Cisco Asa 5505 and Layer 3 Switch With Remote VPN Access

i got today a new CISCO LAYER 3 Switch .. so here is my scenrio
Cisco Asa 5505
I
Outside  == 155.155.155.x
Inside  =      192.168.7.1
VPN POOL Address =   10.10.10.1   -   10.10.10.20
Layer 3 Switch Config
Vlan 2
interface ip address =  192.168.1.1
Vlan 2
interface ip address =  192.168.2.1
Vlan 2
interface ip address =  192.168.3.1
Vlan 2
interface ip address =  192.168.4.1
Vlan 2
interface ip address =  192.168.5.1
ip Routing
So i want My Remote Access VPN clients to access all this Networks. So Please can you give me a helpfull trick or Link to configure the rest of my routing
Thank You all

When My Remote VPN is Connected , it reaches 192.168.7.2 of the Layer 3 VLan that's Connected to The ASA 5505 ,
But i can't reach the rest of the VLAN - example
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
But i can reach the Connected Interface Vlan to My ASA ..
So here i think iam miss configuration to my Route
Any Help Please this is urgent

Similar Messages

  • Cisco ASA 5505 and comodo SSL certificate

    Hey All,
    I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
    Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
    On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
    What am I missing here? I can post config if anyone needs it.
    (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

    It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
    ASA Version 9.0(2)
    hostname MyDomain-firewall-1
    domain-name MyDomain.com
    enable password omitted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd omitted
    names
    name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
    name 10.200.0.0 MyDomain_New_IP description MyDomain_New
    name 10.100.0.0 MyDomain-Old description Inside_Old
    name XXX.XXX.XX.XX Provider description Provider_Wireless
    name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
    name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
    ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
    ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address Cisco_ASA_5505 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Provider 255.255.255.252
    boot system disk0:/asa902-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.0.3.21
    domain-name MyDomain.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network MyDomain-Employee
    subnet 192.168.208.0 255.255.255.0
    description MyDomain-Employee
    object-group network Inside-all
    description All Networks
    network-object MyDomain-Old 255.255.254.0
    network-object MyDomain_New_IP 255.255.192.0
    network-object host MyDomain-Inside
    access-list inside_access_in extended permit ip any4 any4
    access-list split-tunnel standard permit host 10.0.13.1
    pager lines 24
    logging enable
    logging buffered errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
    route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
    route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
    route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record "Network Access Policy Allow VPN"
    description "Must have the Network Access Policy Enabled to get VPN access"
    aaa-server LDAP_Group protocol ldap
    aaa-server LDAP_Group (inside) host 10.0.3.21
    ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http MyDomain_New_IP 255.255.192.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    no validation-usage
    no accept-subordinates
    no id-cert-issuer
    crl configure
    crypto ca trustpoint VPN
    enrollment terminal
    fqdn vpn.mydomain.com
    subject-name CN=vpn.mydomain.com,OU=IT
    keypair vpn.mydomain.com
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpool policy
    crypto ca server
    shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
        omitted
      quit
    crypto ca certificate chain VPN
    certificate
        omitted
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca
        omitted
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint VPN
    telnet timeout 5
    ssh MyDomain_New_IP 255.255.192.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
    ssl trust-point VPN outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
    anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
    anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
    anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value MyDomain.com
    group-policy MyDomain-Employee internal
    group-policy MyDomain-Employee attributes
    wins-server none
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value MyDomain.com
    webvpn
      anyconnect profiles value MyDomain-employee type user
    username MyDomainadmin password omitted encrypted privilege 15
    tunnel-group MyDomain-Employee type remote-access
    tunnel-group MyDomain-Employee general-attributes
    address-pool MyDomain-Employee-Pool
    authentication-server-group LDAP_Group LOCAL
    default-group-policy MyDomain-Employee
    tunnel-group MyDomain-Employee webvpn-attributes
    group-alias MyDomain-Employee enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
    : end
    asdm image disk0:/asdm-712.bin
    asdm location MyDomain_New_IP 255.255.192.0 inside
    asdm location MyDomain-Inside 255.255.255.255 inside
    asdm location MyDomain-Old 255.255.254.0 inside
    no asdm history enable

  • Cisco ASA 5505 and Airport Extreme

    We have an office that uses an Airport Extreme as part of the network. The Airport Extreme uses a Cisco ASA 5505 as its gateway. The Cisco provides site to site VPN capabilities with other remote offices. We just got this configuration partially working and it works great for outbound connections.
    But I have been unable to get an inbound connection to machines that are behind the Airport Extreme.
    The goal is to access machines behind the Airport Extreme by way of RDP and also for use as drive and printer shares.
    What do I need to do on the Airport to achieve this goal?
    Thank you,
    Lebby

    Lebby,
    I suspect it's not the AX that's the problem but the Cisco router, no doubt you have NAT enabled on that so that any inbound connection not initiated from inside just get's blocked.
    You'll need to configure NAT on the Cisco first.
    Regards,
    Shawn

  • Cisco ASA 5505 and DHCP Client Problems

    Hi, i have a problem. I've connected my ASA appliance to an ADSL modem, and i dont get an DHCP address on the outside interface (e0/0). I use the asa-722-19.bin firmware.
    I turned on the debugging for the DHCP client and could see that the ASA device was sending out broadcasts but a reply never came. Instead I connected the device to my internal network where the ASA got an address instantly.
    I read somewhere that if I was to use ?ip address dhcp client-id fastethernet 0″, then I got an address from the ISP.
    I tried looking for a similar command on the ASA5505 but I couldn?t find anything. I did however find a page on the Cisco site confirming my suspicions. It said some ISP?s require the client-id field of the DHCPDISCOVER request to be filled.
    I've also read that this issue has beed fixed since a few weeks, now they have released version 7.2(2).22 where you can define ?dhcp-client client-id interface outside? in global configuration mode. Im running 7.2(2).19 and i cannot find any command like that in my appaiance. How do i fix my problem ? Or how do i get about recieving the 7.2(2).22 firmware update.
    Regards !
    Leif

    Hi again! I thought I should share the solution that worked for me. I use software version 7.2(2) on this device. ASDM 5.2(2). In ASDM open configuration / Interfaces. Click in outside (my case 0/0) and press Edit. Then open the tab Advanced and set the correct Active Mac address. Fore some reason its empty by default and the ISP/modem don't like that. You will find the correct MAC address under the help menu / "About ASA". Im sure there is some another way to do this but this is a simple "how-to" that works with Swedens biggest ISP and their standard DSL modem.
    When I used a Linksys DSL modem in bridge mode without the MAC address set I got an inside IP adress (192.168.x.x) from the modem to the ASA. After setting the MAC address I just had to do a renew and got the outside address right away. /Bjorn
    (future users searchwords: no ip from isp, ASA 5505 and cable modem).

  • Cisco ASA 5505 and PAT

    So I have a weird problem that I'm hoping someone has a point in the right direction I can follow... At home I have a Cisco ASA 5505 - not very complex network some BCP configs and it's providing a NAT (PAT). I have a static IP and using a few RFC 1918 segments - like I said nothing earth shattering. I have a linksys E1200 802.11N WPA2 PSK - again pretty standard. I connect laptops, iPads, iPhones, Kindles, Androids no problem. Until recently my 60" Vizio had no issues using the network (wired or wireless). Now network is failing on the TV. I see it get to the FW and I can ping trace etc... to the TV. The FW logs show resets (log is below).
    Now here is the real interesting part - if I turn the tether feature on my iPhone on and connect the TV to it - it works - what's even more interesting is if I then go back to the home network it all works again no problem until I reboot the TV... HELP!
    Apr 19 15:34:09 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60657 to outside:68.162.222.142/57003
    Apr 19 15:34:09 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61988 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60657 (68.162.222.142/57003)
    Apr 19 15:34:09 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61988 for outside:98.137.204.251/443 to inside:10.10.10.139/60657 duration 0:00:00 bytes 3689 TCP Reset-I
    Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60658 to outside:68.162.222.142/53332
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61989 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60658 (68.162.222.142/53332)
    Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/37006 to outside:68.162.222.142/40015
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61990 for outside:98.136.10.32/443 (98.136.10.32/443) to inside:10.10.10.139/37006 (68.162.222.142/40015)
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61989 for outside:98.137.204.251/443 to inside:10.10.10.139/60658 duration 0:00:00 bytes 3689 TCP Reset-I
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61990 for outside:98.136.10.32/443 to inside:10.10.10.139/37006 duration 0:00:00 bytes 3689 TCP FINs
    A

    Hello ras,
    As you mentioned the TV is sending a reset packet to the remote address. I will recommend you to create a capture of the traffic and review the traffic at the packet level to see a posible reason for the drop.
    Here is how. Then you can download it to pcap format and uploaded to the forum for further analysis.
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
    http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-6941209
    Hope this information is helpful.

  • Cisco ASA 5505 Reset-I Problem with TCP State Bypass

    Hello,
    I have a Cisco ASA 5505 that functions as my primary firewall and a Mitel 5000 controller behind it. I have two external phone users that have been connecting through the firewall with no issues for six months until about two weeks ago. I am now seeing the following log entry on the phone trying to connect to the Mitel Controller.
    6
    May 16 2014
    14:52:52
    302014
    72.135.115.37
    6915
    192.168.20.2
    6801
    Teardown TCP connection 1203584 for outside:72.135.115.37/6915 to inside:192.168.20.2/6801 duration 0:00:00 bytes 0 TCP Reset-I
    My phones are designed to work with the Mitel 5000 and Mitel 3300 phone controllers. The 5000 will only use port 6800 for call control, while the 3300 will use 6801 (Secured Minet), 6802 (Minet SSH), and if those fail, port 6800 (Minet Unsecured). When the phones initiate a connection, they try 6801 first. If 6801 is unavailable, the phone controller adds the RST flag to the ACK packet. When the phone sees the RST flag, it is supposed to reset and use the next port (6802). The same process happens again for port 6802, then the phone knows to try 6800. The problem is that the ASA sees the RST flag now and terminates the connection at the firewall. Therefore, the phones never see the RST flag, and continue to try the connection with port 6801.
    I have tried to use the TCP State Bypass feature to correct the situation, but the log shows that the connection is still being terminated immediately by the firewall. I am a novice when it comes to configuring the ASA. Any help would be greatly appreciated, as the company that I bought the phone system from is out of troubleshooting options. I do not think that I have made any changes to the firewall around this time. I have packet captures and logs from my ASA and I have wireshark data on the inside of my network. I need to figure out how to configure the ASA so that it ignores the RST flag and sends the packet back to the source.
    Any help would be greatly appreciated!

    Thanks Rizwan,
    Still no luck.  I can't even ping the otherside (office)..  I am not sure if i'm running the debug rightway.   Here are my results...
    homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side.  I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
    Success rate is 0
    homeasa(config)# debug crypto isakmp 7
    homeasa(config)# debug crypto ipsec 7
    homeasa(config)# sho crypto isakmp 7
                                       ^
    ERROR: % Invalid input detected at '^' marker.
    homeasa(config)# sho crypto isakmp
    There are no isakmp sas
    Global IKE Statistics
    Active Tunnels: 0
    Previous Tunnels: 0
    In Octets: 0
    In Packets: 0
    In Drop Packets: 0
    In Notifys: 0
    In P2 Exchanges: 0
    In P2 Exchange Invalids: 0
    In P2 Exchange Rejects: 0
    In P2 Sa Delete Requests: 0
    Out Octets: 0
    Out Packets: 0
    Out Drop Packets: 0
    Out Notifys: 0
    Out P2 Exchanges: 0
    Out P2 Exchange Invalids: 0
    Out P2 Exchange Rejects: 0
    Out P2 Sa Delete Requests: 0
    Initiator Tunnels: 0
    Initiator Fails: 0
    Responder Fails: 0
    System Capacity Fails: 0
    Auth Fails: 0
    Decrypt Fails: 0
    Hash Valid Fails: 0
    No Sa Fails: 0
    Global IPSec over TCP Statistics
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Recevied ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0
    hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
    There are no ipsec sas
    homeasa(config)#

  • CIsco ASA 5505 and VPN licenses

    Hi,
    Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
    How those licenses are counted? Will I need a license per one IPSec SA?
    If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
    Thank you.
    Regards,
    Alex

    Alex,
    In an ASA 5505, it should say something like this...when you do sh ver.
    VPN Peers : 25
    It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
    Its a per tunnel license.
    Rate this, if it helps!
    Gilbert

  • VPN Between Cisco ASA 5505 and Cisco Router 881

    Hi All,
    I want to interconnect two office to each other but i have trouble: Please see below my configuration: What is missing to finalize the configuration properly?
    Cisco ASA 5505.
    Version 8.4(3)
    HQ-ASA5505(config)# crypto ikev1 policy 888
    HQ-ASA5505(config-ikev1-policy)# authentication pre-share
    HQ-ASA5505(config-ikev1-policy)# encryption 3des
    HQ-ASA5505(config-ikev1-policy)# hash md5
    HQ-ASA5505(config-ikev1-policy)# lifetime 86400
    HQ-ASA5505(config-ikev1-policy)# group 2
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 type ipsec-l2l
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 ipsec-attributes
    HQ-ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key test
    HQ-ASA5505(config)#object network HQ-Users
    HQ-ASA5505(config-network-object)#subnet 10.48.0.0 255.255.255.0
    HQ-ASA5505(config)# object-group network HQ.grp
    HQ-ASA5505(config-network-object-group)# network-object object HQ-Users
    HQ-ASA5505(config)#object network FSP_DATA
    HQ-ASA5505(config-network-object)#subnet 10.48.12.0 255.255.255.0
    HQ-ASA5505(config)#object-group network FSP.grp
    HQ-ASA5505(config-network-object-group)#network-object object FSP_DATA
    HQ-ASA5505(config)#access-list VPN_to_FSP extended permit ip object-group HQ.grp object-group FSP.grp
    HQ-ASA5505(config)# crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
    HQ-ASA5505(config)# crypto map ouside_map 888 set ikev1 transform-set TS
    HQ-ASA5505(config)# crypto map ouside_map 888 match address VPN_to_FSP
    HQ-ASA5505(config)# crypto map ouside_map 888 set peer 1.1.1.1
    HQ-ASA5505(config)# crypto map ouside_map 888 set pfs group2
    HQ-ASA5505(config)# crypto ikev1 enable outside
    HQ-ASA5505(config)# crypto map ouside_map interface outside
    Router 881
    Version 12.4
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    LAB_ROuter(config)#object-group network HQ
    LAB_ROuter(config-network-group)#10.48.0.0 255.255.255.0
    LAB_ROuter(config)#object-group network FSP
    LAB_ROuter(config-network-group)#10.48.12.0 255.255.255.0
    ip access-list extended FSP_VPN
     permit ip object-group FSP object-group HQ
    LAB_ROuter(config)#crypto isakmp policy 888
    LAB_ROuter(config-isakmp)#encryption 3des
    LAB_ROuter(config-isakmp)#authentication pre-share
    LAB_ROuter(config-isakmp)#hash md5
    LAB_ROuter(config-isakmp)#group 2
    LAB_ROuter(config-isakmp)#lifetime 86400
    LAB_ROuter(config)#crypto isakmp key test address 2.2.2.2
    LAB_ROuter(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto map outside_map 888 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set TS
     match address FSP_VPN
    interface fast4 --> Outside Interface (where public IP address is assigned) 
    crypto map outside_map
    Thank you in advance for your prompt advice!

    If you do a show crypto map in the router you will see the VPN traffic to be "any to any".
    This is due a known bug on Cisco routers. The router does not support object-groups network for the VPN traffic. Use a regular ACL instead.

  • CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

    I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
    The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
    My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
    I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query.  Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
    Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

    Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
    access list rule:
    access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
    nat rule:
    nat (inside,outside) source static server interface service voip-range voip-range
    - 'server' is a network object *
    - 'voip-range' is a service group range
    I'd assume you can do something similar here in combination with my earlier comment:
    access-list incoming extended permit tcp any any eq 5900
    Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

  • Cisco ASA 5505 and 2Wire

    Hi all,
    I need some help from someone who has experience with configuring VPN on ASA over 2Wire router setup as dmzplus.
    Topology:
    ASA 5505 ---- 2Wire (dmzplus) -------------- ( cloud ) -------------- 2Wire (dmzplus) ---- ASA 5505
    BT is the ISP on both ends. Static IPs are currently forwarded to the firewalls on both ends (outside interface is DHCP client).
    All other services are working as expected (static NAT for few ports and so on).
    I have found on some other forums the solution is to setup router in full bridge mode and then configure PPPoE on ASA, but I am trying to avoid this (for few other reasons).
    The weird thing is when I am trying to initiate tunnel traffic from site A I can see IKE peer responder from site B, but not the opposite.
    IKE state is MM_WAIT_MSG2 so it’s not passing the phase one. What I also notice in the arp table despite only one IP is assigned per site, the BT router has IP one less than the public one.
    So my questions are:
    1.       Do I missing something in the config?
    2.       Is it possible to setup VPN on ASA over dmzplus?
    3.       Does the BT PPPoA service will become PPPoE after changing 2Wire to bridge mode?
    4.       Is there any different workaround or alternative solution?
    CONFIG (crypto policies and all different settings are mirrored on the other end so it doesn’t make sense to post both):
    : Saved
    ASA Version 8.2(5)
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    access-list outside_in extended permit object-group PRS_PORTS any host 1.1.1.10
    access-list outside_in extended permit object-group CCTV_PORTS any host 1.1.1.10
    access-list VPN_traffic extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no-nat
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    static (inside,outside) tcp interface <omitted>
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 1.1.1.9 1 (points
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set L2LVPN esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map L2LCRYPTO 10 match address VPN_traffic
    crypto map L2LCRYPTO 10 set peer 2.2.2.10
    crypto map L2LCRYPTO 10 set transform-set L2LVPN
    crypto map L2LCRYPTO interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ciscoasa
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 569bb150
    <omitted>
    quit
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh <omitted>
    ssh timeout 15
    console timeout 0
    management-access inside
    dhcpd dns 194.72.0.98 194.74.65.68
    dhcpd auto_config outside
    dhcpd address 192.168.0.2-192.168.0.33 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 84.45.87.84 source outside prefer
    webvpn
    tunnel-group <2.2.2.10> type ipsec-l2l
    tunnel-group <2.2.2.10> ipsec-attributes
    pre-shared-key *****
    isakmp keepalive threshold 100 retry 2
    ISAKMP debug:
    Feb 19 03:25:25 [IKEv1 DEBUG]: IP = <dest_ip>, IKE SA MM:8021bed6 terminating: flags 0x01000022, refcnt 0, tuncnt 0
    Feb 19 03:25:25 [IKEv1 DEBUG]: IP = <dest_ip>, sending delete/delete with reason message
    Feb 19 03:25:28 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
    Feb 19 03:25:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:25:33 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:25:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:25:33 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:25:36 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
    Feb 19 03:25:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:25:44 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:25:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:25:44 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:25:44 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
    Feb 19 03:25:52 [IKEv1 DEBUG]: IP = <dest_ip>, IKE MM Responder FSM error history (struct &0xc6dc3588) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
    Feb 19 03:25:52 [IKEv1 DEBUG]: IP = <dest_ip>, IKE SA MM:a22d74b8 terminating: flags 0x01000002, refcnt 0, tuncnt 0
    Feb 19 03:25:52 [IKEv1 DEBUG]: IP = <dest_ip>, sending delete/delete with reason message
    Feb 19 03:25:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:25:54 [IKEv1]: IP = <dest_ip>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <dest_ip> local Proxy Address 192.168.0.0, remote Proxy Address 192.168.1.0, Crypto map (L2LCRYPTO)
    Feb 19 03:25:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:25:54 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing ISAKMP SA payload
    Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver 02 payload
    Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver 03 payload
    Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver RFC payload
    Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing Fragmentation VID + extended capabilities payload
    Feb 19 03:25:54 [IKEv1]: IP = <dest_ip>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Feb 19 03:25:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:25:57 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:26:02 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Feb 19 03:26:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:26:07 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:26:10 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Feb 19 03:26:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:26:17 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:26:18 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Feb 19 03:26:26 [IKEv1 DEBUG]: IP = <dest_ip>, IKE MM Initiator FSM error history (struct &0xc6aa7940) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
    Feb 19 03:26:26 [IKEv1 DEBUG]: IP = <dest_ip>, IKE SA MM:2e549563 terminating: flags 0x01000022, refcnt 0, tuncnt 0
    Feb 19 03:26:26 [IKEv1 DEBUG]: IP = <dest_ip>, sending delete/delete with reason message
    Feb 19 03:26:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:26:32 [IKEv1]: IP = <dest_ip>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <dest_ip> local Proxy Address 192.168.0.0, remote Proxy Address 192.168.1.0, Crypto map (L2LCRYPTO)
    Feb 19 03:26:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:26:32 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing ISAKMP SA payload
    Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver 02 payload
    Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver 03 payload
    Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver RFC payload
    Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing Fragmentation VID + extended capabilities payload
    Feb 19 03:26:32 [IKEv1]: IP = <dest_ip>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Feb 19 03:26:40 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Feb 19 03:26:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:26:43 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:26:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:26:43 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    no debug crypto isakmp 127 Feb 19 03:26:48 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) totano debug crypto isakmp 127 Feb 19 03:26:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:26:53 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Feb 19 03:26:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Feb 19 03:26:53 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Kind regards
    Mariusz

    Hi all,
    The latest update
    I've finally managed to get the VPN to work! As soon as I've reconfigure the router and the firewall it took 1 second to establish the tunnel. So the answer for the most important question number 2. Is it possible to setup VPN on ASA over dmzplus? is no. I think the issue is related to routing which doesn't look normal with the dmzplus (can't properly  traceroute to IPs etc)
    So my solution was :
    - changed 2Wire settings (Bridged LLC, ATM PVC disabled, Connection type: direct IP, save and uncheck Routing mode)
    - changed ASA external interface settings to pppoe with automatic routing and IP
    Regards
    Mariusz

  • S2S between Cisco ASA 5505 and Sonicwall TZ-170 but not able to ping across

    Hi,
    I am helping out a friend of mine with his Site-to-Site VPN between his companies Cisco ASA another company's SonicWall TZ-170.  I have checked the screenshots proivded by the other end and tried to match with ours.  The Tunnel shows but we are not able to Ping resources on the other end.  The other side insists that the problem is on our end but I am not sure where the issue resides.  Please take a look at our config and let me know if there is anything that I have missed.  I am pretty sure I didn't but extra eyes may be of need here.
    Our LAN is 10.200.x.x /16 and theirs is 192.168.9.0 /24
    ASA Version 8.2(2)
    terminal width 300
    hostname company-asa
    domain-name Company.com
    no names
    name 10.1.0.0 sacramento-network
    name 10.3.0.0 irvine-network
    name 10.2.0.0 portland-network
    name x.x.x.x MailLive
    name 192.168.9.0 revit-vpn-remote-subnet
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.128
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.200.200.1 255.255.0.0
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 172.22.22.1 255.255.255.0
    interface Ethernet0/3
    description Internal Wireless
    shutdown
    nameif Wireless
    security-level 100
    ip address 10.201.201.1 255.255.255.0
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name company.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network local_net_group
    network-object 10.1.0.0 255.255.0.0
    network-object 10.2.0.0 255.255.0.0
    network-object 10.200.0.0 255.255.0.0
    network-object 10.3.0.0 255.255.0.0
    network-object 10.4.0.0 255.255.0.0
    network-object 10.5.0.0 255.255.0.0
    network-object 10.6.0.0 255.255.0.0
    network-object 10.7.0.0 255.255.0.0
    network-object 192.168.200.0 255.255.255.0
    object-group network NACIO123
    network-object 1.1.1.1 255.255.255.224
    object-group service MAIL_HTTPS_BORDERWARE tcp
    port-object eq smtp
    port-object eq https
    port-object eq 10101
    object-group service SYSLOG_SNMP_NETFLOW udp
    port-object eq syslog
    port-object eq snmp
    port-object eq 2055
    object-group service HTTP_HTTPS tcp
    port-object eq www
    port-object eq https
    object-group network OUTSIDECO_SERVERS
    network-object host x.x.x.34
    network-object host x.x.x.201
    network-object host x.x.x.63
    object-group network NO-LOG
    network-object host 10.200.200.13
    network-object host 10.200.200.25
    network-object host 10.200.200.32
    object-group service iPhoneSync-Services-TCP tcp
    port-object eq 993
    port-object eq 990
    port-object eq 998
    port-object eq 5678
    port-object eq 5721
    port-object eq 26675
    object-group service termserv tcp
    description terminal services
    port-object eq 3389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DTI tcp
    description DCS CONTROL PROTOCOL
    port-object eq 3333
    object-group service H.245 tcp
    description h.245 signaling
    port-object range 1024 4999
    object-group service RAS udp
    port-object eq 1719
    port-object range 1718 1720
    object-group service XML tcp
    port-object range 3336 3341
    object-group service mpi tcp
    port-object eq 2010
    object-group service mvp_control tcp
    port-object eq 2946
    object-group service rpc tcp-udp
    port-object eq 1809
    object-group service tcp8080 tcp
    port-object eq 8080
    object-group service tcp8011 tcp
    port-object eq 8011
    object-group service rtp_rtcp_udp udp
    port-object range 1024 65535
    object-group service ecs_xml tcp-udp
    port-object eq 3271
    object-group service rtp20000 udp
    description 10000-65535
    port-object range 20000 25000
    port-object range 10000 65535
    object-group service tcp5222 tcp
    port-object range 5222 5269
    object-group service tcp7070 tcp
    port-object eq 7070
    object-group network videoco
    network-object host x.x.x.144
    network-object host x.x.x.145
    object-group service video tcp
    port-object range 1718 h323
    object-group service XML2 tcp-udp
    port-object range 3336 3345
    object-group service tcp_tls tcp
    port-object eq 5061
    object-group service Autodesk tcp
    port-object eq 2080
    port-object range 27000 27009
    access-list outside_policy remark ====== Begin Mail From Postini Network ======
    access-list outside_policy extended permit tcp x.x.x.x 255.255.240.0 host x.x.x.x eq smtp
    access-list outside_policy extended permit tcp x.x.x.x 255.255.255.240 host x.x.x.x eq smtp
    access-list outside_policy extended permit tcp x.x.x.0 255.255.240.0 host x.x.x.x eq smtp
    access-list outside_policy remark ****** End Mail From Postini Network ******
    access-list outside_policy remark ====== Begin Inbound Web Mail Access ======
    access-list outside_policy extended permit tcp any host x.x.x.x object-group HTTP_HTTPS
    access-list outside_policy remark ****** End Inbound Web Mail Access ******
    access-list outside_policy remark ====== Begin iPhone Sync Rules to Mail Server ======
    access-list outside_policy extended permit tcp any host x.x.x.x object-group iPhoneSync-Services-TCP
    access-list outside_policy remark ****** End iPhone Sync Rules to Mail Server ******
    access-list outside_policy remark ====== Begin MARS Monitoring ======
    access-list outside_policy extended permit udp x.x.x.x 255.255.255.128 host x.x.x.x object-group SYSLOG_SNMP_NETFLOW
    access-list outside_policy extended permit icmp x.x.x.x 255.255.255.128 host x.x.x.x
    access-list outside_policy remark ****** End MARS Monitoring ******
    access-list outside_policy extended permit tcp object-group NACIO123 host x.x.x.141 eq ssh
    access-list outside_policy extended permit tcp any host x.x.x.x eq www
    access-list outside_policy extended permit tcp any host x.x.x.x eq https
    access-list outside_policy extended permit tcp any host x.x.x.x eq h323
    access-list outside_policy extended permit tcp any host x.x.x.x range 60000 60001
    access-list outside_policy extended permit udp any host x.x.x.x range 60000 60007
    access-list outside_policy remark radvision 5110   port 80 both
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq www
    access-list outside_policy remark radvision
    access-list outside_policy extended permit tcp any object-group videoco object-group termserv
    access-list outside_policy remark radvision 5110  port21 out
    access-list outside_policy extended permit tcp any object-group videoco eq ftp
    access-list outside_policy remark rad5110   port22 both
    access-list outside_policy extended permit tcp any object-group videoco eq ssh
    access-list outside_policy remark rad 5110  port161 udp both
    access-list outside_policy extended permit udp any object-group videoco eq snmp
    access-list outside_policy remark rad5110 port443 both
    access-list outside_policy extended permit tcp any object-group videoco eq https
    access-list outside_policy remark rad5110 port 1024-4999  both
    access-list outside_policy extended permit tcp any object-group videoco object-group H.245
    access-list outside_policy remark rad5110 port 1719 udp both
    access-list outside_policy extended permit udp any object-group videoco object-group RAS
    access-list outside_policy remark rad5110 port 1720 both
    access-list outside_policy extended permit tcp any any eq h323
    access-list outside_policy remark RAD 5110 port 3333 tcp both
    access-list outside_policy extended permit tcp any object-group videoco object-group DTI
    access-list outside_policy remark rad5110 port 3336-3341 both
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group XML2
    access-list outside_policy remark port 5060 tcp/udp
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq sip
    access-list outside_policy remark rad 5110port 1809 rpc both
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group rpc
    access-list outside_policy remark rad 5110 port 2010 both
    access-list outside_policy extended permit tcp any object-group videoco object-group mpi
    access-list outside_policy remark rad 5110 port 2946 both
    access-list outside_policy extended permit tcp any object-group videoco object-group mvp_control
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp8080
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp8011
    access-list outside_policy remark 1024-65535
    access-list outside_policy extended permit udp any object-group videoco object-group rtp_rtcp_udp
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group ecs_xml
    access-list outside_policy extended permit udp any object-group videoco object-group rtp20000
    access-list outside_policy extended permit tcp any object-group videoco eq telnet
    access-list outside_policy remark port 53 dns
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq domain
    access-list outside_policy remark 7070
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp7070
    access-list outside_policy remark 5222-5269 tcp
    access-list outside_policy extended permit tcp any object-group videoco range 5222 5269
    access-list outside_policy extended permit tcp any object-group videoco object-group video
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp_tls
    access-list outside_policy remark ====== Begin Autodesk Activation access ======
    access-list outside_policy extended permit tcp any any object-group Autodesk
    access-list outside_policy remark ****** End Autodesk Activation access ******
    access-list outside_policy extended permit tcp x.x.x.x 255.255.255.248 host x.x.x.x eq smtp
    access-list outside_policy remark ****** End Autodesk Activation access ******
    access-list inside_policy extended deny tcp host 10.200.200.25 10.1.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.3.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.2.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.4.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.5.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny udp object-group NO-LOG any eq 2967 log disable
    access-list inside_policy extended deny tcp object-group NO-LOG any eq 2967 log disable
    access-list inside_policy remark ====== Begin Outbound Mail Server Rules ======
    access-list inside_policy extended permit udp host 10.200.200.222 any eq 5679
    access-list inside_policy extended permit tcp host 10.200.200.222 any eq smtp
    access-list inside_policy remark ****** End Outbound Mail Server Rules ******
    access-list inside_policy extended permit ip object-group local_net_group any
    access-list inside_policy extended permit icmp object-group local_net_group any
    access-list OUTSIDECO_VPN extended permit ip host x.x.x.x object-group OUTSIDECO_SERVERS
    access-list company-split-tunnel standard permit 10.1.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.2.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.3.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.4.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.200.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.5.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.6.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.7.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 172.22.22.0 255.255.255.0
    access-list company-split-tunnel remark Video
    access-list company-split-tunnel standard permit 192.168.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.1.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.2.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.3.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.200.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.4.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.5.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.6.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.7.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 172.22.22.0 255.255.255.0
    access-list SSL_SPLIT remark Video
    access-list SSL_SPLIT standard permit 192.168.0.0 255.255.0.0
    access-list NONAT_SSL extended permit ip object-group local_net_group 172.20.20.0 255.255.255.0
    access-list NONAT_SSL extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
    access-list tom extended permit tcp host x.x.x.x any eq smtp
    access-list tom extended permit tcp host 10.200.200.222 any eq smtp
    access-list tom extended permit tcp any host x.x.x.x
    access-list aaron extended permit tcp any any eq 2967
    access-list capauth extended permit ip host 10.200.200.1 host 10.200.200.220
    access-list capauth extended permit ip host 10.200.200.220 host 10.200.200.1
    access-list DMZ extended permit icmp any any
    access-list dmz_access_in extended permit tcp any eq 51024 any eq 3336
    access-list dmz_access_in extended permit icmp any any
    access-list dmz_access_in extended permit tcp any any eq ftp
    access-list dmz_access_in extended permit tcp any any eq https
    access-list dmz_access_in remark rad5110 port 162 out
    access-list dmz_access_in extended permit udp any any eq snmptrap
    access-list dmz_access_in remark port 23 out
    access-list dmz_access_in extended permit tcp any any eq telnet
    access-list dmz_access_in remark port 53 dns out
    access-list dmz_access_in extended permit object-group TCPUDP any any eq domain
    access-list dmz_access_in extended permit object-group TCPUDP any any eq www
    access-list dmz_access_in extended permit tcp any any eq h323
    access-list dmz_access_in extended permit tcp any any object-group XML
    access-list dmz_access_in extended permit udp any any object-group RAS
    access-list dmz_access_in extended permit tcp any any range 1718 h323
    access-list dmz_access_in extended permit tcp any any object-group H.245
    access-list dmz_access_in extended permit object-group TCPUDP any any eq sip
    access-list dmz_access_in extended permit udp any any object-group rtp_rtcp_udp
    access-list dmz_access_in extended permit object-group TCPUDP any any object-group XML2
    access-list dmz_access_in extended permit ip object-group local_net_group any
    access-list dmz_access_in remark port 5061
    access-list dmz_access_in extended permit tcp any any object-group tcp_tls
    access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered warnings
    logging trap informational
    logging history informational
    logging asdm warnings
    logging host outside x.x.x.x
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu Wireless 1500
    mtu management 1500
    ip local pool SSL_VPN_POOL 172.20.20.1-172.20.20.75 mask 255.255.255.0
    ip verify reverse-path interface outside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT_SSL
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) x.x.x.12 10.200.200.15 netmask 255.255.255.255
    static (inside,outside) x.x.x.15 10.5.0.11 netmask 255.255.255.255
    static (inside,outside) x.x.x.13 10.200.200.240 netmask 255.255.255.255
    static (inside,outside) x.x.x.16 10.200.200.222 netmask 255.255.255.255
    static (inside,outside) x.x.x.14 10.200.200.155 netmask 255.255.255.255
    static (inside,dmz) 10.200.200.0 10.200.200.0 netmask 255.255.255.0
    static (inside,dmz) 10.4.0.0 10.4.0.0 netmask 255.255.0.0
    static (dmz,outside) x.x.x.18 172.22.22.15 netmask 255.255.255.255
    static (dmz,outside) x.x.x.19 172.22.22.16 netmask 255.255.255.255
    static (inside,dmz) 10.3.0.0 10.3.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.6.0.0 10.6.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.7.0.0 10.7.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.5.0.0 10.5.0.0 netmask 255.255.0.0
    access-group outside_policy in interface outside
    access-group inside_policy in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 x.x.x.12 1
    route inside 10.1.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.2.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.3.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.4.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.5.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.6.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.7.0.0 255.255.0.0 10.200.200.150 1
    route inside x.x.x.0 255.255.255.0 10.200.200.2 1
    route inside x.x.x.0 255.255.255.0 10.200.200.2 1
    route inside 192.168.1.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.2.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.3.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.4.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.5.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.6.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.7.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.200.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.201.0 255.255.255.0 10.200.200.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 2:00:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server COMPANY-NT-AUTH protocol nt
    aaa-server COMPANY-NT-AUTH (inside) host 10.200.200.220
    nt-auth-domain-controller DC
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 10.200.200.0 255.255.255.0 inside
    http 10.200.0.0 255.255.0.0 inside
    http 10.3.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto map OUTSIDE_MAP 5 match address outside_cryptomap
    crypto map OUTSIDE_MAP 5 set pfs
    crypto map OUTSIDE_MAP 5 set peer x.x.x.53
    crypto map OUTSIDE_MAP 5 set transform-set 3DES-SHA
    crypto map OUTSIDE_MAP 5 set security-association lifetime seconds 28800
    crypto map OUTSIDE_MAP 10 match address OUTSIDECO_VPN
    crypto map OUTSIDE_MAP 10 set peer x.x.x.25
    crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
    crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
    crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes 4608000
    crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map OUTSIDE_MAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd dns 10.200.200.220 10.200.200.225
    dhcpd wins 10.200.200.220 10.200.200.225
    dhcpd lease 18000
    dhcpd domain company.com
    dhcpd dns 10.200.200.220 10.200.200.225 interface Wireless
    dhcpd wins 10.200.200.220 10.200.200.225 interface Wireless
    dhcpd lease 18000 interface Wireless
    dhcpd domain company.com interface Wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.5.41.40 source outside prefer
    ssl trust-point vpn.company.com outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2017-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSL_Client_Policy internal
    group-policy SSL_Client_Policy attributes
    wins-server value 10.200.200.220
    dns-server value 10.200.200.220
    vpn-tunnel-protocol IPSec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SSL_SPLIT
    default-domain value company.com
    webvpn
      sso-server none
      auto-signon allow uri * auth-type all
    group-policy no-split-test internal
    group-policy no-split-test attributes
    banner value Welcome to company and Associates
    banner value Welcome to company and Associates
    dns-server value 10.200.200.220
    vpn-tunnel-protocol IPSec
    ipsec-udp enable
    split-tunnel-policy tunnelall
    default-domain value company.com
    group-policy DfltGrpPolicy attributes
    dns-server value 10.200.200.220
    default-domain value company.com
    group-policy company internal
    group-policy company attributes
    banner value Welcome to company and Associates
    banner value Welcome to company and Associates
    dns-server value 10.200.200.220
    vpn-tunnel-protocol IPSec
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SSL_SPLIT
    default-domain value company.com
    username ciscoadmin password xxxxxxxxxxx encrypted privilege 15
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool SSL_VPN_POOL
    authentication-server-group COMPANY-NT-AUTH
    default-group-policy SSL_Client_Policy
    tunnel-group DefaultWEBVPNGroup webvpn-attributes
    group-alias company_SSL_VPN enable
    tunnel-group company_group type remote-access
    tunnel-group company_group general-attributes
    address-pool SSL_VPN_POOL
    authentication-server-group COMPANY-NT-AUTH LOCAL
    default-group-policy company
    tunnel-group company_group ipsec-attributes
    pre-shared-key *****
    tunnel-group x.x.x.53 type ipsec-l2l
    tunnel-group x.x.x.53 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect tftp
      inspect esmtp
      inspect ftp
      inspect icmp
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect mgcp
      inspect h323 h225
      inspect h323 ras
      inspect sip
    service-policy global_policy global
    privilege cmd level 5 mode exec command ping
    privilege cmd level 6 mode exec command write
    privilege show level 5 mode exec command running-config
    privilege show level 5 mode exec command version
    privilege show level 5 mode exec command conn
    privilege show level 5 mode exec command memory
    privilege show level 5 mode exec command cpu
    privilege show level 5 mode exec command xlate
    privilege show level 5 mode exec command traffic
    privilege show level 5 mode exec command interface
    privilege show level 5 mode exec command clock
    privilege show level 5 mode exec command ip
    privilege show level 5 mode exec command failover
    privilege show level 5 mode exec command arp
    privilege show level 5 mode exec command route
    privilege show level 5 mode exec command blocks
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:a0689b4c837c79a51e7a0cfed591dec9
    : end
    COMPANY-asa#

    Hi Sian,
    Yes on their end the PFS is enabled for DH Group 2.
    Here is the information that you requested:
    company-asa# sh crypto isakmp sa
       Active SA: 3
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 3
    1   IKE Peer: x.x.x.87
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    2   IKE Peer: x.x.x.53
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    3   IKE Peer: x.x.x.25
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG4
    company-asa# sh crypto ipsec sa
    interface: outside
        Crypto map tag: OUTSIDE_MAP, seq num: 5, local addr: x.x.x.13
          access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
          current_peer: x.x.x.53
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 10744, #pkts decrypt: 10744, #pkts verify: 10744
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.13, remote crypto endpt.: x.x.x.53
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 500EC8BF
          current inbound spi : 8DAE3436
        inbound esp sas:
          spi: 0x8DAE3436 (2377004086)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
             sa timing: remaining key lifetime (kB/sec): (3914946/24388)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x500EC8BF (1343146175)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
             sa timing: remaining key lifetime (kB/sec): (3915000/24388)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        Crypto map tag: outside_dyn_map, seq num: 20, local addr: x.x.x.13
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (172.20.20.8/255.255.255.255/0/0)
          current_peer: x.x.x.87, username: ewebb
          dynamic allocated peer ip: 172.20.20.8
          #pkts encaps: 16434, #pkts encrypt: 16464, #pkts digest: 16464
          #pkts decaps: 19889, #pkts decrypt: 19889, #pkts verify: 19889
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 16434, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 30, #pre-frag failures: 0, #fragments created: 60
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 60
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.13/4500, remote crypto endpt.: x.x.x.87/2252
          path mtu 1500, ipsec overhead 66, media mtu 1500
          current outbound spi: 2D712C9F
          current inbound spi : 0EDB79C8
        inbound esp sas:
          spi: 0x0EDB79C8 (249264584)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 18262
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x2D712C9F (762391711)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 18261
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

  • Cisco ASA 5505 and Xbox One

    I am running version asa922.8-k8.I have tried via CLI to setup my rules and my access rules are not showing up in ASDM. Here are the rules that I had entered;
    firewall>enable
    firewall#configure terminal
    firewall(config)#object network xbox
    firewall(config-network-object)#host 192.168.1.100
    firewall(config-network-object)#exit
    firewall(config)#
    firewall(config)#object network xbox-nat-tcp3074
    firewall(config-network-object)#host 192.168.1.100
    firewall(config-network-object)#exit
    firewall(config)#object network xbox-nat-udp3074
    firewall(config-network-object)#host 192.168.1.100
    firewall(config-network-object)#exit
    firewall(config)#object network xbox-nat-udp88
    firewall(config-network-object)#host 192.168.1.100
    firewall(config-network-object)#exit
    firewall(config)#
    firewall(config)#object network xbox-nat-tcp3074
    firewall(config-network-object)#host 192.168.1.100
    firewall(config-network-object)#exit
    firewall(config)#object network xbox-nat-udp3074
    firewall(config-network-object)#host 192.168.1.100
    firewall(config-network-object)#exit
    firewall(config)#object network xbox-nat-udp88
    firewall(config-network-object)#host 192.168.1.100
    firewall(config-network-object)#exit
    firewall(config)#
    firewall(config)#object-group service xbox-live-3074 tcp-udp
    firewall(config-service-object-group)#port-object eq 3074
    firewall(config-service-object-group)#exit
    firewall(config)#object service xbox-live-88
    firewall(config-service-object)#service udp destination eq 88
    firewall(config-service-object)#exit
    firewall(config)#
    firewall(config)#object network xbox-nat-tcp3074
    firewall(config-network-object)#nat (inside,outside) static interface service tcp 3074 3074
    firewall(config-network-object)#exit
    firewall(config)#object network xbox-nat-udp3074
    firewall(config-network-object)#nat (inside,outside) static interface service udp 3074 3074
    firewall(config-network-object)#exit
    firewall(config)#object network xbox-nat-udp88
    firewall(config-network-object)#nat (inside,outside) static interface service udp 88 88
    firewall(config-network-object)#exit
    firewall(config)#
    firewall(config)#access-list outside_access_in line 1 extended permit tcp any object xbox object-group xbox-live-3074
    firewall(config)#access-list outside_access_in line 2 extended permit udp any object xbox object-group xbox-live-3074
    firewall(config)#access-list outside_access_in line 3 extended permit object xbox-live-88 any object xbox
    how do i do the access list via ASDM? Running the latest version of asdm.

    The question is: What doesn't show up?
    If you only configured the lines above, then the ACL is not yet applied to an interface. It won't show up under "Access-Control", but it should show up under "ACL Manager". Same for the objects. They also should be visible in ASDM.
    If thats the case, then just apply the ACL to the interface:
    access-list outside_access_in in interface outside

  • Cisco asa 5505 vpn issue

    I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through  a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.) 

    Post the config of your ASA and someone will be able to assist.

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
    I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
    Please help me to find where is the issue.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate.
    I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
    Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
    Because on Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
    When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
    After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
    They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
    Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
    3
    Nov 21 2012
    07:11:09
    713061
    Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5
    Nov 21 2012
    07:11:09
    713119
    Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
    I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
    If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
    Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
    I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
    Maybe you could try to change the Encryption Domain configurations a bit and test it then.
    You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

Maybe you are looking for

  • Steps to upgrade Bw Objects from BW 3.5 to BW 7.0

    I have upgraded a NW2004(BW3.5) system to NW2004s(BW 7.0) . After upgrade i see that the infocubes, infoobjects are still in BW 3.5 Concept itself. When i open each object and save it , it is changing to BW 7 Object. But there are about 10000 objects

  • Trigger file

    Greetings, I'm currently writing a very simple trigger... I'm using oracle 10.2 In the query analyser, I wrote: DROP TRIGGER TRIGMAXPARTIE; CREATE TRIGGER TRIGMAXPARTIE BEFORE INSERT ON PARTIE FOR EACH ROW         DECLARE nbparties number;     BEGIN

  • My play count is not recorded and doesn't sync with my last.fm account

    is anyone else having this problem? it's been going on since about january... i don't sync my music, i manually drag and drop songs to add them and then simply delete them when i don't want them on my phone anymore. my play count is not showing up at

  • Safari 6.0 go directly to website

    Prior to Safari 6.0, I was able to type in a name of a business and it would go straight to that business and not to a Google search. For example, in the prior version, if I typed in "Tingo", it would go directly to Tingo.com. But with 6.0, it goes t

  • Can I get movie to fade to black?

    I inserted a Youtube video into my project and used the slider in Widget, Interaction to stop it about midway through, the first part being all that I wanted to show. But then when I preview it, it simply stops abruptly and retains the last screen im