Network diagram asa# sh run : Saved : ASA Version 8.0(3) ! hostname asa domain-name example.com enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 10.0.2.200 255.255.255.0 ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 10.0.1.200 255.255.255.0 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive clock timezone ICT 7 dns server-group DefaultDNS domain-name example.com access-list inside_nat0_outbound extended permit ip any 10.0.3.0 255.255.255.0 no pager logging enable logging asdm debugging mtu inside 1500 mtu outside 1500 ip local pool pool1 10.0.3.1-10.0.3.254 mask 255.255.255.0 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-613.bin no asdm history enable arp timeout 14400 nat (inside) 0 access-list inside_nat0_outbound route outside 0.0.0.0 0.0.0.0 10.0.2.254 1 route inside 0.0.0.0 0.0.0.0 10.0.1.254 tunneled timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy http server enable http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESPAES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESPDES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside threat-detection basic-threat threat-detection statistics access-list group-policy tunnel1 internal group-policy tunnel1 attributes vpn-tunnel-protocol IPSec username remote1 password sjlpmOJZS8330gsa encrypted privilege 0 username remote1 attributes vpn-group-policy tunnel1 tunnel-group tunnel1 type remote-access tunnel-group tunnel1 general-attributes address-pool pool1 default-group-policy tunnel1 tunnel-group tunnel1 ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect icmp ! service-policy global_policy global prompt hostname context Cryptochecksum:d450c3915347cd06375471015256a614 : end ASA configuration asa# sh ver Cisco Adaptive Security Appliance Software Version 8.0(3) Device Manager Version 6.1(3) Compiled on Tue 06-Nov-07 22:59 by builders System image file is "disk0:/asa803-k8.bin" Config file at boot was "startup-config" asa up 5 hours 20 mins Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz Internal ATA Compact Flash, 256MB BIOS Flash M50FW080 @ 0xffe00000, 1024KB Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0) Boot microcode : CN1000-MC-BOOT-2.00 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04 0: Ext: GigabitEthernet0/0 : address is 001b.5496.3aba, irq 9 1: Ext: GigabitEthernet0/1 : address is 001b.5496.3abb, irq 9 2: Ext: GigabitEthernet0/2 : address is 001b.5496.3abc, irq 9 3: Ext: GigabitEthernet0/3 : address is 001b.5496.3abd, irq 9 4: Ext: Management0/0 : address is 001b.5496.3abe, irq 11 5: Int: Not used : irq 11 6: Int: Not used : irq 5 Licensed features for this platform: Maximum Physical Interfaces : Unlimited Maximum VLANs : 150 Inside Hosts : Unlimited Failover : Active/Active VPN-DES : Enabled VPN-3DES-AES : Enabled Security Contexts :2 GTP/GPRS : Disabled VPN Peers : 750 WebVPN Peers :2 AnyConnect for Mobile : Disabled AnyConnect for Linksys phone : Disabled Advanced Endpoint Assessment : Disabled This platform has an ASA 5520 VPN Plus license. Serial Number: JMX1134L19R Running Activation Key: 0x8b33724c 0x2c92ec69 0xdc2299cc 0xb2c8003c 0x081287a5 Configuration register is 0x1 Configuration last modified by enable_15 at 19:39:33.212 ICT Wed May 13 2009 ASA version VPN client asa# sh route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is 10.0.2.254 to network 0.0.0.0 S C C S* S 10.0.3.1 255.255.255.255 [1/0] via 10.0.2.254, outside 10.0.2.0 255.255.255.0 is directly connected, outside 10.0.1.0 255.255.255.0 is directly connected, inside 0.0.0.0 0.0.0.0 [1/0] via 10.0.2.254, outside 0.0.0.0 0.0.0.0 [255/0] via 10.0.1.254, inside tunneled ASA routing asa# %ASA-7-609001: Built local-host outside:10.0.2.100 %ASA-6-302021: Teardown ICMP connection for faddr 10.0.3.1/1280 gaddr 10.0.2.100/0 laddr 10.0.2.100/0 (remote1) %ASA-7-609002: Teardown local-host outside:10.0.2.100 duration 0:00:00 %ASA-7-609001: Built local-host outside:10.0.2.100 %ASA-6-302021: Teardown ICMP connection for faddr 10.0.3.1/1280 gaddr 10.0.2.100/0 laddr 10.0.2.100/0 (remote1) %ASA-7-609002: Teardown local-host outside:10.0.2.100 duration 0:00:00 %ASA-7-609001: Built local-host outside:10.0.2.100 %ASA-6-302021: Teardown ICMP connection for faddr 10.0.3.1/1280 gaddr 10.0.2.100/0 laddr 10.0.2.100/0 (remote1) %ASA-7-609002: Teardown local-host outside:10.0.2.100 duration 0:00:00 %ASA-7-609001: Built local-host outside:10.0.2.100 %ASA-6-302021: Teardown ICMP connection for faddr 10.0.3.1/1280 gaddr 10.0.2.100/0 laddr 10.0.2.100/0 (remote1) %ASA-7-609002: Teardown local-host outside:10.0.2.100 duration 0:00:00 ASA logging