in the svc mode
! (required / enable) and the rekey method (new-tunnel / ssl).
group-policy WebGroupPolicy internal
group-policy WebGroupPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc required
  svc keep-installer installed
  svc rekey time 30
  svc rekey method new-tunnel
  svc dpd-interval client 500
  svc dpd-interval gateway 500
group-policy Internal_Users internal
group-policy Internal_Users attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method new-tunnel
  svc dpd-interval client 500
  svc dpd-interval gateway 500
group-policy Dmz_Users internal
group-policy Dmz_Users attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc dpd-interval client 500
  svc dpd-interval gateway 500
group-policy cisco_clients internal
group-policy cisco_clients attributes
 dns-server value 192.168.1.113
 vpn-tunnel-protocol IPSec
 default-domain value cypra.local
! Local user database. The password values are absent from this copy of the
! config, so hash type and privilege level cannot be reviewed here.
! NOTE(review): these same accounts authenticate SSH/Telnet/enable (aaa ...
! LOCAL above), so every VPN user is presumably also a management login
! candidate - confirm privilege levels and service-type on the device.
! NOTE(review): several names (test, webtest, dmztest, user1, user2) look
! like test accounts - verify they are still needed. Accounts without an
! "attributes" block set no per-user policy.
username test password
username test attributes
 vpn-group-policy cisco_clients
username webuser1 password
username webuser1 attributes
 vpn-group-policy Dmz_Users
username webtest password
username webtest attributes
 vpn-group-policy WebGroupPolicy
username mikecl password
username admin851 password
username admin851 attributes
 vpn-framed-ip-address 192.168.30.5 255.255.255.0
username user1 password
username user1 attributes
 vpn-group-policy cisco_clients
username user2 password
username dmztest password
username cypraremote password
username cypraremote attributes
 vpn-group-policy DefaultRAGroup
 group-lock value DefaultRAGroup
username nextech password
username nextech attributes
 vpn-group-policy WebGroupPolicy
 vpn-framed-ip-address 192.168.30.7 255.255.255.0
 webvpn
  functions url-entry
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
username mantis password
username gigeorge password
username gigeorge attributes
 vpn-group-policy WebGroupPolicy
 vpn-framed-ip-address 192.168.30.6 255.255.255.0
! Tunnel groups map each connection type to an address pool and a group
! policy. "pre-shared-key *" is the masked form; the key itself is not in
! this listing.
tunnel-group DefaultRAGroup general-attributes
 address-pool dmz_pool
 default-group-policy DefaultRAGroup
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
! PPP authentication for this group: CHAP is turned off and MS-CHAPv2 is
! turned on.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy WebGroupPolicy
tunnel-group cisco_clients type ipsec-ra
tunnel-group cisco_clients general-attributes
 address-pool inside_pool
 default-group-policy cisco_clients
tunnel-group cisco_clients ipsec-attributes
 pre-shared-key *
tunnel-group 212.31.96.121 type ipsec-l2l
tunnel-group 212.31.96.121 ipsec-attributes
 pre-shared-key *
tunnel-group WebTunnelGroup1 type webvpn
tunnel-group WebTunnelGroup1 general-attributes
 address-pool inside_pool
 default-group-policy Internal_Users
tunnel-group WebTunnelGroup type webvpn
tunnel-group WebTunnelGroup general-attributes
 address-pool inside_SSL
 default-group-policy WebGroupPolicy
!
! Application inspection: one class matching the default inspection traffic,
! applied globally with the protocol inspections listed below.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a12cbc0ac9dbc50f72e49929bfc0d537
: end
[OK]