Cisco Support Community
New Member

asa 5510 with a WLC5508 on DMZ network

I have a unique thing to do. I have been given a task of connecting a WLC5508 to an ASA5510, because they don't want to get another switch.

How can I do this? I think it is possible to do, but I can't get the NAT and ACL to work right.

Here is what I have so far:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname CSL-GW
domain-name csl.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.6 Server2008 description Domain Controller
name 12.133.51.114 PublicIP_114 description Public IP Address - used for SharePoint Server
name 192.168.0.8 SharePoint description The SharePoint 2007 Server
name 12.133.51.115 PublicIP_115 description Public IP Address
name 12.133.51.116 PublicIP_116 description Public IP Address
name 192.168.2.0 corinth-network
name 192.168.3.0 decatur-network
name 192.168.4.0 florence-network
name 192.168.11.0 hartselle-network
name 192.168.5.0 hoover-network
name 192.168.6.0 huntsville-network
name 192.168.7.0 lawrenceburg-network
name 192.168.8.0 montgomery-network
name 192.168.9.0 mountain-network
name 192.168.10.0 russellville-network
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.133.51.120 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif dmz
security-level 50
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name csl.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging trap debugging
logging asdm informational
logging host inside Server2008
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255
static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255
static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.133.51.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ADSERVERS protocol radius
aaa-server ADSERVERS (inside) host Server2008
key CSL-2820
http server enable
http hartselle-network 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http corinth-network 255.255.255.0 inside
http decatur-network 255.255.255.0 inside
http florence-network 255.255.255.0 inside
http hoover-network 255.255.255.0 inside
http huntsville-network 255.255.255.0 inside
http lawrenceburg-network 255.255.255.0 inside
http mountain-network 255.255.255.0 inside
http russellville-network 255.255.255.0 inside
http montgomery-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.139.80.51
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.139.80.163
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.23.150.67
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
crypto map outside_map 5 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 12.164.17.19
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer 12.139.80.131
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set peer 12.139.80.147
crypto map outside_map 8 set transform-set ESP-AES-128-SHA
crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set peer 12.131.64.99
crypto map outside_map 9 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 12.37.170.163
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.0.0 255.255.255.0 inside
telnet corinth-network 255.255.255.0 inside
telnet decatur-network 255.255.255.0 inside
telnet florence-network 255.255.255.0 inside
telnet hoover-network 255.255.255.0 inside
telnet huntsville-network 255.255.255.0 inside
telnet lawrenceburg-network 255.255.255.0 inside
telnet mountain-network 255.255.255.0 inside
telnet russellville-network 255.255.255.0 inside
telnet montgomery-network 255.255.255.0 inside
telnet hartselle-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns Server2008 12.127.16.67 interface inside
dhcpd wins Server2008 interface inside
dhcpd lease 14400 interface inside
dhcpd domain csl.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server Server2008 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.6
dns-server value 192.168.0.6 12.127.16.67
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value csl.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
tunnel-group DefaultRAGroup general-attributes
address-pool RemoteClientPool
authentication-server-group ADSERVERS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 12.131.108.179 type ipsec-l2l
tunnel-group 12.131.108.179 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.51 type ipsec-l2l
tunnel-group 12.139.80.51 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.163 type ipsec-l2l
tunnel-group 12.139.80.163 ipsec-attributes
pre-shared-key *
tunnel-group 12.23.150.67 type ipsec-l2l
tunnel-group 12.23.150.67 ipsec-attributes
pre-shared-key *
tunnel-group 12.133.51.195 type ipsec-l2l
tunnel-group 12.133.51.195 ipsec-attributes
pre-shared-key *
tunnel-group 12.164.17.19 type ipsec-l2l
tunnel-group 12.164.17.19 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.131 type ipsec-l2l
tunnel-group 12.139.80.131 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.147 type ipsec-l2l
tunnel-group 12.139.80.147 ipsec-attributes
pre-shared-key *
tunnel-group 12.131.64.99 type ipsec-l2l
tunnel-group 12.131.64.99 ipsec-attributes
pre-shared-key *
tunnel-group 12.37.170.163 type ipsec-l2l
tunnel-group 12.37.170.163 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423721254cdd7681b11454f1b5f93b44
: end

On the DMZ I did have a sub-interface called WLC on VLAN 12,

but nothing I did worked.

9 REPLIES
Super Bronze

Re: asa 5510 with a WLC5508 on DMZ network

Your DMZ interface is currently shutdown, that's probably why nothing works:

interface Ethernet0/2
shutdown
nameif dmz
security-level 50
ip address 192.168.12.1 255.255.255.0

New Member

asa 5510 with a WLC5508 on DMZ network

I know that I had it disabled, as I got tired of dealing with it for 3 days now.

Is there anything else I should be looking at?

Super Bronze

asa 5510 with a WLC5508 on DMZ network

To get internet access from DMZ, just add the following NAT entry:

nat (dmz) 1 0 0
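The two things the replies above check by eye, a named interface that is still shut down and an interface that no nat statement references, are easy to miss in a config this long. The following Python audit is an added example written for this page; it is not code from the thread or from Cisco. It parses a pasted "show run" in the same shape as the poster's and reports both conditions. The SAMPLE_CONFIG is constructed for the demonstration: it is trimmed to the interface and NAT sections, uses placeholder public addresses, and reproduces the dmz state from the first post (interface shut down, no nat line for it). The suggested "nat (dmz) 1 0 0" in the finding text is the fix quoted in the reply.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input (not the poster's full config): a trimmed ASA 7.2-style
# "show run" in the same shape as the thread's, with placeholder addresses. The dmz
# interface is shut down and has no nat statement, which are the two problems the
# replies point at.
SAMPLE_CONFIG = """\
interface Ethernet0/0
nameif outside
security-level 0
ip address 203.0.113.20 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif dmz
security-level 50
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
access-group dmz_access_in in interface dmz
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect every interface block that carries a nameif, keyed by that name.

    Blocks are delimited by an 'interface ...' line and the trailing '!' line, as
    in ASA 'show run' output. Indentation is ignored because pasted configs
    (like the one in this thread) usually lose it.
    """
    interfaces: Dict[str, dict] = {}
    current = None

    def flush() -> None:
        # Interfaces without a nameif (e.g. an unused Ethernet0/3) are skipped.
        if current is not None and current["nameif"]:
            interfaces[current["nameif"]] = current

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            current = {"physical": line.split(None, 1)[1], "nameif": None,
                       "shutdown": False, "security_level": None}
        elif line == "!":
            flush()
            current = None
        elif current is not None:
            if line == "shutdown":
                current["shutdown"] = True
            elif line.startswith("nameif "):          # 'no nameif' does not match
                current["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                current["security_level"] = int(line.split()[1])
    flush()
    return interfaces


def nat_participants(config: str) -> Set[str]:
    """Interface names that appear in any 'nat (<if>)' or 'global (<if>)' line."""
    return set(re.findall(r"^(?:nat|global) \((\S+)\)", config, flags=re.M))


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for the two conditions discussed above."""
    findings: List[Tuple[str, str]] = []
    natted = nat_participants(config)
    for name, info in parse_interfaces(config).items():
        if info["shutdown"]:
            findings.append((name, f"{info['physical']} is shutdown; no traffic will pass"))
        if name not in natted:
            findings.append((name, "no nat/global statement references this interface; "
                                   f"add e.g. 'nat ({name}) 1 0 0' for PAT to the outside"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG):
        print(f"[{iface}] {msg}")
```

Run against the sample it reports both dmz findings and nothing for the other interfaces; paste a real "show run" into SAMPLE_CONFIG (or read it from a file) to use it on your own box. The NAT check is deliberately coarse: it only says whether an interface takes part in NAT at all, not whether the exemptions (nat 0) needed for VPN or inside traffic are present.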

New Member

asa 5510 with a WLC5508 on DMZ network

I don't really want it to have internet; I just need it to talk to the inside network so that the APs will get the info that they need. It will also need to go over the VPNs to the sites.

hostname CSL-GW
domain-name csl.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.6 Server2008 description Domain Controller
name 12.133.51.114 PublicIP_114 description Public IP Address - used for SharePoint Server
name 192.168.0.8 SharePoint description The SharePoint 2007 Server
name 12.133.51.115 PublicIP_115 description Public IP Address
name 12.133.51.116 PublicIP_116 description Public IP Address
name 192.168.2.0 corinth-network
name 192.168.3.0 decatur-network
name 192.168.4.0 florence-network
name 192.168.11.0 hartselle-network
name 192.168.5.0 hoover-network
name 192.168.6.0 huntsville-network
name 192.168.7.0 lawrenceburg-network
name 192.168.8.0 montgomery-network
name 192.168.9.0 mountain-network
name 192.168.10.0 russellville-network
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.133.51.120 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/2.12
vlan 12
nameif WLC
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name csl.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in remark used for SharePoint
access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging trap debugging
logging asdm informational
logging host inside Server2008
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu WLC 1500
ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
nat (WLC) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255
static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255
static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.133.51.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ADSERVERS protocol radius
aaa-server ADSERVERS (inside) host Server2008
key CSL-2820
http server enable
http hartselle-network 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http corinth-network 255.255.255.0 inside
http decatur-network 255.255.255.0 inside
http florence-network 255.255.255.0 inside
http hoover-network 255.255.255.0 inside
http huntsville-network 255.255.255.0 inside
http lawrenceburg-network 255.255.255.0 inside
http mountain-network 255.255.255.0 inside
http russellville-network 255.255.255.0 inside
http montgomery-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.139.80.51
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.139.80.163
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.23.150.67
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
crypto map outside_map 5 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 12.164.17.19
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer 12.139.80.131
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set peer 12.139.80.147
crypto map outside_map 8 set transform-set ESP-AES-128-SHA
crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set peer 12.131.64.99
crypto map outside_map 9 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 12.37.170.163
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.0.0 255.255.255.0 inside
telnet corinth-network 255.255.255.0 inside
telnet decatur-network 255.255.255.0 inside
telnet florence-network 255.255.255.0 inside
telnet hoover-network 255.255.255.0 inside
telnet huntsville-network 255.255.255.0 inside
telnet lawrenceburg-network 255.255.255.0 inside
telnet mountain-network 255.255.255.0 inside
telnet russellville-network 255.255.255.0 inside
telnet montgomery-network 255.255.255.0 inside
telnet hartselle-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns Server2008 12.127.16.67 interface inside
dhcpd wins Server2008 interface inside
dhcpd lease 14400 interface inside
dhcpd domain csl.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server Server2008 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.6
dns-server value 192.168.0.6 12.127.16.67
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value csl.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
tunnel-group DefaultRAGroup general-attributes
address-pool RemoteClientPool
authentication-server-group ADSERVERS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 12.131.108.179 type ipsec-l2l
tunnel-group 12.131.108.179 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.51 type ipsec-l2l
tunnel-group 12.139.80.51 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.163 type ipsec-l2l
tunnel-group 12.139.80.163 ipsec-attributes
pre-shared-key *
tunnel-group 12.23.150.67 type ipsec-l2l
tunnel-group 12.23.150.67 ipsec-attributes
pre-shared-key *
tunnel-group 12.133.51.195 type ipsec-l2l
tunnel-group 12.133.51.195 ipsec-attributes
pre-shared-key *
tunnel-group 12.164.17.19 type ipsec-l2l
tunnel-group 12.164.17.19 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.131 type ipsec-l2l
tunnel-group 12.139.80.131 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.147 type ipsec-l2l
tunnel-group 12.139.80.147 ipsec-attributes
pre-shared-key *
tunnel-group 12.131.64.99 type ipsec-l2l
tunnel-group 12.131.64.99 ipsec-attributes
pre-shared-key *
tunnel-group 12.37.170.163 type ipsec-l2l
tunnel-group 12.37.170.163 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423721254cdd7681b11454f1b5f93b44
: end

hostname CSL-GW
domain-name csl.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.6 Server2008 description Domain Controller
name 12.133.51.114 PublicIP_114 description Public IP Address - used for SharePoint Server
name 192.168.0.8 SharePoint description The SharePoint 2007 Server
name 12.133.51.115 PublicIP_115 description Public IP Address
name 12.133.51.116 PublicIP_116 description Public IP Address
name 192.168.2.0 corinth-network
name 192.168.3.0 decatur-network
name 192.168.4.0 florence-network
name 192.168.11.0 hartselle-network
name 192.168.5.0 hoover-network
name 192.168.6.0 huntsville-network
name 192.168.7.0 lawrenceburg-network
name 192.168.8.0 montgomery-network
name 192.168.9.0 mountain-network
name 192.168.10.0 russellville-network
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.133.51.120 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/2.12
vlan 12
nameif WLC
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name csl.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in remark used for SharePoint
access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging trap debugging
logging asdm informational
logging host inside Server2008
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu WLC 1500
ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
nat (WLC) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255
static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255
static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.133.51.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ADSERVERS protocol radius
aaa-server ADSERVERS (inside) host Server2008
key CSL-2820
http server enable
http hartselle-network 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http corinth-network 255.255.255.0 inside
http decatur-network 255.255.255.0 inside
http florence-network 255.255.255.0 inside
http hoover-network 255.255.255.0 inside
http huntsville-network 255.255.255.0 inside
http lawrenceburg-network 255.255.255.0 inside
http mountain-network 255.255.255.0 inside
http russellville-network 255.255.255.0 inside
http montgomery-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.139.80.51
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.139.80.163
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.23.150.67
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
crypto map outside_map 5 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 12.164.17.19
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer 12.139.80.131
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set peer 12.139.80.147
crypto map outside_map 8 set transform-set ESP-AES-128-SHA
crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set peer 12.131.64.99
crypto map outside_map 9 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 12.37.170.163
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.0.0 255.255.255.0 inside
telnet corinth-network 255.255.255.0 inside
telnet decatur-network 255.255.255.0 inside
telnet florence-network 255.255.255.0 inside
telnet hoover-network 255.255.255.0 inside
telnet huntsville-network 255.255.255.0 inside
telnet lawrenceburg-network 255.255.255.0 inside
telnet mountain-network 255.255.255.0 inside
telnet russellville-network 255.255.255.0 inside
telnet montgomery-network 255.255.255.0 inside
telnet hartselle-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns Server2008 12.127.16.67 interface inside
dhcpd wins Server2008 interface inside
dhcpd lease 14400 interface inside
dhcpd domain csl.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server Server2008 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.6
dns-server value 192.168.0.6 12.127.16.67
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value csl.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
tunnel-group DefaultRAGroup general-attributes
address-pool RemoteClientPool
authentication-server-group ADSERVERS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 12.131.108.179 type ipsec-l2l
tunnel-group 12.131.108.179 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.51 type ipsec-l2l
tunnel-group 12.139.80.51 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.163 type ipsec-l2l
tunnel-group 12.139.80.163 ipsec-attributes
pre-shared-key *
tunnel-group 12.23.150.67 type ipsec-l2l
tunnel-group 12.23.150.67 ipsec-attributes
pre-shared-key *
tunnel-group 12.133.51.195 type ipsec-l2l
tunnel-group 12.133.51.195 ipsec-attributes
pre-shared-key *
tunnel-group 12.164.17.19 type ipsec-l2l
tunnel-group 12.164.17.19 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.131 type ipsec-l2l
tunnel-group 12.139.80.131 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.147 type ipsec-l2l
tunnel-group 12.139.80.147 ipsec-attributes
pre-shared-key *
tunnel-group 12.131.64.99 type ipsec-l2l
tunnel-group 12.131.64.99 ipsec-attributes
pre-shared-key *
tunnel-group 12.37.170.163 type ipsec-l2l
tunnel-group 12.37.170.163 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423721254cdd7681b11454f1b5f93b44
: end

Super Bronze

asa 5510 with a WLC5508 on DMZ network

To access the inside network, you would need to configure the following:

static (inside,WLC) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

And for VPN, which particular VPN peer do you want to have access? For VPN, you would need to make changes on both ends of the VPN tunnel.

New Member

asa 5510 with a WLC5508 on DMZ network

I am wanting to get to all of them, but for now just the peer 12.133.51.195.

Super Bronze

asa 5510 with a WLC5508 on DMZ network

For peer 12.133.51.195:

access-list outside_5_cryptomap extended permit ip 192.168.12.0 255.255.255.0 huntsville-network 255.255.255.0

access-list nonat-wlc extended permit ip 192.168.12.0 255.255.255.0 huntsville-network 255.255.255.0

nat (WLC) 0 access-list nonat-wlc

And you would need to add the mirror image ACL on the remote end (12.133.51.195).
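The two replies above hinge on a pre-8.3 ASA ordering rule: NAT is applied before the crypto map is evaluated, so a flow that is not exempted by a `nat (iface) 0 access-list` entry gets PATed to the outside interface by `nat (WLC) 1 0.0.0.0 0.0.0.0` / `global (outside) 1 interface` and never matches the crypto ACL. The following Python audit is an added example written for this thread (not the poster's config tooling or any Cisco utility): it parses the `name`, `access-list`, `nat ... 0 access-list` and `crypto map` lines, reports crypto-map flows that have no NAT exemption, and prints the mirror-image ACL the remote peer needs. The embedded config is a constructed excerpt of the lines posted in this thread plus the two lines proposed above; `l2l-to-csl` is a hypothetical ACL name for the remote end, and matching is exact network equality (the real ASA matches by address containment, first ACE wins), which is enough for the /24 entries used here.

```python
from dataclasses import dataclass

# Constructed excerpt of the config posted in this thread (names resolved the way
# "show run" lists them: name definitions precede the ACLs that use them).
BASE_CONFIG = """
name 192.168.2.0 corinth-network
name 192.168.6.0 huntsville-network
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.12.0 255.255.255.0 huntsville-network 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
"""

# The two lines the reply proposes for the WLC network.
WLC_EXEMPTION = """
access-list nonat-wlc extended permit ip 192.168.12.0 255.255.255.0 huntsville-network 255.255.255.0
nat (WLC) 0 access-list nonat-wlc
"""


@dataclass(frozen=True)
class Flow:
    src: str
    src_mask: str
    dst: str
    dst_mask: str


def _addr(tokens, i, names):
    """Read one ACL address operand at tokens[i]; return (ip, mask, next index)."""
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0", "0.0.0.0", i + 1
    if tok == "host":
        return names.get(tokens[i + 1], tokens[i + 1]), "255.255.255.255", i + 2
    return names.get(tok, tok), tokens[i + 1], i + 2


def parse_config(text):
    """Collect name aliases, 'permit ip' ACEs, NAT-exemption ACL bindings and crypto-map entries."""
    names, acls, crypto, exempt = {}, {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                                   # name <ip> <alias> [description ...]
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, smask, i = _addr(t, 5, names)
            dst, dmask, _ = _addr(t, i, names)
            acls.setdefault(t[1], []).append(Flow(src, smask, dst, dmask))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto.setdefault(f"{t[2]} {t[3]}", {})["acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            crypto.setdefault(f"{t[2]} {t[3]}", {})["peer"] = t[6]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:   # nat (iface) 0 access-list <acl>
            exempt[t[1].strip("()")] = t[4]
    return {"names": names, "acls": acls, "crypto": crypto, "exempt": exempt}


def _covers(ex, flow):
    """True if a nat 0 entry exempts the crypto flow (exact network match, or an 'any' side)."""
    src_ok = ex.src_mask == "0.0.0.0" or (ex.src, ex.src_mask) == (flow.src, flow.src_mask)
    dst_ok = ex.dst_mask == "0.0.0.0" or (ex.dst, ex.dst_mask) == (flow.dst, flow.dst_mask)
    return src_ok and dst_ok


def missing_exemptions(cfg):
    """Crypto-map flows no NAT-exemption ACE covers: they would be PATed before the
    crypto map is consulted and so never enter the tunnel."""
    exempt_flows = [f for acl in cfg["exempt"].values() for f in cfg["acls"].get(acl, [])]
    missing = []
    for entry in cfg["crypto"].values():
        for flow in cfg["acls"].get(entry.get("acl"), []):
            if not any(_covers(ex, flow) for ex in exempt_flows):
                missing.append((entry.get("peer"), flow))
    return missing


def mirror_acl(cfg, peer, acl_name):
    """Crypto ACL for the remote end: source and destination swapped, aliases resolved to IPs."""
    lines = []
    for entry in cfg["crypto"].values():
        if entry.get("peer") != peer:
            continue
        for f in cfg["acls"].get(entry["acl"], []):
            lines.append(f"access-list {acl_name} extended permit ip "
                         f"{f.dst} {f.dst_mask} {f.src} {f.src_mask}")
    return lines


if __name__ == "__main__":
    before = parse_config(BASE_CONFIG)
    for peer, flow in missing_exemptions(before):
        print(f"no NAT exemption: {flow.src}/{flow.src_mask} -> {flow.dst}/{flow.dst_mask} (peer {peer})")
    after = parse_config(BASE_CONFIG + WLC_EXEMPTION)
    print("missing after adding nonat-wlc:", missing_exemptions(after))
    print("\n".join(mirror_acl(after, "12.133.51.195", "l2l-to-csl")))
```

Run against the base excerpt the audit flags only the new 192.168.12.0/24 to huntsville-network flow on peer 12.133.51.195; adding the `nonat-wlc` ACL and `nat (WLC) 0` binding clears it. The mirror ACL output is what the remote side must carry so both ends' proxy identities agree; the remote device has no `name` entries, so aliases are resolved before printing.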

New Member

asa 5510 with a WLC5508 on DMZ network

OK, thanks.

I have not put in the VPN stuff but want you to take a look, as I cannot ping on the WLC network.

Also, I cannot get on the Internet.

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname CSL-GW
domain-name csl.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.6 Server2008 description Domain Controller
name 12.133.51.114 PublicIP_114 description Public IP Address - used for SharePoint Server
name 192.168.0.8 SharePoint description The SharePoint 2007 Server
name 12.133.51.115 PublicIP_115 description Public IP Address
name 12.133.51.116 PublicIP_116 description Public IP Address
name 192.168.2.0 corinth-network
name 192.168.3.0 decatur-network
name 192.168.4.0 florence-network
name 192.168.11.0 hartselle-network
name 192.168.5.0 hoover-network
name 192.168.6.0 huntsville-network
name 192.168.7.0 lawrenceburg-network
name 192.168.8.0 montgomery-network
name 192.168.9.0 mountain-network
name 192.168.10.0 russellville-network
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.133.51.120 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/2.12
description Wireless Lan Controller
vlan 12
nameif WLC
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name csl.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 3390
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in remark used for SharePoint
access-list outside_access_in extended permit tcp any host PublicIP_114 object-group DM_INLINE_TCP_2
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 corinth-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 decatur-network 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 florence-network 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hoover-network 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.255.0 huntsville-network 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.255.0 lawrenceburg-network 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.0.0 255.255.255.0 mountain-network 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.0.0 255.255.255.0 russellville-network 255.255.255.0
access-list outside_9_cryptomap extended permit ip 192.168.0.0 255.255.255.0 montgomery-network 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.0.0 255.255.255.0 hartselle-network 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging trap debugging
logging asdm informational
logging host inside Server2008
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu WLC 1500
ip local pool RemoteClientPool 192.168.0.50-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
nat (WLC) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www Server2008 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 65100 192.168.0.2 65100 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server2008 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 587 Server2008 587 netmask 255.255.255.255
static (inside,outside) tcp interface https Server2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.0.7 81 netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.0.251 3390 netmask 255.255.255.255
static (inside,outside) PublicIP_114 SharePoint netmask 255.255.255.255
static (inside,WLC) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (WLC,inside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.133.51.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ADSERVERS protocol radius
aaa-server ADSERVERS (inside) host Server2008
key CSL-2820
http server enable
http hartselle-network 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http corinth-network 255.255.255.0 inside
http decatur-network 255.255.255.0 inside
http florence-network 255.255.255.0 inside
http hoover-network 255.255.255.0 inside
http huntsville-network 255.255.255.0 inside
http lawrenceburg-network 255.255.255.0 inside
http mountain-network 255.255.255.0 inside
http russellville-network 255.255.255.0 inside
http montgomery-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.131.108.179
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.139.80.51
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.139.80.163
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 12.23.150.67
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.133.51.195
crypto map outside_map 5 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 12.164.17.19
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer 12.139.80.131
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set peer 12.139.80.147
crypto map outside_map 8 set transform-set ESP-AES-128-SHA
crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set peer 12.131.64.99
crypto map outside_map 9 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 12.37.170.163
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.0.0 255.255.255.0 inside
telnet corinth-network 255.255.255.0 inside
telnet decatur-network 255.255.255.0 inside
telnet florence-network 255.255.255.0 inside
telnet hoover-network 255.255.255.0 inside
telnet huntsville-network 255.255.255.0 inside
telnet lawrenceburg-network 255.255.255.0 inside
telnet mountain-network 255.255.255.0 inside
telnet russellville-network 255.255.255.0 inside
telnet montgomery-network 255.255.255.0 inside
telnet hartselle-network 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.100-192.168.0.150 inside
dhcpd dns Server2008 12.127.16.67 interface inside
dhcpd wins Server2008 interface inside
dhcpd lease 14400 interface inside
dhcpd domain csl.local interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ntp server Server2008 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.0.6
dns-server value 192.168.0.6 12.127.16.67
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value csl.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
tunnel-group DefaultRAGroup general-attributes
address-pool RemoteClientPool
authentication-server-group ADSERVERS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 12.131.108.179 type ipsec-l2l
tunnel-group 12.131.108.179 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.51 type ipsec-l2l
tunnel-group 12.139.80.51 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.163 type ipsec-l2l
tunnel-group 12.139.80.163 ipsec-attributes
pre-shared-key *
tunnel-group 12.23.150.67 type ipsec-l2l
tunnel-group 12.23.150.67 ipsec-attributes
pre-shared-key *
tunnel-group 12.133.51.195 type ipsec-l2l
tunnel-group 12.133.51.195 ipsec-attributes
pre-shared-key *
tunnel-group 12.164.17.19 type ipsec-l2l
tunnel-group 12.164.17.19 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.131 type ipsec-l2l
tunnel-group 12.139.80.131 ipsec-attributes
pre-shared-key *
tunnel-group 12.139.80.147 type ipsec-l2l
tunnel-group 12.139.80.147 ipsec-attributes
pre-shared-key *
tunnel-group 12.131.64.99 type ipsec-l2l
tunnel-group 12.131.64.99 ipsec-attributes
pre-shared-key *
tunnel-group 12.37.170.163 type ipsec-l2l
tunnel-group 12.37.170.163 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:423721254cdd7681b11454f1b5f93b44
: end

Super Bronze

asa 5510 with a WLC5508 on DMZ network

You don't need the following:

static (WLC,inside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0

To ping, please configure the following:

policy-map global_policy
class inspection_default
  inspect icmp

You should be able to access the internet. Can you ping 4.2.2.2 from the WLC network? What is your IP Address?
