Configurate L2tp over ipsec vpn at ASA

Hi dear i want to  configurate L2tp over ipsec vpn at asa. my asa behind nat device(nat device is router).
is it working?

thanks to reply me.
i have a transfor set for ipsec vpn client.  yes you are rigth i have same sequence dynamic map. which one i changed? and then what about  crytpto map? how i do it? please write to me how to do at my configuration??
i have real working network i confused to test it. please write me how to do it.
thanks.

Similar Messages

  • Is it possible configurate split-tunnel at l2tp over ipsec vpn at asa

    Dear i want to know is it possibly to configurate split-tunnel at l2tp over ipsec vpn at asa???
    thanks.

    please help me.

  • Trying to connect to a L2TP over IPSec VPN

    There are quite a few threads on here about VPN's and Lion, and clearly quite a number of questions. However, I haven't found one that quite addresses the problem I've got and I've now exhausted all my ideas and am looking for help...
    I have a hardware VPN server that I know is working correctly. I normally have it setup so that all connections have to be L2TP over IPSec, but currently also have PPTP connections enabled.
    At the moment I can do the following:
    Connect to it from a machine running Windows 7 using all methods
    Connect to it from a machine running Snow Leopard using the in built PPTP and L2TP over IPSec network configurations
    Connect to it from a machine running Lion using the in built PPTP network configuration
    Connect to it from a machine running Lion using Equinux's VPN Tracker 6
    What I can't do is connect to it from a machine running Lion using L2TP over IPSec using the network configuration
    I have tried a clean install of Lion and entering the connections. I have tried using an install of Snow Leopard that works and then upgrading it. I just cannot get it to work.
    Looking at the logs on both the VPN server and my machine I can see that the IPSec connection is established but then my client says that it cannot connect to the server whilst my server is saying that CHAP login has failed.
    I have been through all of the potential solutions I can find on here or the wider internet, no matter how unlikely they seem to be to my problem. I've ensured that there are no potential firewall issues. I've also tried every setting I can think of on both my client and the server. I've tried changing secrets and passwords, including reducing their length, ensuring nothing like Back to My Mac can interfere, and even starting up in 32 bit mode.
    I've now exhausted my ideas. Does anybody have any ideas, a potential solution or managed to get this to work?
    My connection is set up to use a shared secret and a password.

    I am trying to set up connection to PureVPN for security purposes and have followed their config settings for my Macbook.
    So how do I check the ports on my machine, as I'm sure it's not a problem at their end. I only have one machine so don't understand how it is possible to see if ports are being blocked at my end.
    Do I run that /var/log/ppp.log in Terminal?

  • L2TP over IPSec

    Dear All,
    I have configured L2TP over IPSec VPN in my Cisco ASA 5520 for windows vpn client.
    my client pool range is 192.168.15.0-192.168.15.50 255.255.255.192
    my internal nw range 10.138.78.0/24,10.138.79.0/24
    Now I want to know What access list I need to configure for that?What port I need to open for the same?
    Access-list is configured in my ASA for inbound traffic in the outside interface only.I want to give full access to the VPN client.
    Plz guide me in this issue..It will be very helpful if u send the sample L2TP over IPSec VPN configuration.
    Regards,
    som

    Hope this helps.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

  • ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address

    Using an ASA 5505 for firewall and VPN.  We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.
    The devices complete the connection and authenticate fine, but then are unable to hit any internal resources.  Split tunneling seems to be working, as they can still hit outside resources.  Packet tracer shows tcp flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24).  Even the NAT translation looks good in packet tracer.
    I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect.)  This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses.  Details:
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
    local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
    remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
    current_peer: [VPN CLIENT ADDRESS], username: vpnuser
    dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
    dynamic allocated peer ip(ipv6): 0.0.0.0
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
    #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
    #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
    #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
    #pkts invalid prot (rcv): 0, #pkts verify failed: 0
    #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
    #pkts invalid pad (rcv): 0,
    #pkts invalid ip version (rcv): 0,
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
    #pkts replay failed (rcv): 0
    #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (rcv): 0
    local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
    path mtu 1500, ipsec overhead 82(52), media mtu 1500
    PMTU time remaining (sec): 0, DF policy: copy-df
    ICMP error validation: disabled, TFC packets: disabled
    current outbound spi: 05BFAE20
    current inbound spi : CF85B895
    inbound esp sas:
    spi: 0xCF85B895 (3481647253)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
    slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (kB/sec): (4373998/3591)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x000FFFFD
    outbound esp sas:
    spi: 0x05BFAE20 (96448032)
    transform: esp-aes esp-sha-hmac no compression
    in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
    slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
    sa timing: remaining key lifetime (kB/sec): (4373999/3591)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    Any ideas?  The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.

     I have what I believe to be a similar issue. Site to site vpn is working well. That is site b can ping and send traffic to site A but Site A can not. Site B is a 3rd party vpn router. Site A is a Cisco 5505.
    It appears that when the crypto map inserts the route into the routing table it shows the route via the outside IP of the outside interface and not the IP of Site B. in the crypto map I can see the proper ip address for the peer. I can't figure out why when it inserts the route that it uses the wrong ip address

  • L2TP over IPSec, ASA 8.0

    We use CISCO VPN Client for RA. Now, a special application have to work with L2TP over IPSec. First I configure as shown in http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml#win and after with VPN Wizzard. Both times I cannot connect but don t know why. Phase 1 is established and an error occured while Phase 2:
    PIX|ASA-6-713177
    PIX|ASA-3-713902
    I tested behind and in front of an nat-device with same error. client-identity is configured for ip-address. Whats going wrong?
    Is it possible to configure an ACL for port 1701? I read something like that in earlier postings but cannot believe it.
    Regards
    Helmut

    If the user is an L2TP client that uses Microsoft CHAP version 1 or version 2, and the security appliance is configured - to authenticate against the local database, you must include the mschap keyword. For example, username password mschap.
    Note tunnel-group must be the DefaultRAGroup name.

  • Looking for help to set up l2tp Ipsec vpn on asa 5055

    I am trying to set up a L2tp Ipsec vpn on asa 5055 and I am using windows 8.1 build in VPN client to connect to it. I got the following error. Anyone has experence please help.
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, All IPSec SA proposals found unacceptable!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending notify message
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing ipsec notify payload for msg id 1
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
    Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=6a50f8f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, QM FSM error (P2 struct &0xad6946b8, mess id 0x1)!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE QM Responder FSM error history (struct &0xad6946b8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, 
    EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, 
    EV_COMP_HASH
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Removing peer from correlator table failed, no match!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing IKE delete payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
    Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=232654dc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Session is being torn down. Reason: Phase 2 Mismatch
    I am new to this so I don't know what I should do next. Thanks

    Here it is. Thanks.
    CL-T179-12IH# show run crypto
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint vpn
     enrollment self
     subject-name CN=174.142.90.17
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain vpn
     certificate 2d181c55
        308201ff 30820168 a0030201 0202042d 181c5530 0d06092a 864886f7 0d010105
        05003044 31163014 06035504 03130d31 37342e31 34322e39 302e3137 312a3028
        06092a86 4886f70d 01090216 1b434c2d 54313739 2d313249 482e7072 69766174
        65646e73 2e636f6d 301e170d 31353034 31363033 31393439 5a170d32 35303431
        33303331 3934395a 30443116 30140603 55040313 0d313734 2e313432 2e39302e
        3137312a 30280609 2a864886 f70d0109 02161b43 4c2d5431 37392d31 3249482e
        70726976 61746564 6e732e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500
        03818d00 30818902 818100bf 797d1cc1 cfffc634 8c3b2a4b ce27b1c9 3fc3e026
        4f6cd8f4 c9675aca b5176cef 7f3df142 35ba4e15 2613d34c 91bb5da3 14b34b6c
        71e4ff44 f129046f 7f91e73f 2c9d42f9 93001559 ea6c71c1 1a848073 15da79f7
        a41081ee b4cd3cc3 baa7a272 3a5fb32d 66dedee6 5994d4b2 ad9d7489 44ec9eb9
        44038a2a 817e935f 1bb7ad02 03010001 300d0609 2a864886 f70d0101 05050003
        8181002c 6cee9ae7 a037698a 5690aca1 f01c87db 04d9cbc6 65bda6dc a17fc4b6
        b1fd419e 56df108f b06edfe6 ab5a5eb3 5474a7fe 58970da3 23e6bc6e 36ab8f62
        d5c442bf 43581eb3 26b8cf26 6a667a8b ddd25a73 a094f0d0 65092ff8 d2a644d8
        3d7da7ca efeb9e2f 84807fdf 0cf3d75e bcb65ba4 7b51cb49 f912f516 f95b5d86
        da0e01
      quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint vpn
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400

  • Cisco 2811 VPN L2TP over IPSEC

    Hi,
    Does the cisco 2811 support L2TP over IPSEC?

    Check these links:
    http://www.cisco.com/en/US/products/ps5854/products_data_sheets_list.html
    http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd80169bd6.shtml
    http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd80169bba.shtml

  • L2TP over IPSEC Static NAT trouble

    I have a 5510 that i have configured for L2TP over IPSEC, not using AnyConnect.  As of right now i have two open issues that i cannot figure out.  The first, and most prevelant being, VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface.  I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts. 
    The second issue involves DNS.  I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS.  What is the workaround for using split tunneling AND internal DNS servers, if any?
    I'm looking for any help someone might be able to give as i've had two different CCNA's look at this numerous times to no avail.  The config is below.
    To sum up, and put this in perspective i need to be able to do the following...
         VPN CLIENT (10.1.50.x) -> splitTunnel -> int G0/2 (COMCAST_PUBLIC) -> int G0/3(outside)(10.1.4.x) -> STATIC NAT from G0/0(inside)(10.103.x.x) -> NAT (10.1.4.x)
    A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd.  You can see in the config where i added the extra STATIC NAT to try and fix the issue.  And this works perfectly across the tunnel but only intermittenly from the internal 10.1.4.x network.
    As well as any help with DNS.  Please advise, thank you.
    -tony
    : Saved
    ASA Version 8.2(1)
    hostname fw-01
    enable password HOB2xUbkoBliqazl encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.103.6.0 K2CONT description K2 Control Network
    name 10.103.5.0 K2FTP description K2 FTP Network
    name 10.103.1.0 NET description Internal Network Core Subnet
    name 10.1.4.0 WBND description WBND Business Network
    name 178.3.200.173 WCIU-INEWS0 description WCIU iNEWS Server
    name 178.3.200.174 WCIU-INEWS1 description WCIU iNEWS Server
    name 10.103.2.50 ENG-PC description Engineering PC
    name 10.103.2.56 NAV-PC description Navigator PC
    name 10.103.2.77 PF-SVR-01 description Pathfire Server 01
    name 69.55.236.230 RTISVR description "Rootlike Technologies, Inc. Server"
    name 69.55.236.228 RTISVR1 description "Rootlike Technologies, Inc. Server"
    name 10.103.2.0 GEN-NET description General Broadcast Network
    name 10.103.4.0 INEWS-NET description INEWS Network
    name 10.103.4.84 INEWS0 description WBND iNEWS Server 0
    name 10.103.4.85 INEWS1 description WBND iNEWS Server 1
    name 10.103.3.0 TELE-NET description TELEMETRICS Network
    name 10.1.4.22 NAT-INEWS0 description "Public NAT address of iNEWS server 0"
    name 10.1.4.23 NAT-INEWS1 description "Public NAT address of iNEWS server 1"
    name 10.1.4.20 NAT-K2-FTP0 description "Public NAT address of K2 FTP Server 0"
    name 10.1.4.21 NAT-K2-FTP1 description "Public NAT address of K2 FTP Server 0"
    name 10.103.4.80 MOSGW description "MOS Gateway."
    name 10.1.4.24 NAT-MOSGW description "Public NAT address of MOS Gateway."
    name 10.103.2.74 PF-DUB-01 description PathFire Dub Workstation
    name 209.118.74.10 PF-EXT-0 description PF External Server 0
    name 209.118.74.19 PF-EXT-1 description PF External Server 1
    name 209.118.74.26 PF-EXT-2 description PF External Server 2
    name 209.118.74.80 PF-EXT-3 description PF External Server 3
    name 10.103.4.37 PIXPWR description Pixel Power System 0
    name 10.1.4.26 NAT-PIXPWR description "Public NAT address of PixelPower System 0"
    name 10.103.4.121 ignite
    name 10.103.3.89 telemetrics
    name 10.1.4.50 vpn_3000
    name 10.103.5.4 K2-FTP0 description K2 FTP Server 0
    name 10.103.5.5 K2-FTP1 description K2 FTP Server 1
    name 10.1.4.40 NAT-ENG-PC description Engineering HP
    name 10.103.2.107 ENG-NAS description ENG-NAS-6TB
    name 10.1.1.0 WCIU description WCIU
    name 178.3.200.0 WCIU_Broadcast description WCIU_Broadcast
    name 10.2.1.0 A-10.2.1.0 description WCIU 2
    name 10.1.50.0 VPN-POOL description VPN ACCESS
    interface Ethernet0/0
    description "Internal Network 10.103.1.0/24"
    nameif inside
    security-level 100
    ip address 10.103.1.1 255.255.255.0
    interface Ethernet0/1
    shutdown
    no nameif
    security-level 0
    no ip address
    interface Ethernet0/2
    nameif COMCAST_PUBLIC
    security-level 0
    ip address 173.161.x.x 255.255.255.240
    interface Ethernet0/3
    description "WBND Business Network 10.1.4.0/24"
    nameif outside
    security-level 0
    ip address 10.1.4.8 255.255.255.0
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    clock timezone Indiana -4
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group icmp-type ICMP-OK
    description "ICMP types we want to permit."
    icmp-object echo
    icmp-object echo-reply
    icmp-object traceroute
    icmp-object unreachable
    icmp-object time-exceeded
    object-group network INTERNAL-ALL
    description "All internal networks."
    network-object NET 255.255.255.0
    network-object GEN-NET 255.255.255.0
    network-object TELE-NET 255.255.255.0
    network-object INEWS-NET 255.255.255.0
    network-object K2FTP 255.255.255.0
    network-object K2CONT 255.255.255.0
    object-group service W3C
    description "HTTP/S"
    service-object tcp eq www
    service-object tcp eq https
    object-group service FTP-ALL
    description "FTP Active/Passive."
    service-object tcp eq ftp
    service-object tcp eq ftp-data
    object-group service INEWS-CLI
    description "Ports required for INEWS client/server communications."
    service-object tcp eq telnet
    service-object tcp eq login
    service-object tcp eq 600
    service-object tcp eq 49153
    service-object tcp eq 49152
    service-object tcp-udp eq 1020
    service-object tcp-udp eq 1019
    group-object W3C
    group-object FTP-ALL
    service-object tcp eq ssh
    service-object tcp-udp eq 1034
    service-object tcp-udp eq 1035
    object-group service NET-BASE
    description "Base network services required by all."
    service-object tcp-udp eq 123
    service-object udp eq domain
    object-group network INEWS-SVR
    description "iNEWS Servers."
    network-object INEWS0 255.255.255.255
    network-object INEWS1 255.255.255.255
    object-group network WCIU-INEWS
    description "iNEWS Servers at WCIU."
    network-object WCIU-INEWS0 255.255.255.255
    network-object WCIU-INEWS1 255.255.255.255
    object-group network K2-FTP
    description "K2 Servers"
    network-object host K2-FTP0
    network-object host K2-FTP1
    object-group network PF-SYS
    description Internal PathFire Systems
    network-object host PF-DUB-01
    network-object host PF-SVR-01
    object-group network INET-ALLOWED
    description "Hosts that are allowed Internet access (HTTP/FTP) and a few other basic protocols.
    network-object host ENG-PC
    network-object host NAV-PC
    network-object host PF-SVR-01
    group-object INEWS-SVR
    group-object K2-FTP
    group-object PF-SYS
    network-object host PIXPWR
    network-object K2CONT 255.255.255.0
    object-group service GoToAssist
    description "Port required for Citrix GoToAssist remote support sessions (along with HTTP/S)"
    service-object tcp eq 8200
    object-group service DM_INLINE_SERVICE_1
    group-object FTP-ALL
    group-object W3C
    service-object tcp eq ssh
    service-object tcp eq telnet
    group-object GoToAssist
    object-group network RTI
    network-object host RTISVR1
    network-object host RTISVR
    object-group network NAT-K2-SVR
    description "Public NAT addresses of K2 Servers."
    network-object host NAT-K2-FTP0
    network-object host NAT-K2-FTP1
    object-group network NAT-INEWS-SVR
    description "Public NAT addresses of iNEWS servers."
    network-object host NAT-INEWS0
    network-object host NAT-INEWS1
    object-group service INEWS-SVCS
    description "Ports required for iNEWS inter-server communication.
    group-object INEWS-CLI
    service-object tcp eq 1022
    service-object tcp eq 1023
    service-object tcp eq 2048
    service-object tcp eq 698
    service-object tcp eq 699
    object-group service MOS
    description "Ports used for MOS Gateway Services."
    service-object tcp eq 10540
    service-object tcp eq 10541
    service-object tcp eq 6826
    service-object tcp eq 10591
    object-group network DM_INLINE_NETWORK_1
    network-object host WCIU-INEWS0
    network-object host WCIU-INEWS1
    object-group network DM_INLINE_NETWORK_2
    network-object GEN-NET 255.255.255.0
    network-object INEWS-NET 255.255.255.0
    object-group network PF-Svrs
    description External PathfFire Servers
    network-object host PF-EXT-0
    network-object host PF-EXT-1
    network-object host PF-EXT-2
    network-object host PF-EXT-3
    object-group service PF
    description PathFire Services
    group-object FTP-ALL
    service-object tcp eq 1901
    service-object tcp eq 24999
    service-object udp range 6652 6654
    service-object udp range 6680 6691
    object-group service GVG-SDB
    description "Ports required by GVG SDB Client/Server Communication."
    service-object tcp eq 2000
    service-object tcp eq 2001
    service-object tcp eq 3000
    service-object tcp eq 3001
    object-group service MS-SVCS
    description "Ports required for Microsoft networking."
    service-object tcp-udp eq 135
    service-object tcp eq 445
    service-object tcp eq ldap
    service-object tcp eq ldaps
    service-object tcp eq 3268
    service-object tcp eq 3269
    service-object tcp-udp eq cifs
    service-object tcp-udp eq domain
    service-object tcp-udp eq kerberos
    service-object tcp eq netbios-ssn
    service-object udp eq kerberos
    service-object udp eq netbios-ns
    service-object tcp-udp eq 139
    service-object udp eq netbios-dgm
    service-object tcp eq cifs
    service-object tcp eq kerberos
    service-object udp eq cifs
    service-object udp eq domain
    service-object udp eq ntp
    object-group service DM_INLINE_SERVICE_2
    group-object MS-SVCS
    group-object NET-BASE
    group-object GVG-SDB
    group-object W3C
    object-group service DM_INLINE_SERVICE_3
    group-object GVG-SDB
    group-object MS-SVCS
    group-object W3C
    object-group service PIXEL-PWR
    description "Pixel Power Services"
    service-object tcp-udp eq 10250
    object-group service DM_INLINE_SERVICE_4
    group-object FTP-ALL
    group-object GoToAssist
    group-object NET-BASE
    group-object PIXEL-PWR
    group-object W3C
    group-object MS-SVCS
    service-object ip
    object-group service DM_INLINE_SERVICE_5
    group-object MS-SVCS
    group-object NET-BASE
    group-object PIXEL-PWR
    group-object W3C
    object-group service IG-TELE tcp-udp
    port-object range 2500 49501
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_3
    network-object host ENG-PC
    network-object host NAT-ENG-PC
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object udp
    protocol-object icmp
    object-group network DM_INLINE_NETWORK_4
    network-object WCIU 255.255.255.0
    network-object WBND 255.255.255.0
    network-object WCIU_Broadcast 255.255.255.0
    object-group network il2k_test
    network-object 207.32.225.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_8
    network-object WCIU 255.255.255.0
    network-object WBND 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_8
    service-object ip
    group-object INEWS-CLI
    service-object icmp
    service-object udp
    object-group service DM_INLINE_SERVICE_6
    service-object ip
    group-object MS-SVCS
    object-group network DM_INLINE_NETWORK_5
    network-object WCIU 255.255.255.0
    network-object WBND 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_7
    service-object ip
    service-object icmp
    service-object udp
    group-object INEWS-CLI
    object-group network DM_INLINE_NETWORK_9
    network-object host NAT-INEWS0
    network-object host INEWS0
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object icmp
    protocol-object tcp
    object-group network VPN-POOL
    description "IP range assigned to dial-up IPSec VPN."
    network-object VPN-POOL 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
    network-object WBND 255.255.255.0
    network-object WCIU_Broadcast 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    network-object WCIU 255.255.255.0
    network-object VPN-POOL 255.255.255.0
    object-group network DM_INLINE_NETWORK_7
    network-object WBND 255.255.255.0
    network-object VPN-POOL 255.255.255.0
    network-object A-10.2.1.0 255.255.255.0
    network-object WCIU 255.255.255.0
    object-group network DM_INLINE_NETWORK_10
    network-object TELE-NET 255.255.255.0
    network-object host ignite
    access-list inbound extended permit object-group DM_INLINE_SERVICE_5 any host NAT-PIXPWR
    access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP1
    access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP0
    access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS1
    access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS0
    access-list inbound extended permit object-group INEWS-SVCS object-group DM_INLINE_NETWORK_1 object-group NAT-INEWS-SVR
    access-list inbound extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_5 host NAT-INEWS1
    access-list inbound extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
    access-list inbound extended permit object-group MOS WBND 255.255.255.0 host NAT-MOSGW
    access-list inbound extended permit icmp WBND 255.255.255.0 K2FTP 255.255.255.0 object-group ICMP-OK
    access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 object-group NAT-K2-SVR
    access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 K2FTP 255.255.255.0
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
    access-list inbound extended permit icmp any any object-group ICMP-OK
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_1 host ignite host telemetrics
    access-list inbound extended permit object-group MS-SVCS any WBND 255.255.255.0
    access-list inbound extended permit ip any any
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 WBND 255.255.255.0 object-group DM_INLINE_NETWORK_3
    access-list inbound extended permit object-group MS-SVCS any any
    access-list inbound extended permit object-group INEWS-CLI WBND 255.255.255.0 object-group NAT-INEWS-SVR
    access-list inbound extended permit object-group DM_INLINE_PROTOCOL_3 any WBND 255.255.255.0
    access-list inbound extended permit ip any 173.161.x.x 255.255.255.240
    access-list inbound extended permit ip any 207.32.225.0 255.255.255.0
    access-list inbound extended permit ip WBND 255.255.255.0 host 70.194.x.x
    access-list outbound extended deny ip object-group DM_INLINE_NETWORK_10 any
    access-list outbound extended permit object-group DM_INLINE_SERVICE_4 host PIXPWR any
    access-list outbound extended permit object-group INEWS-SVCS object-group INEWS-SVR object-group WCIU-INEWS
    access-list outbound extended permit object-group INEWS-CLI object-group DM_INLINE_NETWORK_2 object-group WCIU-INEWS
    access-list outbound extended permit object-group DM_INLINE_SERVICE_1 object-group INET-ALLOWED any
    access-list outbound extended permit object-group NET-BASE object-group INTERNAL-ALL any
    access-list outbound extended permit icmp any any object-group ICMP-OK
    access-list outbound extended permit ip GEN-NET 255.255.255.0 any
    access-list outbound extended permit ip host ignite host telemetrics
    access-list outbound extended permit ip host NAV-PC host 10.103.2.18
    access-list outbound extended permit ip any GEN-NET 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit WBND 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit VPN-POOL 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU_Broadcast 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit A-10.2.1.0 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.1.0 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.200.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip NET 255.255.255.0 object-group INTERNAL-ALL
    access-list COMCAST_access_in extended permit ip any any
    access-list COMCAST_PUBLIC_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 100000
    logging asdm-buffer-size 512
    logging monitor notifications
    logging buffered notifications
    logging asdm notifications
    mtu inside 1500
    mtu COMCAST_PUBLIC 1500
    mtu outside 1500
    mtu management 1500
    ip local pool VPN-POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0
    ipv6 access-list inside_access_ipv6_in deny ip any any
    ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
    ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
    ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
    ipv6 access-list outside_access_ipv6_in deny ip any any
    ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
    ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
    ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any COMCAST_PUBLIC
    icmp permit any echo outside
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    no asdm history enable
    arp timeout 14400
    global (COMCAST_PUBLIC) 1 173.161.x.x
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 dns
    static (inside,outside) NAT-K2-FTP0 K2-FTP0 netmask 255.255.255.255 dns
    static (inside,outside) NAT-K2-FTP1 K2-FTP1 netmask 255.255.255.255 dns
    static (inside,outside) NAT-INEWS0 INEWS0 netmask 255.255.255.255 dns
    static (inside,outside) NAT-INEWS1 INEWS1 netmask 255.255.255.255 dns
    static (inside,outside) NAT-MOSGW MOSGW netmask 255.255.255.255 dns
    static (inside,outside) NAT-PIXPWR PIXPWR netmask 255.255.255.255 dns
    static (inside,outside) NAT-ENG-PC ENG-PC netmask 255.255.255.255 dns
    static (inside,COMCAST_PUBLIC) 10.1.4.39 ENG-NAS netmask 255.255.255.255 dns
    access-group outbound in interface inside per-user-override
    access-group inside_access_ipv6_in in interface inside per-user-override
    access-group outbound in interface COMCAST_PUBLIC
    access-group outside_access_in in interface outside
    access-group outside_access_ipv6_in in interface outside
    route COMCAST_PUBLIC 0.0.0.0 0.0.0.0 173.161.x.x 1
    route outside 0.0.0.0 0.0.0.0 10.1.4.1 100
    route outside WCIU 255.255.255.0 10.1.4.11 1
    route outside A-10.2.1.0 255.255.255.0 10.1.4.1 1
    route inside 10.11.1.0 255.255.255.0 10.103.1.73 1
    route inside GEN-NET 255.255.255.0 10.103.1.2 1
    route inside TELE-NET 255.255.255.0 10.103.1.2 1
    route inside INEWS-NET 255.255.255.0 10.103.1.2 1
    route inside K2FTP 255.255.255.0 10.103.1.62 1
    route inside K2CONT 255.255.255.0 10.103.1.62 1
    route outside WCIU_Broadcast 255.255.255.0 10.1.4.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server DOMCON protocol radius
    accounting-mode simultaneous
    aaa-server DOMCON (outside) host 10.1.4.17
    timeout 5
    key Tr3at!Ne
    acl-netmask-convert auto-detect
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http NET 255.255.255.0 inside
    http GEN-NET 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set il2k-trans esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set il2k-transform-set esp-3des esp-sha-hmac
    crypto ipsec transform-set il2k-transform-set mode transport
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set peer WBND
    crypto dynamic-map dyno 10 set transform-set il2k-transform-set il2k-trans
    crypto map VPN 10 ipsec-isakmp dynamic dyno
    crypto map VPN interface COMCAST_PUBLIC
    crypto map VPN interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable COMCAST_PUBLIC
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    crypto isakmp disconnect-notify
    telnet timeout 5
    ssh scopy enable
    ssh NET 255.255.255.0 inside
    ssh GEN-NET 255.255.255.0 inside
    ssh VPN-POOL 255.255.255.0 COMCAST_PUBLIC
    ssh 10.103.1.224 255.255.255.240 outside
    ssh WBND 255.255.255.0 outside
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 20
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 10.103.2.52 source inside prefer
    webvpn
    enable inside
    enable outside
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 10.1.4.17 10.1.1.21
    vpn-tunnel-protocol l2tp-ipsec
    ipsec-udp enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.1.4.17 10.1.1.21
    vpn-simultaneous-logins 100
    vpn-idle-timeout 120
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value MAINSERV
    intercept-dhcp enable
    address-pools value VPN-POOL
    group-policy il2k internal
    group-policy il2k attributes
    dns-server value 10.1.4.17
    vpn-tunnel-protocol l2tp-ipsec
    ipsec-udp enable
    username DefaultRAGroup password F1C2vupePix5SQn3t9BAZg== nt-encrypted
    username tsimons password F1C2vupePix5SQn3t9BAZg== nt-encrypted privilege 15
    username interlink password 4QnXXKO..Ry/9yKL encrypted
    username iphone password TQrRGN4aXV4OVyavS5T/Ow== nt-encrypted
    username iphone attributes
    service-type remote-access
    username hriczo password OSruMCto90cxZoWxHllC5A== nt-encrypted
    username hriczo attributes
    service-type remote-access
    username cheighway password LqxYepmj5N6LE2zMU+CuPA== nt-encrypted privilege 15
    username cheighway attributes
    vpn-group-policy il2k
    service-type admin
    username jason password D8PHWEPGhNLOBxNHo0nQmQ== nt-encrypted
    username roscor password jLkgabJ1qUf3hXax encrypted
    username roscor attributes
    service-type admin
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-POOL
    authentication-server-group DOMCON LOCAL
    authentication-server-group (outside) LOCAL
    authentication-server-group (inside) LOCAL
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:4b7c375a2b09feacdf760d10092cf73f
    : end

    No one?  I'd be happy to provide any more info if someone needs it, i'm just looking for some sort of direction.   I did almost this whole config by myself and i'm completely self-taught Cisco, so weird things like this really through me.
    Please help.  Thank you

  • 9.0 can a dynamic nat be used over ipsec vpn?

    9.0 can a  dynamic nat be used over ipsec vpn?
    we have a vpn up and working between two asa's and when we run the traffic through a static nat rule the traffic passes over the vpn. When we use a dynamic nat the traffic does not get picked up by the vpn ACL. 
    we are disabling the nat rules to switch back and forth so even when we use the same source destination the result is the same. 
    Am I missing something with 9.0 code versions? If i disable all nats and pass the traffic it goes over the vpn. 
    So it seems when using the dynamic nat statement it pushes the traffic to the outside interface without looking at the vpn acl. Please let me know if I am off base I am a newb on post 8.3 code. 
    Thanks

    I didn't do that at first because I remember reading something about in ver 9 to only use the unnatted IP because of order of ops. That seemed weird to me at the time. 
    Yes it seems that you need the nat ip like always. Should have just went with my gut on that. 
    Thanks

  • L2TP over IPSec - Can IPSec be disabled?

    Hello.
    I need a pure L2TP connection. Mac OS X has L2TP over IPSec by default. I went through all checkboxes and have not found the one that could disable IPSec. Do I have to do it in the Terminal? If so, what is the command?
    Thanks.

    It can be done by editing some files, but the documention I knew about is gone, but perhaps the zipped script in this thread will give you a clue on how to do it without OSX' built in one.
    http://forums.macosxhints.com/showthread.php?t=40920
    There are some GUI APPs that support plain L2TP...
    IPsecuritas
    http://www.lobotomo.com/products/IPSecuritas/
    VaporSec
    http://www.afp548.com/Software/VaporSec/
    VPN Tracker
    http://www.equinux.com/us/products/vpntracker/index.html

  • L2TP over IPSec Disconnect/Reconnect Wait Time on Astaro Gateway

    Hi Folks,
    We're testing out a new router, Astaro 220. This may be an issue with connecting to just this router or all of them under Leopard, I don't know. This is the first time I've ever gotten the built-in "L2TP over IPSec" to work at all so I'm too giddy to complain too much, but I found this interesting:
    Under Leopard (10.5.5), we can establish a VPN connection to and through the router. But after we disconnect, we cannot see the router's public (WAN) IP address. We can see it fine from other clients and connect from them no problem. This condition lasts for about three (3) minutes when we can finally ping the router again and VPN in.
    This does not occur under Tiger; we can disconnect and reconnect immediately without issue.
    Anyone else ever see anything like this? Like I said, I'm too happy about having it actually work to try to tinker too much, but if there's a simple workaround to tell users (other than "please wait"), it would be great.
    Thanks,
    Jeff
    Message was edited by: JSCooper

    If anyone ever cares ... we needed to set up routes on the Astaro from the IPSec pool to the LAN. Also, had to set the client to "Send ALL traffic through the VPN" and kick DNS back to the vpn clients from the gateway to enable web access.

  • 3000 series concentrator and L2TP over IPSec

    All,
    Anyone have any wisdom they are willing to share regarding the establishment of a L2TP over IPSec tunnel between Mac OS X and a 3000 series concentrator? I believe that the concentrator is accepted the IKE SA proposal, but I can't get any further and I'm not able to get any useful information out of the logs on either side of the tunnel. The client side simply reports that "L2TP cannot connect to the server", the concentrator reports "Connection terminated for peer". It has clearly exchanged some valid information because the concentrator has assigned the traffic to the correct group (a non-default group I've set up specially to test this connection).
    Looking at the packet dump I can see the two devices exchange some information, then the client starts sending ISAKMP packets (quick mode) that the concentrator seems to ignore.
    Thoughts, suggestions, anecdotes etc. are all welcome.

    Try to adjust SA lifetime and the max connect time in VPN concentrator.
    Refer these links:
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094eca.shtml
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_qanda_item09186a0080094cf4.shtml

  • How to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configrations

    how to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configurations
    before ver 8.3 and after version 8.3 ...8.4.. 9 versions..

    Hi,
    To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
    Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
    If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the sametime (default route would be required on the new "outside" interface if VPN Client was used since you DONT KNOW where the VPN Clients are connecting to your ASA)
    Hope this helps
    - Jouni

  • L2TP over IPSec on 15.3.3M

    Good day, I have a 1941 router where I manage to connect some roadwarriors using L2TP over IPSec and it works perfectly up to 15.3.2T  release.
    After upgrading to 15.3.3M I am unable to have L2TP over IPSec  working, while pure LAN to LAN IPSec still works perfectly (I have some  tunnels to branch offices).
    I have performed some debugs and I can  get exactly the same messagges as 15.3.2T, I have captured all the  packets on my computer and while on 15.3.2T I notice normal ESP traffic  after ISAKMP, on 15.3.3M I only capture ESP packets from my PC to the  1941 and not any packet from 1941 and my PC.
    Both show crypto isakmp sa and show crypto ipsec sa show active  SAs between my PC and the 1941 so it seems that it's not a matter of  IPSec, another test I need to perform is disabling one of the two WAN  interfaces and leaving enabled only the one that I want to connect to.
    Did you have any similar problem and can you share any information? Thanks in advance.

    Hi,
    how you fixed it?

Maybe you are looking for

  • Unable to fully sync with iPod Touch 1G and the (new/lat)est iTunes versions in a very old Windows XP Pro SP3 machine?

    Hi. I keep getting this "The iPod '...' cannot be synced. The disk is locked and cannot be written to." error when I try to sync my 11 GB of music from my very old, updated Windows XP Pro SP3 machine to an old iPod Touch 1G (iOS v3.1.3). It has a bra

  • Here Drive + Algorithm Problems?

    I want to start this post with some praise for Here Drive +. Ten years ago, it would have cost €300. Now it comes for free with a Nokia Lumia, and in most cases does a better job than the old SatNav. But I have my doubts about its shortest route algo

  • CRM Materials

    Hi Experts, I just started working in CRM Module. Can any one provide me with some good CRM material. Please let me know the database tables that are generally used in CRM Module. Thanks in advance. Regards, Samantak

  • Howto change Quoram configuration in win2003R2

    Howto change Quorum configuration in win2003R2. I have two nodes cluster and I want to change quorum setting as below. Node and Disk Majority (recommended for clusters with an even number of nodes) Any comment will be appreciated. Thanks. Zahid Hasee

  • Class help

    Hi I cant figure out what my problem is here. I have created 2 classes here one that creates a circle called ball and one that has handlers to drag the circle. My main class MouseMoveDrag is connected to a document class and it is directed to the as