ASA 5505 no internet

                   Dear all
i have a problem with ASA 5505
i have three vlans : Inside, Guest, Outside
the Inside's vlan network is 172.16.100.0  255.255.252.0
Guest                           is 192.168.1.0    255.255.252.0
Outside                        is  78.100.86.70 255.255.255.252
i am able to ping from Guest and inside vlans to outside
but i can't get internet from outside (the dns from the ISP 212.77.192.59, 212.77.192.60)
i configured for the guest vlan a PC-DHCP server, it's configured DNS  it's working fine.
i am getting ip and dns from the DHCP server to my PCs i still can't get the internet
here the running configuration
[BEGIN] 05/5/2012 4:56:02 PM
sho run
: Saved
ASA Version 8.2(5)
hostname ConcordeASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 12
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
<--- More --->
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.100.1 255.255.252.0
interface Vlan2
nameif outside
security-level 0
ip address 78.100.86.70 255.255.255.252
interface Vlan12
no forward interface Vlan1
nameif Guest
security-level 50
ip address 192.168.1.1 255.255.252.0
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup Guest
dns server-group DefaultDNS
<--- More --->
name-server 212.77.192.59
name-server 212.77.192.60
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any eq www any eq www
access-list Guest_access_in extended permit ip any any
access-list Guest_access_in extended permit tcp any eq www any eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Guest 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Guest) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group Guest_access_in in interface Guest
route outside 0.0.0.0 0.0.0.0 78.100.86.70 1
route outside 0.0.0.0 255.255.255.255 78.100.86.70 1
route inside 172.16.100.0 255.255.252.0 172.16.100.1 1
timeout xlate 3:00:00
<--- More --->
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.100.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
<--- More --->
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
    30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
    74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
    68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
    3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
    63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
    0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
    a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
    9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
    7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
    15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
    63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
    18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
    4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
    81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
    db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
    7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
    ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
    45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
    2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
    1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
<--- More --->
    03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
    69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
    02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
    6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
    c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
    69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
    1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
    551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
    1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
    2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
    4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
    b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
    6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
    481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
    b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
    5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
    6c2527b9 deb78458 c61f381e a4c4cb66
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
<--- More --->
dhcpd address 172.16.100.5-172.16.101.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
<--- More --->
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:e0196cb8af51c7a69c8c6a9b426d33e4
: end
ConcordeASA#
[END] 05/5/2012 4:56:38 PM
please help

Can you ping your default gateway from the asa?
You should be able to ping 8.8.8.8 from the asa of not then check your ip address for the outside interface and then the default route.
Let me know.
Sent from Cisco Technical Support iPhone App

Similar Messages

  • ASA 5505 - 2 Internet Connections, Problems with the Default Route

    Hey there,
    i have a Problem at a Customer Site at the moment. The customer uses an ASA 5505 with two internet connections attached to it. On the first connection (which is the only one in use at the moment) he has some Static-PAT's from Outside to Inside where he translates different services to the internal servers. He also has a site-2-site VPN terminating there and AnyConnect.
    He now wants to switch the Internet Traffic from Inside to the new Internet Connection. Therefore changing the default route to that new ISPs Gateway. The problem now is, that no traffic recieved on the old "outside" Interface is transmitted back out of that old "outside" Interface. And this happens although the "same-security permit intra-interface" command is set.
    Can you tell me what's wrong here? For every Static-PAT from outside to inside there is also a dynamic PAT from inside to outside. But the ASA seems to ignore this. I have not looked into the Logs yet, was too busy finding the problem because i had no real time window to test on the productive ASA.
    Can it be achieved in any way? Having a default route on the ASA which leads any traffic to the second internet connection while still having connections on the first internet connection where no explicit route can be set? Because connections arrive from random IPs?
    Many thanks for your help in advance!
    Steffen

    Phillip, indeed , I have as well read may comments,it all depends on your environment as they all differ from one another, you best bet is to have a good solid plan for upgrade and fall back. You do have a justification to upgrade for features needed, so I would suggest the following:
    1- Do a search again in forum for ASA code upgrades and look at comments from users that have gone through this process and note their impact in fuctionality if any. I believe this is good resource to collect information .
    2- Very important , look into release notes for a particular version. For example version 8.0, look into open CAVEATS usually at the end of the link page, reading the open bugs gives you clues what has not yet been resolved for that particular code and if in fact could impact you in your environment, it is possible that a particular bug does not realy apply to your environment becuase you have yet not implemented that particualr configuration. Usually we all try to aim towards a GD (General Deployment) code which is what we all understand is most stable but not necesarily means you have to be stack in that code waiting for another GD release, in my personal experience I have upgraded our firewall from 7.2 to 8.0(3) long ago and had no issues, and recently upgraded to 8.0(4)when it was first release in August this year.
    Release notes
    http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html
    3- AS a good practice precaution -
    a-Backup firewall configs in clear text as well as via tftp code.
    b-Backup running code and ASDM version code currently running in firewall.
    c- Save the output of " show version " to have as reference for all the feature licenses you currently have running as asll as activation keys - good info to have to compare with after upgrade.
    d- Ensure that the code you will be using to upgrade also uses correct ASDM version code.
    I think with thorough assesment and preparation you can indeed minimize impact.
    Rgds
    Jorge

  • ASA 5505 to Internet (Part 2)

    I've been trying to get an ASA 5505 configured correctly to let a laptop on one of the ports successfully browse the web.  Afterwards, I'll set up AnyConnect but thats another story. I previously had a thread where I had lots of help, but unfortunately the end results were still not successful. I decided to redo my config from sctrach and have all my information compiled in hopes of getting more help with a simpler post.
    Hopefully I this is not an overwhelming amount of information. I'm just trying to figure out what I have set wrong. Thanks in advance for any help. Its greatly appreciated.
    Background:
    IT has provided me with a port with the following information
    Static IP address: 99.66.167.69
    Default Gateway: 99.66.167.70
    Subnet Mask: 255.255.255.248
    Primary DNS: A.A.A.A
    Secondary DNS: B.B.B.B
    I have ethernet going from the above port to the eth0/0 port of the ASA and then another ethernet going from eth0/1 to the laptop.  I have the console connection going to a desktop server that is connected to a completely different network (only available machine with console port).
    Configuration of ASA:
    ciscoasa# show run
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    !interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.66.167.69 255.255.255.248
    !ftp mode passive
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 99.66.167.70 1timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end
    Current Interface Settings
    ciscoasa# show int ip br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                unassigned      YES unset  up                    up
    Ethernet0/1                unassigned      YES unset  up                    up
    Ethernet0/2                unassigned      YES unset  down                  down
    Ethernet0/3                unassigned      YES unset  down                  down
    Ethernet0/4                unassigned      YES unset  down                  down
    Ethernet0/5                unassigned      YES unset  down                  down
    Ethernet0/6                unassigned      YES unset  administratively down down
    Ethernet0/7                unassigned      YES unset  administratively down down
    Internal-Data0/0           unassigned      YES unset  up                    up
    Internal-Data0/1           unassigned      YES unset  up                    up
    Vlan1                      192.168.1.1     YES manual up                    up
    Vlan2                      99.66.167.69    YES manual up                    up
    Virtual0                   127.0.0.1       YES unset  up                    up
    Laptop Settings:
    C:\Users\user>ipconfig
    Windows IP Configuration
    Ethernet adapter Local Area Connection 12:
        Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Ethernet adapter Local Area Connection* 28:
        Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Ethernet adapter Local Area Connection* 17:
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::41ae:ea9e:1bab:71e7%19
       Default Gateway . . . . . . . . . :
    Wireless LAN adapter Wireless Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::5095:d5d4:ce1d:8514%11
       IPv4 Address. . . . . . . . . . . : 192.168.1.3
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . :
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Tunnel adapter isatap.{D6E5C2D0-8D75-4795-A613-944AF2C74691}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Tunnel adapter isatap.{4FF04642-E278-4F02-AA4C-20FF49FF3400}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Ping Results
    C:\Users\user>ping 4.2.2.2
    Pinging 4.2.2.2 with 32 bytes of data:
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    Ping statistics for 4.2.2.2:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\Users\user>ping 99.67.167.70
    Pinging 99.67.167.70 with 32 bytes of data:
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    Ping statistics for 99.67.167.70:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\Users\user>ping 99.67.167.69
    Pinging 99.67.167.69 with 32 bytes of data:
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    PING: transmit failed. General failure.
    Ping statistics for 99.67.167.69:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\Users\user>ping 192.168.1.1
    Pinging 192.168.1.1 with 32 bytes of data:
    Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
    Reply from 192.168.1.1: bytes=32 time=9ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
    Ping statistics for 192.168.1.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 9ms, Average = 2ms

    Default gateway appears to be correct. I went ahead and just put the DNS's you suggested for the print out
    C:\Users\user>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : user
       Primary Dns Suffix  . . . . . . . : removed
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : huawei.com
    Ethernet adapter Local Area Connection* 28:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Nortel VPN Adapter
       Physical Address. . . . . . . . . : 00-FF-D6-E5-C2-D0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Local Area Connection* 17:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Nortel IPSECSHM Adapter
       Physical Address. . . . . . . . . : 44-45-53-54-42-00
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::41ae:ea9e:1bab:71e7%19(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 574899539
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-10-63-AE-F0-DE-F1-48-06-EC
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Wireless LAN adapter Wireless Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6200 AGN
       Physical Address. . . . . . . . . : 18-3D-A2-3E-81-84
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82577LM Gigabit Network Connecti
    on
       Physical Address. . . . . . . . . : F0-DE-F1-57-7E-00
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5095:d5d4:ce1d:8514%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 250666737
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-10-63-AE-F0-DE-F1-48-06-EC
       DNS Servers . . . . . . . . . . . : 8.8.8.8
                                           8.8.4.4
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{D6E5C2D0-8D75-4795-A613-944AF2C74691}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #7
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{14DF9E78-3A5B-4384-BCE7-F47362E18C14}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #8
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{4FF04642-E278-4F02-AA4C-20FF49FF3400}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #9
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\user>

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT excemption on both sides for IPSEC subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
    - Toggled between static to dynamic crypto maps on ASA1
    Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT excemption.
    Does anyone have any idea?
    195.txt contains show running-config of ASA3
    212.txt contains show running-config of ASA1
    log.txt contains somewhat entire log snipper of ASA1

    Hi,
    on 212 is see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
    If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • Internet Connection Became Slow after Introduction of Cisco ASA 5505 to the Network

    I configured a Cisco ASA 5505 (Version Cisco Adaptive Security Appliance Software Version 7.2(3)
    Device Manager Version 5.2(3)
    in transparent firewall mode and inserted after Cisco 1700 router. However, the internet connection became very slow and users are compaining that they cannot load any pages.
    My setup looks like:
    Internet --> Cisco 1700 --> Cisco ASA 5505 --> LAN
    The license information is:
    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs                       : 3, DMZ Restricted
    Inside Hosts                : Unlimited
    Failover                    : Disabled
    VPN-DES                     : Enabled
    VPN-3DES-AES                : Enabled
    VPN Peers                   : 10
    WebVPN Peers                : 2
    Dual ISPs                   : Disabled
    VLAN Trunk Ports            : 0
    This platform has a Base license.
    The flash activation key is the SAME as the running key.
    My running-config looks like:
    ASA Version 7.2(3)
    firewall transparent
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    no shut
    interface Vlan2
    nameif outside
    security-level 0
    no shut
    interface Ethernet0/0
    switchport access vlan 2
    no shut
    interface Ethernet0/1
    no shut
    interface Ethernet0/2
    no shut
    interface Ethernet0/3
    no shut
    interface Ethernet0/4
    no shut
    interface Ethernet0/5
    no shut
    interface Ethernet0/6
    no shut
    interface Ethernet0/7
    no shut
    passwd 2KFQnbNIdI.2KYOU encrypted
    regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
    regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
    regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
    regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
    regex domainlist1 "\.facebook\.com"
    regex domainlist2 "\.diretube\.com"
    regex domainlist3 "\.youtube\.com"
    regex domainlist4 "\.vimeo\.com"
    regex applicationheader "application/.*"
    regex contenttype "Content-Type"
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_in extended permit ip any any
    access-list inside_mpc extended permit tcp any any eq www
    access-list inside_mpc extended permit tcp any any eq 8080
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address 192.168.1.254 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map type regex match-any DomainBlockList
    match regex domainlist1
    match regex domainlist2
    match regex domainlist3
    match regex domainlist4
    class-map type inspect http match-all BlockDomainsClass
    match request header host regex class DomainBlockList
    class-map type regex match-any URLBlockList
    match regex urllist1
    match regex urllist2
    match regex urllist3
    match regex urllist4
    class-map inspection_default
    match default-inspection-traffic
    class-map type inspect http match-all AppHeaderClass
    match response header regex contenttype regex applicationheader
    class-map httptraffic
    match access-list inside_mpc
    class-map type inspect http match-all BlockURLsClass
    match request uri regex class URLBlockList
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map type inspect http http_inspection_policy
    parameters
      protocol-violation action drop-connection
    class AppHeaderClass
      drop-connection log
    match request method connect
      drop-connection log
    class BlockDomainsClass
      reset log
    class BlockURLsClass
      reset log
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    policy-map inside-policy
    class httptraffic
      inspect http http_inspection_policy
    service-policy global_policy global
    service-policy inside-policy interface inside
    prompt hostname context
    Cryptochecksum:8ab1a53df6ae3c202aee236d6080edfd
    : end
    Could the slow internet connection be due to license limitations? Or is there something wrong with my configuration?
    Please see the configuration and help.
    Thanks

    I have re-configured the ASA 5505 yesterday and so far it's working fine. I am not sure if the problem will re-appear later on. Anyways here is my sh tech-support
    ciscoasa# sh tech-support
    Cisco Adaptive Security Appliance Software Version 7.2(3)
    Device Manager Version 5.2(3)
    Compiled on Wed 15-Aug-07 16:08 by builders
    System image file is "disk0:/asa723-k8.bin"
    Config file at boot was "startup-config"
    ciscoasa up 14 hours 16 mins
    Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                                 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    0: Int: Internal-Data0/0    : address is 001f.9ee8.ffa2, irq 11
    1: Ext: Ethernet0/0         : address is 001f.9ee8.ff9a, irq 255
    2: Ext: Ethernet0/1         : address is 001f.9ee8.ff9b, irq 255
    3: Ext: Ethernet0/2         : address is 001f.9ee8.ff9c, irq 255
    4: Ext: Ethernet0/3         : address is 001f.9ee8.ff9d, irq 255
    5: Ext: Ethernet0/4         : address is 001f.9ee8.ff9e, irq 255
    6: Ext: Ethernet0/5         : address is 001f.9ee8.ff9f, irq 255
    <--- More --->
    7: Ext: Ethernet0/6         : address is 001f.9ee8.ffa0, irq 255
    8: Ext: Ethernet0/7         : address is 001f.9ee8.ffa1, irq 255
    9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces : 8        
    VLANs                       : 3, DMZ Restricted
    Inside Hosts                : Unlimited
    Failover                    : Disabled
    VPN-DES                     : Enabled  
    VPN-3DES-AES                : Enabled  
    VPN Peers                   : 10       
    WebVPN Peers                : 2        
    Dual ISPs                   : Disabled 
    VLAN Trunk Ports            : 0        
    This platform has a Base license.
    Serial Number: JMX1211Z2N4
    Running Activation Key: 0xaf0ed046 0xbcf18ebf 0x80b38508 0xba785cc0 0x05250493
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    <--- More --->
    ------------------ show clock ------------------
    18:32:58.254 UTC Tue Nov 26 2013
    ------------------ show memory ------------------
    Free memory:       199837144 bytes (74%)
    Used memory:        68598312 bytes (26%)
    Total memory:      268435456 bytes (100%)
    ------------------ show conn count ------------------
    1041 in use, 2469 most used
    ------------------ show xlate count ------------------
    0 in use, 0 most used
    ------------------ show blocks ------------------
      SIZE    MAX    LOW    CNT
         0    100     68    100
    <--- More --->
         4    300    299    299
        80    100     92    100
       256    100     94    100
      1550   6174   6166   6174
      2048   1124    551    612
    ------------------ show blocks queue history detail ------------------
    History buffer memory usage: 2136 bytes (default)
    ------------------ show interface ------------------
    Interface Internal-Data0/0 "", is up, line protocol is up
      Hardware is y88acs06, BW 1000 Mbps
    (Full-duplex), (1000 Mbps)
    MAC address 001f.9ee8.ffa2, MTU not set
    IP address unassigned
    18491855 packets input, 11769262614 bytes, 0 no buffer
    Received 213772 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops, 0 demux drops
    18185861 packets output, 11626494317 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
    <--- More --->
    0 input reset drops, 0 output reset drops
    input queue (curr/max packets): hardware (0/0) software (0/0)
    output queue (curr/max packets): hardware (0/55) software (0/0)
      Control Point Interface States:
    Interface number is unassigned
    Interface Internal-Data0/1 "", is administratively down, line protocol is up
      Hardware is 88E6095, BW 1000 Mbps
    (Full-duplex), (1000 Mbps)
    MAC address 0000.0003.0002, MTU not set
    IP address unassigned
    18184216 packets input, 11625360131 bytes, 0 no buffer
    Received 206655 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 switch ingress policy drops
    18490057 packets output, 11768078777 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Loopback0 "_internal_loopback", is up, line protocol is up
      Hardware is VirtualMAC address 0000.0000.0000, MTU 1500
    IP address 127.1.0.1, subnet mask 255.255.0.0
    <--- More --->
      Traffic Statistics for "_internal_loopback":
    1 packets input, 28 bytes
    1 packets output, 28 bytes
    1 packets dropped
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
      Control Point Interface States:
    Interface number is 28
    Interface config status is active
    Interface state is active
    Interface Vlan1 "inside", is up, line protocol is up
      Hardware is EtherSVI
    MAC address 001f.9ee8.ffa2, MTU 1500
    IP address 192.168.1.254, subnet mask 255.255.255.0
      Traffic Statistics for "inside":
    7742275 packets input, 903584114 bytes
    10645034 packets output, 10347291114 bytes
    184883 packets dropped
          1 minute input rate 320 pkts/sec,  35404 bytes/sec
          1 minute output rate 325 pkts/sec,  313317 bytes/sec
    <--- More --->
          1 minute drop rate, 17 pkts/sec
          5 minute input rate 399 pkts/sec,  59676 bytes/sec
          5 minute output rate 483 pkts/sec,  503200 bytes/sec
          5 minute drop rate, 9 pkts/sec
      Control Point Interface States:
    Interface number is 1
    Interface config status is active
    Interface state is active
    Interface Vlan2 "outside", is up, line protocol is up
      Hardware is EtherSVI
    MAC address 001f.9ee8.ffa3, MTU 1500
    IP address 192.168.1.254, subnet mask 255.255.255.0
      Traffic Statistics for "outside":
    10750090 packets input, 10432619059 bytes
    7541331 packets output, 870613684 bytes
    109911 packets dropped
          1 minute input rate 328 pkts/sec,  313770 bytes/sec
          1 minute output rate 301 pkts/sec,  32459 bytes/sec
          1 minute drop rate, 2 pkts/sec
          5 minute input rate 485 pkts/sec,  503789 bytes/sec
          5 minute output rate 387 pkts/sec,  57681 bytes/sec
          5 minute drop rate, 2 pkts/sec
      Control Point Interface States:
    Interface number is 2
    <--- More --->
    Interface config status is active
    Interface state is active
    Interface Ethernet0/0 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9a, MTU not set
    IP address unassigned
    10749794 packets input, 10630700889 bytes, 0 no buffer
    Received 2506 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    3 switch ingress policy drops
    7541070 packets output, 1028190148 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/1 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    <--- More --->
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9b, MTU not set
    IP address unassigned
    7741977 packets input, 1064586806 bytes, 0 no buffer
    Received 211282 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    10644663 packets output, 10543362751 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/2 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9c, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    <--- More --->
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/3 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9d, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    <--- More --->
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/4 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9e, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    <--- More --->
    Interface number is unassigned
    Interface Ethernet0/5 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ff9f, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/6 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    <--- More --->
    MAC address 001f.9ee8.ffa0, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    Interface Ethernet0/7 "", is down, line protocol is down
      Hardware is 88E6095, BW 100 Mbps
    Auto-Duplex, Auto-Speed
    Available but not configured via nameif
    MAC address 001f.9ee8.ffa1, MTU not set
    IP address unassigned
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    <--- More --->
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    0 rate limit drops
    0 switch egress policy drops
      Control Point Interface States:
    Interface number is unassigned
    ------------------ show cpu usage ------------------
    CPU utilization for 5 seconds = 12%; 1 minute: 11%; 5 minutes: 11%
    ------------------ show cpu hogging process ------------------
    Process:      Dispatch Unit, NUMHOG: 1, MAXHOG: 133, LASTHOG: 140
    LASTHOG At:   04:45:59 UTC Nov 26 2013
    PC:           8be0f7
    Traceback:    8bed19  8bf553  302b87  3030a5  2fad69  7674bf  75ca16
                  c6251d  c62a4c  c62f6c  75c653  767820  797f64  769c85
    <--- More --->
    ------------------ show process ------------------
        PC       SP       STATE       Runtime    SBASE     Stack Process
    Mwe 00c9bb24 01bb8700 013e3250          0 01733fc8 15616/16384 emweb/cifs
    Lwe 001072ac 0176f9c4 013e32d0          0 0176d9f0 8132/8192 block_diag
    Mrd 00223a67 01783d5c 013e33b0     314854 0177be18 25752/32768 Dispatch Unit
    Msi 00f82847 01b07b84 013e3250        229 01b05bc0 7984/8192 y88acs06 OneSec Thread
    Mwe 0011b1a5 01b09cfc 013e3250          0 01b07d88 7864/8192 Reload Control Thread
    Mwe 00120606 01b1260c 013e5258          0 01b10988 7256/8192 aaa
    Mwe 001486aa 01b19404 013e5ae8          0 01b15450 16020/16384 CMGR Server Process
    Mwe 0014c3c5 01b1b4d4 013e3250          0 01b19570 7968/8192 CMGR Timer Process
    Lwe 002227a1 01b239b4 013ee360          0 01b219f0 7524/8192 dbgtrace
    Mwe 004e1ba5 01b29c34 013e3250        157 01b27d50 6436/8192 eswilp_svi_init
    Mwe 01064b1d 01b4a7f4 013e3250          0 01b48890 7848/8192 Chunk Manager
    Msi 008b61b6 01b52d54 013e3250        230 01b50da0 7856/8192 PIX Garbage Collector
    Lsi 00ecb6ac 01b54e94 013e3250         12 01b52ec0 7552/8192 route_process
    Mwe 008a5ddc 01b5dc04 0133b430          0 01b5bc40 8116/8192 IP Address Assign
    Mwe 00acb779 01b60604 01346e10          0 01b5e640 8116/8192 QoS Support Module
    Mwe 0091eba9 01b6275c 0133c530          0 01b60798 8116/8192 Client Update Task
    Lwe 01083c8e 01b656d4 013e3250     123088 01b63770 7840/8192 Checkheaps
    Mwe 00acfd7d 01b6b824 013e3250        623 01b69ad0 3476/8192 Quack process
    Mwe 00b2a260 01b6dad4 013e3250         22 01b6bbf0 7364/8192 Session Manager
    Mwe 00c55efd 01b78564 031d0478          4 01b74a50 14768/16384 uauth
    <--- More --->
    Mwe 00be3c9e 01b7aaec 0135c010          0 01b78b28 7524/8192 Uauth_Proxy
    Mwe 00c52759 01b80e0c 01361770          0 01b7ee88 7712/8192 SMTP
    Mwe 00c3f7b9 01b82eec 01361710          0 01b80fa8 7412/8192 Logger
    Mwe 00c3fd26 01b8502c 013e3250          0 01b830c8 7492/8192 Thread Logger
    Mwe 00f62272 01b9596c 013ac520          0 01b939c8 7188/8192 vpnlb_thread
    Msi 00b4097c 01c598c4 013e3250        190 01c578f0 8000/8192 emweb/cifs_timer
    Msi 005bd338 017a909c 013e3250      25855 017a7108 7412/8192 arp_timer
    Mwe 005c76bc 01b486e4 013fba50      20643 01b46770 7348/8192 arp_forward_thread
    Mwe 00c5a919 023fa5fc 013619e0          0 023f8648 7968/8192 tcp_fast
    Mwe 00c5a6e5 023fc624 013619e0          0 023fa670 7968/8192 tcp_slow
    Mwe 00c754d1 0240d42c 013628a0          0 0240b478 8100/8192 udp_timer
    Mwe 0019cb17 01b404a4 013e3250          0 01b3e530 7984/8192 CTCP Timer process
    Mwe 00efe8b3 0308c15c 013e3250          0 0308a208 7952/8192 L2TP data daemon
    Mwe 00efef23 0308e194 013e3250          0 0308c230 7968/8192 L2TP mgmt daemon
    Mwe 00eea02b 030c62ac 013a5c10         43 030c2338 16244/16384 ppp_timer_thread
    Msi 00f62d57 030c82f4 013e3250        264 030c6360 7924/8192 vpnlb_timer_thread
    Mwe 001b96e6 01b7cbbc 01b1e9c8          1 01b7ac48 7728/8192 IPsec message handler
    Msi 001c9bac 01b8d4dc 013e3250       2917 01b8b548 7648/8192 CTM message handler
    Mwe 00af93b8 031465b4 013e3250          0 03144640 7984/8192 ICMP event handler
    Mwe 00831003 0314a724 013e3250        387 031467b0 16100/16384 IP Background
    Mwe 0021b267 031a83c4 013123c0         31 03188450 123488/131072 tmatch compile thread
    Mwe 009f2405 03290044 013e3250          0 0328c0c0 16072/16384 Crypto PKI RECV
    Mwe 009f305a 03294144 013e3250          0 032901e0 16040/16384 Crypto CA
    Mwe 0064d4fd 01b3e24c 013e3250          8 01b3c2f8 7508/8192 ESW_MRVL switch interrupt service
    <--- More --->
    Msi 00646f5c 032c134c 013e3250    3059378 032bf448 7184/8192 esw_stats
    Lsi 008cbb80 032dc704 013e3250          3 032da730 7908/8192 uauth_urlb clean
    Lwe 008afee7 034a0914 013e3250        197 0349e9b0 6636/8192 pm_timer_thread
    Mwe 0052f0bf 034a35ac 013e3250          0 034a1648 7968/8192 IKE Timekeeper
    Mwe 00520f6b 034a8adc 0132e2b0          0 034a4e38 15448/16384 IKE Daemon
    Mwe 00bf5c78 034ac7ac 01360680          0 034aa7f8 8100/8192 RADIUS Proxy Event Daemon
    Mwe 00bc32de 034ae79c 034dcbe0          0 034ac918 7208/8192 RADIUS Proxy Listener
    Mwe 00bf5e0f 034b099c 013e3250          0 034aea38 7968/8192 RADIUS Proxy Time Keeper
    Mwe 005aac4c 034b3154 013fb980          0 034b1250 7492/8192 Integrity FW Task
    M*  008550a5 0009fefc 013e33b0       3183 034e3b20 24896/32768 ci/console
    Msi 008eb694 034ed9d4 013e3250       2370 034ebc40 6176/8192 update_cpu_usage
    Msi 008e6415 034f7dac 013e3250       1096 034f5eb8 6124/8192 NIC status poll
    Mwe 005b63e6 03517d1c 013fbd10       1963 03515d78 7636/8192 IP Thread
    Mwe 005becbe 03519e4c 013fbcb0          3 03517e98 7384/8192 ARP Thread
    Mwe 004c2b36 0351befc 013fbae0          0 03519fe8 7864/8192 icmp_thread
    Mwe 00c7722e 0351e06c 013e3250          0 0351c108 7848/8192 udp_thread
    Mwe 00c5d126 0352008c 013fbd00          0 0351e228 7688/8192 tcp_thread
    Mwe 00bc32de 03a6982c 03a5ee18          0 03a679b8 7512/8192 EAPoUDP-sock
    Mwe 00266c15 03a6b614 013e3250          0 03a699e0 7032/8192 EAPoUDP
    Mwe 005a6728 01b27b94 013e3250          0 01b25c30 7968/8192 Integrity Fw Timer Thread
    -     -        -         -      47686621    -         -     scheduler
    -     -        -         -      51253819    -         -     total elapsed
    ------------------ show failover ------------------
    <--- More --->
    ERROR: Command requires failover license
    ------------------ show traffic ------------------
    inside:
    received (in 51429.740 secs):
    7749585 packets905087345 bytes
    67 pkts/sec17013 bytes/sec
    transmitted (in 51429.740 secs):
    10653162 packets10355908020 bytes
    40 pkts/sec201026 bytes/sec
          1 minute input rate 412 pkts/sec,  51803 bytes/sec
          1 minute output rate 475 pkts/sec,  522952 bytes/sec
          1 minute drop rate, 24 pkts/sec
          5 minute input rate 399 pkts/sec,  59676 bytes/sec
          5 minute output rate 483 pkts/sec,  503200 bytes/sec
          5 minute drop rate, 9 pkts/sec
    outside:
    received (in 51430.240 secs):
    10758403 packets10441440193 bytes
    42 pkts/sec203021 bytes/sec
    transmitted (in 51430.240 secs):
    7548339 packets872053854 bytes
    <--- More --->
    63 pkts/sec16037 bytes/sec
          1 minute input rate 479 pkts/sec,  523680 bytes/sec
          1 minute output rate 387 pkts/sec,  46796 bytes/sec
          1 minute drop rate, 3 pkts/sec
          5 minute input rate 485 pkts/sec,  503789 bytes/sec
          5 minute output rate 387 pkts/sec,  57681 bytes/sec
          5 minute drop rate, 2 pkts/sec
    _internal_loopback:
    received (in 51430.740 secs):
    1 packets28 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51430.740 secs):
    1 packets28 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Aggregated Traffic on Physical Interface
    <--- More --->
    Ethernet0/0:
    received (in 51431.740 secs):
    10758462 packets10640075825 bytes
    42 pkts/sec206042 bytes/sec
    transmitted (in 51431.740 secs):
    7548383 packets1029818127 bytes
    63 pkts/sec20023 bytes/sec
          1 minute input rate 485 pkts/sec,  537048 bytes/sec
          1 minute output rate 395 pkts/sec,  54546 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 485 pkts/sec,  511723 bytes/sec
          5 minute output rate 387 pkts/sec,  65495 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/1:
    received (in 51433.570 secs):
    7749780 packets1066328930 bytes
    67 pkts/sec20064 bytes/sec
    transmitted (in 51433.570 secs):
    10653359 packets10552787020 bytes
    40 pkts/sec205006 bytes/sec
          1 minute input rate 419 pkts/sec,  59621 bytes/sec
          1 minute output rate 480 pkts/sec,  533950 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 399 pkts/sec,  67618 bytes/sec
    <--- More --->
          5 minute output rate 482 pkts/sec,  511073 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/2:
    received (in 51434.730 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51434.730 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/3:
    received (in 51434.730 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51434.730 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
    <--- More --->
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/4:
    received (in 51434.870 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51434.870 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/5:
    received (in 51434.870 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51434.870 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    <--- More --->
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/6:
    received (in 51435.010 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51435.010 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Ethernet0/7:
    received (in 51435.010 secs):
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
    transmitted (in 51435.010 secs):
    <--- More --->
    0 packets0 bytes
    0 pkts/sec0 bytes/sec
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Internal-Data0/0:
    received (in 51435.510 secs):
    18513901 packets11784250044 bytes
    25 pkts/sec229023 bytes/sec
    transmitted (in 51435.510 secs):
    18207269 packets11641332179 bytes
    19 pkts/sec226078 bytes/sec
          1 minute input rate 891 pkts/sec,  595715 bytes/sec
          1 minute output rate 863 pkts/sec,  588935 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 885 pkts/sec,  584035 bytes/sec
          5 minute output rate 870 pkts/sec,  580393 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Internal-Data0/1:
    received (in 51436.010 secs):
    18207323 packets11641364184 bytes
    <--- More --->
    19 pkts/sec226076 bytes/sec
    transmitted (in 51436.010 secs):
    18513954 packets11784281987 bytes
    25 pkts/sec229022 bytes/sec
          1 minute input rate 855 pkts/sec,  575808 bytes/sec
          1 minute output rate 884 pkts/sec,  582339 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 869 pkts/sec,  578350 bytes/sec
          5 minute output rate 883 pkts/sec,  581924 bytes/sec
          5 minute drop rate, 0 pkts/sec
    ------------------ show perfmon ------------------
    PERFMON STATS:    Current      Average
    Xlates               0/s          0/s
    Connections         17/s          6/s
    TCP Conns            8/s          2/s
    UDP Conns            7/s          2/s
    URL Access           0/s          0/s
    URL Server Req       0/s          0/s
    TCP Fixup            0/s          0/s
    TCP Intercept        0/s          0/s
    HTTP Fixup           0/s          0/s
    <--- More --->
    FTP Fixup            0/s          0/s
    AAA Authen           0/s          0/s
    AAA Author           0/s          0/s
    AAA Account          0/s          0/s
    ------------------ show counters ------------------
    Protocol     Counter                     Value   Context
    IP           IN_PKTS                  168960   Summary
    IP           OUT_PKTS                 169304   Summary
    IP           TO_ARP                       61   Summary
    ------------------ show history ------------------
    ------------------ show firewall ------------------
    Firewall mode: Transparent
    ------------------ show running-config ------------------
    <--- More --->
    : Saved
    ASA Version 7.2(3)
    firewall transparent
    hostname ciscoasa
    enable password
    names
    interface Vlan1
    nameif inside
    security-level 100
    interface Vlan2
    nameif outside
    security-level 0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    <--- More --->
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    passwd
    regex domain1 ".facebook\.com"
    regex domain2 ".fb\.com"
    regex domain3 ".youtube\.com"
    ftp mode passive
    access-list ACL_IN extended permit ip any any
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip address 192.168.1.254 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    <--- More --->
    arp timeout 14400
    access-group ACL_IN in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map type regex match-any DomainBlockList
    match regex domain1
    match regex domain2
    match regex domain3
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    <--- More --->
      message-length maximum 512
    match domain-name regex class DomainBlockList
      drop-connection log
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:bb5115ea1d14ee42e7961ef0c9aaed86
    : end
    <--- More --->
    ------------------ show startup-config errors ------------------
    INFO: No configuration errors
    ------------------ console logs ------------------
    Message #1 : Message #2 : Message #3 : Message #4 : Message #5 : Message #6 : Message #7 : Message #8 : Message #9 : Message #10 : Message #11 : Message #12 : Message #13 : Message #14 :
    Total SSMs found: 0
    Message #15 :
    Total NICs found: 10
    Message #16 : 88E6095 rev 2 Gigabit Ethernet @ index 09Message #17 :  MAC: 0000.0003.0002
    Message #18 : 88E6095 rev 2 Ethernet @ index 08Message #19 :  MAC: 001f.9ee8.ffa1
    Message #20 : 88E6095 rev 2 Ethernet @ index 07Message #21 :  MAC: 001f.9ee8.ffa0
    Message #22 : 88E6095 rev 2 Ethernet @ index 06Message #23 :  MAC: 001f.9ee8.ff9f
    Message #24 : 88E6095 rev 2 Ethernet @ index 05Message #25 :  MAC: 001f.9ee8.ff9e
    Message #26 : 88E6095 rev 2 Ethernet @ index 04Message #27 :  MAC: 001f.9ee8.ff9d
    Message #28 : 88E6095 rev 2 Ethernet @ index 03Message #29 :  MAC: 001f.9ee8.ff9c
    Message #30 : 88E6095 rev 2 Ethernet @ index 02Message #31 :  MAC: 001f.9ee8.ff9b
    Message #32 : 88E6095 rev 2 Ethernet @ index 01Message #33 :  MAC: 001f.9ee8.ff9a
    Message #34 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 001f.9ee8.ffa2
    Message #35 :
    Licensed features for this platform:
    Message #36 : Maximum Physical Interfaces : 8        
    <--- More --->
    Message #37 : VLANs                       : 3, DMZ Restricted
    Message #38 : Inside Hosts                : Unlimited
    Message #39 : Failover                    : Disabled
    Message #40 : VPN-DES                     : Enabled  
    Message #41 : VPN-3DES-AES                : Enabled  
    Message #42 : VPN Peers                   : 10       
    Message #43 : WebVPN Peers                : 2        
    Message #44 : Dual ISPs                   : Disabled 
    Message #45 : VLAN Trunk Ports            : 0        
    Message #46 :
    This platform has a Base license.
    Message #47 :
    Message #48 : Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
    Message #49 :                              Boot microcode   : CNlite-MC-Boot-Cisco-1.2
    Message #50 :                              SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
    Message #51 :                              IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    Message #52 :   --------------------------------------------------------------------------
    Message #53 :                                  .            .                            
    Message #54 :                                  |            |                            
    Message #55 :                                 |||          |||                           
    Message #56 :                               .|| ||.      .|| ||.                         
    Message #57 :                            .:||| | |||:..:||| | |||:.                      
    Message #58 :                             C i s c o  S y s t e m s                       
    Message #59 :   --------------------------------------------------------------------------
    <--- More --->
    Message #60 :
    Cisco Adaptive Security Appliance Software Version 7.2(3)
    Message #61 :
    Message #62 :   ****************************** Warning *******************************
    Message #63 :   This product contains cryptographic features and is
    Message #64 :   subject to United States and local country laws
    Message #65 :   governing, import, export, transfer, and use.
    Message #66 :   Delivery of Cisco cryptographic products does not
    Message #67 :   imply third-party authority to import, export,
    Message #68 :   distribute, or use encryption. Importers, exporters,
    Message #69 :   distributors and users are responsible for compliance
    Message #70 :   with U.S. and local country laws. By using this
    Message #71 :   product you agree to comply with applicable laws and
    Message #72 :   regulations. If you are unable to comply with U.S.
    Message #73 :   and local laws, return the enclosed items immediately.
    Message #74 :
    Message #75 :   A summary of U.S. laws governing Cisco cryptographic
    Message #76 :   products may be found at:
    Message #77 :   http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    Message #78 :
    Message #79 :   If you require further assistance please contact us by
    Message #80 :   sending email to [email protected].
    Message #81 :   ******************************* Warning *******************************
    Message #82 :
    <--- More --->
    Message #83 : Copyright (c) 1996-2007 by Cisco Systems, Inc.
    Message #84 :                 Restricted Rights Legend
    Message #85 : Use, duplication, or disclosure by the Government is
    Message #86 : subject to restrictions as set forth in subparagraph
    Message #87 : (c) of the Commercial Computer Software - Restricted
    Message #88 : Rights clause at FAR sec. 52.227-19 and subparagraph
    Message #89 : (c) (1) (ii) of the Rights in Technical Data and Computer
    Message #90 : Software clause at DFARS sec. 252.227-7013.
    Message #91 :                 Cisco Systems, Inc.
    Message #92 :                 170 West Tasman Drive
    Message #93 :                 San Jose, California 95134-1706
    ciscoasa#   

  • Cisco ASA 5505 can ping gateway but can't ping internet

    Good day to all!
    Sorry if I post this on the wrong group, I am having a bit of a problem on configuring an ASA 5505 firewall. And I scoured google but can't seem to find a specific link to my issues.
    It is on a routed mode, have successfully configured inside and outside vlans. Hosts inside vlan can ping each other. Hosts on outside vlan can also ping each other. Problem is, when I am pinging 8.8.8.8, I received ????? Please see config below.
    Any help greatly appreciated.
    TIA!
    : Saved
    ASA Version 8.4(3)
    hostname ciscoasan
    enable password bD3fGYMFeJJTATOJ encrypted
    passwd 2KF1w9ErdI.2KYOU encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     description INSIDE
     nameif inside
     security-level 100
     ip address 10.10.10.2 255.255.255.0
    interface Vlan2
     description OUTSIDE
     nameif outside
     security-level 0
     ip address 203.127.68.2 255.255.255.240
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network obj_any
     nat (inside,outside) dynamic interface
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 203.127.68.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    http authentication-certificate inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny  
      inspect sunrpc
      inspect xdmcp
      inspect sip  
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6b3e0ce99eda3d2563cf9f392f8001b7
    : end

    Hi badingdong,
    Remove these lines:
    no nat (inside,outside) after-auto source dynamic any interface
    no access-group outside_access_in in interface outside
    If you have more inside subnets need access to internet, please make sure that you have a static route in place as shown below.
    route inside 10.0.0.0 255.0.0.0 10.10.10.1
    Also make sure that you have a correct DNS server is assigned on your internal hosts.
    Thanks
    Rizwan Rafeek

  • ASA 5505 not connecting to the internet

    My ASA 5505 9.1 previously worked but I recently swapped out my modem (different issue).  The new modem is bridged so my ASA gets an IP address from the ISP.
    Internet ------ SB6141 modem ---------- ASA ---------- rest of network (direct connection or router)
    I have no issues connecting to the ASA and when I remove the ASA my router properly connects to the internet.  
    Things I have tried
    Setting static address for ASA outside interface
    Pinging 8.8.8.8 from ASDM (ping fails in ASDM but works in CLI)
    Modifying the NAT
    Successful packet trace
    Reading multiple other forum entries
    I can't figure out what is blocking the traffic to the outside.  Below is my running-config.
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.1.0 Wireless
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute 
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    object network obj-192.168.2.0
     subnet 192.168.2.0 255.255.255.248
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Wireless
     subnet 10.0.1.0 255.255.255.0
     description Created during name migration
    object network NETWORK_OBJ_192.168.2.0_29
     subnet 192.168.2.0 255.255.255.248
    object network obj_any_1
     subnet 0.0.0.0 0.0.0.0
     description Outside
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq 4444
     port-object eq 4445
     port-object eq 4446
    object-group service Wemo tcp-udp
     port-object eq 3478
    object-group service DM_INLINE_SERVICE_1
     service-object udp destination eq 1701 
     service-object tcp destination eq pptp 
     service-object udp destination eq 4500 
     service-object udp destination eq isakmp 
     service-object tcp destination eq 50 
     service-object tcp destination eq 51 
     service-object tcp destination eq 44000 
    object-group service DM_INLINE_TCP_3 tcp
     port-object eq 4444
     port-object eq 4445
     port-object eq 4446
     port-object eq 5900
     port-object eq 5901
    object-group network DM_INLINE_NETWORK_1
     network-object host 217.79.189.135
     network-object host 24.197.239.70
    object-group service DM_INLINE_TCP_4 tcp
     port-object eq 5900
     port-object eq 5901
    object-group service DM_INLINE_TCP_5 tcp
     port-object eq www
     port-object eq https
    access-list inside_access_in extended permit object-group TCPUDP object Wireless any 
    access-list inside_access_in extended permit icmp object Wireless any 
    access-list inside_access_in extended permit ip object Wireless any 
    access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any 
    access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any 
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_5 
    access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
    access-list inside_access_in extended permit icmp 192.168.2.0 255.255.255.0 any 
    access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any 
    access-list inside_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.0 any 
    access-list inside_nat0_outbound extended permit ip any4 192.168.2.0 255.255.255.248 
    access-list inside_nat0_outbound extended permit tcp any4 192.168.2.0 255.255.255.248 
    access-list inside_nat0_outbound_1 extended permit ip any4 192.168.2.0 255.255.255.248 
    access-list outside_access_in extended permit tcp any object AppleRouter object-group DM_INLINE_TCP_2 
    access-list outside_access_in remark VNC
    access-list outside_access_in extended permit tcp any object AppleRouter object-group DM_INLINE_TCP_4 
    access-list outside_access_in extended deny tcp object-group DM_INLINE_NETWORK_1 any object-group DM_INLINE_TCP_3 
    access-list outside_access_in remark Migration, ACE (line 2) expanded: permit tcp any4 interface outside object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit tcp any4 0.0.0.0 0.0.0.0 eq www 
    access-list outside_access_in extended permit tcp any4 0.0.0.0 0.0.0.0 eq https 
    access-list outside_access_in remark ICMP config
    access-list outside_access_in extended permit icmp any4 0.0.0.0 0.0.0.0 
    access-list outside_access_in extended permit tcp any4 object AppleRouter object-group Wemo 
    access-list outside_access_in extended permit udp any4 object AppleRouter object-group Wemo 
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 interface outside 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715-100.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,any) source static any any destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup inactive
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.0_29 NETWORK_OBJ_192.168.2.0_29 no-proxy-arp route-lookup inactive
    object network AppleRouter-4500
     nat (inside,outside) static interface service tcp 4500 4500 
    object network AppleRouter-4444
     nat (inside,outside) static interface service tcp 4444 4444 
    object network AppleRouter-5901
     nat (inside,outside) static interface service tcp 5901 5901 
    object network AppleRouter-5900
     nat (inside,outside) static interface service tcp 5900 5900 
    object network AppleRouter-4445
     nat (inside,outside) static interface service tcp 4445 4445 
    object network AppleRouter-4446
     nat (inside,outside) static interface service tcp 4446 4446 
    object network Wemo-tcp
     nat (inside,outside) static interface service tcp 3478 3478 
    object network Wemo-udp
     nat (inside,outside) static interface service udp 3478 3478 
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet Wireless 255.255.255.0 inside
    telnet timeout 10
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Wireless 255.255.255.0 inside
    ssh timeout 10
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    dhcpd address 192.168.1.5-192.168.1.254 inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside

    First lets eliminate the ASA as the problem, Connect a PC directly to one of the "inside" ports on the ASA and make sure it recieves an IP in the 192.168.1.0/24 range.
    add this command to the ASA
    object network obj_any
      nat (inside,outside) dynamic interface
    now try to ping 8.8.8.8 or 4.2.2.2
    If ping works, now add the router back into the loop and see if you are able to reach the internet again.
    Please remember to select a correct answer and rate helpful posts

  • Internet connexion problem for remote site in Site to site VPN asa 5505

    Hi all
    I'm configuring a site to site Ipsec VPN in 2 sites using ASA 5505 V 8.2, The VPN is working fine i can ping machine in the 2 sides but the problem is the remote site dont' have internet.
    The architecture is, we 2 site Site1 is the main site and Site2 is secondary site there will be Site3, ...
    The internet connection is based in Site1 and site2 and site 3 will have internet connection through Site1. Site1, Site2 and Site 3 is interconnected by Ipsec VPN.
    Here is my ASA 5505 Configuration :
    SITE 1:
    ASA Version 8.2(5)
    hostname test-malabo
    domain-name test.mg
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd ta.qizy4R//ChqQH encrypted
    names
    interface Ethernet0/0
     description "Sortie Internet"
     switchport access vlan 2
    interface Ethernet0/1
     description "Interconnexion"
     switchport access vlan 171
    interface Ethernet0/2
     description "management"
     switchport access vlan 10
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 41.79.49.42 255.255.255.192
    interface Vlan10
     nameif mgmt
     security-level 0
     ip address 10.12.1.100 255.255.0.0
    interface Vlan171
     nameif interco
     security-level 0
     ip address 10.22.19.254 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
     domain-name test.mg
    object-group network LAN-MALABO
     description LAN DE MALABO
     network-object 192.168.1.0 255.255.255.0
    object-group network LAN-BATA
     description LAN DE BATA
     network-object 192.168.2.0 255.255.255.0
    object-group network LAN-LUBA
     description LAN DE LUBA
     network-object 192.168.3.0 255.255.255.0
    access-list interco_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    mtu interco 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    icmp permit any interco
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (interco) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 41.79.49.1 1
    route interco 192.168.3.0 255.255.255.0 10.22.19.5 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map interco_map0 1 match address interco_1_cryptomap
    crypto map interco_map0 1 set pfs group1
    crypto map interco_map0 1 set peer 10.22.19.5
    crypto map interco_map0 1 set transform-set ESP-3DES-SHA
    crypto map interco_map0 interface interco
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto isakmp enable interco
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 10.12.0.0 255.255.0.0 mgmt
    telnet timeout 30
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 10.12.0.0 255.255.0.0 mgmt
    ssh timeout 30
    console timeout 0
    management-access interco
    dhcpd option 3 ip 192.168.1.1
    dhcpd address 192.168.1.100-192.168.1.254 inside
    dhcpd dns 41.79.48.66 8.8.8.8 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
    tunnel-group 10.22.19.5 type ipsec-l2l
    tunnel-group 10.22.19.5 ipsec-attributes
     pre-shared-key *****
     isakmp keepalive threshold 60 retry 5
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect snmp
      inspect icmp
    prompt hostname context
    call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:5aa0d27f15e49ea597c8097cfdb755b8
    : end
    SITE2:
    ASA Version 8.2(5)
    hostname test-luba
    domain-name test.eg
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
     description "Sortie Interco-Internet"
     switchport access vlan 2
    interface Ethernet0/1
     description "management"
     switchport access vlan 10
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.3.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.22.19.5 255.255.255.0
    interface Vlan10
     nameif mgmt
     security-level 0
     ip address 10.12.1.101 255.255.0.0
    ftp mode passive
    dns server-group DefaultDNS
     domain-name test.eg
    object-group network LAN-MALABO
     description LAN DE MALABO
     network-object 192.168.1.0 255.255.255.0
    object-group network LAN-BATA
     description LAN DE BATA
     network-object 192.168.2.0 255.255.255.0
    object-group network LAN-LUBA
     description LAN DE LUBA
     network-object 192.168.3.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    route outside 0.0.0.0 0.0.0.0 10.22.19.254 1
    route outside 192.168.1.0 255.255.255.0 10.22.19.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map0 1 match address outside_1_cryptomap
    crypto map outside_map0 1 set pfs group1
    crypto map outside_map0 1 set peer 10.22.19.254
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 10.12.0.0 255.255.0.0 mgmt
    telnet timeout 30
    ssh 192.168.3.0 255.255.255.0 inside
    ssh 10.12.0.0 255.255.0.0 mgmt
    ssh timeout 30
    console timeout 0
    management-access outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
    tunnel-group 10.22.19.254 type ipsec-l2l
    tunnel-group 10.22.19.254 ipsec-attributes
     pre-shared-key *****
     isakmp keepalive threshold 60 retry 5
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:185bd689118ba24f9a0ef2f7e80494f6
    Can anybody help why my remote site can't connect to Internet.
    REgards,
    Raitsarevo

    Hi Carv,
    Thanks for your reply. i have done finally
    i used no crypto ipsec nat-transparency udp-encapsulation in my end router only.
    and in remote access VPN i have enabled UDP for client configuration. the most imprtant is i have given IP add of same LAN pool to VPN user,
    Regards,
    Satya.M

  • Cisco ASA 5505 performance issues on downloads - data into the ASA from the Internet

    I have having serious issues with performance on my ASA 5505s that I am testing with 9.2.3 code.
    I stripped the config and removed as much stuff as I could - no VPN etc. and I am ONLY getting about 30-40Mbps downloads from sites but 95Mbps uploads????  Anyone else seeing these problems?   If I remove the firewall my PC can hit 300/300Mbps to the same sites using the same switch and cable.
    I installed 1Gb of mem on the ASA 5505 but it made no difference. The ASA has a UL IP Security license but I am only using and inside and outside address for these tests, no other ports configured.
    Is anyone else seeing this performance problem with the 9.2.3 code?  I went to this from 8.2.5 to try to resolve QOS failure bugs that I found in the 8.2.5 code. I did not expect to have a performance hit though and it is only on downloads TO the ASA from the Internet from all speed test sites that I try. Uploading speeds seem fine. No access-lists on my interfaces either...barebones config.
    My FIOS and switch interfaces are fine...no errors on any interfaces and the same switch interface hits 300/300Mbps when my laptop is directly attached. 
    Anyone have a barebones config on their ASA 5505 that flies...I will try it on mine and see if some command somewhere (hidden) is causing the issue. I even cleared the config and started with a clean slate just in case I was missing some command from the older configs that may have impacted performance.

    After changing the switch with a high end switch my performance increased but I am still not happy with the throughput out of my ASA. I have about 50+ ASAs 5505s and a dozen 5510s. Most remote sites have 5505s. All my sites right now have 8.2.5-51 and I wanted to put 9.2.3 out there to solve issues I have uncovered on the 8.2.5 code with regards to QOS issues.
    I get much better results using the Cisco 3750X attached to the FIOS  (right around 300/300 with my laptop directly attached to the 3750x bypassing the ASA - my FIOS circuit rating is also 300/300).  Going through the ASA to the same test site I get download speeds of 35 to 75. Changes randomly which really bothers me. My uploads speeds are ALWAYS faster then my download speeds.  Example - best download I would ever get is 75Mb and my upload would usually hit 95Mb during the same test period.
    I may have to live with it but the inconsistency is what really bothers me.
    Here is the config I am currently using. Nothing going on during testing since only a single PC is attached. VPN tunnel to the main site can be up or down...doesn't seem to make any difference. PC does to site directly from outside interface of ASA...split tunneling. Even when I removed tunnels and tested with just the ASA as a firewall to the Internet I was still seeing the same inconsistencies.
    Anything obviously  missing - new command or anything?   Xlates causing issues?

  • How to sync clock of Cisco ASA 5505 from NTP Server on internet

    Hi there!
    i've setup a site, with cisco ASA 5505. It has public ip also.
    i want to sync the clock of firewall from on ntp server on internet, or with internal domain controller that is inside LAN.
    The firewall has public IP also.
    how can i do this?
    Regards!

    Hello Lasandro,
    This should do it!
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_hostname_pw.html#wp1236530
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Trying to pass internet with a Cisco ASA 5505

    Hello,
       I have not been having much success configuring my 5505 for Internet access, and I'm sure there are a few small things I'm missing.  At times I believe I got it to the point where I could ping, but still not pass through the Internet traffic.  At this point, I reset the 5505 and only changed a couple of settings. 
    I have an external range with these characteristics: Network Address 67.139.113.16 (.17 is Gateway), SM: 255.255.255.248, available IP: 67.139.113.218
    The external connection is through a T1 modem, and when I put those settings in my laptop, I can access just fine.
    When I went through the startup wizard in the ADSM, I maded the internal interface 10.209.0.3, subnet mask: 255.255.255.0
    I selected PAT in the Wizard, but don't know if I should have, or if the NAT rules I tried to put in are fine.
    Eventually I want to add a Site to Site VPN to the rest of the 10.0.0.0 network, but I can't even pass the Internet through to the inside.
    Also, this will eventually be behind another hosted firewall, so I'm not worried about restricting access, even currently.
    However, I suspect the problem is that traffic is being blocked with the NAT rules or Access rules.
    I wish I could just disable those inherent deny rules
    Outside of pings to 10.209.0.3, all pings come back as request timed out.
    Can someone please review this, and see if they notice anything I can change?
    I do appreciate it....
    Config:
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.0 Eventual
    name 10.209.0.0 Local
    name 67.139.113.216 T1
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 0
    ip address 10.209.0.3 255.0.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 67.139.113.218 255.255.255.248
    time-range Indefinite
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 Local 255.255.255.0 any time-range Indefinite
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 0.0.0.0 0.0.0.0 dns tcp 255 255  udp 255
    access-group inside_access_in in interface inside
    route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Eventual 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.209.0.201-10.209.0.232 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:d3c4872f997a93984332213f98fbe12b
    : end
    asdm location Eventual 255.0.0.0 inside
    asdm location Local 255.255.255.0 inside
    asdm location T1 255.255.255.248 inside
    asdm history enable

    Unfortunately that didn't work....
    The new config:
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.0 Eventual
    name 10.209.0.0 Local
    name 67.139.113.216 T1
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 0
    ip address 10.209.0.3 255.0.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 67.139.113.218 255.255.255.248
    time-range Indefinite
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Eventual 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.209.0.201-10.209.0.232 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:64bbf533cf1bd591e797c053ea9e107a
    : end
    asdm location Eventual 255.0.0.0 inside
    asdm location Local 255.255.255.0 inside
    asdm location T1 255.255.255.248 inside
    asdm history enable
    I am getting some more encouraging messages in the Syslog, but I still cannot bing 8.8.8.8 or the outside interface.
    5
    Aug 29 2008
    01:42:55
    8.8.4.4
    53
    Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src inside:10.209.0.6/64477 dst inside:8.8.4.4/53 denied due to NAT reverse path failure
    6
    Aug 29 2008
    01:42:54
    10.209.0.6
    1686
    SSL session with client inside:10.209.0.6/1686 terminated.
    6
    Aug 29 2008
    01:42:54
    10.209.0.6
    1686
    10.209.0.3
    443
    Deny TCP (no connection) from 10.209.0.6/1686 to 10.209.0.3/443 flags FIN ACK on interface inside

  • Cisco ASA 5505 - Keeps dropping internet connection

    Hi,
    We are having some issues with our Cisco ASA 5505 unit, it intermittently drops the outside interface connection. Internally the network appears to be working correctly with no issues. Even though the outside interface indicates it is 'up' access to the internet is lost from our LAN. This seems to be ocourring more and more often! This is happening for all users on the network too. Reloading the ASA seems to correct the problem temporally but this isn't really an option during peak periods in the day as this would obviously hinder work being carried out by employees.
    Any ideas?
    Any help would be greatly appreciated!!
    Thanks,
    John
    Running Config Below:
    ASA Version 8.2(1)
    hostname ******************
    domain-name *************************
    enable password ************************* encrypted
    passwd **************************** encrypted
    names
    dns-guard
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.3.0.254 255.255.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address ***************** 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server *****************
    domain-name **********************
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit tcp any any eq smtp
    access-list outside_access_in extended permit tcp any any eq 3389
    access-list outside_access_in extended permit tcp any any eq https
    access-list outside_access_in extended permit tcp any any
    access-list outside_access_in extended permit tcp any any eq 3839
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    failover timeout -1
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp 10.3.0.2 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https 10.3.0.2 https netmask 255.255.255.255
    static (inside,outside) tcp interface 3839 10.3.0.1 3839 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 10.3.0.1 3389 netmask 255.255.255.255
    static (inside,inside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 norandomseq nailed
    static (inside,inside) 172.16.63.0 172.16.63.0 netmask 255.255.255.240 norandomseq nailed
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 *************** 1
    route inside 172.16.63.0 255.255.255.240 10.3.0.253 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.3.0.0 255.255.0.0 inside
    http 10.3.0.0 255.255.255.0 inside
    http 10.10.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ************ password *********************** encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global

    Hello,
    What happens when you assign eth0 as internal interface and eth1 as outside if?
    Also configure logging (/debugging) to see if there are hardware issues or something else.
    And it seems you have a range of public addresses. What happens when you connect a device, e.g. a laptop directly on the internet access device and send continue ping to an internet host.
    When you loose internet connectivity, is the laptop still pinging to that host?
    Hopefully this helps you,
    Kind regards,
    Ralph Willemsen
    Arnhem, Netherlands

  • Setting up site to site vpn with cisco asa 5505

    I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!

    Hi Mandy,
    By using following access list define Peer IP as source and destination
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    you are not defining the interesting traffic / subnets from both ends.
    Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
    !.1..source subnet(called local encryption domain) at your end  192.168.200.0
    !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
    !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
    !...at your end  192.168.200.0
    !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
    !...at other end 192.168.100.0
    Please use Baisc Steps as follows:
    A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
    Step 1.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 3.
    Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or , but not both
    crypto isakmp key 6 CISCO123 address71.37.178.142
    step 4.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 6.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Configure the same but just change ACL on other end in step one  by reversing source and destination
    and also set the peer IP of this router in other end.
    So other side config should look as follows:
    B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
    Step 7.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 9.
    Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or , but not both
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    step 10.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map    ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set, only one is permissible
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Now initite a ping
    Here is for your summary:
    IPSec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
    Router#debug crpyto isakmp
    Router#debug crpyto ipsec
    Router(config)# logging buffer 7
    Router(config)# logging buffer 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha1
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Change to Transport Mode, add the following command in Step 4:
    (config-tranform-set)# mode transport
    Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
    Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
    Similarly on R2.
    The below process is for the negotiation using RSA-SIG (PKI) as authentication type
    Debug Process:
    After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg

  • Connect Inside to Outside in ASA 5505

    Hi there,
    I have a test ASA 5505 with the setting below:
    How can I connect to the internet (Vlan 1 to VLan 11)
    TestASA5505#  show run
    : Saved
    ASA Version 8.2(4)
    hostname TestASA5505
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 11
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.99.1 255.255.255.0
    interface Vlan11
    nameif outside
    security-level 0
    ip address 192.168.1.4 255.255.255.0
    boot system disk0:/asa824-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    route outside 0.0.0.0 255.255.255.255 192.168.1.4 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.99.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.99.3-192.168.99.30 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
    webvpn
    username admin password S1xyD1w.ZbjUT1yX encrypted privilege 15
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:096682b0996d6a1cad76597c01ffe5e2
    : end
    TestASA5505#
    Thank you in Advance for your time

    Hi,
    What device is in front of the ASA?
    Is there some ADSL modem doing NAT and providing Internet connection or something?
    One obvious problem in the above configuration is the route
    route outside 0.0.0.0 255.255.255.255 192.168.1.4 1
    Its not actually even a default route and furthermore its pointing to the ASA itself
    It should be something like this
    route outside 0.0.0.0 0.0.0.0 192.168.1.x
    Where the 192.168.1.x is the IP of the device providing the Internet connectivity to the ASA (Since ASA "outside" interface is using private IP address range)
    If there ASA doesnt need to do any NAT then you could also add this
    access-list INSIDE-NAT0 permit ip 192.168.99.0 255.255.255.0 any
    nat (inside) 0 access-list INSIDE-NAT0
    Also your DHCP configurations dont have any DNS servers defined.
    dhcpd dns
    - Jouni

  • Cisco ASA 5505 Site to Site VPN

    Hello All,
    First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
    I would appreciate any help that can be directed towards this issue please.  Slowly losing my mind
    Please see details below:
    Both ADM are 7.1
    IOS
    ASA 1
    aved
    ASA Version 9.0(1)
    hostname PAYBACK
    enable password HSMurh79NVmatjY0 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description Trunk link to SW1
    switchport trunk allowed vlan 1,10,20,30,40
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address 92.51.193.158 255.255.255.252
    interface Vlan10
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan20
    nameif servers
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    interface Vlan30
    nameif printers
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan40
    nameif wireless
    security-level 100
    ip address 192.168.40.1 255.255.255.0
    banner login line Welcome to Payback Loyalty Systems
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup servers
    dns domain-lookup printers
    dns domain-lookup wireless
    dns server-group DefaultDNS
    name-server 83.147.160.2
    name-server 83.147.160.130
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network ftp_server
    object network Internal_Report_Server
    host 192.168.20.21
    description Automated Report Server Internal Address
    object network Report_Server
    host 89.234.126.9
    description Automated Report Server
    object service RDP
    service tcp destination eq 3389
    description RDP to Server
    object network Host_QA_Server
    host 89.234.126.10
    description QA Host External Address
    object network Internal_Host_QA
    host 192.168.20.22
    description Host of VM machine for QA
    object network Internal_QA_Web_Server
    host 192.168.20.23
    description Web Server in QA environment
    object network Web_Server_QA_VM
    host 89.234.126.11
    description Web server in QA environment
    object service SQL_Server
    service tcp destination eq 1433
    object network Demo_Server
    host 89.234.126.12
    description Server set up to Demo Product
    object network Internal_Demo_Server
    host 192.168.20.24
    description Internal IP Address of Demo Server
    object network NETWORK_OBJ_192.168.20.0_24
    subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_26
    subnet 192.168.50.0 255.255.255.192
    object network NETWORK_OBJ_192.168.0.0_16
    subnet 192.168.0.0 255.255.0.0
    object service MSSQL
    service tcp destination eq 1434
    description MSSQL port
    object network VPN-network
    subnet 192.168.50.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_24
    subnet 192.168.50.0 255.255.255.0
    object service TS
    service tcp destination eq 4400
    object service TS_Return
    service tcp source eq 4400
    object network External_QA_3
    host 89.234.126.13
    object network Internal_QA_3
    host 192.168.20.25
    object network Dev_WebServer
    host 192.168.20.27
    object network External_Dev_Web
    host 89.234.126.14
    object network CIX_Subnet
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network NETWORK_OBJ_84.39.233.50
    host 84.39.233.50
    object network NETWORK_OBJ_92.51.193.158
    host 92.51.193.158
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq ftp
    service-object tcp destination eq netbios-ssn
    service-object tcp destination eq smtp
    service-object object TS
    object-group network Payback_Internal
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_3
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object object TS
    service-object object TS_Return
    object-group service DM_INLINE_SERVICE_4
    service-object object RDP
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_5
    service-object object MSSQL
    service-object object RDP
    service-object object TS
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
    service-object object TS
    service-object object TS_Return
    service-object tcp destination eq www
    service-object tcp destination eq https
    access-list outside_access_in remark This rule is allowing from internet to interal server.
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark FTP
    access-list outside_access_in remark RDP
    access-list outside_access_in remark SMTP
    access-list outside_access_in remark Net Bios
    access-list outside_access_in remark SQL
    access-list outside_access_in remark TS - 4400
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
    access-list outside_access_in remark Access rule to internal host QA
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
    access-list outside_access_in remark Access to INternal Web Server:
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
    access-list outside_access_in remark Rule for allowing access to Demo server
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark RDP
    access-list outside_access_in remark MSSQL
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
    access-list outside_access_in remark Access for Development WebServer
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console informational
    logging asdm informational
    logging from-address
    [email protected]
    logging recipient-address
    [email protected]
    level alerts
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    mtu printers 1500
    mtu wireless 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (wireless,outside) source dynamic any interface
    nat (servers,outside) source dynamic any interface
    nat (servers,outside) source static Internal_Report_Server Report_Server
    nat (servers,outside) source static Internal_Host_QA Host_QA_Server
    nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
    nat (servers,outside) source static Internal_Demo_Server Demo_Server
    nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Internal_QA_3 External_QA_3
    nat (servers,outside) source static Dev_WebServer External_Dev_Web
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 84.39.233.50
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 77.75.100.208 255.255.255.240 outside
    ssh 192.168.10.0 255.255.255.0 inside
    ssh 192.168.40.0 255.255.255.0 wireless
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.168.0.1
    dhcpd auto_config outside
    dhcpd address 192.168.10.21-192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    dhcpd option 15 ascii paybackloyalty.com interface inside
    dhcpd enable inside
    dhcpd address 192.168.40.21-192.168.40.240 wireless
    dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
    dhcpd update dns interface wireless
    dhcpd option 15 ascii paybackloyalty.com interface wireless
    dhcpd enable wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy Payback_VPN internal
    group-policy Payback_VPN attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Payback_VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 83.147.160.2 83.147.160.130
    vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    group-policy GroupPolicy_84.39.233.50 internal
    group-policy GroupPolicy_84.39.233.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username Noelle password XB/IpvYaATP.2QYm encrypted
    username Noelle attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
    username Eanna attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Michael password qpbleUqUEchRrgQX encrypted
    username Michael attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
    username Danny attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
    username Aileen attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
    username Aidan attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    username shane.c password iqGMoWOnfO6YKXbw encrypted
    username shane.c attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Shane password uYePLcrFadO9pBZx encrypted
    username Shane attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username James password TdYPv1pvld/hPM0d encrypted
    username James attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username mark password yruxpddqfyNb.qFn encrypted
    username mark attributes
    service-type admin
    username Mary password XND5FTEiyu1L1zFD encrypted
    username Mary attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
    username Massimo attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    tunnel-group Payback_VPN type remote-access
    tunnel-group Payback_VPN general-attributes
    address-pool VPN1
    default-group-policy Payback_VPN
    tunnel-group Payback_VPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 general-attributes
    default-group-policy GroupPolicy_84.39.233.50
    tunnel-group 84.39.233.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp error
      inspect icmp
    service-policy global-policy global
    smtp-server 192.168.20.21
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
    ASA 2
    ASA Version 9.0(1)
    hostname Payback-CIX
    enable password HSMurh79NVmatjY0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description This port connects to VLAN 100
    switchport access vlan 100
    interface Ethernet0/2
    interface Ethernet0/3
    switchport access vlan 100
    interface Ethernet0/4
    switchport access vlan 100
    interface Ethernet0/5
    switchport access vlan 100
    interface Ethernet0/6
    switchport access vlan 100
    interface Ethernet0/7
    switchport access vlan 100
    interface Vlan2
    nameif outside
    security-level 0
    ip address 84.39.233.50 255.255.255.240
    interface Vlan100
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    banner login line Welcome to Payback Loyalty - CIX
    ftp mode passive
    clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group defaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network CIX-Host-1
    host 192.168.100.2
    description This is the host machine of the VM servers
    object network External_CIX-Host-1
    host 84.39.233.51
    description This is the external IP address of the host server for the VM server
    object service RDP
    service tcp source range 1 65535 destination eq 3389
    object network Payback_Office
    host 92.51.193.158
    object service MSQL
    service tcp destination eq 1433
    object network Development_OLTP
    host 192.168.100.10
    description VM for Eiresoft
    object network External_Development_OLTP
    host 84.39.233.52
    description This is the external IP address for the VM for Eiresoft
    object network Eiresoft
    host 146.66.160.70
    description DBA Contractor
    object network External_TMC_Web
    host 84.39.233.53
    description Public Address of TMC Webserver
    object network TMC_Webserver
    host 192.168.100.19
    description Internal Address of TMC Webserver
    object network External_TMC_OLTP
    host 84.39.233.54
    description Targets OLTP external IP
    object network TMC_OLTP
    host 192.168.100.18
    description Targets interal IP address
    object network External_OLTP_Failover
    host 84.39.233.55
    description Public IP of OLTP Failover
    object network OLTP_Failover
    host 192.168.100.60
    description Server for OLTP failover
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object network Wired
    subnet 192.168.10.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network Eiresoft_2nd
    host 137.117.217.29
    description Eiresoft 2nd IP
    object network Dev_Test_Webserver
    host 192.168.100.12
    description Dev Test Webserver Internal Address
    object network External_Dev_Test_Webserver
    host 84.39.233.56
    description This is the PB Dev Test Webserver
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_2
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_3
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_4
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_5
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_6
    service-object object MSQL
    service-object object RDP
    object-group network Payback_Intrernal
    network-object object Servers
    network-object object Wired
    network-object object Wireless
    object-group service DM_INLINE_SERVICE_7
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_8
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_9
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_10
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_11
    service-object object RDP
    service-object tcp destination eq ftp
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
    access-list outside_access_in remark Development OLTP from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
    access-list outside_access_in remark Access for Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
    access-list outside_access_in remark Access to OLTP for target from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
    access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
    access-list outside_access_in remark Access for the 2nd IP from Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
    access-list outside_access_in remark Access from the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
    access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
    nat (inside,outside) source static Development_OLTP External_Development_OLTP
    nat (inside,outside) source static TMC_Webserver External_TMC_Web
    nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
    nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
    nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 92.51.193.156 255.255.255.252 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 92.51.193.158
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 77.75.100.208 255.255.255.240 outside
    ssh 92.51.193.156 255.255.255.252 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_92.51.193.158 internal
    group-policy GroupPolicy_92.51.193.158 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 general-attributes
    default-group-policy GroupPolicy_92.51.193.158
    tunnel-group 92.51.193.158 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hi,
    Thanks for the help to date
    I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
    See below the details:
    ASA1:
    hostname PAYBACK
    enable password HSMurh79NVmatjY0 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description Trunk link to SW1
    switchport trunk allowed vlan 1,10,20,30,40
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address XX.XX.XX.XX 255.255.255.252
    interface Vlan10
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan20
    nameif servers
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    interface Vlan30
    nameif printers
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan40
    nameif wireless
    security-level 100
    ip address 192.168.40.1 255.255.255.0
    banner login line Welcome to Payback Loyalty Systems
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup servers
    dns domain-lookup printers
    dns domain-lookup wireless
    dns server-group DefaultDNS
    name-server 83.147.160.2
    name-server 83.147.160.130
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network ftp_server
    object network Internal_Report_Server
    host 192.168.20.21
    description Automated Report Server Internal Address
    object network Report_Server
    host 89.234.126.9
    description Automated Report Server
    object service RDP
    service tcp destination eq 3389
    description RDP to Server
    object network Host_QA_Server
    host 89.234.126.10
    description QA Host External Address
    object network Internal_Host_QA
    host 192.168.20.22
    description Host of VM machine for QA
    object network Internal_QA_Web_Server
    host 192.168.20.23
    description Web Server in QA environment
    object network Web_Server_QA_VM
    host 89.234.126.11
    description Web server in QA environment
    object service SQL_Server
    service tcp destination eq 1433
    object network Demo_Server
    host 89.234.126.12
    description Server set up to Demo Product
    object network Internal_Demo_Server
    host 192.168.20.24
    description Internal IP Address of Demo Server
    object network NETWORK_OBJ_192.168.20.0_24
    subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_26
    subnet 192.168.50.0 255.255.255.192
    object network NETWORK_OBJ_192.168.0.0_16
    subnet 192.168.0.0 255.255.0.0
    object service MSSQL
    service tcp destination eq 1434
    description MSSQL port
    object network VPN-network
    subnet 192.168.50.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_24
    subnet 192.168.50.0 255.255.255.0
    object service TS
    service tcp destination eq 4400
    object service TS_Return
    service tcp source eq 4400
    object network External_QA_3
    host 89.234.126.13
    object network Internal_QA_3
    host 192.168.20.25
    object network Dev_WebServer
    host 192.168.20.27
    object network External_Dev_Web
    host 89.234.126.14
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    description Wireless network
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq ftp
    service-object tcp destination eq netbios-ssn
    service-object tcp destination eq smtp
    service-object object TS
    service-object object SQL_Server
    object-group service DM_INLINE_SERVICE_3
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object object TS
    service-object object TS_Return
    object-group service DM_INLINE_SERVICE_4
    service-object object RDP
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_5
    service-object object MSSQL
    service-object object RDP
    service-object object TS
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
    service-object object TS
    service-object object TS_Return
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    object-group network Payback_Internal
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    access-list outside_access_in remark This rule is allowing from internet to interal server.
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark FTP
    access-list outside_access_in remark RDP
    access-list outside_access_in remark SMTP
    access-list outside_access_in remark Net Bios
    access-list outside_access_in remark SQL
    access-list outside_access_in remark TS - 4400
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
    access-list outside_access_in remark Access rule to internal host QA
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
    access-list outside_access_in remark Access to INternal Web Server:
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
    access-list outside_access_in remark Rule for allowing access to Demo server
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark RDP
    access-list outside_access_in remark MSSQL
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
    access-list outside_access_in remark Access for Development WebServer
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console informational
    logging asdm informational
    logging from-address [email protected]
    logging recipient-address [email protected] level alerts
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    mtu printers 1500
    mtu wireless 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source dynamic any interface
    nat (wireless,outside) source dynamic any interface
    nat (servers,outside) source dynamic any interface
    nat (servers,outside) source static Internal_Report_Server Report_Server
    nat (servers,outside) source static Internal_Host_QA Host_QA_Server
    nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
    nat (servers,outside) source static Internal_Demo_Server Demo_Server
    nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Internal_QA_3 External_QA_3
    nat (servers,outside) source static Dev_WebServer External_Dev_Web
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer XX.XX.XX.XX
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map servers_map interface servers
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 enable servers
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.168.0.1
    dhcpd auto_config outside
    dhcpd address 192.168.10.21-192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    dhcpd option 15 ascii paybackloyalty.com interface inside
    dhcpd enable inside
    dhcpd address 192.168.40.21-192.168.40.240 wireless
    dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
    dhcpd update dns interface wireless
    dhcpd option 15 ascii paybackloyalty.com interface wireless
    dhcpd enable wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy Payback_VPN internal
    group-policy Payback_VPN attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Payback_VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 83.147.160.2 83.147.160.130
    vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    group-policy GroupPolicy_84.39.233.50 internal
    group-policy GroupPolicy_84.39.233.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username Noelle password XB/IpvYaATP.2QYm encrypted
    username Noelle attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
    username Eanna attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Michael password qpbleUqUEchRrgQX encrypted
    username Michael attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
    username Danny attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username niamh password MlFlIlEiy8vismE0 encrypted
    username niamh attributes
    service-type admin
    username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
    username Aileen attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
    username Aidan attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    username shane.c password iqGMoWOnfO6YKXbw encrypted
    username shane.c attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Shane password yQeVtvLLKqapoUje encrypted privilege 0
    username Shane attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username James password TdYPv1pvld/hPM0d encrypted
    username James attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username mark password yruxpddqfyNb.qFn encrypted
    username mark attributes
    service-type admin
    username Mary password XND5FTEiyu1L1zFD encrypted
    username Mary attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
    username Massimo attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    tunnel-group Payback_VPN type remote-access
    tunnel-group Payback_VPN general-attributes
    address-pool VPN1
    default-group-policy Payback_VPN
    tunnel-group Payback_VPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 general-attributes
    default-group-policy GroupPolicy_84.39.233.50
    tunnel-group 84.39.233.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp error
      inspect icmp
    service-policy global-policy global
    smtp-server 192.168.20.21
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:83fa7ce1d93375645205f6e79b526381
    ASA2:
    ASA Version 9.0(1)
    hostname Payback-CIX
    enable password HSMurh79NVmatjY0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description This port connects to VLAN 100
    switchport access vlan 100
    interface Ethernet0/2
    interface Ethernet0/3
    switchport access vlan 100
    interface Ethernet0/4
    switchport access vlan 100
    interface Ethernet0/5
    switchport access vlan 100
    interface Ethernet0/6
    switchport access vlan 100
    interface Ethernet0/7
    switchport access vlan 100
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.X.X 255.255.255.240
    interface Vlan100
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    banner login line Welcome to Payback Loyalty - CIX
    ftp mode passive
    clock timezone GMT 0
    clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group defaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network CIX-Host-1
    host 192.168.100.2
    description This is the host machine of the VM servers
    object network External_CIX-Host-1
    host 84.39.233.51
    description This is the external IP address of the host server for the VM server
    object service RDP
    service tcp source range 1 65535 destination eq 3389
    object network Payback_Office
    host 92.51.193.158
    object service MSQL
    service tcp destination eq 1433
    object network Development_OLTP
    host 192.168.100.10
    description VM for Eiresoft
    object network External_Development_OLTP
    host 84.39.233.52
    description This is the external IP address for the VM for Eiresoft
    object network External_TMC_Web
    host 84.39.233.53
    description Public Address of TMC Webserver
    object network TMC_Webserver
    host 192.168.100.19
    description Internal Address of TMC Webserver
    object network External_TMC_OLTP
    host 84.39.233.54
    description Targets OLTP external IP
    object network TMC_OLTP
    host 192.168.100.18
    description Targets interal IP address
    object network External_OLTP_Failover
    host 84.39.233.55
    description Public IP of OLTP Failover
    object network OLTP_Failover
    host 192.168.100.60
    description Server for OLTP failover
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object network Wired
    subnet 192.168.10.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network Eiresoft_2nd
    host 137.117.217.29
    description Eiresoft 2nd IP
    object network Dev_Test_Webserver
    host 192.168.100.12
    description Dev Test Webserver Internal Address
    object network External_Dev_Test_Webserver
    host 84.39.233.56
    description This is the PB Dev Test Webserver
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object network LAN
    subnet 192.168.100.0 255.255.255.0
    object network REMOTE-LAN
    subnet 192.168.10.0 255.255.255.0
    object network TargetMC
    host 83.71.194.145
    description This is Target Location that will be accessing the Webserver
    object network Rackspace_OLTP
    host 162.13.34.56
    description This is the IP address of production OLTP
    object service DB
    service tcp destination eq 5022
    object network Topaz_Target_VM
    host 82.198.151.168
    description This is Topaz IP that will be accessing Targets VM
    object service DB_2
    service tcp destination eq 5023
    object network EireSoft_NEW_IP
    host 146.66.161.3
    description Eiresoft latest IP form ISP DHCP
    object-group service DM_INLINE_SERVICE_1
    service-object object MSQL
    service-object object RDP
    service-object icmp echo
    service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_2
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_4
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    service-object tcp destination eq www
    object-group service DM_INLINE_SERVICE_5
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_6
    service-object object MSQL
    service-object object RDP
    object-group network Payback_Intrernal
    network-object object Servers
    network-object object Wired
    network-object object Wireless
    object-group service DM_INLINE_SERVICE_8
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_9
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_10
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    service-object icmp echo
    service-object icmp echo-reply
    service-object object DB
    object-group service DM_INLINE_SERVICE_11
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_12
    service-object object MSQL
    service-object icmp echo
    service-object icmp echo-reply
    service-object object DB
    service-object object DB_2
    object-group service DM_INLINE_SERVICE_13
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_14
    service-object object MSQL
    service-object object RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
    access-list outside_access_in remark Development OLTP from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
    access-list outside_access_in remark Access to OLTP for target from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
    access-list outside_access_in remark Access for the 2nd IP from Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
    access-list outside_access_in remark Access from the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
    access-list outside_access_in remark Access rules from Traget to CIX for testing
    access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
    access-list outside_access_in remark Topaz access to Target VM
    access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
    access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
    access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
    access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
    access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
    access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
    nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
    nat (inside,outside) source static Development_OLTP External_Development_OLTP
    nat (inside,outside) source static TMC_Webserver External_TMC_Web
    nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
    nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
    nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
    nat (inside,outside) source dynamic LAN interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http X.X.X.X 255.255.255.252 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer X.X.X.X
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh X.X.X.X  255.255.255.240 outside
    ssh X.X.X.X 255.255.255.252 outside
    ssh 192.168.40.0 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_92.51.193.158 internal
    group-policy GroupPolicy_92.51.193.158 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 general-attributes
    default-group-policy GroupPolicy_92.51.193.158
    tunnel-group 92.51.193.158 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769

Maybe you are looking for

  • Exporting Options in Crystal Reports 2008

    I am using Crystal Reports 2008 to make my report for my users.   I am also programming a viewer in vb 2005 so the users can view the report without changing it.  In the viewer I need to be able to export to excel or pdf or any other format.  I want

  • SAP GUI (SAP LOGON 620).Problem connecting to R/3

    Hi I Installed SAP 4.7 successfully.I could see SAP R3 Management console started properly.After Installing SAP GUI,I tried to connect from SAP Logon.I get an error ,A box opens Which has title 'Syntax Errors' and fields in the box are, Syntax error

  • Mail/News (thunderbird) do not open URLs in Bon Echo (firefox)

    Hi! I have installed thunderbird and firefox... but when I clic an url in an e-mail or news thunderbird do not open it in nothing, neither firefox or konkeror, whatever... just nothing... ANy idea? luciano

  • Suppressing sql statement in spool file

    I am trying to run a report in sql and I am spooling the output to a file. I cannot seem to figure out what set command will suppress the sql statement.

  • Connecting to a Ad Hoc connection

    I cannot connect to my Ad Hoc wireless with my IPOD Touch. I can see that it is connected, but no data moves back and forth....any insight as to why?