[cisco firewall] routing DMZ inside + vpn werkt niet

120 views since 30-01-2008

  • sebas82
  • Registered: February 2002
  • Last online: 23-10-2024
My problem is as follows: I have a Cisco ASA 5510 firewall (comparable to a Cisco PIX 535)
and I use 3 interfaces on it (Inside, Outside and DMZ), of which the inside interface is divided
into sub-interfaces (VLANs).
Now I have the VPN working fine via the ASA, and I also wanted to get the mail server going, and
for that I consulted the Cisco doc at
http://www.cisco.com/en/U...ple09186a00806745b8.shtml
When I carry this out, it goes wrong: the VPN connection no longer works.

My configuration looked like this:

; ----------DMZ--------mailserver (192.168.2.2)
; internet--------------[asa 5510]---------inside/vlan600(192.168.6.0)
; --------VPN(192.168.45.0)

code:
: Saved
: Written by cisco at 14:36:38.527 CEDT Wed Jun 7 2006
!
ASA Version 7.1(2) 
!
hostname ciscoasa
domain-name SECAS.ORG
enable password eSfZJhatppRp4hrk encrypted
names
!
interface Ethernet0/0
 description WAN
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/1
 description leeg
 nameif inside
 security-level 10
 ip address 192.168.100.1 255.255.255.0 
!
interface Ethernet0/1.1
 no vlan
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.4
 description finance / directie
 vlan 400
 nameif vlan400
 security-level 10
 ip address 192.168.4.1 255.255.255.0 
!
interface Ethernet0/1.5
 description secr / receptie
 vlan 500
 nameif vlan500
 security-level 10
 ip address 192.168.5.1 255.255.255.0 
!
interface Ethernet0/1.6
 description servers inside
 vlan 600
 nameif vlan600
 security-level 10
 ip address 192.168.6.1 255.255.255.0 
!
interface Ethernet0/1.8
 description IT
 vlan 800
 nameif vlan800
 security-level 10
 ip address 192.168.8.1 255.255.255.0 
!
interface Ethernet0/2
 description dmz
 nameif DMZ
 security-level 1
 ip address 192.168.2.1 255.255.255.0 
!
interface Management0/0
 description management
 nameif management
 security-level 20
 ip address 192.168.0.4 255.255.255.0 
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
!
time-range niek
!
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name SECAS.ORG
same-security-traffic permit inter-interface
access-list vlan600_authentication_ACS extended permit tcp interface vlan600 interface outside 
access-list vlan400_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0 
access-list tisec_splitTunnelAcl standard permit host 192.168.6.1 
!
http-map webtraffic
 port-misuse p2p action drop log
 port-misuse tunnelling action drop log
 port-misuse default action allow log
 request-method rfc post action drop
 request-method rfc put action drop
 request-method rfc delete action drop
 request-method rfc default action allow log
 request-method ext copy action drop log
 request-method ext edit action drop log
 request-method ext default action allow log
!
pager lines 24
logging enable
logging timestamp
logging buffered emergencies
logging trap informational
logging asdm informational
logging facility 16
logging host vlan600 192.168.6.3
logging debug-trace
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu vlan400 1500
mtu vlan500 1500
mtu vlan600 1500
mtu vlan800 1500
mtu DMZ 1500
mtu management 1500
ip local pool tisec-dhcp 192.168.45.1-192.168.45.10 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface vlan400
ip verify reverse-path interface vlan500
ip verify reverse-path interface vlan600
ip verify reverse-path interface vlan800
ip verify reverse-path interface DMZ
icmp permit any outside
icmp permit any vlan400
icmp permit any vlan500
icmp permit any vlan600
icmp permit any vlan800
icmp permit any DMZ
asdm image disk0:/asdm512.bin
asdm location 192.168.4.2 255.255.255.255 vlan400
asdm location 192.168.6.2 255.255.255.255 vlan600
asdm location 146.76.18.20 255.255.255.255 outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan600) 1 192.168.6.0 255.255.255.0
static (vlan600,vlan400) 192.168.6.0 192.168.6.0 netmask 255.255.255.0 
access-group vlan400_access_in in interface vlan400
rip vlan600 passive version 2
rip vlan600 default version 2
rip vlan800 passive version 2
rip vlan800 default version 2
route outside 0.0.0.0 0.0.0.0 192.168.6.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server secas.org protocol nt
aaa-server secas.org (vlan600) host 192.168.6.3
 nt-auth-domain-controller dc-01.secas.org
aaa-server ACS protocol tacacs+
aaa-server ACS (vlan600) host 192.168.6.7
 key Sec123
aaa-server TISEC-RADIUS protocol radius
aaa-server TISEC-RADIUS (vlan600) host 192.168.6.3
 key tisec
 authentication-port 1812
 accounting-port 1813
group-policy tisec internal
group-policy tisec attributes
 dns-server value 192.168.6.3
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username tisec password yo1itj32lyPcbYQo encrypted privilege 15
url-server (vlan600) vendor websense host 192.168.6.7 timeout 30 protocol TCP version 4 connections 5
aaa authentication enable console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication serial console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication match vlan600_authentication_ACS vlan600 ACS
aaa authorization command LOCAL 
aaa accounting enable console ACS
aaa accounting serial console ACS
aaa accounting ssh console ACS
aaa accounting telnet console ACS
aaa accounting command ACS
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow 
http server enable
http 192.168.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt authentication domaincontroller 
auth-prompt accept goed zo!! 
auth-prompt reject he eikel.... 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp enable vlan600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group tisec type ipsec-ra
tunnel-group tisec general-attributes
 address-pool tisec-dhcp
 authentication-server-group TISEC-RADIUS
 default-group-policy tisec
tunnel-group tisec ipsec-attributes
 pre-shared-key tisec2
telnet 192.168.6.0 255.255.255.0 vlan600
telnet 192.168.0.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.4.100-192.168.4.200 vlan400
dhcpd address 192.168.5.100-192.168.5.200 vlan500
dhcpd address 192.168.6.100-192.168.6.200 vlan600
dhcpd address 192.168.8.100-192.168.8.200 vlan800
dhcpd address 192.168.2.10-192.168.2.100 DMZ
dhcpd dns 145.76.6.32 192.168.6.3
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain SECAS
dhcpd enable vlan400
dhcpd enable vlan500
dhcpd enable vlan600
dhcpd enable vlan800
dhcpd enable DMZ
!
class-map inspection_default
 match default-inspection-traffic
class-map outside-class-web
 match port tcp eq www
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
policy-map webtraffic-policy
 class outside-class-web
  inspect http webtraffic 
!
service-policy global_policy global
service-policy webtraffic-policy interface outside
ntp server 194.109.22.18 source outside prefer
:end


After that I run the commands as listed in the Cisco doc:

code:
access-list outside_int extended permit tcp any host 146.76.18.20 eq smtp 
access-list dmz_int extended permit tcp host 192.168.2.2 any eq smtp 
static (vlan600,dmz) 192.168.6.0 192.168.6.0 netmask 255.255.255.0 
static (dmz,outside) 146.76.18.20 192.168.2.2 netmask 255.255.255.255
access-group outside_int in interface outside
access-group dmz_int in interface dmz


The VPN connection stops working as soon as this command is entered:
static (vlan600,dmz) 192.168.6.0 192.168.6.0 netmask 255.255.255.0

  • Mikey!
  • Registered: August 2001
  • Last online: 07-04 15:24
There are several ways to make sure that traffic from one interface to another is NOT NATted; the method you are using is one of them. But creating such a translation can indeed cause problems: you are telling the box that all traffic must be NATted towards the internet, except when the traffic is headed for the DMZ.

Instead of a mandatory translation of 192.168.6.0 to 192.168.6.0, you are better off using an access-list in which you specify which traffic should NOT be NATted. Traffic towards the VPN clients is something you don't want NATted, and you haven't specified that yet :)

A little script could look like this (new commands were shown in bold):

access-list nonat-vlan600 extended permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat-vlan600 extended permit ip 192.168.6.0 255.255.255.0 192.168.45.0 255.255.255.0


global (outside) 1 interface
nat (vlan600) 0 access-list nonat-vlan600
nat (vlan600) 1 192.168.6.0 255.255.255.0
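As an added example (not part of the thread, and not Cisco's code), the script below models the part of the ASA 7.x NAT logic that the reply relies on: a `nat (ifc) 0 access-list` exemption is evaluated before the dynamic `nat (ifc) 1` / `global (outside) 1 interface` pair, so a flow that matches the nonat list keeps its real address while everything else from that subnet is PATted to the outside address. It parses a constructed excerpt of the configuration posted above (interface names, subnets and the `tisec-dhcp` pool are taken from it; the exemption lines are written in the `permit ip` form the ASA parser requires), classifies a few flows from vlan600, and checks that every address in the VPN pool is covered by the exemption list. Static and policy NAT are deliberately not modelled; the `translate` / `vpn_pool_gaps` names and the "exempt" / "pat-outside" / "untranslated" labels are this example's own.

```python
"""Check an ASA 7.x-style NAT exemption list against the VPN pool (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt: only the NAT-relevant lines from the thread, with the
# exemption list written in the "permit ip" form the ASA parser requires.
CONFIG = """\
ip local pool tisec-dhcp 192.168.45.1-192.168.45.10 mask 255.255.255.0
access-list nonat-vlan600 extended permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat-vlan600 extended permit ip 192.168.6.0 255.255.255.0 192.168.45.0 255.255.255.0
global (outside) 1 interface
nat (vlan600) 0 access-list nonat-vlan600
nat (vlan600) 1 192.168.6.0 255.255.255.0
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)")
POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+) mask \S+")

Net = ipaddress.IPv4Network


def net(addr: str, mask: str) -> Net:
    """Build a network from the ASA's 'address netmask' pair."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


class NatPolicy:
    """Minimal model of ASA 7.x NAT ordering: exemption first, then dynamic NAT.

    Static and policy NAT are left out on purpose; the thread's problem is the
    dynamic PAT rule catching traffic that should have been exempted.
    """

    def __init__(self, config: str) -> None:
        self.acls: Dict[str, List[Tuple[Net, Net]]] = {}
        self.exempt: Dict[str, str] = {}          # interface -> nonat ACL name
        self.dynamic: Dict[str, List[Net]] = {}   # interface -> 'nat (ifc) 1' sources
        self.pool: List[ipaddress.IPv4Address] = []
        for line in config.splitlines():
            if m := ACL_RE.match(line):
                name, s, sm, d, dm = m.groups()
                self.acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
            elif m := NAT0_RE.match(line):          # must be tried before NAT_RE
                self.exempt[m.group(1)] = m.group(2)
            elif m := NAT_RE.match(line):
                ifc, _nat_id, s, sm = m.groups()
                self.dynamic.setdefault(ifc, []).append(net(s, sm))
            elif m := POOL_RE.match(line):
                lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.groups())
                self.pool = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]

    def translate(self, ifc: str, src: str, dst: str) -> str:
        """Classify one flow entering on `ifc`: exempt, pat-outside or untranslated."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        acl = self.exempt.get(ifc)
        if acl and any(s in sn and d in dn for sn, dn in self.acls.get(acl, [])):
            return "exempt"           # nat 0 access-list wins over every other rule
        if any(s in n for n in self.dynamic.get(ifc, [])):
            return "pat-outside"      # nat (ifc) 1 + global (outside) 1 interface
        return "untranslated"         # no rule in this model applies

    def vpn_pool_gaps(self, ifc: str) -> List[ipaddress.IPv4Address]:
        """VPN pool addresses that hosts behind `ifc` would still reach through PAT."""
        gaps: List[ipaddress.IPv4Address] = []
        for n in self.dynamic.get(ifc, []):
            probe = str(next(n.hosts()))          # first host of each NATted subnet
            gaps += [p for p in self.pool if self.translate(ifc, probe, str(p)) != "exempt"]
        return gaps


def without_vpn_exemption(config: str = CONFIG) -> str:
    """The same config minus the VPN-pool line: what the original post lacked."""
    keep = [l for l in config.splitlines() if not l.endswith("192.168.45.0 255.255.255.0")]
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    good, bad = NatPolicy(CONFIG), NatPolicy(without_vpn_exemption())
    for dst, what in [("192.168.2.2", "DMZ mail server"), ("192.168.45.3", "VPN client"),
                      ("194.109.22.18", "internet")]:
        print(f"vlan600 -> {what:16} {dst:15} {good.translate('vlan600', '192.168.6.2', dst)}")
    print("pool addresses still PATted without the 192.168.45.0 line:",
          len(bad.vpn_pool_gaps("vlan600")))
```

Running it shows the DMZ and VPN-client flows as exempt and the internet flow as PAT to the outside address; with the 192.168.45.0 line removed, all ten pool addresses come back from `vpn_pool_gaps`, which is the condition the reply describes. A real ASA also consults `static` and policy NAT between those two steps, so treat the result as a check on the nonat list, not as a full NAT simulator.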