Cisco ASA 5505 - Can't Login from Public & Local IP Anymore!

Hello,
We've a Cisco ASA 5505 connected directly to Verizon FiOS Circuit (ONT) box using Ethernet cable. As per the existing documention that I have, the previous configured this as a dedicated router to establish a seperate VPN connection our software provider. They assigned both Public Static and Local Static IP address. When I try to ping the public IP address, it says request time out; so the public IP address is no longer working.
When I ping the local IP address of 192.168.100.11, it responds. The SolarWind tool also shows Always UP signal. How can I login into this router either from remotely or locally to check the configuration, backup and do the fimrware upgrade?
I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to Internet without any issues. However I don't know the IP address to use to login.
Any advice would be greatly appreciated. Thank you.
UPDATE: I'm able to find the way! I need to use https to login! I'm able to download ASDM tool and login! Thanks to these resources:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
http://cyruslab.wordpress.com/2010/09/09/how-to-download-asdm-from-asa5505-and-install-it/

Hi Srinath,
If that ASA5505 has factory-default configuration on it , then it probably has 192.168.1.1 ip address on the LAN side and has got dhcp server turned on to provide you ip address dynamically the moment you hook up a machine to it directly or through a switch.
If you've access to ASDM.
You can go the Configuration Tab>>Device Management>>Device Access and turn on the SSH & Telnet from the LAN interface because by default only HTTPS/ASDM is enabled on LAN interface.
You will still need to generate crypto keys and create a username in order to get ssh working
For this you can click at the TOP at TOOLS>> Command Line Interface.
And in the box below type this
crypto key generate rsa modulus 1024
add a username
username <> password <> priv 15
and enable aaa authentication for ssh like this
aaa authentication ssh console LOCAL
Let me know if this helps.
Puneet

Similar Messages

  • Cisco ASA 5505 can ping gateway but can't ping internet

    Good day to all!
    Sorry if I post this on the wrong group, I am having a bit of a problem on configuring an ASA 5505 firewall. And I scoured google but can't seem to find a specific link to my issues.
    It is on a routed mode, have successfully configured inside and outside vlans. Hosts inside vlan can ping each other. Hosts on outside vlan can also ping each other. Problem is, when I am pinging 8.8.8.8, I received ????? Please see config below.
    Any help greatly appreciated.
    TIA!
    : Saved
    ASA Version 8.4(3)
    hostname ciscoasan
    enable password bD3fGYMFeJJTATOJ encrypted
    passwd 2KF1w9ErdI.2KYOU encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     description INSIDE
     nameif inside
     security-level 100
     ip address 10.10.10.2 255.255.255.0
    interface Vlan2
     description OUTSIDE
     nameif outside
     security-level 0
     ip address 203.127.68.2 255.255.255.240
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network obj_any
     nat (inside,outside) dynamic interface
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 203.127.68.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    http authentication-certificate inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny  
      inspect sunrpc
      inspect xdmcp
      inspect sip  
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6b3e0ce99eda3d2563cf9f392f8001b7
    : end

    Hi badingdong,
    Remove these lines:
    no nat (inside,outside) after-auto source dynamic any interface
    no access-group outside_access_in in interface outside
    If you have more inside subnets need access to internet, please make sure that you have a static route in place as shown below.
    route inside 10.0.0.0 255.0.0.0 10.10.10.1
    Also make sure that you have a correct DNS server is assigned on your internal hosts.
    Thanks
    Rizwan Rafeek

  • Fairly new to cisco ASA 5505 - Can someone look through my config?

    Hi.
    Can some one tell me if I did the NAT part right? Both dynamic and static.
    To be able to reach one vlan from another I created a Nat between them, is this the right way to do it?
    I can still limit the access between the vlans based on the access list.
    I also getting slow throughput over the VPN tunnel. Is there something wrong with my config. I used the wizard to set it up. There is also a cisco asa5505 on the other end.
    If there is some thing else that seems wrong, please let me know.
    Any help would be greatfully appreciated!
    Config:
    : Saved
    ASA Version 7.2(2)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password x encrypted
    names
    name 192.168.1.250 DomeneServer
    name 192.168.1.10 NotesServer
    name 192.168.1.90 OvServer
    name 192.168.1.97 TerminalServer
    name 192.168.1.98 w8-eyeshare
    name 192.168.50.10 w8-print
    name 192.168.1.94 w8-app
    name 192.168.1.89 FonnaFlyMedia
    interface Vlan1
    nameif Vlan1
    security-level 100
    ip address 192.168.200.100 255.255.255.0
    ospf cost 10
    interface Vlan2
    nameif outside
    security-level 0
    ip address 79.x.x.226 255.255.255.224
    ospf cost 10
    interface Vlan400
    nameif vlan400
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    ospf cost 10
    interface Vlan450
    nameif Vlan450
    security-level 100
    ip address 192.168.210.1 255.255.255.0
    ospf cost 10
    interface Vlan460
    nameif Vlan460-SuldalHotell
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    ospf cost 10
    interface Vlan461
    nameif Vlan461-SuldalHotellGjest
    security-level 100
    ip address 192.168.3.1 255.255.255.0
    ospf cost 10
    interface Vlan462
    nameif Vlan462-Suldalsposten
    security-level 100
    ip address 192.168.4.1 255.255.255.0
    ospf cost 10
    interface Vlan470
    nameif vlan470-Kyrkjekontoret
    security-level 100
    ip address 192.168.202.1 255.255.255.0
    ospf cost 10
    interface Vlan480
    nameif vlan480-Telefoni
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    ospf cost 10
    interface Vlan490
    nameif Vlan490-QNapBackup
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    ospf cost 10
    interface Vlan500
    nameif Vlan500-HellandBadlands
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    ospf cost 10
    interface Vlan510
    nameif Vlan510-IsTak
    security-level 100
    ip address 192.168.40.1 255.255.255.0
    ospf cost 10
    interface Vlan600
    nameif Vlan600-SafeQ
    security-level 100
    ip address 192.168.50.1 255.255.255.0
    ospf cost 10
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 500
    switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
    switchport mode trunk
    interface Ethernet0/3
    switchport access vlan 490
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    passwd x encrypted
    ftp mode passive
    clock timezone WAT 1
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service Lotus_Notes_Utgaaande tcp
    description Frim Notes og ut til alle
    port-object eq domain
    port-object eq ftp
    port-object eq www
    port-object eq https
    port-object eq lotusnotes
    port-object eq pop3
    port-object eq pptp
    port-object eq smtp
    object-group service Lotus_Notes_inn tcp
    description From alle og inn til Notes
    port-object eq www
    port-object eq lotusnotes
    port-object eq pop3
    port-object eq smtp
    object-group service Reisebyraa tcp-udp
    port-object range 3702 3702
    port-object range 5500 5500
    port-object range 9876 9876
    object-group service Remote_Desktop tcp-udp
    description Tilgang til Remote Desktop
    port-object range 3389 3389
    object-group service Sand_Servicenter_50000 tcp-udp
    description Program tilgang til Sand Servicenter AS
    port-object range 50000 50000
    object-group service VNC_Remote_Admin tcp
    description Frå oss til alle
    port-object range 5900 5900
    object-group service Printer_Accept tcp-udp
    port-object range 9100 9100
    port-object eq echo
    object-group icmp-type Echo_Ping
    icmp-object echo
    icmp-object echo-reply
    object-group service Print tcp
    port-object range 9100 9100
    object-group service FTP_NADA tcp
    description Suldalsposten NADA tilgang
    port-object eq ftp
    port-object eq ftp-data
    object-group service Telefonsentral tcp
    description Hoftun
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    port-object eq telnet
    object-group service Printer_inn_800 tcp
    description Fra 800  nettet og inn til 400 port 7777
    port-object range 7777 7777
    object-group service Suldalsposten tcp
    description Sending av mail vha Mac Mail programmet - åpner smtp
    port-object eq pop3
    port-object eq smtp
    object-group service http2 tcp
    port-object range 81 81
    object-group service DMZ_FTP_PASSIVE tcp-udp
    port-object range 55536 56559
    object-group service DMZ_FTP tcp-udp
    port-object range 20 21
    object-group service DMZ_HTTPS tcp-udp
    port-object range 443 443
    object-group service DMZ_HTTP tcp-udp
    port-object range 8080 8080
    object-group service DNS_Query tcp
    port-object range domain domain
    object-group service DUETT_SQL_PORT tcp-udp
    description For kobling mellom andre nett og duett server
    port-object range 54659 54659
    access-list outside_access_in extended permit ip any any
    access-list outside_access_out extended permit ip any any
    access-list vlan400_access_in extended deny ip any host 149.20.56.34
    access-list vlan400_access_in extended deny ip any host 149.20.56.32
    access-list vlan400_access_in extended permit ip any any
    access-list Vlan450_access_in extended deny ip any host 149.20.56.34
    access-list Vlan450_access_in extended deny ip any host 149.20.56.32
    access-list Vlan450_access_in extended permit ip any any
    access-list Vlan460_access_in extended deny ip any host 149.20.56.34
    access-list Vlan460_access_in extended deny ip any host 149.20.56.32
    access-list Vlan460_access_in extended permit ip any any
    access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping
    access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
    access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop
    access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop
    access-list vlan400_access_out extended permit tcp any host OvServer object-group http2
    access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn
    access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop
    access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop
    access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop
    access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600
    access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001
    access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer
    access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT
    access-list Vlan500_access_in extended deny ip any host 149.20.56.34
    access-list Vlan500_access_in extended deny ip any host 149.20.56.32
    access-list Vlan500_access_in extended permit ip any any
    access-list vlan470_access_in extended deny ip any host 149.20.56.34
    access-list vlan470_access_in extended deny ip any host 149.20.56.32
    access-list vlan470_access_in extended permit ip any any
    access-list Vlan490_access_in extended deny ip any host 149.20.56.34
    access-list Vlan490_access_in extended deny ip any host 149.20.56.32
    access-list Vlan490_access_in extended permit ip any any
    access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping
    access-list Vlan1_access_out extended permit ip any any
    access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop
    access-list Vlan1_access_out extended deny ip any any
    access-list Vlan1_access_out extended permit icmp any any echo-reply
    access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping
    access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping
    access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP
    access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
    access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
    access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP
    access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping
    access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping
    access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop
    access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping
    access-list vlan480_access_out extended permit ip any any
    access-list Vlan510_access_in extended permit ip any any
    access-list Vlan600_access_in extended permit ip any any
    access-list Vlan600_access_out extended permit icmp any any
    access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop
    access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www
    access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www
    access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www
    access-list Vlan600_access_in_1 extended permit ip any any
    access-list Vlan461_access_in extended permit ip any any
    access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping
    access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
    access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
    access-list Vlan462-Suldalsposten_access_in extended permit ip any any
    access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply
    access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply
    access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Vlan1 1500
    mtu outside 1500
    mtu vlan400 1500
    mtu Vlan450 1500
    mtu Vlan460-SuldalHotell 1500
    mtu Vlan461-SuldalHotellGjest 1500
    mtu vlan470-Kyrkjekontoret 1500
    mtu vlan480-Telefoni 1500
    mtu Vlan490-QNapBackup 1500
    mtu Vlan500-HellandBadlands 1500
    mtu Vlan510-IsTak 1500
    mtu Vlan600-SafeQ 1500
    mtu Vlan462-Suldalsposten 1500
    no failover
    monitor-interface Vlan1
    monitor-interface outside
    monitor-interface vlan400
    monitor-interface Vlan450
    monitor-interface Vlan460-SuldalHotell
    monitor-interface Vlan461-SuldalHotellGjest
    monitor-interface vlan470-Kyrkjekontoret
    monitor-interface vlan480-Telefoni
    monitor-interface Vlan490-QNapBackup
    monitor-interface Vlan500-HellandBadlands
    monitor-interface Vlan510-IsTak
    monitor-interface Vlan600-SafeQ
    monitor-interface Vlan462-Suldalsposten
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (vlan400) 0 access-list vlan400_nat0_outbound
    nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
    nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns
    nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
    nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
    nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
    nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
    nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
    nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
    nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
    nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
    static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255
    static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
    static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns
    static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255
    static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255
    static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255
    static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
    static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255
    static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255
    static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
    static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
    static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
    static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
    static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
    static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
    static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
    static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
    static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
    access-group Vlan1_access_out out interface Vlan1
    access-group outside_access_in in interface outside
    access-group outside_access_out out interface outside
    access-group vlan400_access_in in interface vlan400
    access-group vlan400_access_out out interface vlan400
    access-group Vlan450_access_in in interface Vlan450
    access-group Vlan450_access_out out interface Vlan450
    access-group Vlan460_access_in in interface Vlan460-SuldalHotell
    access-group Vlan460_access_out out interface Vlan460-SuldalHotell
    access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest
    access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest
    access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
    access-group vlan470_access_out out interface vlan470-Kyrkjekontoret
    access-group vlan480_access_out out interface vlan480-Telefoni
    access-group Vlan490_access_in in interface Vlan490-QNapBackup
    access-group Vlan490_access_out out interface Vlan490-QNapBackup
    access-group Vlan500_access_in in interface Vlan500-HellandBadlands
    access-group Vlan500_access_out out interface Vlan500-HellandBadlands
    access-group Vlan510_access_in in interface Vlan510-IsTak
    access-group Vlan510_access_out out interface Vlan510-IsTak
    access-group Vlan600_access_in_1 in interface Vlan600-SafeQ
    access-group Vlan600_access_out out interface Vlan600-SafeQ
    access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten
    access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten
    route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    username x password x encrypted privilege 15
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.210.0 255.255.255.0 Vlan450
    http 192.168.200.0 255.255.255.0 Vlan1
    http 192.168.1.0 255.255.255.0 vlan400
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 match address outside_20_cryptomap_1
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 62.92.159.137
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp enable vlan400
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    tunnel-group 62.92.159.137 type ipsec-l2l
    tunnel-group 62.92.159.137 ipsec-attributes
    pre-shared-key *
    telnet 192.168.200.0 255.255.255.0 Vlan1
    telnet 192.168.1.0 255.255.255.0 vlan400
    telnet timeout 5
    ssh 171.68.225.216 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    dhcpd update dns both
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside
    dhcpd address 192.168.1.100-192.168.1.225 vlan400
    dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400
    dhcpd option 3 ip 192.168.1.1 interface vlan400
    dhcpd enable vlan400
    dhcpd address 192.168.210.100-192.168.210.200 Vlan450
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
    dhcpd option 3 ip 192.168.210.1 interface Vlan450
    dhcpd enable Vlan450
    dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
    dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell
    dhcpd enable Vlan460-SuldalHotell
    dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
    dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest
    dhcpd enable Vlan461-SuldalHotellGjest
    dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret
    dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
    dhcpd enable vlan470-Kyrkjekontoret
    dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
    dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
    dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup
    dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
    dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands
    dhcpd enable Vlan500-HellandBadlands
    dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
    dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak
    dhcpd enable Vlan510-IsTak
    dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ
    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
    dhcpd enable Vlan600-SafeQ
    dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten
    dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten
    dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten
    dhcpd enable Vlan462-Suldalsposten
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    prompt hostname context
    Cryptochecksum:x
    : end

    I was just wondering if this is the way to do the "connection" between vlans.. or should it be routed?
    The traffic between the vlan is working as intended. There are not much traffice only some RDP connection and some printing jobs.
    But i'm getting some of these errors: (not alle like this, but portmap translation creation failed)
    305006    192.168.10.200 portmap translation creation failed for udp src Vlan460-SuldalHotell:192.168.2.112/59133 dst Vlan490-QNapBackup:192.168.10.200/161
    I did the sh interface commends:
    Result of the command: "sh interface"
    Interface Vlan1 "Vlan1", is down, line protocol is down
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.200.100, subnet mask 255.255.255.0
      Traffic Statistics for "Vlan1":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
          1 minute input rate 0 pkts/sec,  0 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Vlan2 "outside", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 79.x.x.226, subnet mask 255.255.255.224
      Traffic Statistics for "outside":
        1780706730 packets input, 1221625431570 bytes
        1878320718 packets output, 1743030863134 bytes
        5742216 packets dropped
          1 minute input rate 558 pkts/sec,  217568 bytes/sec
          1 minute output rate 803 pkts/sec,  879715 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 621 pkts/sec,  482284 bytes/sec
          5 minute output rate 599 pkts/sec,  428957 bytes/sec
          5 minute drop rate, 1 pkts/sec
    Interface Vlan400 "vlan400", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
      Traffic Statistics for "vlan400":
        1093422654 packets input, 1191121436317 bytes
        784209789 packets output, 374041914789 bytes
        11465163 packets dropped
          1 minute input rate 751 pkts/sec,  870445 bytes/sec
          1 minute output rate 462 pkts/sec,  116541 bytes/sec
          1 minute drop rate, 11 pkts/sec
          5 minute input rate 474 pkts/sec,  415304 bytes/sec
          5 minute output rate 379 pkts/sec,  197861 bytes/sec
          5 minute drop rate, 7 pkts/sec
    Interface Vlan450 "Vlan450", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.210.1, subnet mask 255.255.255.0
      Traffic Statistics for "Vlan450":
        139711812 packets input, 27519985266 bytes
        202793062 packets output, 233679075458 bytes
        12523100 packets dropped
          1 minute input rate 68 pkts/sec,  9050 bytes/sec
          1 minute output rate 83 pkts/sec,  88025 bytes/sec
          1 minute drop rate, 6 pkts/sec
          5 minute input rate 145 pkts/sec,  15068 bytes/sec
          5 minute output rate 241 pkts/sec,  287093 bytes/sec
          5 minute drop rate, 6 pkts/sec
    Interface Vlan460 "Vlan460-SuldalHotell", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.2.1, subnet mask 255.255.255.0
      Traffic Statistics for "Vlan460-SuldalHotell":
        177971988 packets input, 161663208458 bytes
        193137004 packets output, 137418896469 bytes
        4003957 packets dropped
          1 minute input rate 13 pkts/sec,  2295 bytes/sec
          1 minute output rate 14 pkts/sec,  15317 bytes/sec
          1 minute drop rate, 2 pkts/sec
          5 minute input rate 4 pkts/sec,  794 bytes/sec
          5 minute output rate 1 pkts/sec,  477 bytes/sec
          5 minute drop rate, 2 pkts/sec
    Interface Vlan461 "Vlan461-SuldalHotellGjest", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.3.1, subnet mask 255.255.255.0
      Traffic Statistics for "Vlan461-SuldalHotellGjest":
        332909692 packets input, 351853184942 bytes
        312038518 packets output, 156669956740 bytes
        583171 packets dropped
          1 minute input rate 0 pkts/sec,  6 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  6 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Vlan462 "Vlan462-Suldalsposten", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.4.1, subnet mask 255.255.255.0
      Traffic Statistics for "Vlan462-Suldalsposten":
        33905 packets input, 14303320 bytes
        28285 packets output, 27536357 bytes
        10199 packets dropped
          1 minute input rate 0 pkts/sec,  6 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  6 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Vlan470 "vlan470-Kyrkjekontoret", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.202.1, subnet mask 255.255.255.0
      Traffic Statistics for "vlan470-Kyrkjekontoret":
        12176257 packets input, 4305665570 bytes
        10618750 packets output, 5982598969 bytes
        974796 packets dropped
          1 minute input rate 2 pkts/sec,  770 bytes/sec
          1 minute output rate 1 pkts/sec,  861 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 2 pkts/sec,  708 bytes/sec
          5 minute output rate 1 pkts/sec,  980 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Vlan480 "vlan480-Telefoni", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.20.1, subnet mask 255.255.255.0
      Traffic Statistics for "vlan480-Telefoni":
        246638 packets input, 43543149 bytes
        10 packets output, 536 bytes
        226674 packets dropped
          1 minute input rate 0 pkts/sec,  126 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  56 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Vlan490 "Vlan490-QNapBackup", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.10.1, subnet mask 255.255.255.0
      Traffic Statistics for "Vlan490-QNapBackup":
        137317833 packets input, 6066713912 bytes
        223933623 packets output, 263191563744 bytes
        531738 packets dropped
          1 minute input rate 0 pkts/sec,  135 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  68 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Vlan500 "Vlan500-HellandBadlands", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.30.1, subnet mask 255.255.255.0
      Traffic Statistics for "Vlan500-HellandBadlands":
        30816778 packets input, 4887486069 bytes
        42403099 packets output, 47831750415 bytes
        948717 packets dropped
          1 minute input rate 3 pkts/sec,  707 bytes/sec
          1 minute output rate 3 pkts/sec,  3459 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  23 bytes/sec
          5 minute output rate 0 pkts/sec,  31 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Vlan510 "Vlan510-IsTak", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.40.1, subnet mask 255.255.255.0
      Traffic Statistics for "Vlan510-IsTak":
        1253148 packets input, 245364736 bytes
        1225385 packets output, 525528101 bytes
        161567 packets dropped
          1 minute input rate 0 pkts/sec,  6 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  6 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Vlan600 "Vlan600-SafeQ", is up, line protocol is up
      Hardware is EtherSVI
        MAC address 001d.453a.ea0e, MTU 1500
        IP address 192.168.50.1, subnet mask 255.255.255.0
      Traffic Statistics for "Vlan600-SafeQ":
        1875377 packets input, 1267279709 bytes
        1056139 packets output, 290728055 bytes
        521943 packets dropped
          1 minute input rate 0 pkts/sec,  165 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  178 bytes/sec
          5 minute output rate 0 pkts/sec,  9 bytes/sec
          5 minute drop rate, 0 pkts/sec
    Interface Ethernet0/0 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 001d.453a.ea06, MTU not set
        IP address unassigned
        1782670655 packets input, 1256666911856 bytes, 0 no buffer
        Received 95709 broadcasts, 0 runts, 0 giants
        1978 input errors, 1978 CRC, 0 frame, 0 overrun, 1978 ignored, 0 abort
        0 L2 decode drops
        17179928790 switch ingress policy drops
        1878320261 packets output, 1778955488577 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops
    Interface Ethernet0/2 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 001d.453a.ea08, MTU not set
        IP address unassigned
        1790819459 packets input, 1783854920873 bytes, 0 no buffer
        Received 27571913 broadcasts, 0 runts, 0 giants
        614 input errors, 614 CRC, 0 frame, 0 overrun, 614 ignored, 0 abort
        0 L2 decode drops
        19768 switch ingress policy drops
        1547507675 packets output, 991527977853 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops
    Interface Ethernet0/3 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 001d.453a.ea09, MTU not set
        IP address unassigned
        137318166 packets input, 9176625008 bytes, 0 no buffer
        Received 290030 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        335 switch ingress policy drops
        223933623 packets output, 267222625073 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops

  • How to sync clock of Cisco ASA 5505 from NTP Server on internet

    Hi there!
    i've setup a site, with cisco ASA 5505. It has public ip also.
    i want to sync the clock of firewall from on ntp server on internet, or with internal domain controller that is inside LAN.
    The firewall has public IP also.
    how can i do this?
    Regards!

    Hello Lasandro,
    This should do it!
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_hostname_pw.html#wp1236530
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505

    Problem : Unable to access user A to user B
    User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} )  --- User B
    After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.
    Ping is unsuccessful from user A to user B
    Ping is successful from user B to user A, data is accessable
    After done the packet tracer from user A to user B,
    Result :
    Flow-lookup
    Action : allow
    Info: Found no matching flow, creating a new flow
    Route-lookup
    Action : allow
    Info : 192.168.5.203 255.255.255.255 identity
    Access-list
    Action : drop
    Config Implicit Rule
    Result - The packet is dropped
    Input Interface : inside
    Output Interface : NP Identify Ifc
    Info: (acl-drop)flow is denied by configured rule
    Below is Cisco ASA 5505's show running-config
    ASA Version 8.2(1)
    hostname Asite
    domain-name ssms1.com
    enable password ZZZZ encrypted
    passwd WWWW encrypted
    names
    name 82 B-firewall description Singapore office firewall
    name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
    name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
    name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
    name 122 A-forti
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.5.203 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 93 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ssms1.com
    object-group network obj_any
    network-object 0.0.0.0 0.0.0.0
    access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
    access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 81 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http B-inside-subnet 255.255.255.0 inside
    http fw-inside-subnet 255.255.255.0 inside
    http 0.0.0.0 255.255.255.255 outside
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer A-forti
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set peer B-firewall
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption aes-192
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.5.10-192.168.5.20 inside
    dhcpd dns 165 165 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    username admin password XXX encrypted privilege 15
    tunnel-group 122 type ipsec-l2l
    tunnel-group 122 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    class-map outside-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      message-length maximum client auto
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    policy-map outside-policy
    description ok
    class outside-class
      inspect dns
      inspect esmtp
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect icmp
      inspect icmp error
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    service-policy global_policy global
    service-policy outside-policy interface outside
    prompt hostname context
    Cryptochecksum: XXX
    : end
    Kindly need your expertise&help to solve the problem

    any1 can help me ?

  • Dear All, I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me. Thanks Vijay

    Dear All,
                         I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me.
    Thanks
    Vijay

    Hi Vijay,
    If can be done but you need any network management software. I personally dont think you can ask your ask to send mails. ASA can trigger alert to a SNMP configured server which will intern send mail to you 
    HTH,

  • I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

    I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
    I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
    I need to allow the following IP addresses to have RDP access to my server:
    66.237.238.193-66.237.238.222
    69.195.249.177-69.195.249.190
    69.65.80.240-69.65.80.249
    My external WAN server info is - 99.89.69.333
    The internal IP address of my server is - 192.168.6.2
    The other server shows up as 99.89.69.334 but is working fine.
    I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
    THE FOLLOWING IS MY CONFIGURATION FILE
    Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
    Also the bolded lines are the modifications I made but that arent working.
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password DowJbZ7jrm5Nkm5B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.89.69.233 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network EMRMC
    network-object 10.1.2.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.11.0 255.255.255.0
    network-object 172.16.0.0 255.255.0.0
    network-object 192.168.9.0 255.255.255.0
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service GMED tcp
    description GMED
    port-object eq 3390
    object-group service MarsAccess tcp
    description MarsAccess
    port-object range pcanywhere-data 5632
    object-group service MarsFTP tcp
    description MarsFTP
    port-object range ftp-data ftp
    object-group service MarsSupportAppls tcp
    description MarsSupportAppls
    port-object eq 1972
    object-group service MarsUpdatePort tcp
    description MarsUpdatePort
    port-object eq 7835
    object-group service NM1503 tcp
    description NM1503
    port-object eq 1503
    object-group service NM1720 tcp
    description NM1720
    port-object eq h323
    object-group service NM1731 tcp
    description NM1731
    port-object eq 1731
    object-group service NM389 tcp
    description NM389
    port-object eq ldap
    object-group service NM522 tcp
    description NM522
    port-object eq 522
    object-group service SSL tcp
    description SSL
    port-object eq https
    object-group service rdp tcp
    port-object eq 3389
    access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
    access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
    access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
    access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
    access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.6.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 68.156.148.5
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    tunnel-group 68.156.148.5 type ipsec-l2l
    tunnel-group 68.156.148.5 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
    : end
    ciscoasa(config-network)#

    Unclear what did not work.  In your original post you include said some commands were added but don't work:
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    and later you state you add another command that gets an error:
    static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
    You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
    The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
    Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

  • Cisco ASA 5505 Site to Site VPN

    Hello All,
    First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
    I would appreciate any help that can be directed towards this issue please.  Slowly losing my mind
    Please see details below:
    Both ADM are 7.1
    IOS
    ASA 1
    aved
    ASA Version 9.0(1)
    hostname PAYBACK
    enable password HSMurh79NVmatjY0 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description Trunk link to SW1
    switchport trunk allowed vlan 1,10,20,30,40
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address 92.51.193.158 255.255.255.252
    interface Vlan10
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan20
    nameif servers
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    interface Vlan30
    nameif printers
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan40
    nameif wireless
    security-level 100
    ip address 192.168.40.1 255.255.255.0
    banner login line Welcome to Payback Loyalty Systems
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup servers
    dns domain-lookup printers
    dns domain-lookup wireless
    dns server-group DefaultDNS
    name-server 83.147.160.2
    name-server 83.147.160.130
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network ftp_server
    object network Internal_Report_Server
    host 192.168.20.21
    description Automated Report Server Internal Address
    object network Report_Server
    host 89.234.126.9
    description Automated Report Server
    object service RDP
    service tcp destination eq 3389
    description RDP to Server
    object network Host_QA_Server
    host 89.234.126.10
    description QA Host External Address
    object network Internal_Host_QA
    host 192.168.20.22
    description Host of VM machine for QA
    object network Internal_QA_Web_Server
    host 192.168.20.23
    description Web Server in QA environment
    object network Web_Server_QA_VM
    host 89.234.126.11
    description Web server in QA environment
    object service SQL_Server
    service tcp destination eq 1433
    object network Demo_Server
    host 89.234.126.12
    description Server set up to Demo Product
    object network Internal_Demo_Server
    host 192.168.20.24
    description Internal IP Address of Demo Server
    object network NETWORK_OBJ_192.168.20.0_24
    subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_26
    subnet 192.168.50.0 255.255.255.192
    object network NETWORK_OBJ_192.168.0.0_16
    subnet 192.168.0.0 255.255.0.0
    object service MSSQL
    service tcp destination eq 1434
    description MSSQL port
    object network VPN-network
    subnet 192.168.50.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_24
    subnet 192.168.50.0 255.255.255.0
    object service TS
    service tcp destination eq 4400
    object service TS_Return
    service tcp source eq 4400
    object network External_QA_3
    host 89.234.126.13
    object network Internal_QA_3
    host 192.168.20.25
    object network Dev_WebServer
    host 192.168.20.27
    object network External_Dev_Web
    host 89.234.126.14
    object network CIX_Subnet
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network NETWORK_OBJ_84.39.233.50
    host 84.39.233.50
    object network NETWORK_OBJ_92.51.193.158
    host 92.51.193.158
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq ftp
    service-object tcp destination eq netbios-ssn
    service-object tcp destination eq smtp
    service-object object TS
    object-group network Payback_Internal
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_3
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object object TS
    service-object object TS_Return
    object-group service DM_INLINE_SERVICE_4
    service-object object RDP
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_5
    service-object object MSSQL
    service-object object RDP
    service-object object TS
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
    service-object object TS
    service-object object TS_Return
    service-object tcp destination eq www
    service-object tcp destination eq https
    access-list outside_access_in remark This rule is allowing from internet to interal server.
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark FTP
    access-list outside_access_in remark RDP
    access-list outside_access_in remark SMTP
    access-list outside_access_in remark Net Bios
    access-list outside_access_in remark SQL
    access-list outside_access_in remark TS - 4400
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
    access-list outside_access_in remark Access rule to internal host QA
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
    access-list outside_access_in remark Access to INternal Web Server:
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
    access-list outside_access_in remark Rule for allowing access to Demo server
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark RDP
    access-list outside_access_in remark MSSQL
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
    access-list outside_access_in remark Access for Development WebServer
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console informational
    logging asdm informational
    logging from-address
    [email protected]
    logging recipient-address
    [email protected]
    level alerts
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    mtu printers 1500
    mtu wireless 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (wireless,outside) source dynamic any interface
    nat (servers,outside) source dynamic any interface
    nat (servers,outside) source static Internal_Report_Server Report_Server
    nat (servers,outside) source static Internal_Host_QA Host_QA_Server
    nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
    nat (servers,outside) source static Internal_Demo_Server Demo_Server
    nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Internal_QA_3 External_QA_3
    nat (servers,outside) source static Dev_WebServer External_Dev_Web
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 84.39.233.50
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 77.75.100.208 255.255.255.240 outside
    ssh 192.168.10.0 255.255.255.0 inside
    ssh 192.168.40.0 255.255.255.0 wireless
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.168.0.1
    dhcpd auto_config outside
    dhcpd address 192.168.10.21-192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    dhcpd option 15 ascii paybackloyalty.com interface inside
    dhcpd enable inside
    dhcpd address 192.168.40.21-192.168.40.240 wireless
    dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
    dhcpd update dns interface wireless
    dhcpd option 15 ascii paybackloyalty.com interface wireless
    dhcpd enable wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy Payback_VPN internal
    group-policy Payback_VPN attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Payback_VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 83.147.160.2 83.147.160.130
    vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    group-policy GroupPolicy_84.39.233.50 internal
    group-policy GroupPolicy_84.39.233.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username Noelle password XB/IpvYaATP.2QYm encrypted
    username Noelle attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
    username Eanna attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Michael password qpbleUqUEchRrgQX encrypted
    username Michael attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
    username Danny attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
    username Aileen attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
    username Aidan attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    username shane.c password iqGMoWOnfO6YKXbw encrypted
    username shane.c attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Shane password uYePLcrFadO9pBZx encrypted
    username Shane attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username James password TdYPv1pvld/hPM0d encrypted
    username James attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username mark password yruxpddqfyNb.qFn encrypted
    username mark attributes
    service-type admin
    username Mary password XND5FTEiyu1L1zFD encrypted
    username Mary attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
    username Massimo attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    tunnel-group Payback_VPN type remote-access
    tunnel-group Payback_VPN general-attributes
    address-pool VPN1
    default-group-policy Payback_VPN
    tunnel-group Payback_VPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 general-attributes
    default-group-policy GroupPolicy_84.39.233.50
    tunnel-group 84.39.233.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp error
      inspect icmp
    service-policy global-policy global
    smtp-server 192.168.20.21
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
    ASA 2
    ASA Version 9.0(1)
    hostname Payback-CIX
    enable password HSMurh79NVmatjY0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description This port connects to VLAN 100
    switchport access vlan 100
    interface Ethernet0/2
    interface Ethernet0/3
    switchport access vlan 100
    interface Ethernet0/4
    switchport access vlan 100
    interface Ethernet0/5
    switchport access vlan 100
    interface Ethernet0/6
    switchport access vlan 100
    interface Ethernet0/7
    switchport access vlan 100
    interface Vlan2
    nameif outside
    security-level 0
    ip address 84.39.233.50 255.255.255.240
    interface Vlan100
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    banner login line Welcome to Payback Loyalty - CIX
    ftp mode passive
    clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group defaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network CIX-Host-1
    host 192.168.100.2
    description This is the host machine of the VM servers
    object network External_CIX-Host-1
    host 84.39.233.51
    description This is the external IP address of the host server for the VM server
    object service RDP
    service tcp source range 1 65535 destination eq 3389
    object network Payback_Office
    host 92.51.193.158
    object service MSQL
    service tcp destination eq 1433
    object network Development_OLTP
    host 192.168.100.10
    description VM for Eiresoft
    object network External_Development_OLTP
    host 84.39.233.52
    description This is the external IP address for the VM for Eiresoft
    object network Eiresoft
    host 146.66.160.70
    description DBA Contractor
    object network External_TMC_Web
    host 84.39.233.53
    description Public Address of TMC Webserver
    object network TMC_Webserver
    host 192.168.100.19
    description Internal Address of TMC Webserver
    object network External_TMC_OLTP
    host 84.39.233.54
    description Targets OLTP external IP
    object network TMC_OLTP
    host 192.168.100.18
    description Targets interal IP address
    object network External_OLTP_Failover
    host 84.39.233.55
    description Public IP of OLTP Failover
    object network OLTP_Failover
    host 192.168.100.60
    description Server for OLTP failover
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object network Wired
    subnet 192.168.10.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network Eiresoft_2nd
    host 137.117.217.29
    description Eiresoft 2nd IP
    object network Dev_Test_Webserver
    host 192.168.100.12
    description Dev Test Webserver Internal Address
    object network External_Dev_Test_Webserver
    host 84.39.233.56
    description This is the PB Dev Test Webserver
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_2
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_3
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_4
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_5
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_6
    service-object object MSQL
    service-object object RDP
    object-group network Payback_Intrernal
    network-object object Servers
    network-object object Wired
    network-object object Wireless
    object-group service DM_INLINE_SERVICE_7
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_8
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_9
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_10
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_11
    service-object object RDP
    service-object tcp destination eq ftp
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
    access-list outside_access_in remark Development OLTP from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
    access-list outside_access_in remark Access for Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
    access-list outside_access_in remark Access to OLTP for target from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
    access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
    access-list outside_access_in remark Access for the 2nd IP from Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
    access-list outside_access_in remark Access from the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
    access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
    nat (inside,outside) source static Development_OLTP External_Development_OLTP
    nat (inside,outside) source static TMC_Webserver External_TMC_Web
    nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
    nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
    nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 92.51.193.156 255.255.255.252 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 92.51.193.158
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 77.75.100.208 255.255.255.240 outside
    ssh 92.51.193.156 255.255.255.252 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_92.51.193.158 internal
    group-policy GroupPolicy_92.51.193.158 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 general-attributes
    default-group-policy GroupPolicy_92.51.193.158
    tunnel-group 92.51.193.158 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hi,
    Thanks for the help to date
    I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
    See below the details:
    ASA1:
    hostname PAYBACK
    enable password HSMurh79NVmatjY0 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description Trunk link to SW1
    switchport trunk allowed vlan 1,10,20,30,40
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address XX.XX.XX.XX 255.255.255.252
    interface Vlan10
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan20
    nameif servers
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    interface Vlan30
    nameif printers
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan40
    nameif wireless
    security-level 100
    ip address 192.168.40.1 255.255.255.0
    banner login line Welcome to Payback Loyalty Systems
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup servers
    dns domain-lookup printers
    dns domain-lookup wireless
    dns server-group DefaultDNS
    name-server 83.147.160.2
    name-server 83.147.160.130
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network ftp_server
    object network Internal_Report_Server
    host 192.168.20.21
    description Automated Report Server Internal Address
    object network Report_Server
    host 89.234.126.9
    description Automated Report Server
    object service RDP
    service tcp destination eq 3389
    description RDP to Server
    object network Host_QA_Server
    host 89.234.126.10
    description QA Host External Address
    object network Internal_Host_QA
    host 192.168.20.22
    description Host of VM machine for QA
    object network Internal_QA_Web_Server
    host 192.168.20.23
    description Web Server in QA environment
    object network Web_Server_QA_VM
    host 89.234.126.11
    description Web server in QA environment
    object service SQL_Server
    service tcp destination eq 1433
    object network Demo_Server
    host 89.234.126.12
    description Server set up to Demo Product
    object network Internal_Demo_Server
    host 192.168.20.24
    description Internal IP Address of Demo Server
    object network NETWORK_OBJ_192.168.20.0_24
    subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_26
    subnet 192.168.50.0 255.255.255.192
    object network NETWORK_OBJ_192.168.0.0_16
    subnet 192.168.0.0 255.255.0.0
    object service MSSQL
    service tcp destination eq 1434
    description MSSQL port
    object network VPN-network
    subnet 192.168.50.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_24
    subnet 192.168.50.0 255.255.255.0
    object service TS
    service tcp destination eq 4400
    object service TS_Return
    service tcp source eq 4400
    object network External_QA_3
    host 89.234.126.13
    object network Internal_QA_3
    host 192.168.20.25
    object network Dev_WebServer
    host 192.168.20.27
    object network External_Dev_Web
    host 89.234.126.14
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    description Wireless network
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq ftp
    service-object tcp destination eq netbios-ssn
    service-object tcp destination eq smtp
    service-object object TS
    service-object object SQL_Server
    object-group service DM_INLINE_SERVICE_3
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object object TS
    service-object object TS_Return
    object-group service DM_INLINE_SERVICE_4
    service-object object RDP
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_5
    service-object object MSSQL
    service-object object RDP
    service-object object TS
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
    service-object object TS
    service-object object TS_Return
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    object-group network Payback_Internal
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    access-list outside_access_in remark This rule is allowing from internet to interal server.
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark FTP
    access-list outside_access_in remark RDP
    access-list outside_access_in remark SMTP
    access-list outside_access_in remark Net Bios
    access-list outside_access_in remark SQL
    access-list outside_access_in remark TS - 4400
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
    access-list outside_access_in remark Access rule to internal host QA
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
    access-list outside_access_in remark Access to INternal Web Server:
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
    access-list outside_access_in remark Rule for allowing access to Demo server
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark RDP
    access-list outside_access_in remark MSSQL
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
    access-list outside_access_in remark Access for Development WebServer
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console informational
    logging asdm informational
    logging from-address [email protected]
    logging recipient-address [email protected] level alerts
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    mtu printers 1500
    mtu wireless 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source dynamic any interface
    nat (wireless,outside) source dynamic any interface
    nat (servers,outside) source dynamic any interface
    nat (servers,outside) source static Internal_Report_Server Report_Server
    nat (servers,outside) source static Internal_Host_QA Host_QA_Server
    nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
    nat (servers,outside) source static Internal_Demo_Server Demo_Server
    nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Internal_QA_3 External_QA_3
    nat (servers,outside) source static Dev_WebServer External_Dev_Web
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer XX.XX.XX.XX
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map servers_map interface servers
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 enable servers
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.168.0.1
    dhcpd auto_config outside
    dhcpd address 192.168.10.21-192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    dhcpd option 15 ascii paybackloyalty.com interface inside
    dhcpd enable inside
    dhcpd address 192.168.40.21-192.168.40.240 wireless
    dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
    dhcpd update dns interface wireless
    dhcpd option 15 ascii paybackloyalty.com interface wireless
    dhcpd enable wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy Payback_VPN internal
    group-policy Payback_VPN attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Payback_VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 83.147.160.2 83.147.160.130
    vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    group-policy GroupPolicy_84.39.233.50 internal
    group-policy GroupPolicy_84.39.233.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username Noelle password XB/IpvYaATP.2QYm encrypted
    username Noelle attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
    username Eanna attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Michael password qpbleUqUEchRrgQX encrypted
    username Michael attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
    username Danny attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username niamh password MlFlIlEiy8vismE0 encrypted
    username niamh attributes
    service-type admin
    username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
    username Aileen attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
    username Aidan attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    username shane.c password iqGMoWOnfO6YKXbw encrypted
    username shane.c attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Shane password yQeVtvLLKqapoUje encrypted privilege 0
    username Shane attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username James password TdYPv1pvld/hPM0d encrypted
    username James attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username mark password yruxpddqfyNb.qFn encrypted
    username mark attributes
    service-type admin
    username Mary password XND5FTEiyu1L1zFD encrypted
    username Mary attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
    username Massimo attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    tunnel-group Payback_VPN type remote-access
    tunnel-group Payback_VPN general-attributes
    address-pool VPN1
    default-group-policy Payback_VPN
    tunnel-group Payback_VPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 general-attributes
    default-group-policy GroupPolicy_84.39.233.50
    tunnel-group 84.39.233.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp error
      inspect icmp
    service-policy global-policy global
    smtp-server 192.168.20.21
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:83fa7ce1d93375645205f6e79b526381
    ASA2:
    ASA Version 9.0(1)
    hostname Payback-CIX
    enable password HSMurh79NVmatjY0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description This port connects to VLAN 100
    switchport access vlan 100
    interface Ethernet0/2
    interface Ethernet0/3
    switchport access vlan 100
    interface Ethernet0/4
    switchport access vlan 100
    interface Ethernet0/5
    switchport access vlan 100
    interface Ethernet0/6
    switchport access vlan 100
    interface Ethernet0/7
    switchport access vlan 100
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.X.X 255.255.255.240
    interface Vlan100
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    banner login line Welcome to Payback Loyalty - CIX
    ftp mode passive
    clock timezone GMT 0
    clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group defaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network CIX-Host-1
    host 192.168.100.2
    description This is the host machine of the VM servers
    object network External_CIX-Host-1
    host 84.39.233.51
    description This is the external IP address of the host server for the VM server
    object service RDP
    service tcp source range 1 65535 destination eq 3389
    object network Payback_Office
    host 92.51.193.158
    object service MSQL
    service tcp destination eq 1433
    object network Development_OLTP
    host 192.168.100.10
    description VM for Eiresoft
    object network External_Development_OLTP
    host 84.39.233.52
    description This is the external IP address for the VM for Eiresoft
    object network External_TMC_Web
    host 84.39.233.53
    description Public Address of TMC Webserver
    object network TMC_Webserver
    host 192.168.100.19
    description Internal Address of TMC Webserver
    object network External_TMC_OLTP
    host 84.39.233.54
    description Targets OLTP external IP
    object network TMC_OLTP
    host 192.168.100.18
    description Targets interal IP address
    object network External_OLTP_Failover
    host 84.39.233.55
    description Public IP of OLTP Failover
    object network OLTP_Failover
    host 192.168.100.60
    description Server for OLTP failover
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object network Wired
    subnet 192.168.10.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network Eiresoft_2nd
    host 137.117.217.29
    description Eiresoft 2nd IP
    object network Dev_Test_Webserver
    host 192.168.100.12
    description Dev Test Webserver Internal Address
    object network External_Dev_Test_Webserver
    host 84.39.233.56
    description This is the PB Dev Test Webserver
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object network LAN
    subnet 192.168.100.0 255.255.255.0
    object network REMOTE-LAN
    subnet 192.168.10.0 255.255.255.0
    object network TargetMC
    host 83.71.194.145
    description This is Target Location that will be accessing the Webserver
    object network Rackspace_OLTP
    host 162.13.34.56
    description This is the IP address of production OLTP
    object service DB
    service tcp destination eq 5022
    object network Topaz_Target_VM
    host 82.198.151.168
    description This is Topaz IP that will be accessing Targets VM
    object service DB_2
    service tcp destination eq 5023
    object network EireSoft_NEW_IP
    host 146.66.161.3
    description Eiresoft latest IP form ISP DHCP
    object-group service DM_INLINE_SERVICE_1
    service-object object MSQL
    service-object object RDP
    service-object icmp echo
    service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_2
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_4
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    service-object tcp destination eq www
    object-group service DM_INLINE_SERVICE_5
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_6
    service-object object MSQL
    service-object object RDP
    object-group network Payback_Intrernal
    network-object object Servers
    network-object object Wired
    network-object object Wireless
    object-group service DM_INLINE_SERVICE_8
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_9
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_10
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    service-object icmp echo
    service-object icmp echo-reply
    service-object object DB
    object-group service DM_INLINE_SERVICE_11
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_12
    service-object object MSQL
    service-object icmp echo
    service-object icmp echo-reply
    service-object object DB
    service-object object DB_2
    object-group service DM_INLINE_SERVICE_13
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_14
    service-object object MSQL
    service-object object RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
    access-list outside_access_in remark Development OLTP from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
    access-list outside_access_in remark Access to OLTP for target from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
    access-list outside_access_in remark Access for the 2nd IP from Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
    access-list outside_access_in remark Access from the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
    access-list outside_access_in remark Access rules from Traget to CIX for testing
    access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
    access-list outside_access_in remark Topaz access to Target VM
    access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
    access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
    access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
    access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
    access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
    access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
    nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
    nat (inside,outside) source static Development_OLTP External_Development_OLTP
    nat (inside,outside) source static TMC_Webserver External_TMC_Web
    nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
    nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
    nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
    nat (inside,outside) source dynamic LAN interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http X.X.X.X 255.255.255.252 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer X.X.X.X
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh X.X.X.X  255.255.255.240 outside
    ssh X.X.X.X 255.255.255.252 outside
    ssh 192.168.40.0 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_92.51.193.158 internal
    group-policy GroupPolicy_92.51.193.158 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 general-attributes
    default-group-policy GroupPolicy_92.51.193.158
    tunnel-group 92.51.193.158 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769

  • Setting up site to site vpn with cisco asa 5505

    I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!

    Hi Mandy,
    By using following access list define Peer IP as source and destination
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    you are not defining the interesting traffic / subnets from both ends.
    Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
    !.1..source subnet(called local encryption domain) at your end  192.168.200.0
    !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
    !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
    !...at your end  192.168.200.0
    !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
    !...at other end 192.168.100.0
    Please use Baisc Steps as follows:
    A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
    Step 1.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 3.
    Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or , but not both
    crypto isakmp key 6 CISCO123 address71.37.178.142
    step 4.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 6.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Configure the same but just change ACL on other end in step one  by reversing source and destination
    and also set the peer IP of this router in other end.
    So other side config should look as follows:
    B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
    Step 7.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 9.
    Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or , but not both
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    step 10.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map    ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set, only one is permissible
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Now initite a ping
    Here is for your summary:
    IPSec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
    Router#debug crpyto isakmp
    Router#debug crpyto ipsec
    Router(config)# logging buffer 7
    Router(config)# logging buffer 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha1
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Change to Transport Mode, add the following command in Step 4:
    (config-tranform-set)# mode transport
    Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
    Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
    Similarly on R2.
    The below process is for the negotiation using RSA-SIG (PKI) as authentication type
    Debug Process:
    After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg

  • Cisco ASA 5505 not able to access flash

    Hi All:
    I have searched and searched all over the net for an answer to this question and have decided to just post it. I have a 5505 that was given to me by my job to use for working on my CCNA Sec. cert and did the following:
    I plugged it in and booted it up just fine. Made config changes as I followed along with the examples in my CCNA Security book. Got to the point in chapter 14 where the initial setup happens to configure it for working with ASDM. I never did a write mem on it and decided to take it back to square one by unplugging it to allow it to lose the changes that I made. This is where things got ugly.
    When it booted back up it got stuck in a bootup loop and couldn't find an IOS. After following all kinds of steps to boot to rommon and tftp another IOS and such (several times) I decided to follow another posting that said that the flash could be corrupted and to just delete it and start anew. Did that and through rommon as it would not boot up normally any more. After trying this over and over for the last couple hours I realized that it would boot from tftp so I did that in hopes of fixing the flash issue.
    I've tried deleting it, and re-initializing it and formating it. But the thing is that it no longer SEES the disk0: mount point. I've used two different flash cards...the one that came with it and the one that I already had. With the cover off I can see that there is no activity light next to the flash drive when I issue a delete or initialize or format command.
    Here is a copy of some of the output file. Any help or suggestions are greatly appreciated.
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Please set ADDRESS Variable.
    Please set SERVER Variable.
    Please set IMAGE Variable.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Boot mode is 1. Default entry is 1.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
    Low Memory: 632 KB
    High Memory: 507 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge       
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge        
    00  0F  02   1022   2092  IDE Controller    
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot interrupted.                              
    Ethernet0/0
    MAC Address: 0023.339e.2a91
    Link is UP
    Use ? for help.
    rommon #0> format disk0:
    Invalid or incorrect command.  Use 'help' for help.
    rommon #0> ADDRESS=10.10.10.110
    rommon #1> GATEWAY=10.10.10.1
    rommon #2> SERVER=10.10.10.98
    rommon #3> IMAGE=asa914-k8.bin
    rommon #4> tftp
    ROMMON Variable Settings:
      ADDRESS=10.10.10.110
      SERVER=10.10.10.98
      GATEWAY=10.10.10.1
      PORT=Ethernet0/0
      VLAN=untagged
      IMAGE=asa914-k8.bin
      CONFIG=
      LINKTIMEOUT=20
      PKTTIMEOUT=4
      RETRY=20
    tftp [email protected] via 10.10.10.1
    Received 27076608 bytes
    Launching TFTP Image...
    Cisco Security Appliance admin loader (3.0) #0: Thu Dec  5 19:38:43 PST 2013
    Platform ASA5505
    Loading...
    IO memory blocks requested from bigphys 32bit: 9956
    Àdosfsck 2.11, 12 Mar 2005, FAT32, LFN
    Currently, only 1 or 2 FATs are supported, not 42.
    dosfsck(/dev/hda1) returned 1
    mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
    mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
    Processor memory 343932928, Reserved memory: 62914560
    Total SSMs found: 0
    Total NICs found: 10
    88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
    88E6095 rev 2 Ethernet @ index 08 MAC: 0023.339e.2a90
    88E6095 rev 2 Ethernet @ index 07 MAC: 0023.339e.2a8f
    88E6095 rev 2 Ethernet @ index 06 MAC: 0023.339e.2a8e
    88E6095 rev 2 Ethernet @ index 05 MAC: 0023.339e.2a8d
    88E6095 rev 2 Ethernet @ index 04 MAC: 0023.339e.2a8c
    88E6095 rev 2 Ethernet @ index 03 MAC: 0023.339e.2a8b
    88E6095 rev 2 Ethernet @ index 02 MAC: 0023.339e.2a8a
    88E6095 rev 2 Ethernet @ index 01 MAC: 0023.339e.2a89
    y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0023.339e.2a91
    INFO: Unable to read firewall mode from flash
           Writing default firewall mode (single) to flash
    INFO: Unable to read cluster interface-mode from flash
           Writing default mode "None" to flash
    Verify the activation-key, it might take a while...
    Failed to retrieve permanent activation key.
    Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
    The Running Activation Key is not valid, using default settings:
    Licensed features for this platform:
    Maximum Physical Interfaces       : 8              perpetual
    VLANs                             : 3              DMZ Restricted
    Dual ISPs                         : Disabled       perpetual
    VLAN Trunk Ports                  : 0              perpetual
    Inside Hosts                      : 10             perpetual
    Failover                          : Disabled       perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10             perpetual
    Total VPN Peers                   : 12             perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    This platform has a Base license.
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode        : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                                 IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
    Cisco Adaptive Security Appliance Software Version 9.1(4)
      ****************************** Warning *******************************
      This product contains cryptographic features and is
      subject to United States and local country laws
      governing, import, export, transfer, and use.
      Delivery of Cisco cryptographic products does not
      imply third-party authority to import, export,
      distribute, or use encryption. Importers, exporters,
      distributors and users are responsible for compliance
      with U.S. and local country laws. By using this
      product you agree to comply with applicable laws and
      regulations. If you are unable to comply with U.S.
      and local laws, return the enclosed items immediately.
      A summary of U.S. laws governing Cisco cryptographic
      products may be found at:
      http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
      If you require further assistance please contact us by
      sending email to [email protected].
      ******************************* Warning *******************************
    This product includes software developed by the OpenSSL Project
    for use in the OpenSSL Toolkit (http://www.openssl.org/)
    Copyright (C) 1995-1998 Eric Young ([email protected])
    All rights reserved.
    Copyright (c) 1998-2011 The OpenSSL Project.
    All rights reserved.
    This product includes software developed at the University of
    California, Irvine for use in the DAV Explorer project
    (http://www.ics.uci.edu/~webdav/)
    Copyright (c) 1999-2005 Regents of the University of California.
    All rights reserved.
    Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
    Busybox comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    59 Temple Place, Suite 330, Boston, MA 02111-1307
    675 Mass Ave, Cambridge, MA 02139
    DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    59 Temple Place, Suite 330, Boston, MA 02111-1307
    grub comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
    libgcc comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenseSee User Manual (''Licensing'') for details.
    libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
    libstdc++ comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
    Foundation, Inc.
    51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
    Linux kernel comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
    Foundation, Inc.
    59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
    module-init-tools comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    numactl, version 2.0.3, Copyright (C) 2008 SGI.
    Author: Andi Kleen, SUSE Labs
    Version 2.0.0 by Cliff Wickman, Chritopher Lameter and Lee Schermerhorn
    numactl comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
    pciutils comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    59 Temple Place, Suite 330, Boston, MA 02111 USA
    readline comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
    udev comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it under the General
    Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
    See User Manual (''Licensing'') for details.
    Cisco Adapative Security Appliance Software, version 9.1,
    Copyright (c) 1996-2013 by Cisco Systems, Inc.
    Certain components of Cisco ASA Software, Version 9.1 are licensed under the GNU
    Lesser Public License (LGPL) Version 2.1.  The software code licensed under LGPL
    Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY.  You can
    redistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
    (http://www.gnu.org/licenses/lgpl-2.1.html).  See User Manual for licensing
    details.
                    Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
                    Cisco Systems, Inc.
                    170 West Tasman Drive
                    San Jose, California 95134-1706
    Insufficient flash space available for this request:
      Size info: request:32 free:0  delta:32
    Could not initialize system files in flash.
    config_fetcher: channel open failed
    ERROR: MIGRATION - Could not get the startup configuration.
    INFO: Power-On Self-Test in process.
    INFO: Power-On Self-Test complete.
    INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_200804300128.log'
    Pre-configure Firewall now through interactive prompts [yes]? n
    Type help or '?' for a list of available commands.
    ciscoasa> en
    Password:
    ciscoasa# format disk0:
    Format operation may take a while. Continue? [confirm]
    Format operation will destroy all data in "disk0:".  Continue? [confirm]
    Initializing partition - done!
    Creating FAT16 filesystem
    mkdosfs 2.11 (12 Mar 2005)
    System tables written to disk
    Format of disk0 complete
    ciscoasa# format disk:
                     ^
    ERROR: % Invalid input detected at '^' marker.
    ciscoasa# format flash:
    Format operation may take a while. Continue? [confirm]
    Format operation will destroy all data in "flash:".  Continue? [confirm]
    Initializing partition - done!

    Yeah...I think I found that one out the hard way already. I'll cross that bridge when I get to it. I want to get this issue fixed before I start thinking about the license issue.
    ciscoasa#
    ciscoasa#
    ciscoasa#
    ciscoasa# sh flash
    --#--  --length--  -----date/time------  path
    2403  0           Apr 30 2008 02:00:56  test
    2285  196         Apr 30 2008 01:28:20  upgrade_startup_errors_200804300128.log
    2283  0           Apr 30 2008 01:28:20  coredumpinfo
    2284  59          Apr 30 2008 01:28:20  coredumpinfo/coredump.cfg
    2280  0           Apr 30 2008 01:27:56  crypto_archive
    2267  0           Apr 30 2008 01:27:38  log
    0 bytes total (0 bytes free)
    ciscoasa#
    ciscoasa#
    ciscoasa#
    ciscoasa# sh disk0
    --#--  --length--  -----date/time------  path
    2403  0           Apr 30 2008 02:00:56  test
    2285  196         Apr 30 2008 01:28:20  upgrade_startup_errors_200804300128.log
    2283  0           Apr 30 2008 01:28:20  coredumpinfo
    2284  59          Apr 30 2008 01:28:20  coredumpinfo/coredump.cfg
    2280  0           Apr 30 2008 01:27:56  crypto_archive
    2267  0           Apr 30 2008 01:27:38  log
    0 bytes total (0 bytes free)
    ciscoasa#

  • Cisco ASA 5505 doesn't forware incoming connection to LAN

    Hello everybody.
    I just got a Cisco asa 5505 with the next OS and ASDM info
    ASA 5505 OS 8.4(3) ASDM 6.47
    I configured and enter all rules to allow incoming traffic to LAN but it's not working also, I have one host inside that is configured in a second IP and create the rule to allow traffic to it but it doesn't work too.
    Problem 1
    I have VNC running in port 5900 tcp and I want to connect from Internet using port 6001 and this has to forware the connection to the real VNC port. In the configuration I have a few host with the same configuration but I use different outside port to get it.
    Problem 2.
    I have a second IP with services: SMTP, HTTP, HTTPS and port 444 all TCP forwarding to a server in the LAN.
    Facts:
    SMTP.
    Every time that I do telnet to the second IP looking for the SMTP port, the firewall doesn't let the incoming connection goes through and the LOGGING screen doesn't how that connection.
    PORT 6001 (outside)
    this port is configured to work with the IP in the outside internface and it was to send the incoming connection to a host inside to the real port 5900.
    Can any one check my configuration if I'm missing anything? for sure I'm but I didn't find it. Bellow is the configuration, I masked the Public IPs just left the last number in the IP, also I left the LAN network to see better the configuration.
    I will appreciate any help.
    Thanks a lot..
    CONFIGURATION.
    : Saved
    ASA Version 8.4(3)
    hostname saturn1
    domain-name mydominio.com
    enable password SOMEPASS encrypted
    passwd SOMEPASS encrypted
    names
    name 192.168.250.11 CAPITOLA-LAN
    name 192.168.250.15 OBIi110-LAN
    name 192.168.250.21 DRP1260-LAN
    name 192.168.250.22 HPOJ8500-LAN
    name 192.168.250.30 AP-W77-NG-LAN
    name 192.168.250.97 AJ-DTOP-PC-LAN
    name 192.168.250.96 SWEETHEART-PC-LAN
    name 192.168.250.94 KIDS-PC-LAN
    name XX.YY.ZZ.250 EXTERNALIP
    name XX.YY.ZZ.251 EXTERNALIP2
    name XX.YY.ZZ.1 GTWAY
    dns-guard
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.250.2 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address EXTERNALIP 255.255.255.0
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name mydominio.com
    object network CAPITOLA-LAN
    host 192.168.250.11
    object network EXTERNALIP
    host XX.YY.ZZ.250
    description Created during name migration
    object network CAPITOLA-PUBLIC
    host XX.YY.ZZ.251
    object network capitola-int
    host 192.168.250.11
    object network capitola-int-vnc
    host 192.168.250.11
    object network aj-dtop-int-vnc
    host 192.168.250.97
    object network sweetheart-int-vnc
    host 192.168.250.96
    object network kids-int-vnc
    host 192.168.250.94
    object network VPNNetwork
    subnet 10.10.20.0 255.255.255.0
    object network InsideNetwork
    subnet 192.168.250.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network capitola-int-smtp
    host 192.168.250.11
    object-group service capitola-int-smtp-service tcp
    port-object eq smtp
    object-group service capitola-int-services tcp
    port-object eq smtp
    port-object eq https
    port-object eq www
    port-object eq 444
    object-group service capitola-int-vnc-service tcp
    port-object eq 6001
    object-group service aj-dtop-int-vnc-service tcp
    port-object eq 6002
    object-group service sweetheart-int-vnc-service tcp
    port-object eq 6003
    object-group service kids-int-vnc-service tcp
    port-object eq 6004
    access-list incoming extended permit icmp any any
    access-list incoming extended permit tcp any object capitola-int object-group capitola-int-services
    access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service
    access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service
    access-list incoming extended permit tcp any object sweetheart-int-vnc object-group sweetheart-int-vnc-service
    access-list incoming extended permit tcp any object kids-int-vnc object-group kids-int-vnc-service
    access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service
    access-list split-tunnel standard permit 192.168.250.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any object VPNNetwork
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 10.10.20.1-10.10.20.50 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static any any destination static VPNNetwork VPNNetwork no-proxy-arp
    object network capitola-int
    nat (any,any) static XX.YY.ZZ.251
    object network capitola-int-vnc
    nat (inside,outside) static interface service tcp 5900 6001
    object network aj-dtop-int-vnc
    nat (inside,outside) static interface service tcp 5900 6002
    object network sweetheart-int-vnc
    nat (inside,outside) static interface service tcp 5900 6003
    object network kids-int-vnc
    nat (inside,outside) static interface service tcp 5900 6004
    object network obj_any
    nat (inside,outside) dynamic interface
    object network capitola-int-smtp
    nat (any,outside) static interface service tcp smtp smtp
    access-group incoming in interface outside
    route outside 0.0.0.0 0.0.0.0 GTWAY 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http server idle-timeout 2
    http server session-timeout 1
    http 192.168.1.0 255.255.255.0 inside
    http CAPITOLA-LAN 255.255.255.255 inside
    http AJ-DTOP-PC-LAN 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh CAPITOLA-LAN 255.255.255.255 inside
    ssh AJ-DTOP-PC-LAN 255.255.255.255 inside
    ssh timeout 15
    console timeout 0
    vpn-addr-assign local reuse-delay 2
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password SOMEPASS encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect pptp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:036b82d3eb5cffc1c65a3b381246d043
    : end
    asdm image disk0:/asdm-647.bin
    no asdm history enable

    Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
    access list rule:
    access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
    nat rule:
    nat (inside,outside) source static server interface service voip-range voip-range
    - 'server' is a network object *
    - 'voip-range' is a service group range
    I'd assume you can do something similar here in combination with my earlier comment:
    access-list incoming extended permit tcp any any eq 5900
    Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

  • Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

    Hello,
    I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    ip address outside xxx.xxx.xxx.94 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

    Hey Craig,
    Based on your commands I think you were using 6.3 version on PIX and now you must be  moving to ASA ver 8.2.x.
    On 8.4 for interface defining use below mentioned example :
    int eth0/0
    ip add x.x.x.x y.y.y.y
    nameif outside
    no shut
    int eth0/1
    ip add x.x.x.x y.y.y.y
    nameif inside
    no shut
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
    If you're still not able to reach.Paste your entire config and version that you are using on ASA.

  • Cisco ASA 5505, Cisco VPN Client and Novell Netware

    Hi,
    Our ISP have installed Cisco ASA 5505 firewall. We are trying to connect to our Novell 5.1 server using VPN client.
    I installed VPN client on a laptop that is using wireless connection. I connect using wireless signal from near by hotel and I am able to connect to my firewall usinging vpn client and also able to login in using Novell client for XP.
    When I use same vpn client and Novell client at home that is not using wireless connection, but DSL connection amd not able to login or find the tree.
    The only difference in two machine is laptop using wireless connection and my home machine is using wired connection using DSL.

    If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

  • Cisco ASA 5505 and comodo SSL certificate

    Hey All,
    I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
    Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
    On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
    What am I missing here? I can post config if anyone needs it.
    (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

    It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
    ASA Version 9.0(2)
    hostname MyDomain-firewall-1
    domain-name MyDomain.com
    enable password omitted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd omitted
    names
    name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
    name 10.200.0.0 MyDomain_New_IP description MyDomain_New
    name 10.100.0.0 MyDomain-Old description Inside_Old
    name XXX.XXX.XX.XX Provider description Provider_Wireless
    name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
    name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
    ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
    ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address Cisco_ASA_5505 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Provider 255.255.255.252
    boot system disk0:/asa902-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.0.3.21
    domain-name MyDomain.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network MyDomain-Employee
    subnet 192.168.208.0 255.255.255.0
    description MyDomain-Employee
    object-group network Inside-all
    description All Networks
    network-object MyDomain-Old 255.255.254.0
    network-object MyDomain_New_IP 255.255.192.0
    network-object host MyDomain-Inside
    access-list inside_access_in extended permit ip any4 any4
    access-list split-tunnel standard permit host 10.0.13.1
    pager lines 24
    logging enable
    logging buffered errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
    route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
    route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
    route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record "Network Access Policy Allow VPN"
    description "Must have the Network Access Policy Enabled to get VPN access"
    aaa-server LDAP_Group protocol ldap
    aaa-server LDAP_Group (inside) host 10.0.3.21
    ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http MyDomain_New_IP 255.255.192.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    no validation-usage
    no accept-subordinates
    no id-cert-issuer
    crl configure
    crypto ca trustpoint VPN
    enrollment terminal
    fqdn vpn.mydomain.com
    subject-name CN=vpn.mydomain.com,OU=IT
    keypair vpn.mydomain.com
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpool policy
    crypto ca server
    shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
        omitted
      quit
    crypto ca certificate chain VPN
    certificate
        omitted
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca
        omitted
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint VPN
    telnet timeout 5
    ssh MyDomain_New_IP 255.255.192.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
    ssl trust-point VPN outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
    anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
    anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
    anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value MyDomain.com
    group-policy MyDomain-Employee internal
    group-policy MyDomain-Employee attributes
    wins-server none
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value MyDomain.com
    webvpn
      anyconnect profiles value MyDomain-employee type user
    username MyDomainadmin password omitted encrypted privilege 15
    tunnel-group MyDomain-Employee type remote-access
    tunnel-group MyDomain-Employee general-attributes
    address-pool MyDomain-Employee-Pool
    authentication-server-group LDAP_Group LOCAL
    default-group-policy MyDomain-Employee
    tunnel-group MyDomain-Employee webvpn-attributes
    group-alias MyDomain-Employee enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
    : end
    asdm image disk0:/asdm-712.bin
    asdm location MyDomain_New_IP 255.255.192.0 inside
    asdm location MyDomain-Inside 255.255.255.255 inside
    asdm location MyDomain-Old 255.255.254.0 inside
    no asdm history enable

  • Cisco ASA 5505 - 2 PPPoE connection

    Hi,
    Please I would be very pleased if someone could give me a hand in this matter.
    I have a Cisco ASA 5505 9.0(2), 2 dial-up connection (ADSL) with fix IP from the same ISP. I have 2 Linksys router (each dial-up has a router) as well. Both Linksys are connected directly to ASA configured in bridge mode.
    I set up one dial-up on interface called “outside” with PPPoE configuration which is, in fact, up and running. I’m able to get my fix public IP.
    My problem come from when I try to set up the second dial-up on interface called “outside-other”. I configure properly all PPPoE parameters however I’m not able to get my second fix public IP. Somehow, it’s not able to establish a connection with the ISP. (PPPoE session has not been established yet)
    This could be useful information: the PPPoE Username is the same in both dial-up connection (given by my ISP).
    I hope someone can shed light on this issue.
    Thanks in advance,
    Apologies for my lack of awareness.
    Antonio

    Hi,
    This is my schema:
    connection A ( interface outside) --> DSL --> Router Linksys mode bridge --> Cisco ASA , up and running with IP fix.
    connection B ( interface outside-other) --> DSL --> Router Linksys mode bridge --> Cisco ASA, down : Status PADR_SENT
    I tried to use two different VPDN_groups for the two connections A and B. However, B is still not working. Just one of them is able to get IP from ISP, connection A.
    When I set up the Linksys router (connection B) in PPPoE, the connection works and get an IP fix from ISP.
    What I want to do is set up a VPN on connection B so I need to configure this second dial-up on Cisco ASA. I cannot use connection A due to security reasons.
    Thanks

Maybe you are looking for

  • Muse JS Assert error

    My Safari browser on my iPhone4s reads the following error when I visit my site www.premiercreativegroup.com:                   MuseJSAssert: Error calling selector function:TypeError: 'undefined' is not an object (evaluating 'this.elem.get(0).curren

  • How Create bookmark

    Hi can any one tell me how create bookmark using java script ? I want to create a bookmark on a Billjoy, there is a problem in parameter of  bookmarks.Add() function. INDESIGN::_Application oApplication; INDESIGN::Document objDoc; objDoc=oApplication

  • Audio nearly non-existant when overdubbing- controls?

    I'm overdubbing using a decent microphone in the mic input on the back of the case. I've tried everything suggested in help to bring the input volume up, but nothing works. I can hear the sound track if I bring all volume controls up to full, so it i

  • Anybody else looking at obtaining licenses via BPM Suite?

    Just wondering if anyone else is looking to acquire WebCenter Suite via Oracle BPM Suite. BPM Suite appears to include a copy of WebCenter suite that is not usage restricted. So for about the same cost as just WebCenter Suite you can also get all the

  • Dispatching Event ...first trial ....

    Hello .....see code next....EventTrial object will dispatch an "trialObjectCreated" event. This is caught correctly with the method test in the same object. The object "MyFirstApplication" which creates the EventTrial object also listens to the same