Cisco ASA 5505 SSL VPN

Hi Everyone,
In my study home lab, I wanted to configure a cisco ASA 5505 ( Base license) to allow SSL VPN. I follow carefully the configuration procedure as instructed on a short videos I downloaded on youtube.
I configured my outside e0/0 with a valid static IP address, unfortunately the vpn connection is timeout on a remote ( different) internet connection. But if  I connect to my own internet line using a WIFI the VPN ( AnyConnect SSL VPN client ) connection is established.
I need help to solve this mystery. Please find attached the ASA config: #show run
I hope my explaination does make sense, if not accept my apology I am just new in cisco technology.
Best regards,
BEN

If you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA.

Similar Messages

  • Cisco ASA 5505 as VPN client

    Hello all thanks for looking,
    I need to know how to setup my cisco asa 5505 as a vpn client to services like HMA or privateinternet and other paid VPN services. If someone else has already written a guide to this then that would be great. What I want to do is route all my secure traffice through the asa and have it go across the internet as encrypted VPN stuff and have my other stuff that does not need to be encrypted just go through to my other router. 
    Thanks in advance,

    If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
    Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enable the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
    Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
    Regards
    Karthik

  • Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

    Hello,
    We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks.  For some reason, the VPN tends to randomly disconnect any user clients connected a lot.  Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server.  We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem.  Sometimes users close out of VPN client completely, reopen several times and then it works.  However it's never really consistent enough and hasn't been the last few weeks.  No configuration changes have been made to ASA at all.  Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
    Directly below is our current running config (modded for public).  Any help or ideas would be greatly appreciated.  Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
    : Saved
    ASA Version 8.4(2)
    hostname domainasa
    domain-name adomain.local
    enable password cTfsR84pqF5Xohw. encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 205.101.1.240 255.255.255.248
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.2.60
    domain-name adomain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network SBS_2011
    host 192.168.2.60
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.192_
    27
    subnet 192.168.5.192 255.255.255.224
    object network Https_Access
    host 192.168.2.90
    description Spam Hero
    object-group network DM_INLINE_NETWORK_1
    network-object object SPAM1
    network-object object SPAM2
    network-object object SPAM3
    network-object object SPAM4
    network-object object SPAM5
    network-object object SPAM6
    network-object object SPAM7
    network-object object SPAM8
    object-group service RDP tcp
    description Microsoft RDP
    port-object eq 3389
    access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
    access-list outside_access_in extended permit tcp any object SBS_2011 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in remark External RDP Access
    access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
    access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
    ip local pool VPN_Users 192.168.5.194-192.168.5.22
    0 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
    NETWORK_OBJ_192.168.2.0_24
    destination static NETWORK_OBJ_192.168.5.192_
    27 NETWORK_OBJ_192.168.5.192_
    27 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SBS_2011
    nat (inside,outside) static interface service tcp smtp smtp
    object network Https_Access
    nat (inside,outside) static interface service tcp https https
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-reco
    rd DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.160-192.168.2.19
    9 inside
    dhcpd dns 192.168.2.60 24.29.99.36 interface inside
    dhcpd wins 192.168.2.60 24.29.99.36 interface inside
    dhcpd domain adomain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy domain internal
    group-policy domain attributes
    wins-server value 192.168.2.60
    dns-server value 192.168.2.60
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value adomain.local
    username ben password zWCAaitV3CB.GA87 encrypted privilege 0
    username ben attributes
    vpn-group-policy domain
    username sdomain password FATqd4I1ZoqyQ/MN encrypted
    username sdomain attributes
    vpn-group-policy domain
    username adomain password V5.hvhZU4S8NwGg/ encrypted
    username adomain attributes
    vpn-group-policy domain
    service-type admin
    username jdomain password uODal3Mlensb8d.t encrypted privilege 0
    username jdomain attributes
    vpn-group-policy domain
    service-type admin
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool VPN_Users
    default-group-policy domain
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2466a5b754
    eebcdb0cef
    f051bef91d
    9
    : end
    no asdm history enable
    Thanks again

    Hello Belnet,
    What do the logs show from the ASA.
    Can you post them ??
    Any other question..Sure..Just remember to rate all of the community answers.
    Julio

  • CIsco ASA 5505 and VPN licenses

    Hi,
    Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
    How those licenses are counted? Will I need a license per one IPSec SA?
    If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
    Thank you.
    Regards,
    Alex

    Alex,
    In an ASA 5505, it should say something like this...when you do sh ver.
    VPN Peers : 25
    It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
    Its a per tunnel license.
    Rate this, if it helps!
    Gilbert

  • ASA 5505 SSL VPN LOG failed

    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
    %ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
    %ASA-6-113012: AAA user authentication Successful : local database : user = admin
    %ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
    %ASA-6-113008: AAA transaction status ACCEPT : user = admin
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
    %ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
    %ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
    %ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
    %ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
    %ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
    %ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
    %ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
    %ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
    Red error what is the reason? Only appears in the window 2003 server.

    ciscoasa# show   activation-key 
    Serial Number:  JMX1314Z1UV
    Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
    Licensed features for this platform:
    Maximum Physical Interfaces    : 8        
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 10       
    Failover                       : Disabled
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 10       
    Dual ISPs                      : Disabled 
    VLAN Trunk Ports               : 0        
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled 
    This platform has a Base license.
    The flash activation key is the SAME as the running key.
    ciscoasa#
    Sure ?it was licence question?

  • Cisco ASA 5505 L2TP VPN cannot access internal network

    Hi,
    I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
    Can you jhelp me to find out the issue?
    I have Cisco ASA:
    inside network - 192.168.1.0
    VPN network - 192.168.168.0
    I have router 192.168.1.2 and I cannot ping or get access to this router.
    Here is my config:
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 198.X.X.A 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network net-all
    subnet 0.0.0.0 0.0.0.0
    object network vpn_local
    subnet 192.168.168.0 255.255.255.0
    object network inside_nw
    subnet 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool sales_addresses 192.168.168.1-192.168.168.254
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic net-all interface
    nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
    nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
    object network vpn_local
    nat (outside,outside) dynamic interface
    object network inside_nw
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.5-192.168.1.132 inside
    dhcpd dns 75.75.75.75 76.76.76.76 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy sales_policy internal
    group-policy sales_policy attributes
    dns-server value 75.75.75.75 76.76.76.76
    vpn-tunnel-protocol l2tp-ipsec
    username ----------
    username ----------
    tunnel-group DefaultRAGroup general-attributes
    address-pool sales_addresses
    default-group-policy sales_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
    : end
    Thanks for your help.

    You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
    policy-map global_policy
      class inspection_default
        inspect icmp
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

    Hi Rizwan,
    Thanks for your response.  I updated the configuration per your response below... It still doesn't work.  please see my new config files below.  Please help.  Thanks in advance for your help....
    Hi Pinesh,
    Please make follow changes on host: officeasa
    remove this line below highlighted.
    crypto dynamic-map L2LMap 1 match address Crypto_L2L
    It is only because group1 is weak, so please change it to group2
    crypto dynamic-map L2LMap 1 set pfs group1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
    Please make follow changes on host: homeasa
    It is only because group1 is weak, so please change it to group2
    crypto map L2Lmap 1 set pfs group1
    route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
    Hope that helps, if not please open a new thread.
    Thanks
    Rizwan Rafeek
    New config files..
    Site-A:   (Office):
    Hostname: asaoffice
    Inside: 10.10.5.0/254
    Outside e0/0: Static IP 96.xxx.xxx.118/30
    Site-B:   (Home):
    Hostname: asahome
    Inside: 10.10.6.0/254
    Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
    SIte-A:
    officeasa(config)# sh config
    : Saved
    : Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname officeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address 96.xxx.xxx.118 255.255.255.252
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.5.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
    access-list ormtST standard permit 10.10.5.0 255.255.255.0
    access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map OL2LMap 1 set pfs
    crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
    crypto dynamic-map OL2LMap 1 set reverse-route
    crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
    crypto map out_L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.5.101-10.10.5.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy ormtGP internal
    group-policy ormtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ormtST
    address-pools value ormtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type remote-access
    tunnel-group ormtProfile type remote-access
    tunnel-group ormtProfile general-attributes
    default-group-policy ormtGP
    tunnel-group ormtProfile webvpn-attributes
    group-alias OFFICE enable
    tunnel-group defaultL2LGroup type ipsec-l2l
    tunnel-group defaultL2LGroup ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
    officeasa(config)#
    Site-B:
    Home ASA Configuration:
    homeasa# sh config
    : Saved
    : Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname homeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.6.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    access-list hrmtST standard permit 10.10.6.0 255.255.255.0
    access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1   (IP address of the Dynamic IP from ISP)
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.6.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map L2Lmap 1 match address Crypto_L2L
    crypto map L2Lmap 1 set peer 96.xxx.xxx.118
    crypto map L2Lmap 1 set transform-set Site2Site
    crypto map L2LMap 1 set pfs
    crypto map L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.6.101-10.10.6.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy hrmtGP internal
    group-policy hrmtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value hrmtST
    address-pools value hrmtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type admin
    tunnel-group hrmtProfile type remote-access
    tunnel-group hrmtProfile general-attributes
    default-group-policy hrmtGP
    tunnel-group hrmtProfile webvpn-attributes
    group-alias hrmtCGA enable
    tunnel-group 96.xxx.xxx.118 type ipsec-l2l
    tunnel-group 96.xxx.xxx.118 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
    homeasa#

    Thanks Rizwan,
    Still no luck.  I can't even ping the otherside (office)..  I am not sure if i'm running the debug rightway.   Here are my results...
    homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side.  I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
    Success rate is 0
    homeasa(config)# debug crypto isakmp 7
    homeasa(config)# debug crypto ipsec 7
    homeasa(config)# sho crypto isakmp 7
                                       ^
    ERROR: % Invalid input detected at '^' marker.
    homeasa(config)# sho crypto isakmp
    There are no isakmp sas
    Global IKE Statistics
    Active Tunnels: 0
    Previous Tunnels: 0
    In Octets: 0
    In Packets: 0
    In Drop Packets: 0
    In Notifys: 0
    In P2 Exchanges: 0
    In P2 Exchange Invalids: 0
    In P2 Exchange Rejects: 0
    In P2 Sa Delete Requests: 0
    Out Octets: 0
    Out Packets: 0
    Out Drop Packets: 0
    Out Notifys: 0
    Out P2 Exchanges: 0
    Out P2 Exchange Invalids: 0
    Out P2 Exchange Rejects: 0
    Out P2 Sa Delete Requests: 0
    Initiator Tunnels: 0
    Initiator Fails: 0
    Responder Fails: 0
    System Capacity Fails: 0
    Auth Fails: 0
    Decrypt Fails: 0
    Hash Valid Fails: 0
    No Sa Fails: 0
    Global IPSec over TCP Statistics
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Recevied ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0
    hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
    There are no ipsec sas
    homeasa(config)#

  • Cisco ASA 5505 - 1st VPN works, 2nd VPN can't get traffic across

    This is my first Cisco configuration ever so go easy on me.  A lot of the commands that I used here I don't really understand.  I got them from Googling configs.  I have the need for more than one VPN on this thing, and I've been fighting with this thing for hours today without any luck.
    The first VPN I setup, labeled vpn1 here works perfectly.  I connect via the public IP on the DSL and I can get traffic to my 192.168.1.0/24 network without any problems.
    I pretty much duplicated the configuration for the 2nd VPN, just replacing my 192.168.1.0/24 subnet w/ the network connected to a third interface on the ASA (10.4.0.0 255.255.240.0).  I successfully make connection to this VPN, but I cannot get traffic to traverse the VPN.  I'm using the address 10.4.0.1 to test pings.  The ASA itself can ping 10.4.0.1 as that interface of the ASA has 10.4.13.10 255.255.240.0, which is the same subnet (range is 10.4.0.0 - 10.4.15.255).
    Here is my config (edited for names and passwords)
    ciscoasa# show run
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password ********** encrypted
    passwd ********** encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ISP_DSL
    ip address pppoe setroute
    interface Vlan3
    no forward interface Vlan1
    nameif private
    security-level 100
    ip address 10.4.13.10 255.255.240.0
    ftp mode passive
    access-list 100 extended permit icmp any any
    access-list nonat remark ACL for Nat Bypass
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 10.4.0.0 255.255.240.0 192.168.3.0 255.255.255.0
    access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
    access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
    access-list vpn_SplitTunnel standard permit 10.4.0.0 255.255.240.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1492
    mtu private 1500
    ip local pool vpn1pool 192.168.2.100-192.168.2.110
    ip local pool vpn2pool 192.168.3.100-192.168.3.110
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (private) 0 access-list nonat
    access-group 100 in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 30 set transform-set strong-des
    crypto map vpn1 65535 ipsec-isakmp dynamic dynmap
    crypto map vpn1 interface outside
    crypto map vpn2 65535 ipsec-isakmp dynamic dynmap
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 11
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 10
    console timeout 0
    vpdn group ISP_DSL request dialout pppoe
    vpdn group ISP_DSL localname [email protected]
    vpdn group ISP_DSL ppp authentication chap
    vpdn username [email protected] password **********
    dhcp-client update dns
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.200 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpn2 internal
    group-policy vpn2 attributes
    vpn-idle-timeout 120
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_SplitTunnel
    group-policy vpn1 internal
    group-policy vpn1 attributes
    vpn-idle-timeout 120
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_SplitTunnel
    username cssadmin password ********** encrypted
    username vpn2user password ********** encrypted
    username vpn1user password ********** encrypted
    tunnel-group vpn1-VPN type remote-access
    tunnel-group vpn1-VPN general-attributes
    address-pool vpn1pool
    default-group-policy vpn1
    tunnel-group vpn1-VPN ipsec-attributes
    pre-shared-key **********
    tunnel-group vpn2-VPN type remote-access
    tunnel-group vpn2-VPN general-attributes
    address-pool vpn2pool
    default-group-policy vpn2
    tunnel-group vpn2-VPN ipsec-attributes
    pre-shared-key *****
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f5137c68c4b4a832c9dff8db808004ae
    : end
    Theories:  after fighting with it for a while and having another guy in my office look at it, we decided that the problem is probably that even though the pings are probably reaching 10.4.0.1, they have no route back to my VPN subnet 192.168.3.0/24.  I contacted the admins of the 10.4.0.0 network and asked if they could add a route to 192.168.3.0/24 via 10.4.13.10, but he said there is no router of default gateway on the network to even configure.
    So, what do I do?  Maybe NAT the VPN traffic?  If that is the correct answer, what lines would I put/change in the config to NAT that traffic.
    I'm assuming the reason the 1st VPN works is because the ASA is the default gateway for the inside 192.168.1.0/24 network.
    Thanks in advance for any insight you can provide.

    Hello Belnet,
    What do the logs show from the ASA.
    Can you post them ??
    Any other question..Sure..Just remember to rate all of the community answers.
    Julio

  • Cisco ASA 5520 SSL VPN Web Login Customization For RSA Login

    I have a Cisco 5520 that I have RSA radius with hardware token up and working witrhout issue. The RSA radius authentication works fine.
    My problem is that I want the login page of the WebVPN portal to display two fields for the user RSA passcode. An RSA passcode is the PIN and the current toke code together.
    I want one field to accept the PIN from the passcode and the other field to accept the TOKEN CODE from the RSA token.
    Currently the login page has in this order:
    USERNAME:
    PASSCODE:
    My end state would be:
    USERNAME:
    PIN:
    TOKENCODE:
    I know this has been done with the native Cisco IPSEC client but I cannot find a way to do this with the WebVPN login page. I have been thru the Customization page and can't seem to get this to work correctly.
    Thanks.

    Hello friend!
    Please allow me to resurect this old post. Did you have the solution?
    Regards!

  • Cisco ASA 5505 Site to Site VPN

    Hello All,
    First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
    I would appreciate any help that can be directed towards this issue please.  Slowly losing my mind
    Please see details below:
    Both ADM are 7.1
    IOS
    ASA 1
    aved
    ASA Version 9.0(1)
    hostname PAYBACK
    enable password HSMurh79NVmatjY0 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description Trunk link to SW1
    switchport trunk allowed vlan 1,10,20,30,40
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address 92.51.193.158 255.255.255.252
    interface Vlan10
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan20
    nameif servers
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    interface Vlan30
    nameif printers
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan40
    nameif wireless
    security-level 100
    ip address 192.168.40.1 255.255.255.0
    banner login line Welcome to Payback Loyalty Systems
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup servers
    dns domain-lookup printers
    dns domain-lookup wireless
    dns server-group DefaultDNS
    name-server 83.147.160.2
    name-server 83.147.160.130
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network ftp_server
    object network Internal_Report_Server
    host 192.168.20.21
    description Automated Report Server Internal Address
    object network Report_Server
    host 89.234.126.9
    description Automated Report Server
    object service RDP
    service tcp destination eq 3389
    description RDP to Server
    object network Host_QA_Server
    host 89.234.126.10
    description QA Host External Address
    object network Internal_Host_QA
    host 192.168.20.22
    description Host of VM machine for QA
    object network Internal_QA_Web_Server
    host 192.168.20.23
    description Web Server in QA environment
    object network Web_Server_QA_VM
    host 89.234.126.11
    description Web server in QA environment
    object service SQL_Server
    service tcp destination eq 1433
    object network Demo_Server
    host 89.234.126.12
    description Server set up to Demo Product
    object network Internal_Demo_Server
    host 192.168.20.24
    description Internal IP Address of Demo Server
    object network NETWORK_OBJ_192.168.20.0_24
    subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_26
    subnet 192.168.50.0 255.255.255.192
    object network NETWORK_OBJ_192.168.0.0_16
    subnet 192.168.0.0 255.255.0.0
    object service MSSQL
    service tcp destination eq 1434
    description MSSQL port
    object network VPN-network
    subnet 192.168.50.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_24
    subnet 192.168.50.0 255.255.255.0
    object service TS
    service tcp destination eq 4400
    object service TS_Return
    service tcp source eq 4400
    object network External_QA_3
    host 89.234.126.13
    object network Internal_QA_3
    host 192.168.20.25
    object network Dev_WebServer
    host 192.168.20.27
    object network External_Dev_Web
    host 89.234.126.14
    object network CIX_Subnet
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network NETWORK_OBJ_84.39.233.50
    host 84.39.233.50
    object network NETWORK_OBJ_92.51.193.158
    host 92.51.193.158
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq ftp
    service-object tcp destination eq netbios-ssn
    service-object tcp destination eq smtp
    service-object object TS
    object-group network Payback_Internal
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_3
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object object TS
    service-object object TS_Return
    object-group service DM_INLINE_SERVICE_4
    service-object object RDP
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_5
    service-object object MSSQL
    service-object object RDP
    service-object object TS
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
    service-object object TS
    service-object object TS_Return
    service-object tcp destination eq www
    service-object tcp destination eq https
    access-list outside_access_in remark This rule is allowing from internet to interal server.
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark FTP
    access-list outside_access_in remark RDP
    access-list outside_access_in remark SMTP
    access-list outside_access_in remark Net Bios
    access-list outside_access_in remark SQL
    access-list outside_access_in remark TS - 4400
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
    access-list outside_access_in remark Access rule to internal host QA
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
    access-list outside_access_in remark Access to INternal Web Server:
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
    access-list outside_access_in remark Rule for allowing access to Demo server
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark RDP
    access-list outside_access_in remark MSSQL
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
    access-list outside_access_in remark Access for Development WebServer
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console informational
    logging asdm informational
    logging from-address
    [email protected]
    logging recipient-address
    [email protected]
    level alerts
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    mtu printers 1500
    mtu wireless 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (wireless,outside) source dynamic any interface
    nat (servers,outside) source dynamic any interface
    nat (servers,outside) source static Internal_Report_Server Report_Server
    nat (servers,outside) source static Internal_Host_QA Host_QA_Server
    nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
    nat (servers,outside) source static Internal_Demo_Server Demo_Server
    nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Internal_QA_3 External_QA_3
    nat (servers,outside) source static Dev_WebServer External_Dev_Web
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 84.39.233.50
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 77.75.100.208 255.255.255.240 outside
    ssh 192.168.10.0 255.255.255.0 inside
    ssh 192.168.40.0 255.255.255.0 wireless
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.168.0.1
    dhcpd auto_config outside
    dhcpd address 192.168.10.21-192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    dhcpd option 15 ascii paybackloyalty.com interface inside
    dhcpd enable inside
    dhcpd address 192.168.40.21-192.168.40.240 wireless
    dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
    dhcpd update dns interface wireless
    dhcpd option 15 ascii paybackloyalty.com interface wireless
    dhcpd enable wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy Payback_VPN internal
    group-policy Payback_VPN attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Payback_VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 83.147.160.2 83.147.160.130
    vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    group-policy GroupPolicy_84.39.233.50 internal
    group-policy GroupPolicy_84.39.233.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username Noelle password XB/IpvYaATP.2QYm encrypted
    username Noelle attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
    username Eanna attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Michael password qpbleUqUEchRrgQX encrypted
    username Michael attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
    username Danny attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
    username Aileen attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
    username Aidan attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    username shane.c password iqGMoWOnfO6YKXbw encrypted
    username shane.c attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Shane password uYePLcrFadO9pBZx encrypted
    username Shane attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username James password TdYPv1pvld/hPM0d encrypted
    username James attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username mark password yruxpddqfyNb.qFn encrypted
    username mark attributes
    service-type admin
    username Mary password XND5FTEiyu1L1zFD encrypted
    username Mary attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
    username Massimo attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    tunnel-group Payback_VPN type remote-access
    tunnel-group Payback_VPN general-attributes
    address-pool VPN1
    default-group-policy Payback_VPN
    tunnel-group Payback_VPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 general-attributes
    default-group-policy GroupPolicy_84.39.233.50
    tunnel-group 84.39.233.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp error
      inspect icmp
    service-policy global-policy global
    smtp-server 192.168.20.21
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
    ASA 2
    ASA Version 9.0(1)
    hostname Payback-CIX
    enable password HSMurh79NVmatjY0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description This port connects to VLAN 100
    switchport access vlan 100
    interface Ethernet0/2
    interface Ethernet0/3
    switchport access vlan 100
    interface Ethernet0/4
    switchport access vlan 100
    interface Ethernet0/5
    switchport access vlan 100
    interface Ethernet0/6
    switchport access vlan 100
    interface Ethernet0/7
    switchport access vlan 100
    interface Vlan2
    nameif outside
    security-level 0
    ip address 84.39.233.50 255.255.255.240
    interface Vlan100
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    banner login line Welcome to Payback Loyalty - CIX
    ftp mode passive
    clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group defaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network CIX-Host-1
    host 192.168.100.2
    description This is the host machine of the VM servers
    object network External_CIX-Host-1
    host 84.39.233.51
    description This is the external IP address of the host server for the VM server
    object service RDP
    service tcp source range 1 65535 destination eq 3389
    object network Payback_Office
    host 92.51.193.158
    object service MSQL
    service tcp destination eq 1433
    object network Development_OLTP
    host 192.168.100.10
    description VM for Eiresoft
    object network External_Development_OLTP
    host 84.39.233.52
    description This is the external IP address for the VM for Eiresoft
    object network Eiresoft
    host 146.66.160.70
    description DBA Contractor
    object network External_TMC_Web
    host 84.39.233.53
    description Public Address of TMC Webserver
    object network TMC_Webserver
    host 192.168.100.19
    description Internal Address of TMC Webserver
    object network External_TMC_OLTP
    host 84.39.233.54
    description Targets OLTP external IP
    object network TMC_OLTP
    host 192.168.100.18
    description Targets interal IP address
    object network External_OLTP_Failover
    host 84.39.233.55
    description Public IP of OLTP Failover
    object network OLTP_Failover
    host 192.168.100.60
    description Server for OLTP failover
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object network Wired
    subnet 192.168.10.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network Eiresoft_2nd
    host 137.117.217.29
    description Eiresoft 2nd IP
    object network Dev_Test_Webserver
    host 192.168.100.12
    description Dev Test Webserver Internal Address
    object network External_Dev_Test_Webserver
    host 84.39.233.56
    description This is the PB Dev Test Webserver
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_2
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_3
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_4
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_5
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_6
    service-object object MSQL
    service-object object RDP
    object-group network Payback_Intrernal
    network-object object Servers
    network-object object Wired
    network-object object Wireless
    object-group service DM_INLINE_SERVICE_7
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_8
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_9
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_10
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_11
    service-object object RDP
    service-object tcp destination eq ftp
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
    access-list outside_access_in remark Development OLTP from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
    access-list outside_access_in remark Access for Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
    access-list outside_access_in remark Access to OLTP for target from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
    access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
    access-list outside_access_in remark Access for the 2nd IP from Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
    access-list outside_access_in remark Access from the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
    access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
    nat (inside,outside) source static Development_OLTP External_Development_OLTP
    nat (inside,outside) source static TMC_Webserver External_TMC_Web
    nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
    nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
    nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 92.51.193.156 255.255.255.252 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 92.51.193.158
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 77.75.100.208 255.255.255.240 outside
    ssh 92.51.193.156 255.255.255.252 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_92.51.193.158 internal
    group-policy GroupPolicy_92.51.193.158 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 general-attributes
    default-group-policy GroupPolicy_92.51.193.158
    tunnel-group 92.51.193.158 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hi,
    Thanks for the help to date
    I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
    See below the details:
    ASA1:
    hostname PAYBACK
    enable password HSMurh79NVmatjY0 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description Trunk link to SW1
    switchport trunk allowed vlan 1,10,20,30,40
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address XX.XX.XX.XX 255.255.255.252
    interface Vlan10
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan20
    nameif servers
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    interface Vlan30
    nameif printers
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan40
    nameif wireless
    security-level 100
    ip address 192.168.40.1 255.255.255.0
    banner login line Welcome to Payback Loyalty Systems
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup servers
    dns domain-lookup printers
    dns domain-lookup wireless
    dns server-group DefaultDNS
    name-server 83.147.160.2
    name-server 83.147.160.130
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network ftp_server
    object network Internal_Report_Server
    host 192.168.20.21
    description Automated Report Server Internal Address
    object network Report_Server
    host 89.234.126.9
    description Automated Report Server
    object service RDP
    service tcp destination eq 3389
    description RDP to Server
    object network Host_QA_Server
    host 89.234.126.10
    description QA Host External Address
    object network Internal_Host_QA
    host 192.168.20.22
    description Host of VM machine for QA
    object network Internal_QA_Web_Server
    host 192.168.20.23
    description Web Server in QA environment
    object network Web_Server_QA_VM
    host 89.234.126.11
    description Web server in QA environment
    object service SQL_Server
    service tcp destination eq 1433
    object network Demo_Server
    host 89.234.126.12
    description Server set up to Demo Product
    object network Internal_Demo_Server
    host 192.168.20.24
    description Internal IP Address of Demo Server
    object network NETWORK_OBJ_192.168.20.0_24
    subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_26
    subnet 192.168.50.0 255.255.255.192
    object network NETWORK_OBJ_192.168.0.0_16
    subnet 192.168.0.0 255.255.0.0
    object service MSSQL
    service tcp destination eq 1434
    description MSSQL port
    object network VPN-network
    subnet 192.168.50.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_24
    subnet 192.168.50.0 255.255.255.0
    object service TS
    service tcp destination eq 4400
    object service TS_Return
    service tcp source eq 4400
    object network External_QA_3
    host 89.234.126.13
    object network Internal_QA_3
    host 192.168.20.25
    object network Dev_WebServer
    host 192.168.20.27
    object network External_Dev_Web
    host 89.234.126.14
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    description Wireless network
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq ftp
    service-object tcp destination eq netbios-ssn
    service-object tcp destination eq smtp
    service-object object TS
    service-object object SQL_Server
    object-group service DM_INLINE_SERVICE_3
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object object TS
    service-object object TS_Return
    object-group service DM_INLINE_SERVICE_4
    service-object object RDP
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_5
    service-object object MSSQL
    service-object object RDP
    service-object object TS
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
    service-object object TS
    service-object object TS_Return
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    object-group network Payback_Internal
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    access-list outside_access_in remark This rule is allowing from internet to interal server.
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark FTP
    access-list outside_access_in remark RDP
    access-list outside_access_in remark SMTP
    access-list outside_access_in remark Net Bios
    access-list outside_access_in remark SQL
    access-list outside_access_in remark TS - 4400
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
    access-list outside_access_in remark Access rule to internal host QA
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
    access-list outside_access_in remark Access to INternal Web Server:
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
    access-list outside_access_in remark Rule for allowing access to Demo server
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark RDP
    access-list outside_access_in remark MSSQL
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
    access-list outside_access_in remark Access for Development WebServer
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console informational
    logging asdm informational
    logging from-address [email protected]
    logging recipient-address [email protected] level alerts
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    mtu printers 1500
    mtu wireless 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source dynamic any interface
    nat (wireless,outside) source dynamic any interface
    nat (servers,outside) source dynamic any interface
    nat (servers,outside) source static Internal_Report_Server Report_Server
    nat (servers,outside) source static Internal_Host_QA Host_QA_Server
    nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
    nat (servers,outside) source static Internal_Demo_Server Demo_Server
    nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Internal_QA_3 External_QA_3
    nat (servers,outside) source static Dev_WebServer External_Dev_Web
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer XX.XX.XX.XX
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map servers_map interface servers
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 enable servers
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.168.0.1
    dhcpd auto_config outside
    dhcpd address 192.168.10.21-192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    dhcpd option 15 ascii paybackloyalty.com interface inside
    dhcpd enable inside
    dhcpd address 192.168.40.21-192.168.40.240 wireless
    dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
    dhcpd update dns interface wireless
    dhcpd option 15 ascii paybackloyalty.com interface wireless
    dhcpd enable wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy Payback_VPN internal
    group-policy Payback_VPN attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Payback_VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 83.147.160.2 83.147.160.130
    vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    group-policy GroupPolicy_84.39.233.50 internal
    group-policy GroupPolicy_84.39.233.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username Noelle password XB/IpvYaATP.2QYm encrypted
    username Noelle attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
    username Eanna attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Michael password qpbleUqUEchRrgQX encrypted
    username Michael attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
    username Danny attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username niamh password MlFlIlEiy8vismE0 encrypted
    username niamh attributes
    service-type admin
    username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
    username Aileen attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
    username Aidan attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    username shane.c password iqGMoWOnfO6YKXbw encrypted
    username shane.c attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Shane password yQeVtvLLKqapoUje encrypted privilege 0
    username Shane attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username James password TdYPv1pvld/hPM0d encrypted
    username James attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username mark password yruxpddqfyNb.qFn encrypted
    username mark attributes
    service-type admin
    username Mary password XND5FTEiyu1L1zFD encrypted
    username Mary attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
    username Massimo attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    tunnel-group Payback_VPN type remote-access
    tunnel-group Payback_VPN general-attributes
    address-pool VPN1
    default-group-policy Payback_VPN
    tunnel-group Payback_VPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 general-attributes
    default-group-policy GroupPolicy_84.39.233.50
    tunnel-group 84.39.233.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp error
      inspect icmp
    service-policy global-policy global
    smtp-server 192.168.20.21
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:83fa7ce1d93375645205f6e79b526381
    ASA2:
    ASA Version 9.0(1)
    hostname Payback-CIX
    enable password HSMurh79NVmatjY0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description This port connects to VLAN 100
    switchport access vlan 100
    interface Ethernet0/2
    interface Ethernet0/3
    switchport access vlan 100
    interface Ethernet0/4
    switchport access vlan 100
    interface Ethernet0/5
    switchport access vlan 100
    interface Ethernet0/6
    switchport access vlan 100
    interface Ethernet0/7
    switchport access vlan 100
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.X.X 255.255.255.240
    interface Vlan100
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    banner login line Welcome to Payback Loyalty - CIX
    ftp mode passive
    clock timezone GMT 0
    clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group defaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network CIX-Host-1
    host 192.168.100.2
    description This is the host machine of the VM servers
    object network External_CIX-Host-1
    host 84.39.233.51
    description This is the external IP address of the host server for the VM server
    object service RDP
    service tcp source range 1 65535 destination eq 3389
    object network Payback_Office
    host 92.51.193.158
    object service MSQL
    service tcp destination eq 1433
    object network Development_OLTP
    host 192.168.100.10
    description VM for Eiresoft
    object network External_Development_OLTP
    host 84.39.233.52
    description This is the external IP address for the VM for Eiresoft
    object network External_TMC_Web
    host 84.39.233.53
    description Public Address of TMC Webserver
    object network TMC_Webserver
    host 192.168.100.19
    description Internal Address of TMC Webserver
    object network External_TMC_OLTP
    host 84.39.233.54
    description Targets OLTP external IP
    object network TMC_OLTP
    host 192.168.100.18
    description Targets interal IP address
    object network External_OLTP_Failover
    host 84.39.233.55
    description Public IP of OLTP Failover
    object network OLTP_Failover
    host 192.168.100.60
    description Server for OLTP failover
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object network Wired
    subnet 192.168.10.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network Eiresoft_2nd
    host 137.117.217.29
    description Eiresoft 2nd IP
    object network Dev_Test_Webserver
    host 192.168.100.12
    description Dev Test Webserver Internal Address
    object network External_Dev_Test_Webserver
    host 84.39.233.56
    description This is the PB Dev Test Webserver
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object network LAN
    subnet 192.168.100.0 255.255.255.0
    object network REMOTE-LAN
    subnet 192.168.10.0 255.255.255.0
    object network TargetMC
    host 83.71.194.145
    description This is Target Location that will be accessing the Webserver
    object network Rackspace_OLTP
    host 162.13.34.56
    description This is the IP address of production OLTP
    object service DB
    service tcp destination eq 5022
    object network Topaz_Target_VM
    host 82.198.151.168
    description This is Topaz IP that will be accessing Targets VM
    object service DB_2
    service tcp destination eq 5023
    object network EireSoft_NEW_IP
    host 146.66.161.3
    description Eiresoft latest IP form ISP DHCP
    object-group service DM_INLINE_SERVICE_1
    service-object object MSQL
    service-object object RDP
    service-object icmp echo
    service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_2
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_4
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    service-object tcp destination eq www
    object-group service DM_INLINE_SERVICE_5
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_6
    service-object object MSQL
    service-object object RDP
    object-group network Payback_Intrernal
    network-object object Servers
    network-object object Wired
    network-object object Wireless
    object-group service DM_INLINE_SERVICE_8
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_9
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_10
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    service-object icmp echo
    service-object icmp echo-reply
    service-object object DB
    object-group service DM_INLINE_SERVICE_11
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_12
    service-object object MSQL
    service-object icmp echo
    service-object icmp echo-reply
    service-object object DB
    service-object object DB_2
    object-group service DM_INLINE_SERVICE_13
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_14
    service-object object MSQL
    service-object object RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
    access-list outside_access_in remark Development OLTP from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
    access-list outside_access_in remark Access to OLTP for target from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
    access-list outside_access_in remark Access for the 2nd IP from Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
    access-list outside_access_in remark Access from the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
    access-list outside_access_in remark Access rules from Traget to CIX for testing
    access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
    access-list outside_access_in remark Topaz access to Target VM
    access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
    access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
    access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
    access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
    access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
    access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
    nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
    nat (inside,outside) source static Development_OLTP External_Development_OLTP
    nat (inside,outside) source static TMC_Webserver External_TMC_Web
    nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
    nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
    nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
    nat (inside,outside) source dynamic LAN interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http X.X.X.X 255.255.255.252 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer X.X.X.X
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh X.X.X.X  255.255.255.240 outside
    ssh X.X.X.X 255.255.255.252 outside
    ssh 192.168.40.0 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_92.51.193.158 internal
    group-policy GroupPolicy_92.51.193.158 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 general-attributes
    default-group-policy GroupPolicy_92.51.193.158
    tunnel-group 92.51.193.158 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769

  • Cisco ASA 5505 and comodo SSL certificate

    Hey All,
    I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
    Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
    On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
    What am I missing here? I can post config if anyone needs it.
    (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

    It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
    ASA Version 9.0(2)
    hostname MyDomain-firewall-1
    domain-name MyDomain.com
    enable password omitted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd omitted
    names
    name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
    name 10.200.0.0 MyDomain_New_IP description MyDomain_New
    name 10.100.0.0 MyDomain-Old description Inside_Old
    name XXX.XXX.XX.XX Provider description Provider_Wireless
    name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
    name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
    ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
    ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address Cisco_ASA_5505 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Provider 255.255.255.252
    boot system disk0:/asa902-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.0.3.21
    domain-name MyDomain.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network MyDomain-Employee
    subnet 192.168.208.0 255.255.255.0
    description MyDomain-Employee
    object-group network Inside-all
    description All Networks
    network-object MyDomain-Old 255.255.254.0
    network-object MyDomain_New_IP 255.255.192.0
    network-object host MyDomain-Inside
    access-list inside_access_in extended permit ip any4 any4
    access-list split-tunnel standard permit host 10.0.13.1
    pager lines 24
    logging enable
    logging buffered errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
    route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
    route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
    route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record "Network Access Policy Allow VPN"
    description "Must have the Network Access Policy Enabled to get VPN access"
    aaa-server LDAP_Group protocol ldap
    aaa-server LDAP_Group (inside) host 10.0.3.21
    ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http MyDomain_New_IP 255.255.192.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    no validation-usage
    no accept-subordinates
    no id-cert-issuer
    crl configure
    crypto ca trustpoint VPN
    enrollment terminal
    fqdn vpn.mydomain.com
    subject-name CN=vpn.mydomain.com,OU=IT
    keypair vpn.mydomain.com
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpool policy
    crypto ca server
    shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
        omitted
      quit
    crypto ca certificate chain VPN
    certificate
        omitted
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca
        omitted
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint VPN
    telnet timeout 5
    ssh MyDomain_New_IP 255.255.192.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
    ssl trust-point VPN outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
    anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
    anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
    anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value MyDomain.com
    group-policy MyDomain-Employee internal
    group-policy MyDomain-Employee attributes
    wins-server none
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value MyDomain.com
    webvpn
      anyconnect profiles value MyDomain-employee type user
    username MyDomainadmin password omitted encrypted privilege 15
    tunnel-group MyDomain-Employee type remote-access
    tunnel-group MyDomain-Employee general-attributes
    address-pool MyDomain-Employee-Pool
    authentication-server-group LDAP_Group LOCAL
    default-group-policy MyDomain-Employee
    tunnel-group MyDomain-Employee webvpn-attributes
    group-alias MyDomain-Employee enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
    : end
    asdm image disk0:/asdm-712.bin
    asdm location MyDomain_New_IP 255.255.192.0 inside
    asdm location MyDomain-Inside 255.255.255.255 inside
    asdm location MyDomain-Old 255.255.254.0 inside
    no asdm history enable

  • Cisco ASA 5505 - 2 questions - VPN Licensing; Routing

    Hi,
    I have a client that has a Cisco ASA 5505 security appliance.  Currently it is setup as a "proof of concept" for clientless browser-based SSL VPN.  The device came with 2 licenses for this service, and we need to increase that somewhere between 10-25 users.  25 users is the max on this device I believe.
    I have searched Cisco.com and tried Googling the ASA 5505 for licensing but I can't find the correct license that I need for this.
    The second question I have is routing capability.  We have a WAN connection to another branch of the computer from this location where the ASA 5505 is located.  A Cisco 2851 is used for this connection.  We are wanting to bring in a high speed Internet connection for the VPN access and Internet access.  What I need to know is can we put the WAN and Internet connections behind the ASA 5505 and have that route appropriately to the branch WAN for that traffic and all other traffic to the Internet?
    Thanks!
    --Kent

    Hi Kent,
    Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main (http://forums.cisco.com/eforum/servlet/NetProf?page=main) This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
    Regards,
    David Dunlap
    SBSC Engineer

  • Port Forwarding for Cisco ASA 5505 VPN

    This is the Network
    Linksys E2500 ---> Cisco ASA 5505 ---> Server
    I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
    Thank You

    For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
    Command to enable NAT-T on ASA:
    crypto isakmp nat-traversal 30

  • Setting up site to site vpn with cisco asa 5505

    I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!

    Hi Mandy,
    By using following access list define Peer IP as source and destination
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    you are not defining the interesting traffic / subnets from both ends.
    Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
    !.1..source subnet(called local encryption domain) at your end  192.168.200.0
    !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
    !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
    !...at your end  192.168.200.0
    !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
    !...at other end 192.168.100.0
    Please use Baisc Steps as follows:
    A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
    Step 1.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 3.
    Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or , but not both
    crypto isakmp key 6 CISCO123 address71.37.178.142
    step 4.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 6.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Configure the same but just change ACL on other end in step one  by reversing source and destination
    and also set the peer IP of this router in other end.
    So other side config should look as follows:
    B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
    Step 7.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 9.
    Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or , but not both
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    step 10.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map    ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set, only one is permissible
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Now initite a ping
    Here is for your summary:
    IPSec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
    Router#debug crpyto isakmp
    Router#debug crpyto ipsec
    Router(config)# logging buffer 7
    Router(config)# logging buffer 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha1
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Change to Transport Mode, add the following command in Step 4:
    (config-tranform-set)# mode transport
    Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
    Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
    Similarly on R2.
    The below process is for the negotiation using RSA-SIG (PKI) as authentication type
    Debug Process:
    After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg

Maybe you are looking for

  • Interactive report from PL/SQL function

    Hello All, i have a pl/sql function that dynamically builds up a sql query and returns it as a varchar2. when i create a new report then i can use this function in the report like return f_function(param1,param2,v('APP_ID'), v('APP_SESSION')); and th

  • MS Office Report (Report Generation toolkit) is not executable​, Xnode broken?

    Hi, I am trying to generate an excel report, and I figured it would be easier to use the MS Office report VI, but I am getting the broken arrow saying the SubVI is not executable and that the library that defines the xnode is broken... here is a scre

  • How to print the form output in news paper format

    Hi All, How we will print the data in the output in newspaper format in SAP script? Can any body give some idea on this. Thanks&Regards Mahesh

  • HT2506 using Preview to alter, then save both versions, of a photo

    I take photos in courtrooms, with judges' permission. Sometimes they order me to "tilize," or obscure the face of a person -- the defendant, or a witness. How can I import a photo using Preview, and use a simple tool to hide a face, and then save BOT

  • Garage Band infinite Loop for Jam Pack Install

    Since I upgraded to Lion, I can't run the Jam packs to install for Garageband.   I get a PowerPC is not supported error message and then the install opens up (what appears to be) an infinite number oif dialogue boxes and I have to reboot my laptop.