VPN Problems ASA 5505 to 7206 Router MM_WAIT_MSG2

Hi
Since I swapped a Pix Firewall for a Cisco ASA 5505 Firewall at one of our Sites the VPN Tunnel wont come up
I'm getting this:
asaXXXXX# sho crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.150.242.23
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
asaXXXXX#
below is the crypto relevant settings off the ASA:
access-list outside_cryptomap_10 extended permit ip object-group Net_Inside any
access-list outside extended permit ip object-group Network_PPCUK any log debugging
access-list outside extended permit icmp any any
access-list outside extended permit ip object-group Network_QSec any log debugging
access-list inside extended permit ip object-group Net_Inside any
access-list inside extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.xxx.xxx.x 255.255.255.192 any
access-list outside_1_cryptomap extended permit ip 10.xxx.xxx.x 255.255.255.192 any
access-list vpn extended permit ip object-group Net_Inside any
access-list outside_cryptomap_11 extended permit ip 10.xxx.xxx.x 255.255.255.192 any
crypto ipsec transform-set vue2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 14400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map site-crypto-map 10 match address outside_cryptomap_11
crypto map site-crypto-map 10 set pfs
crypto map site-crypto-map 10 set peer 10.150.242.23
crypto map site-crypto-map 10 set transform-set ESP-3DES-SHA
crypto map site-crypto-map 10 set security-association lifetime seconds 14400
crypto map site-crypto-map 10 set security-association lifetime kilobytes 209715
crypto map site-crypto-map 10 set trustpoint ukpvca
crypto map site-crypto-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 14400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp am-disable
below is the crypto map settings off the 7206 Head End Router:
crypto isakmp policy 10
encr 3des
group 2
lifetime 14400
crypto isakmp identity hostname
crypto isakmp keepalive 30 3
crypto ipsec security-association lifetime kilobytes 2097152
crypto ipsec security-association lifetime seconds 14400
crypto ipsec transform-set xxx ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set xxxx esp-3des esp-sha-hmac
crypto map vue 2148 ipsec-isakmp
set peer 10.155.248.82
set transform-set vue2
set pfs group2
match address SITENAME
This 7206 Router has 140 VPN Tunnels running on it and the rest are all ok only this one Site thats not working
Any feedback would be much appreciated!
Thanks
CLIGuru

Hi
I've compared the configs to a known working ASA and theylook identical
I ran a debug crypto isakmp  251 and got the following:
Aug 16 14:29:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Aug 16 14:29:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:12 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:13 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:13 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:14 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:15 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:15 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
en P1 SA is complete.
Aug 16 14:29:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:37 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:38 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:38 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:39 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Strange eh ?!

Similar Messages

  • Problem with Remote Access VPN on ASA 5505

    I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
    The VPN client logs are as follows:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.2.9200
    2      15:09:21.240  12/11/12  Sev=Info/4    CM/0x63100002
    Begin connection process
    3      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100004
    Establish secure connection
    4      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100024
    Attempt connection with server "**.**.***.***"
    5      15:09:21.287  12/11/12  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with **.**.***.***.
    6      15:09:21.287  12/11/12  Sev=Info/4    IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    7      15:09:21.303  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
    8      15:09:21.365  12/11/12  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    9      15:09:21.334  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    10     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
    11     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    12     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    13     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    14     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    15     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports IKE fragmentation payloads
    16     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    17     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
    18     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    19     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0xFBCE, Remote Port = 0x1194
    20     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    21     15:09:21.334  12/11/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    22     15:09:21.365  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    23     15:09:21.365  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    24     15:09:21.365  12/11/12  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    25     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    26     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    27     15:09:27.319  12/11/12  Sev=Info/4    CM/0x63100017
    xAuth application returned
    28     15:09:27.319  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    29     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    30     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    31     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    32     15:09:27.365  12/11/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    33     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    34     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    35     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    36     15:09:27.397  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    37     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
    38     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    39     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
    40     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
    41     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
    42     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
    43     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    44     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
    45     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
    46     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    47     15:09:27.397  12/11/12  Sev=Info/4    CM/0x63100019
    Mode Config data received
    48     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
    49     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
    50     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    51     15:09:27.444  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
    52     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    53     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
    54     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    55     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
    56     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
    57     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000049
    Discarding IPsec SA negotiation, MsgID=CE99A8A8
    58     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
    59     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    60     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000058
    Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
    61     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
    62     15:09:27.490  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    63     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
    64     15:09:30.475  12/11/12  Sev=Info/4    CM/0x63100012
    Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    65     15:09:30.475  12/11/12  Sev=Info/5    CM/0x63100025
    Initializing CVPNDrv
    66     15:09:30.475  12/11/12  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 0.
    67     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x63000001
    IKE received signal to terminate VPN connection
    68     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    69     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    70     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    71     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x6370000A
    IPSec driver successfully stopped
    The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
    : Saved
    ASA Version 8.2(5)
    hostname NCHCO
    enable password hTjwXz/V8EuTw9p9 encrypted
    passwd hTjwXz/V8EuTw9p9 encrypted
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address **.**.***.*** 255.255.255.248
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list LAN_Access standard permit NCHCO 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0_outbound
    route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http **.**.***.*** 255.255.255.255 outside
    http 74.218.158.238 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set l2tp-transform mode transport
    crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    client-update enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value nchco.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Pool
    group-policy NCHVPN internal
    group-policy NCHVPN attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value NCHCO
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    pre-shared-key *****
    tunnel-group NCHVPN type remote-access
    tunnel-group NCHVPN general-attributes
    address-pool VPN_Pool
    default-group-policy NCHVPN
    tunnel-group NCHVPN ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:15852745977ff159ba808c4a4feb61fa
    : end
    asdm image disk0:/asdm-645.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    Anyone have any idea why this is happening?
    Thanks!

    Thanks again for your reply, and sorry about the late response, havent gotten back to this issue until just now. I applied the above command as you specified, and unfortunately, it did not resolve the problem. Below are the logs from the VPN Client for the connection + attempted browsing of a network share that is behind the ASA, and the new running configuration.
    VPN Client Log:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.2.9200
    331    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100002
    Begin connection process
    332    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100004
    Establish secure connection
    333    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100024
    Attempt connection with server "69.61.228.178"
    334    13:11:41.362  12/17/12  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with 69.61.228.178.
    335    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    336    13:11:41.424  12/17/12  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    337    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
    338    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    339    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
    340    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    341    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    342    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    343    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    344    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports IKE fragmentation payloads
    345    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    346    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
    347    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    348    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0xD271, Remote Port = 0x1194
    349    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    350    13:11:41.393  12/17/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    351    13:11:41.424  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    352    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    353    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    354    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100017
    xAuth application returned
    355    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    356    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    357    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    358    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    359    13:11:41.456  12/17/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    360    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    361    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    362    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    363    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    364    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
    365    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    366    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
    367    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
    368    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
    369    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
    370    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000F
    SPLIT_NET #1
        subnet = 192.168.2.0
        mask = 255.255.255.0
        protocol = 0
        src port = 0
        dest port=0
    371    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
    372    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    373    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
    374    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
    375    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    376    13:11:41.502  12/17/12  Sev=Info/4    CM/0x63100019
    Mode Config data received
    377    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
    378    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
    379    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    380    13:11:41.534  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
    381    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    382    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
    383    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    384    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
    385    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 28800 seconds
    386    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
    387    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000059
    Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
    388    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000025
    Loaded OUTBOUND ESP SPI: 0xD2DBADEA
    389    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000026
    Loaded INBOUND ESP SPI: 0x14762837
    390    13:11:41.549  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    391    13:11:41.877  12/17/12  Sev=Info/6    CVPND/0x63400001
    Launch VAInst64 to control IPSec Virtual Adapter
    392    13:11:43.455  12/17/12  Sev=Info/4    CM/0x63100034
    The Virtual Adapter was enabled:
        IP=192.168.2.70/255.255.255.0
        DNS=192.168.2.1,8.8.8.8
        WINS=0.0.0.0,0.0.0.0
        Domain=NCHCO.local
        Split DNS Names=
    393    13:11:43.455  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      266
    394    13:11:47.517  12/17/12  Sev=Info/4    CM/0x63100038
    Successfully saved route changes to file.
    395    13:11:47.517  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
      69.61.228.178   255.255.255.255       192.168.1.1     192.168.1.162      100
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
        192.168.1.2   255.255.255.255     192.168.1.162     192.168.1.162      100
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
        192.168.2.0     255.255.255.0      192.168.2.70      192.168.2.70      266
        192.168.2.0     255.255.255.0       192.168.2.1      192.168.2.70      100
       192.168.2.70   255.255.255.255      192.168.2.70      192.168.2.70      266
      192.168.2.255   255.255.255.255      192.168.2.70      192.168.2.70      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0      192.168.2.70      192.168.2.70      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255      192.168.2.70      192.168.2.70      266
    396    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100036
    The routing table was updated for the Virtual Adapter
    397    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310001A
    One secure connection established
    398    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 192.168.1.162.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
    399    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 192.168.2.70.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
    400    13:11:47.517  12/17/12  Sev=Info/5    CM/0x63100001
    Did not find the Smartcard to watch for removal
    401    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    402    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    403    13:11:47.517  12/17/12  Sev=Info/6    IPSEC/0x6370002C
    Sent 109 packets, 0 were fragmented.
    404    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    405    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    406    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0xeaaddbd2 into key list
    407    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    408    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0x37287614 into key list
    409    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370002F
    Assigned VA private interface addr 192.168.2.70
    410    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700037
    Configure public interface: 192.168.1.162. SG: 69.61.228.178
    411    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 1.
    412    13:11:52.688  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    413    13:11:52.688  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476009
    414    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    415    13:11:52.704  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    416    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
    417    13:12:03.187  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    418    13:12:03.187  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476010
    419    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    420    13:12:03.202  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    421    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
    422    13:12:14.185  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    423    13:12:14.185  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476011
    424    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    425    13:12:14.201  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    426    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
    427    13:12:24.762  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    428    13:12:24.762  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476012
    429    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    430    13:12:24.778  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    431    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
    New running configuration:
    : Saved
    ASA Version 8.4(1)
    hostname NCHCO
    enable password hTjwXz/V8EuTw9p9 encrypted
    passwd hTjwXz/V8EuTw9p9 encrypted
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 69.61.228.178 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    object network NCHCO
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.64
    subnet 192.168.2.64 255.255.255.224
    object network obj-0.0.0.0
    subnet 0.0.0.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
    access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
    nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
    nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 69.61.228.178 255.255.255.255 outside
    http 74.218.158.238 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set l2tp-transform mode transport
    crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    crypto isakmp identity address
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto ikev1 policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    default-domain value nchco.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Pool
    group-policy NCHCO internal
    group-policy NCHCO attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value NCHCO_splitTunnelAcl_1
    default-domain value NCHCO.local
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group NCHCO type remote-access
    tunnel-group NCHCO general-attributes
    address-pool VPN_Pool
    default-group-policy NCHCO
    tunnel-group NCHCO ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
    : end
    asdm image disk0:/asdm-649.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    I'm at a loss myself as to why this isn't working, and i'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
    Thanks so much!
    Matthew

  • Site to Site VPN between ASA 5505 and Cisco 800 router

    Evening all,
    Hoping that someboy can see the error of my ways.  It seems very like the problem that i read here: https://supportforums.cisco.com/thread/2016300
    We have a cisco 800 in a remote site which we wanted to use for a site to site vpn.  Went through the steps on the ASA 5505 and the 800 and have got to the stage were the tunnel is up and connected.  Getting traffic through it is another matter.  Remote network is 172.20.224.0/20 and the server network behind the ASA is 192.168.168.0/24. The tunnel does intiate when you send traffic from 172 ......to 192.......  Both the ASA and 800 report the tunnel is up.  If i look at the stats using ccp on the 800 i can see the encapsulation packets graph shooting up but nothing cominbg back.  I did packet captures on the 5505 and could not see anything coming from the tunnel so i dont belive its making it to the ASA.  Here is the config from the 800:
    Building configuration...
    Current configuration : 6488 bytes
    version 12.4
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname hhp-sty-backup
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    enable secret 5 $1$jI1i$/kZbRk2WHD5h0HtfuQVej1
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization auth-proxy default local
    aaa session-id common
    crypto pki trustpoint TP-self-signed-1347488939
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1347488939
    revocation-check none
    rsakeypair TP-self-signed-1347488939
    crypto pki certificate chain TP-self-signed-1347488939
    certificate self-signed 02
      30820255 308201BE A0030201 02020102 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31333437 34383839 3339301E 170D3032 30333031 30313336
      33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343734
      38383933 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100E714 7B0ADB41 19F60528 A8A5C43B 5CD2D1CD DCCF2E08 8B38D444 36EAB9B7
      0E93CEF7 660F979E E27915B9 E44812A5 794EA03D BA66752B FD0F7EBF D6342513
      D6410E4E 098CE838 C3BADD0A 5F3505FE 22CA776F 89B19510 F0852225 3600F046
      4D57D2E2 FE4AAD1E 8BE4BF80 7B27369E BFA65160 BC769BC9 00A13741 E336D0EA
      8A810203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
      551D1104 21301F82 1D686870 2D737479 2D626163 6B75702E 796F7572 646F6D61
      696E2E63 6F6D301F 0603551D 23041830 168014FA 4A8C4DF6 629638DE 87D7B60A
      0F5BB40F EA6AED30 1D060355 1D0E0416 0414FA4A 8C4DF662 9638DE87 D7B60A0F
      5BB40FEA 6AED300D 06092A86 4886F70D 01010405 00038181 00BBE577 6EF63FE7
      789766D5 37841812 298D4885 1CD06D07 4C625369 C3403106 89EE1398 73495432
      66C49CB1 36A5B2F8 D77A8C46 5AFE4112 EA5917D9 81542640 80EF2D36 54A85CC6
      C3FFFFB8 39A648DD 2ABA2B13 4137BE07 760E46C0 74401DA7 482E3FA2 A64B70FF
      447AA1B2 52E37240 29987085 532BBE3B C2E2E54A 54CA1D13 0E
                quit
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool inside
    ip dhcp pool lan_network
       network 172.20.224.0 255.255.240.0
       dns-server 8.8.8.8 8.8.4.4
       default-router 172.20.224.1
       lease 7
    ip cef
    no ip domain lookup
    ip domain name yourdomain.com
    password encryption aes
    username pix privilege 15 secret 5 $1$Z.wA$lBmj36AJx/cbK1RjmfGJh1
    username admin privilege 15 password 0 434Zaty
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key password address 217.36.32.222
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to217.36.32.222
    set peer 217.36.32.222
    set transform-set ESP-3DES-SHA
    match address 100
    archive
    log config
      hidekeys
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 172.20.224.1 255.255.240.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname B6*******.btclick.com
    ppp chap password 0 H*******
    crypto map SDM_CMAP_1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    access-list 1 remark CCP_ACL Category=16
    access-list 1 permit 172.4.0.0 0.240.255.255
    access-list 10 permit 195.12.1.35
    access-list 10 permit 172.4.0.0 0.240.255.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
    access-list 101 permit ip 172.4.0.0 0.240.255.255 any
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^C
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE 
    PUBLICLY-KNOWN CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
    NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    line con 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 10 in
    privilege level 15
    password 434Zaty
    transport input telnet ssh
    scheduler max-task-time 5000
    end
    Any help will be most gratefully recieved.

    Rick,
    Thanks for replying.  Here is the output from the 800 Show Crypto command:
    interface: Dialer0
        Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
       current_peer 217.36.32.222 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
         path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    interface: Virtual-Access2
        Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
       current_peer 217.36.32.222 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
         path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    and this is the running config frm our ASA at HQ:
    Result of the command: "sh run"
    : Saved
    ASA Version 8.2(1)
    hostname secure-access
    domain-name hhp.com
    enable password UWWykvGjAPmxufUo encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.168.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group BT
    ip address 217.36.32.222 255.255.255.255 pppoe
    interface Vlan12
    nameif DMZ
    security-level 50
    ip address 192.168.169.1 255.255.255.0
    interface Vlan22
    nameif Wireless_HHP
    security-level 100
    ip address 172.16.36.1 255.255.254.0
    interface Vlan32
    nameif CNES
    security-level 100
    ip address 187.187.168.1 255.255.0.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 12
    interface Ethernet0/3
    switchport access vlan 22
    interface Ethernet0/4
    switchport access vlan 32
    interface Ethernet0/5
    switchport access vlan 12
    interface Ethernet0/6
    switchport access vlan 12
    interface Ethernet0/7
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns domain-lookup DMZ
    dns domain-lookup Wireless_HHP
    dns domain-lookup CNES
    dns server-group DefaultDNS
    name-server 192.168.168.2
    domain-name hhp.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network NET-cnes_HHP-Sty
    network-object 172.20.224.0 255.255.240.0
    object-group network NET-cnes_HHP-Balivanich
    network-object 172.20.192.0 255.255.240.0
    object-group network Oak-DC1
    network-object 192.168.168.2 255.255.255.255
    object-group network Maple-DC2
    network-object 192.168.168.3 255.255.255.255
    object-group network HHP_Domain_Controllers
    group-object Oak-DC1
    group-object Maple-DC2
    object-group network PC-Support
    network-object 187.187.60.1 255.255.255.255
    network-object 187.187.60.2 255.255.255.254
    network-object 187.187.60.4 255.255.255.254
    network-object 187.187.60.6 255.255.255.255
    object-group network ELM-ActiveH
    network-object 192.168.168.6 255.255.255.255
    object-group network Pine-GP
    network-object 192.168.168.12 255.255.255.255
    object-group network HHP_Application_Servers
    group-object ELM-ActiveH
    group-object Pine-GP
    object-group network Fern-TS1
    network-object 192.168.168.4 255.255.255.255
    object-group network Fir-TS2
    network-object 192.168.168.5 255.255.255.255
    object-group network HHP_Terminal_Servers
    group-object Fern-TS1
    group-object Fir-TS2
    object-group service Global_Catalog_LDAP
    description (Generated by Cisco SM from Object "Global Catalog LDAP")
    service-object tcp eq 3268
    object-group service Global_Catalog_LDAP_SSL
    description (Generated by Cisco SM from Object "Global Catalog LDAP SSL")
    service-object tcp eq 3269
    object-group service UDP-389
    description UDP port for LDAP
    service-object udp eq 389
    object-group service TCP-88
    description TCP Port 88
    service-object tcp eq 88
    object-group service TCP-445
    description SMB
    service-object tcp eq 445
    object-group network John_-_Laptop
    description John's Laptop
    network-object 187.187.10.65 255.255.255.255
    object-group network Graham_-_PC
    description Graham Morrison's PC
    network-object 187.187.10.90 255.255.255.255
    object-group network john_test
    network-object 187.187.40.7 255.255.255.255
    object-group network Iain_PC
    description Iain Macaulay IT
    network-object 187.187.10.19 255.255.255.255
    object-group network John_-_PC
    description John MacPhail's PC
    network-object 187.187.10.7 255.255.255.255
    object-group network it-alahen-lap
    network-object 187.187.10.230 255.255.255.255
    object-group network Catriona_-_Laptop
    description Catriona's Laptop
    network-object 187.187.10.60 255.255.255.255
    object-group network Graham_-_Laptop
    network-object 187.186.10.120 255.255.255.255
    object-group network it-innive-xp
    description Innes MacIver's PC
    network-object 187.187.10.14 255.255.255.255
    object-group network it-alahen-xp
    description Desktop
    network-object 187.187.10.229 255.255.255.255
    object-group network Cat_-_PC
    description Catriona Macmillan's PC
    network-object 187.187.10.4 255.255.255.255
    object-group network it-davdon-xp
    description Desktop
    network-object 187.187.160.7 255.255.255.255
    object-group network cat-laptop
    description Catriona's Laptop addresses
    network-object 187.187.77.81 255.255.255.255
    network-object 187.187.77.82 255.255.255.255
    object-group network Catriona_old_pc
    network-object 187.187.10.44 255.255.255.255
    object-group network cat-tablet
    description Catriona's Tablet ip address's
    network-object 187.187.77.78 255.255.255.254
    object-group network DSO-SQLServer
    description Task Database Server
    network-object 187.187.1.33 255.255.255.255
    object-group network it-finfernew-xp
    description Findlay Ferguson PC
    network-object 187.187.10.153 255.255.255.255
    object-group network PC_Support
    group-object John_-_Laptop
    group-object Graham_-_PC
    group-object john_test
    group-object Iain_PC
    group-object John_-_PC
    group-object it-alahen-lap
    group-object Catriona_-_Laptop
    group-object Graham_-_Laptop
    group-object it-alahen-xp
    group-object Cat_-_PC
    group-object it-davdon-xp
    group-object cat-laptop
    group-object Catriona_old_pc
    group-object cat-tablet
    group-object it-innive-xp
    network-object 187.187.1.128 255.255.255.255
    network-object 187.187.10.76 255.255.255.255
    group-object DSO-SQLServer
    network-object 187.187.15.234 255.255.255.255
    network-object 187.187.4.60 255.255.255.255
    network-object 187.187.10.134 255.255.255.255
    network-object 172.18.194.22 255.255.255.255
    group-object it-finfernew-xp
    object-group network Entire_CNE
    description Entire CNE range
    network-object 187.0.0.0 255.0.0.0
    object-group network NET-cnes_HHP-Sty-Staff
    network-object 172.20.225.0 255.255.255.0
    object-group network NET-cnes_HHP-Balivanich-staff
    network-object 172.20.193.0 255.255.255.0
    object-group network Alder-Intranet
    network-object 192.168.168.13 255.255.255.255
    object-group network Aspen-ISA
    network-object 192.168.168.10 255.255.255.255
    object-group service tcp-8080
    description TCP Port 8080
    service-object tcp eq 8080
    object-group network Beech-External
    network-object 217.36.32.210 255.255.255.255
    object-group network it-csm
    description cisco security manager
    network-object 187.187.1.72 255.255.255.255
    object-group network Juniper-External
    description Internet Server
    network-object 217.36.32.211 255.255.255.255
    object-group network HHP_Server_Network
    network-object 192.168.168.0 255.255.255.0
    object-group network Messagelabs_Incoming_HHP
    network-object 67.219.240.0 255.255.240.0
    network-object 95.131.104.0 255.255.248.0
    network-object 193.109.254.0 255.255.254.0
    network-object 195.245.230.0 255.255.254.0
    network-object 216.82.240.0 255.255.240.0
    network-object 85.158.136.0 255.255.248.0
    network-object 117.120.16.0 255.255.248.0
    network-object 194.106.220.0 255.255.254.0
    object-group network Angus-Maclean-PC
    network-object 187.187.10.250 255.255.255.255
    object-group service RDP
    service-object tcp eq 3389
    object-group network it-dbserver
    description Database Server (Live)
    network-object 187.187.1.65 255.255.255.255
    object-group network it-sql-test
    description Test SQL / database server
    network-object 187.187.1.81 255.255.255.255
    object-group service DNS-Resolving
    description Domain Name Server
    service-object tcp eq domain
    service-object udp eq domain
    object-group network Beech-Exchange
    network-object 192.168.168.91 255.255.255.255
    object-group network Messagelabs_-_Incoming
    description List of MessageLab addresses that SMTP connections are accepted from
    network-object 212.125.75.0 255.255.255.224
    network-object 216.82.240.0 255.255.240.0
    network-object 195.216.16.211 255.255.255.255
    network-object 194.205.110.128 255.255.255.224
    network-object 194.106.220.0 255.255.254.0
    network-object 193.109.254.0 255.255.254.0
    network-object 62.231.131.0 255.255.255.0
    network-object 62.173.108.208 255.255.255.240
    network-object 62.173.108.16 255.255.255.240
    network-object 212.125.74.44 255.255.255.255
    network-object 195.245.230.0 255.255.254.0
    network-object 85.158.136.0 255.255.248.0
    object-group network MIS_Support
    network-object 192.168.168.250 255.255.255.254
    object-group network it-donadon-xp
    description Donald Macdonald's PC
    network-object 187.187.10.13 255.255.255.255
    object-group network Angela_PC
    network-object 187.187.10.155 255.255.255.255
    object-group network Katie_PC
    network-object 187.187.10.151 255.255.255.255
    object-group network Pauline_PC
    network-object 187.187.10.12 255.255.255.255
    object-group network it-paye-net
    network-object 187.187.1.92 255.255.255.255
    object-group network MessageLabs-Towers
    description Message Labs IP Address ranges
    network-object 216.82.240.0 255.255.240.0
    network-object 67.219.240.0 255.255.240.0
    network-object 85.158.136.0 255.255.248.0
    network-object 95.131.104.0 255.255.248.0
    network-object 117.120.16.0 255.255.248.0
    network-object 193.109.254.0 255.255.254.0
    network-object 194.106.220.0 255.255.254.0
    network-object 195.245.230.0 255.255.254.0
    network-object 62.231.131.0 255.255.255.0
    network-object 212.125.75.16 255.255.255.240
    object-group network NET_cnes-castlebay-staff
    network-object 172.19.17.0 255.255.255.0
    object-group network NET_cnes_tarbert_staff
    description NET_cnes_tarbert_staff
    network-object 172.19.33.0 255.255.255.0
    object-group network Juniper
    network-object 192.168.169.5 255.255.255.255
    object-group network HHP_DMZ_Network
    network-object 192.168.169.0 255.255.255.0
    object-group network Ash
    network-object 192.168.168.100 255.255.255.255
    object-group service UDP-445
    service-object udp eq 445
    object-group service tcp-udp-135-139
    service-object tcp-udp range 135 139
    object-group network HHP-ELM
    description HHP's ELM ActiveH server
    network-object 187.187.1.203 255.255.255.255
    object-group network CNES-Ext-GW
    description CNES External Address
    network-object 194.83.245.242 255.255.255.255
    object-group service IPSEC
    description IPSEC
    service-object 57
    service-object ah
    service-object esp
    service-object udp eq isakmp
    object-group network Alamur-PC
    network-object 187.187.10.15 255.255.255.255
    object-group network Iain-Nicolson-PC
    network-object 187.187.10.159 255.255.255.255
    object-group network HHP_Remote_Access_Pool
    network-object 192.168.168.200 255.255.255.248
    network-object 192.168.168.208 255.255.255.240
    network-object 192.168.168.224 255.255.255.252
    network-object 192.168.168.228 255.255.255.254
    object-group network Holly-AV
    network-object 192.168.168.9 255.255.255.255
    object-group service AVG_Ports
    description For AVG server to HHP PCs
    service-object tcp-udp eq 6150
    service-object tcp-udp eq 6051
    service-object tcp-udp eq 445
    service-object tcp-udp eq 138
    service-object tcp-udp eq 135
    service-object tcp-udp eq 6054
    service-object tcp-udp eq 4158
    service-object tcp-udp eq 139
    service-object tcp-udp eq 137
    object-group network CNES_Access
    network-object 192.168.168.230 255.255.255.254
    network-object 192.168.168.232 255.255.255.248
    network-object 192.168.168.240 255.255.255.248
    network-object 192.168.168.248 255.255.255.254
    object-group network HHP-068
    description BACS PC
    network-object 172.20.225.6 255.255.255.255
    object-group network Banyan
    network-object 192.168.168.105 255.255.255.255
    object-group service TCP81
    description TCP Port 81
    service-object tcp eq 81
    object-group network Gavin_-_new_PC
    network-object 187.187.10.150 255.255.255.255
    object-group network Secudoors
    network-object 172.20.224.4 255.255.255.255
    access-list outside_access_in remark Time sync to external ntp server
    access-list outside_access_in extended permit udp host 192.108.114.23 object-group HHP_Domain_Controllers eq ntp
    access-list outside_access_in extended permit tcp object-group MessageLabs-Towers object-group Beech-External eq smtp
    access-list outside_access_in extended permit ip host 81.136.160.237 object-group HHP_Server_Network
    access-list outside_access_in extended permit ip object-group CNES_Access object-group HHP_Server_Network
    access-list outside_access_in extended permit ip object-group MIS_Support object-group HHP_Server_Network
    access-list outside_access_in extended permit ip object-group HHP_Remote_Access_Pool object-group HHP_Server_Network
    access-list outside_access_in extended permit tcp any object-group Juniper-External eq www
    access-list outside_access_in extended permit tcp any object-group Juniper-External eq https
    access-list outside_access_in extended deny ip any any
    access-list outside_access_in_1 extended permit ip any any
    access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Balivanich object-group HHP_Server_Network
    access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Sty object-group HHP_Server_Network
    access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq www
    access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq domain
    access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group HHP-068 any eq domain
    access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq https
    access-list CSM_FW_ACL_Wireless_HHP extended permit object-group DNS-Resolving object-group HHP-068 any
    access-list CSM_FW_ACL_Wireless_HHP extended permit object-group tcp-8080 object-group HHP-068 any
    access-list CSM_FW_ACL_Wireless_HHP extended permit ip host 172.20.193.53 object-group CNES-Ext-GW
    access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group Secudoors any
    access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Balivanich
    access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
    access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Application_Servers object-group PC_Support
    access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Domain_Controllers object-group PC_Support
    access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Terminal_Servers object-group PC_Support
    access-list CSM_FW_ACL_inside extended permit tcp object-group Oak-DC1 any eq domain
    access-list CSM_FW_ACL_inside extended permit udp object-group Oak-DC1 any eq domain
    access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Oak-DC1 any
    access-list CSM_FW_ACL_inside extended permit tcp object-group Maple-DC2 any eq domain
    access-list CSM_FW_ACL_inside extended permit udp object-group Maple-DC2 any eq domain
    access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Maple-DC2 any
    access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq www
    access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq domain
    access-list CSM_FW_ACL_inside extended permit udp object-group Aspen-ISA any eq domain
    access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq https
    access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Aspen-ISA any
    access-list CSM_FW_ACL_inside extended permit object-group tcp-8080 object-group Aspen-ISA any
    access-list CSM_FW_ACL_inside remark For Symantec Liveupdates
    access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq ftp
    access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq www
    access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq https
    access-list CSM_FW_ACL_inside remark IPSec VPN access from ELm to CNES
    access-list CSM_FW_ACL_inside extended permit object-group IPSEC object-group ELM-ActiveH object-group CNES-Ext-GW
    access-list CSM_FW_ACL_inside extended permit udp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
    access-list CSM_FW_ACL_inside extended permit tcp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
    access-list CSM_FW_ACL_inside extended permit icmp object-group HHP_Server_Network object-group HHP_DMZ_Network
    access-list CSM_FW_ACL_inside remark Time sync to external ntp server
    access-list CSM_FW_ACL_inside extended permit udp object-group HHP_Domain_Controllers host 192.108.114.23 eq ntp
    access-list CSM_FW_ACL_inside extended permit tcp object-group Beech-Exchange object-group Messagelabs_-_Incoming eq smtp
    access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq www
    access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq https
    access-list CSM_FW_ACL_inside extended permit ip object-group Holly-AV object-group Juniper
    access-list CSM_FW_ACL_inside extended deny ip any any
    access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_Server_Network
    access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_DMZ_Network
    access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Balivanich
    access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Sty
    access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq ssh
    access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq www
    access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq https
    access-list CSM_FW_ACL_CNES remark Aim's access to Active H server: DSO SQL
    access-list CSM_FW_ACL_CNES remark server's access (Task)
    access-list CSM_FW_ACL_CNES remark IT Ops - mapped drive for FTP transfer to and from E450/Elm of Entitlement Adjustments
    access-list CSM_FW_ACL_CNES remark and Tenancy Changes
    access-list CSM_FW_ACL_CNES extended permit ip object-group it-sql-test object-group ELM-ActiveH
    access-list CSM_FW_ACL_CNES extended permit ip object-group DSO-SQLServer object-group ELM-ActiveH
    access-list CSM_FW_ACL_CNES extended permit ip object-group it-paye-net object-group ELM-ActiveH
    access-list CSM_FW_ACL_CNES extended permit ip object-group Angela_PC object-group ELM-ActiveH
    access-list CSM_FW_ACL_CNES extended permit ip object-group Katie_PC object-group ELM-ActiveH
    access-list CSM_FW_ACL_CNES extended permit ip object-group Pauline_PC object-group ELM-ActiveH
    access-list CSM_FW_ACL_CNES remark donald and Findlay RDP access to Active H
    access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group ELM-ActiveH
    access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group HHP_Terminal_Servers
    access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group ELM-ActiveH
    access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group HHP_Terminal_Servers
    access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Alder-Intranet
    access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC host 192.168.168.17
    access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Juniper
    access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Alder-Intranet
    access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC host 192.168.168.17
    access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Juniper
    access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Alder-Intranet
    access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp host 192.168.168.17
    access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Juniper
    access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Alder-Intranet
    access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC host 192.168.168.17
    access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Juniper
    access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Alder-Intranet
    access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC host 192.168.168.17
    access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Juniper
    access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes-castlebay-staff object-group HHP_Server_Network
    access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes_tarbert_staff object-group HHP_Server_Network
    access-list MIS_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.250 255.255.255.254
    access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.224 255.255.255.224
    access-list CSM_FW_ACL_DMZ extended permit ip object-group HHP_DMZ_Network object-group PC_Support
    access-list CSM_FW_ACL_DMZ extended permit icmp object-group HHP_DMZ_Network object-group HHP_Server_Network
    access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Angus-Maclean-PC
    access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Holly-AV
    access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group Beech-Exchange eq smtp
    access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group HHP_Domain_Controllers eq domain
    access-list CSM_FW_ACL_DMZ extended permit udp object-group Juniper object-group HHP_Domain_Controllers eq domain
    access-list CSM_FW_ACL_DMZ remark for backups to USB drive on ASH
    access-list CSM_FW_ACL_DMZ extended permit object-group TCP-445 object-group Juniper object-group Ash
    access-list CSM_FW_ACL_DMZ extended permit object-group UDP-445 object-group Juniper object-group Ash
    access-list CSM_FW_ACL_DMZ extended permit object-group tcp-udp-135-139 object-group Juniper object-group Ash
    access-list CSM_FW_ACL_DMZ extended deny ip any any
    access-list CNES_Support_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
    access-list RemoteAccess_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1492
    mtu DMZ 1500
    mtu Wireless_HHP 1500
    mtu CNES 1500
    ip local pool CNES_Access 192.168.168.230-192.168.168.249
    ip local pool MIS_Support 192.168.168.250-192.168.168.251
    ip local pool OLM-VPN-Pool 192.168.168.252
    ip local pool HHP_Remote_Access_Pool 192.168.168.200-192.168.168.229
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (Wireless_HHP) 1 172.20.193.53 255.255.255.255
    nat (Wireless_HHP) 1 172.20.225.0 255.255.255.0
    static (inside,CNES) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
    static (CNES,inside) 187.187.0.0 255.255.0.0 netmask 255.255.0.0
    static (Wireless_HHP,inside) 172.20.224.0 172.20.224.0 netmask 255.255.240.0
    static (inside,Wireless_HHP) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
    static (CNES,Wireless_HHP) 187.187.0.0 187.187.0.0 netmask 255.255.0.0
    static (inside,outside) 217.36.32.210 192.168.168.91 netmask 255.255.255.255
    static (DMZ,outside) 217.36.32.211 192.168.169.5 netmask 255.255.255.255
    static (inside,DMZ) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
    static (CNES,DMZ) 187.0.0.0 187.0.0.0 netmask 255.0.0.0
    access-group CSM_FW_ACL_inside in interface inside
    access-group outside_access_in_1 in interface outside control-plane
    access-group outside_access_in in interface outside
    access-group CSM_FW_ACL_DMZ in interface DMZ
    access-group CSM_FW_ACL_Wireless_HHP in interface Wireless_HHP
    access-group CSM_FW_ACL_CNES in interface CNES
    route outside 0.0.0.0 0.0.0.0 81.148.0.157 1
    route Wireless_HHP 172.20.192.0 255.255.240.0 172.16.36.3 1
    route Wireless_HHP 172.20.224.0 255.255.240.0 172.16.36.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server HHP protocol ldap
    aaa-server HHP (inside) host 192.168.168.2
    timeout 5
    ldap-base-dn dc=hhp,dc=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *
    ldap-login-dn cn=gramor,cn=users,dc=hhp,dc=com
    server-type microsoft
    aaa-server HHP_1 protocol ldap
    aaa-server HHP_1 (inside) host 192.168.168.2
    timeout 5
    ldap-base-dn dc=hhp,dc=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *
    ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
    server-type microsoft
    aaa-server HHP_3 protocol ldap
    aaa-server HHP_3 (inside) host 192.168.168.2
    timeout 5
    ldap-base-dn dc=hhp,dc=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *
    ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
    server-type microsoft
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.168.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    http 194.83.245.242 255.255.255.255 outside
    http 187.187.1.72 255.255.255.255 CNES
    http 187.187.10.90 255.255.255.255 CNES
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map outside_map_dynamic 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 81.136.160.237
    crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 30001 ipsec-isakmp dynamic outside_map_dynamic
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment terminal
    fqdn none
    subject-name O=Hebridean Housing Partnership Limited,CN=secure-access.hebrideanhousing.co.uk,L=Isle of Lewis,ST=Scotland,C=GB
    keypair SSL_Certificate
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    fqdn none
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 0100000000012790a5c005
        30820530 30820418 a0030201 02020b01 00000000 012790a5 c005300d 06092a86
        4886f70d 01010505 00306a31 23302106 0355040b 131a4f72 67616e69 7a617469
        6f6e2056 616c6964 6174696f 6e204341 31133011 06035504 0a130a47 6c6f6261
        6c536967 6e312e30 2c060355 04031325 476c6f62 616c5369 676e204f 7267616e
        697a6174 696f6e20 56616c69 64617469 6f6e2043 41301e17 0d313030 33323431
        34313835 385a170d 31333033 32343134 31383534 5a308197 310b3009 06035504
        06130247 42311130 0f060355 04081308 53636f74 6c616e64 31163014 06035504
        07130d49 736c6520 6f66204c 65776973 312e302c 06035504 0a132548 65627269
        6465616e 20486f75 73696e67 20506172 746e6572 73686970 204c696d 69746564
        312d302b 06035504 03132473 65637572 652d6163 63657373 2e686562 72696465
        616e686f 7573696e 672e636f 2e756b30 82012230 0d06092a 864886f7 0d010101
        05000382 010f0030 82010a02 82010100 def181d9 c34c58a8 9abcc849 7d8ad0a9
        3c64c77f f3126c81 30911f41 5903a92c 81fb374b 2fe2680e 10b26dce 81ca0c23
        af2c9f9a 52295e8c d2223fa6 7c4c386d 51c6fb16 a47688e6 e47e2410 b0283503
        fd72abd3 e59d3b02 cd47706e babf948c 4e0282a3 5f789ff7 8041b2db ceac64eb
        3e163b38 3a8ecc25 0c4802a8 d17fecd9 f1a36288 29202df4 b20ae891 f95ce055
        6e670559 3d075024 7f3ac7ef 26218154 a7f6a399 34c43c4a 97c2c88c c4588ee4
        77cc2ad8 b1bd868d d55c2b9b 727e9904 66d0fb52 c212abd7 a06f28f1 ad2aa04b
        3d7b3094 c59c00d4 cf51fefb d8bfa101 8ba9c4ba 5cf629ff c50716d3 71019a98
        8fa55b83 6b158b6d 1043f092 646ef07d 02030100 01a38201 a7308201 a3301f06
        03551d23 04183016 80147d6d 2aec66ab a75136ab 0269f170 8fc4590b 9a1f3049
        06082b06 01050507 0101043d 303b3039 06082b06 01050507 3002862d 68747470
        3a2f2f73 65637572 652e676c 6f62616c 7369676e 2e6e6574 2f636163 6572742f
        6f726776 312e6372 74303f06 03551d1f 04383036 3034a032 a030862e 68747470
        3a2f2f63 726c2e67 6c6f6261 6c736967 6e2e6e65 742f4f72 67616e69 7a617469
        6f6e5661 6c312e63 726c301d 0603551d 0e041604 14d398d5 ddf29355 15b04750
        baccc6b3 0f97a6c9 94302f06 03551d11 04283026 82247365 63757265 2d616363
        6573732e 68656272 69646561 6e686f75 73696e67 2e636f2e 756b3009 0603551d
        13040230 00300e06 03551d0f 0101ff04 04030205 a0302906 03551d25 04223020
        06082b06 01050507 03010608 2b060105 05070302 060a2b06 01040182 370a0303
        304b0603 551d2004 44304230 4006092b 06010401 a0320114 30333031 06082b06
        01050507 02011625 68747470 3a2f2f77 77772e67 6c6f6261 6c736967 6e2e6e65
        742f7265 706f7369 746f7279 2f301106 09608648 0186f842 01010404 030206c0
        300d0609 2a864886 f70d0101 05050003 82010100 8af3be01 c4830d83 9b347355
        de7496ef bd76b86c ee92f32f 1157ef11 6ad949b6 611537ad 81f06408 73ec6fe2
        6466675c cf31a80f bead422d ec574f95 55fe0b7a 97e271e7 0220c7b1 53376843
        ff7f7280 f9bfdee6 3584e123 00c37d9f 5004b766 9469ead5 f002744c fd50271c
        6bcdb54c e5db85aa 9760a330 d72464a2 bc8ecdff d80bbc27 7551e97c ee9b7078
        9207f9d6 b969a47a 6df722b6 14ce803d 8d4bb9e9 4695e8e6 d453950e 06506594
        ec7652ea 365cdf94 90e2f7ee 855dadb5 c0459d73 bb6d01a8 3c076718 7f80de40
        c5eb9e0e 17c93087 fd5c5fc1 fd6401fe 7e5038b1 3da1d250 01ccd8be 964d5557
        b320c4c1 0015d1b7 daad7527 930b0c90 7711704f
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca 0400000000011e44a5f52a
        30820467 3082034f a0030201 02020b04 00000000 011e44a5 f52a300d 06092a86
        4886f70d 01010505 00305731 0b300906 03550406 13024245 31193017 06035504
        0a131047 6c6f6261 6c536967 6e206e76 2d736131 10300e06 0355040b 1307526f
        6f742043 41311b30 19060355 04031312 476c6f62 616c5369 676e2052 6f6f7420
        4341301e 170d3037 30343131 31323030 30305a17 0d313730 34313131 32303030
        305a306a 31233021 06035504 0b131a4f 7267616e 697a6174 696f6e20 56616c69
        64617469 6f6e2043 41311330 11060355 040a130a 476c6f62 616c5369 676e312e
        302c0603 55040313 25476c6f 62616c53 69676e20 4f726761 6e697a61 74696f6e
        2056616c 69646174 696f6e20 43413082 0122300d 06092a86 4886f70d 01010105
        00038201 0f003082 010a0282 010100a1 2fc4bcce 8703e967 c189c8e5 93fc7db4
        ad9ef663 4e6ae89c 2c7389a2 01f48f21 f8fd259d 58166d86 f6ee4957 757e75ea
        22117e3d fbc74241 dcfcc50c 9155807b eb64331d 9bf9ca38 e9abc625 43512540
        f4e47e18 556aa98f 103a401e d65783ef 7f2f342f 2dd2f653 c2190db7 edc981f5
        462cb423 425e9d13 0375ecea 6afc577c c936973b 98dc1313 ecec41fa 5d34eab9
        93e71016 65cc9c92 fdf5c59d 3e4ab909 fce45f1e 695f4df4 567244b1 1d2303c8
        36f66588 c8bf3916 458e1e26 6c5116c5 2a0038c5 a4136995 7dab013b a8c414b4
        80daac1a 4420d5fe a9067b14 27afe030 21dd90f4 a9d52319 2e1e03e6 c1df9529
        e4c19443 dd3e90aa cb4bc9be 8ad33902 03010001 a382011f 3082011b 300e0603
        551d0f01 01ff0404 03020106 30120603 551d1301 01ff0408 30060101 ff020100
        301d0603 551d0e04 1604147d 6d2aec66 aba75136 ab0269f1 708fc459 0b9a1f30
        4b060355 1d200444 30423040 06092b06 010401a0 32011430 33303106 082b0601
        05050702 01162568 7474703a 2f2f7777 772e676c 6f62616c 7369676e 2e6e6574
        2f726570 6f736974 6f72792f 30330603 551d1f04 2c302a30 28a026a0 24862268
        7474703a 2f2f6372 6c2e676c 6f62616c 7369676e 2e6e6574 2f726f6f 742e6372
        6c301106 09608648 0186f842 01010404 03020204 30200603 551d2504 19301706
        0a2b0601 04018237 0a030306 09608648 0186f842 0401301f 0603551d 23041830
        16801460 7b661a45 0d97ca89 502f7d04 cd34a8ff fcfd4b30 0d06092a 864886f7
        0d010105 05000382 01010079 47fc15d7 4c79df0f 7a9eced4 7c4b63c9 89b57b3f
        9912e89c 8c9a492f e04e954a edc7bcbe f1a2db8e 931dba71 54aa4bd9 89222487
        c504a8ac 8252a052 f8b8e14f a1276663 214a39e7 c7c54e5f b2d61d13 6d30e9ce
        d7a21cbc 290a733c 5b2349fe d6ffcab0 4ff5f267 98c04711 f8b748a6 9009d642
        beeab1b9 5342c39c 20c9fba1 5bb5566d 8781c860 acc4b972 270a8e1e a8b12ecd
        32a27857 b09cf895 bb438e8c 31866e53 0dc61205 ba416ea8 35300918 1d0261ff
        fdee35de 6ac33bd0 4d4b4e50 b256360c 445dda1a 652ae698 56a96333 2e04e7ae
        e8f48eb7 b2da7dc0 c8e2aea6 282fe3c9 73bdfc07 4134b7aa 6eeea7db d1933ced
        90ec3292 88d9c823 6c7421
      quit
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 187.187.1.41 255.255.255.255 inside
    ssh 187.187.1.72 255.255.255.255 inside
    ssh 187.187.77.81 255.255.255.255 inside
    ssh 187.187.10.19 255.255.255.255 inside
    ssh 187.187.10.229 255.255.255.255 inside
    ssh 187.187.160.7 255.255.255.255 inside
    ssh 187.187.1.41 255.255.255.255 outside
    ssh 187.187.1.72 255.255.255.255 outside
    ssh 187.187.77.81 255.255.255.255 outside
    ssh 187.187.10.19 255.255.255.255 outside
    ssh 187.187.10.229 255.255.255.255 outside
    ssh 187.187.160.7 255.255.255.255 outside
    ssh timeout 15
    console timeout 0
    vpdn group BT request dialout pppoe
    vpdn group BT localname B*******.btclick.com
    vpdn group BT ppp authentication chap
    vpdn username B*******@hg39.btclick.com password *********
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
    webvpn
    enable inside
    enable outside
    group-policy HHP_Remote_Access_1 internal
    group-policy HHP_Remote_Access_1 attributes
    wins-server value 192.168.168.2 192.168.168.2
    dns-server value 192.168.168.2 192.168.168.3
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value CNES_Support_splitTunnelAcl
    group-policy HHP_Remote_Access internal
    group-policy HHP_Remote_Access attributes
    wins-server value 192.168.168.2 192.168.168.2
    dns-server value 192.168.168.2 192.168.168.3
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value CNES_Support_splitTunnelAcl
    group-policy Omfax internal
    group-policy Omfax attributes
    wins-server value 192.168.168.2 192.168.168.3
    dns-server value 192.168.168.2 192.168.168.3
    vpn-tunnel-protocol IPSec webvpn
    webvpn
      svc ask none default webvpn
    group-policy MIS_1 internal
    group-policy MIS_1 attributes
    wins-server value 192.168.168.2 192.168.168.3
    dns-server value 192.168.168.2 192.168.168.3
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value MIS_splitTunnelAcl
    default-domain value hhp.com
    group-policy RemoteAccess internal
    group-policy RemoteAccess attributes
    wins-server value 192.168.168.2 192.168.168.3
    dns-server value 192.168.168.2 192.168.168.3
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value RemoteAccess_splitTunnelAcl
    group-policy CNES_Access internal
    group-policy CNES_Access attributes
    wins-server value 192.168.168.2 192.168.168.3
    dns-server value 192.168.168.2 192.168.168.3
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value CNES_Support_splitTunnelAcl
    group-policy HHP internal
    group-policy HHP attributes
    dhcp-network-scope none
    vpn-access-hours none
    vpn-idle-timeout none
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    split-dns none
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout none
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    client-firewall none
    webvpn
      url-list value Severs
      filter none
      homepage none
      port-forward disable
      http-proxy disable
      sso-server none
      svc dtls none
      svc keep-installer none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
      svc modules none
      svc profiles none
      svc ask none default webvpn
      customization none
      http-comp none
      user-storage none
      storage-key none
      hidden-shares none
      smart-tunnel disable
      activex-relay disable
      file-entry disable
      file-browsing disable
      url-entry disable
      deny-message none
    group-policy MIS internal
    group-policy MIS attributes
    wins-server value 192.168.168.2 192.168.168.3
    dns-server value 192.168.168.2 192.168.168.3
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value MIS_splitTunnelAcl
    username test password Kg/Rgy23do7gPGTv encrypted privilege 0
    username test attributes
    vpn-group-policy HHP_Remote_Access
    username catneil password yOgiHCGobUNIkjcN encrypted privilege 0
    username omfax password pvUaCLwilGmQVifd encrypted privilege 0
    username backup password IHQbl.JAoESlM9Jv encrypted privilege 0
    username misadmin password 8IZXmHa67HIJYHK1 encrypted
    username misadmin attributes
    service-type remote-access
    username gramor password ne829U0rGFVEedhY encrypted privilege 15
    username gramor attributes
    vpn-group-policy HHP_Remote_Access
    webvpn
      url-list value Severs
    username aim_user password 5OQaWCdB18qiHlOn encrypted privilege 0
    username aim_user attributes
    vpn-group-policy CNES_Support
    username katask password 2WsX.HoqKXuiqkDk encrypted privilege 0
    username katask attributes
    vpn-group-policy CNES_Support
    username janboyd password ZEUyykwzME6hII2i encrypted privilege 0
    username marmor password C5n48AiRLXwxAeBQ encrypted privilege 0
    username marste password amwTL584WdiT87Tb encrypted privilege 0
    username helmah password RvU8c.3w0H3/MJz4 encrypted privilege 0
    username anglea password wGlUJDBrmJI.uz./ encrypted privilege 0
    username anglea attributes
    vpn-group-policy CNES_Support
    username fiobuc password 5Uispw90wqvDYerQ encrypted privilege 0
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group HHP_1
    tunnel-group DefaultWEBVPNGroup general-attributes
    authentication-server-group HHP_1
    default-group-policy HHP
    tunnel-group DefaultWEBVPNGroup webvpn-attributes
    nbns-server 192.168.168.2 timeout 2 retry 2
    nbns-server 192.168.168.3 timeout 2 retry 2
    tunnel-group WebVPN type remote-access
    tunnel-group WebVPN general-attributes
    authentication-server-group HHP_3
    default-group-policy HHP
    username-from-certificate UID
    tunnel-group CNES_Access

  • Problem with VPN by ASA 5505 and PIX 501

    Hi
    I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
    I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
    When i configure the ASA i have this problem, when i configure nat for easy vpn.
    This is my nat configuration:
    nat (inside) 0 access-list 100
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 0.0.0.0 0.0.0.0 outside
    when i put this command:
    nat (inside) 0 access-list no-nat
    this command is necessary for configuration of easy vpn, but the previous nat:
    nat (inside) 0 access-list 100
    is replace with the latest command.

    To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
    For regular dynamic NAT:
    nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    For policy dynamic NAT and NAT exemption:
    nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
    no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]

  • VPN Between Cisco ASA 5505 and Cisco Router 881

    Hi All,
    I want to interconnect two office to each other but i have trouble: Please see below my configuration: What is missing to finalize the configuration properly?
    Cisco ASA 5505.
    Version 8.4(3)
    HQ-ASA5505(config)# crypto ikev1 policy 888
    HQ-ASA5505(config-ikev1-policy)# authentication pre-share
    HQ-ASA5505(config-ikev1-policy)# encryption 3des
    HQ-ASA5505(config-ikev1-policy)# hash md5
    HQ-ASA5505(config-ikev1-policy)# lifetime 86400
    HQ-ASA5505(config-ikev1-policy)# group 2
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 type ipsec-l2l
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 ipsec-attributes
    HQ-ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key test
    HQ-ASA5505(config)#object network HQ-Users
    HQ-ASA5505(config-network-object)#subnet 10.48.0.0 255.255.255.0
    HQ-ASA5505(config)# object-group network HQ.grp
    HQ-ASA5505(config-network-object-group)# network-object object HQ-Users
    HQ-ASA5505(config)#object network FSP_DATA
    HQ-ASA5505(config-network-object)#subnet 10.48.12.0 255.255.255.0
    HQ-ASA5505(config)#object-group network FSP.grp
    HQ-ASA5505(config-network-object-group)#network-object object FSP_DATA
    HQ-ASA5505(config)#access-list VPN_to_FSP extended permit ip object-group HQ.grp object-group FSP.grp
    HQ-ASA5505(config)# crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
    HQ-ASA5505(config)# crypto map ouside_map 888 set ikev1 transform-set TS
    HQ-ASA5505(config)# crypto map ouside_map 888 match address VPN_to_FSP
    HQ-ASA5505(config)# crypto map ouside_map 888 set peer 1.1.1.1
    HQ-ASA5505(config)# crypto map ouside_map 888 set pfs group2
    HQ-ASA5505(config)# crypto ikev1 enable outside
    HQ-ASA5505(config)# crypto map ouside_map interface outside
    Router 881
    Version 12.4
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    LAB_ROuter(config)#object-group network HQ
    LAB_ROuter(config-network-group)#10.48.0.0 255.255.255.0
    LAB_ROuter(config)#object-group network FSP
    LAB_ROuter(config-network-group)#10.48.12.0 255.255.255.0
    ip access-list extended FSP_VPN
     permit ip object-group FSP object-group HQ
    LAB_ROuter(config)#crypto isakmp policy 888
    LAB_ROuter(config-isakmp)#encryption 3des
    LAB_ROuter(config-isakmp)#authentication pre-share
    LAB_ROuter(config-isakmp)#hash md5
    LAB_ROuter(config-isakmp)#group 2
    LAB_ROuter(config-isakmp)#lifetime 86400
    LAB_ROuter(config)#crypto isakmp key test address 2.2.2.2
    LAB_ROuter(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto map outside_map 888 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set TS
     match address FSP_VPN
    interface fast4 --> Outside Interface (where public IP address is assigned) 
    crypto map outside_map
    Thank you in advance for your prompt advice!

    If you do a show crypto map in the router you will see the VPN traffic to be "any to any".
    This is due a known bug on Cisco routers. The router does not support object-groups network for the VPN traffic. Use a regular ACL instead.

  • Problem with AnyConnect VPN on ASA 5505

    Hello everyone,
    We're troubleshooting an issue where a client cannot pass any traffic across an AnyConnect VPN with an ASA5505 as the endpoint. The client receives and IP address in the 172.16.0.1/24 range and the ASA creates a static route to the 10.0.0.0/24 internal network but we cannot ping or connect to any internal IP address. The connection appears to fully build and pass traffic (based on the byte counts which increase) but we can't talk to the main network.
    Does anyone have any ideas as to what I can check?
    Thanks!
    Ryan

    AnyConnect client should not be in the same subnet as the internal hosts. It needs to be unique subnet within your environment, so you were on the right path initially.
    If you can share your config, that would be easier for us to check.
    In the meantime, a few things to check:
    1) Have you configured split tunnel policy?
    2) Do you have NAT exemption configured?
    3) Any VPN filter configured that might be blocking the traffic?
    4) Does the internal network know how to route back to the VPN Pool subnet (ie: via the ASA)
    5) Lastly, do you have "inspect icmp" configured?

  • OWA not accessible after setting up vpn through ASA 5505

    I have a client that is running Win2003 Server R2 with Exchange Server 2003. OWA was setup and clients could connect to their exchange mailbox from the internet with no problems.
    We recently configured vpn on the ASA 5505 and now no-one can connect to OWA since that time.
    Here is what I have for a configuration.
    Any thoughts?

    I thought OWA uses tcp port 80 by default, or 443 if you use https. Ignore the rest if this fact is wrong. Otherwise ...
    In your config there is nothing to allow the www traffic in the access-list outside_access_in
    access-list outside_access_in extended permit tcp any interface outside eq 80
    and no static nat for this
    static (inside,outside) tcp interface 80 192.168.0.254 80 netmask 255.255.255.255
    I think these must have got deleted when you made the other changes ? Hope this helps.

  • Setup vpn in ASA 5505

    We have a hosted server with a new provider and we also opted for a firewall which is a ASA 5505. It turns out that they do not provide assistance with the firewall, so I have come here!
    The server hosts multiple customer websites, along with both MySQL and SQL Server databases.
    I would like to provide customers with the ability to connect to their databases remotely, for which I assume we need to create a VPN to allow them access through the firewall. Also, I would want them to be able to use the standard Windows connection tool(s).
    Unfortunately, I know very little about this so I am looking for idiot-proof help ;-)
    First of all, is this a safe thing to do - can I control what they can access on the server end?
    What type of VPN do I need? I looked at one of the wizards and stopped at the point when it started talking about IP addresses ... what range should I / can I use? How does that relate to our server setup, or doesn't it?
    I don't know what else to ask ... hopefully you can guide me in the right direction!

    Can you add this:
    tunnel-group 64.53.58.229 type ipsec-l2l
    tunnel-group 64.53.58.229 ipsec-attributes
    pre-shared-key
    Another thing i have noticed is the disconnect between the WAN IP (VLAN 2) and default gateway next hop IP address.
    nterface Vlan2
    nameif inside
    security-level 100
    ip address 204.116.85.166 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 207.144.35.1 1
    Please rate replies and mark question as "answered" if applicable.

  • Site to Site VPN between ASA 5505 and Juniper SSG140 no traffic

    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
     switchport access vlan 3
    interface Ethernet0/2
     switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
     switchport mode trunk
    interface Ethernet0/3
     switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
     switchport mode trunk
    interface Ethernet0/4
     switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
     switchport mode trunk
    interface Ethernet0/5
     switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
     switchport mode trunk
    interface Ethernet0/6
     switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
     switchport mode trunk
    interface Ethernet0/7
     switchport access vlan 250
    interface Vlan2
     nameif outside
     security-level 0
     ip address 81.XXX.XXX.XXX 255.255.255.252
    interface Vlan3
     nameif OUTSIDE_BACK
     security-level 0
     ip address 41.XXX.XXX.XXX 255.255.255.248
    interface Vlan20
     nameif XXX
     security-level 80
     ip address 10.143.0.1 255.255.255.0 standby 10.143.0.2
    interface Vlan21
     nameif XXX
     security-level 90
     ip address 10.143.1.1 255.255.255.0 standby 10.143.1.2
    interface Vlan24
     nameif XXX
     security-level 80
     ip address 10.143.4.1 255.255.255.0 standby 10.143.4.2
    interface Vlan28
     nameif XXX
     security-level 80
     ip address 10.143.8.1 255.255.255.0 standby 10.143.8.2
    interface Vlan212
     nameif SELF
     security-level 80
     ip address 10.143.12.1 255.255.255.0 standby 10.143.12.2
    interface Vlan213
     nameif XXX
     security-level 80
     ip address 10.143.13.1 255.255.255.0 standby 10.143.13.2
    interface Vlan214
     nameif BIOFR
     security-level 80
     ip address 10.143.14.1 255.255.255.0 standby 10.143.14.2
    interface Vlan232
     nameif MNGT
     security-level 80
     ip address 10.143.32.1 255.255.255.0 standby 10.143.32.2
    interface Vlan233
     nameif XXX
     security-level 80
     ip address 10.143.33.1 255.255.255.0 standby 10.143.33.2
    interface Vlan234
     nameif XXX
     security-level 80
     ip address 10.143.34.1 255.255.255.0 standby 10.143.34.2
    interface Vlan235
     nameif XX
     security-level 80
     ip address 10.143.35.1 255.255.255.0 standby 10.143.35.2
    interface Vlan236
     nameif XXX
     security-level 80
     ip address 10.143.36.1 255.255.255.0 standby 10.143.36.2
    interface Vlan250
    description LAN Failover Interface
    interface Vlan254
     nameif TEST
     security-level 80
     ip address 10.143.254.1 255.255.255.0 standby 10.143.254.2
    interface Vlan255
     nameif XXX
     security-level 100
     ip address 10.143.255.1 255.255.255.0 standby 10.143.255.2
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network XXX
     subnet 10.143.14.0 255.255.255.0
    object network XXX
     subnet 10.143.35.0 255.255.255.0
    object network XXX
     subnet 10.143.1.0 255.255.255.0
    object network MGMT
     subnet 10.143.32.0 255.255.255.0
    object network XXX
     subnet 10.143.36.0 255.255.255.0
    object network XXX
     subnet 10.143.4.0 255.255.252.0
    object network XXX
     subnet 10.143.33.0 255.255.255.0
    object network ACCT
     subnet 10.143.34.0 255.255.255.0
    object network XXX
     subnet 10.143.0.0 255.255.255.0
    object network XXX
     subnet 10.143.8.0 255.255.255.0
    object network XXX
     subnet 10.143.12.0 255.255.255.0
    object network XXX
     subnet 10.143.37.0 255.255.255.0
    object network TEST
     subnet 10.143.254.0 255.255.255.0
    object network XXX
     subnet 10.143.255.0 255.255.255.0
    object network NETWORK_OBJ_10.143.0.0_16
     subnet 10.143.0.0 255.255.0.0
    object network NETWORK_OBJ_10.91.0.0_16
     subnet 10.91.0.0 255.255.0.0
    object-group network vpn-local-network
     network-object 10.143.14.0 255.255.255.0
     network-object 10.143.35.0 255.255.255.0
     network-object 10.143.1.0 255.255.255.0
     network-object 10.143.32.0 255.255.255.0
     network-object 10.143.36.0 255.255.255.0
     network-object 10.143.4.0 255.255.255.0
     network-object 10.143.33.0 255.255.255.0
     network-object 10.143.34.0 255.255.255.0
    object-group network vpn-remote-network
     network-object 10.112.0.0 255.255.0.0
    access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
    access-list ACL_INSIDE_NONAT extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
    access-list PING extended permit icmp any any
    access-list PING extended permit icmp any any object-group ALLOW_PING
    pager lines 24
    logging asdm informational
    mtu outside 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER Vlan250
    failover interface ip FAILOVER 10.143.250.1 255.255.255.0 standby 10.143.250.2
    no monitor-interface outside
    no monitor-interface OUTSIDE_BACK
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-721.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (XXX,outside) source dynamic XXX interface
    nat (XXX,outside) source dynamic XXX interface
    nat (XXX,outside) source dynamic XXX interface
    nat (XXX,outside) source dynamic XXX interface
    nat (XXX,outside) source dynamic XXX interface
    nat (XXX,outside) source dynamic XXX interface
    nat (XX,outside) source dynamic XXX interface
    nat (XXX,outside) source dynamic XXX interface
    nat (XXX,outside) source dynamic XX interface
    nat(IT,outside) source dynamic IT interface
    nat (TEST,outside) source dynamic TEST interface
    nat ( IT,outside) source dynamic IT interface
    nat (TEST,outside) source static vpn-local-network vpn-local-network destination static vpn-remote-network vpn-remote-network no-proxy-arp route-lookup
    access-group PING in interface outside
    access-group PING in interface OUTSIDE_BACK
    route outside 0.0.0.0 0.0.0.0 81.XXX.XXX.XXX.XXX 1 track 1
    route OUTSIDE_BACK 0.0.0.0 0.0.0.0 41.XXXX
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    sysopt connection preserve-vpn-flows
    sla monitor 123
     type echo protocol ipIcmpEcho 41.xxx.xxx.xxx interface outside
     frequency 10
    sla monitor schedule 123 life forever start-time now
    crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map TEST 1 match address ACL_VPN
    crypto map TEST 1 set peer 194.XXX.XXX.XXX
    crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
    crypto map TEST 1 set security-association lifetime seconds 86400
    crypto map TEST 1 set security-association lifetime kilobytes 2147483647
    crypto map TEST interface outside
    crypto ca trustpool policy
    no crypto isakmp nat-traversal
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    track 1 rtr 123 reachability
    telnet timeout 5
    ssh stricthostkeycheck
    ssh 10.143.255.0 255.255.255.0 IT
    ssh timeout 10
    ssh key-exchange group dh-group1-sha1
    console timeout 60
    management-access IT
    dhcpd lease 60000
    dhcpd ping_timeout 20
    dhcpd domain tls.ad
    dhcpd auto_config outside
    dhcpd address 10.143.4.10-10.143.4.200 XXX
    dhcpd dns 10.91.0.34 8.8.8.8 interface XXX
    dhcpd option 3 ip 10.143.4.1 interface XXX
    dhcpd enable XXX
    dhcpd address 10.143.12.10-10.143.12.200 XXX
    dhcpd option 3 ip 10.143.12.1 interface XXX
    dhcpd enable XXX
    dhcpd address 10.143.14.10-10.143.14.200 XXX
    dhcpd option 3 ip 10.143.14.1 interface XXX
    dhcpd enable XXX
    dhcpd address 10.143.32.10-10.143.32.100 MNGT
    dhcpd option 3 ip 10.143.32.1 interface MNGT
    dhcpd enable MNGT
    dhcpd address 10.143.33.10-10.143.33.100 XXX
    dhcpd option 3 ip 10.143.32.1 interface XXX
    dhcpd enable XXX
    dhcpd address 10.143.34.10-10.143.34.100 XXX
    dhcpd option 3 ip 10.143.32.1 interface XXX
    dhcpd enable XXX
    dhcpd address 10.143.36.10-10.143.36.100 XXX
    dhcpd option 3 ip 10.143.32.1 interface XXX
    dhcpd enable XXX
    dhcpd address 10.143.255.10-10.143.255.200 XXX
    dhcpd option 3 ip 10.143.255.1 interface XXX
    dhcpd enable IT
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp authenticate
    ntp server 10.90.0.34
    ntp server 10.91.0.34
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    group-policy DfltGrpPolicy attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    username tlsnimda password OW03yrp6/wvkyg6E encrypted
    tunnel-group 194.XXX.XXX.XXX type ipsec-l2l
    tunnel-group 194.XXX.XXX.XXX ipsec-attributes
     ikev1 pre-shared-key *****
    class-map icmp
     match default-inspection-traffic
    policy-map icmppolicy
     class icmp
      inspect icmp
    service-policy icmppolicy interface outside
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e820e629c3cbaf67478c065440ac8138
    VPN is up but not passing any traffing
      Crypto map tag: TEST, seq num: 1, local addr: 81.xxx.xxx.xxx
          access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
          local ident (addr/mask/prot/port): (10.143.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
          current_peer: 194.xxx.xxx.xxx
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 10, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 10
          local crypto endpt.: 81.xxx.xxx.xxx/0, remote crypto endpt.: 194.xxx.xxx.xx/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: CC4FACB7
          current inbound spi : D8C0AC76
        inbound esp sas:
          spi: 0xD8C0AC76 (3636505718)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 9367552, crypto-map: TEST
             sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0xCC4FACB7 (3427773623)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 9367552, crypto-map: TEST
             sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    VPN is unstable 
    Connection terminated for peer 194.XXX.XXX.XX.  Reason: Peer Terminate  Remote Proxy 10.112.0.0, Local Proxy 10.143.0.0
    I cannot pass any traffic through the vpn when it's UP, or ping the other side.
    ASA VERSION 9.2

    I do not think that'll be any problem. Here at work we also use Cisco ADSL 800 Series with vpn between customers' sites without any issues. The ASA should vpn for sure.

  • ASA 5505 interface based routing?

    Hi,
    I got an ASA 5505 in my lab and got it working fine with one IP and various NAT and other scenarios (I'm currently refreshing my skills after a longer break on the job).
    Now, from my ISP I can get up to 5 public IPs. However, those IPs are assigned via DHCP and they are pretty random and not all in the same subnet. For testing, I created an interface outside2 on e0/1 and connected that to one of the ports of the cable gateway. The interface does get an IP and INCOMING packets go to the right place via static PAT, BUT the replies don't arrive at the client. I strongly suspect that the ASA is sending the reply packets through the other public IP on outside (e0/0) which would make sense because that's where the default route points.
    Is it possible to configure some kind of interface base routing, i.e. if a packet comes in via outside2, the corresponsing reply goes through outside2 and through the gateway outside2 receives via DHCP?
    -Stefan

    Hi Stefan,
    As I understand the traffic is coming in from outside2 going to a host-A behind the ASA.
    Host-A will reply back, but this traffic will exit out through the outside 0/0 interface since there is where you have configured the default gateway.
    In order to send the replies to client over outside2, you need to setup specific routes on the ASA through outside2 interface.
    Also remember that ASA doesn´t support Policy Based Routing(PRB), because ASA routes the traffic based on destination:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_static.html#wp1121567
    Harvey.
    Please rate if this is the correct answer.

  • Unable to establish site to site vpn between asa 5505 an 5510

    Hi ALL expert
    We are now plan to form a site to site IPSec VPN tunnel between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failure, would you please teach me how to establish it? Any reference guide?
    Hugo

    Here are the links to the cisco config-guides:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html
    In addition to VPN you need to look into NAT exemption:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043541
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wpxref25608
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html#wp1232160
    And lots of examples:
    http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Site to site VPN - cisco asa 5505

    having VPN connection problem between 69.x.x.54 VPN 208.x.x.165. Please help.
    This is 69.x.x.54/172.16.0.0/16 - - A site - ASDM:6.2(1)  ASA: 8.2(1)
    ASA Version 8.2(1)
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.0.1 255.255.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 69.x.x.54 255.255.255.248
    interface Vlan5
    shutdown
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address dhcp
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 172.16.0.2
    name-server 69.x.x.6
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service TS-777 tcp-udp
    port-object eq 777
    object-group service Graphon tcp-udp
    port-object eq 491
    object-group service TS-778 tcp-udp
    port-object eq 778
    object-group service moodle tcp-udp
    port-object eq 5801
    object-group service moodle-5801 tcp-udp
    port-object eq 5801
    object-group service smtp-587 tcp-udp
    port-object eq 587
    access-list outside_access_in extended permit tcp any host 69.x.x.50 eq imap4
    access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ftp
    access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group smtp-587
    access-list outside_access_in extended permit tcp any host 69.x.x.52 eq telnet
    access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ssh
    access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.52 object-group moodle-5801
    access-list outside_access_in extended permit tcp any host 69.x.x.52 eq smtp
    access-list outside_access_in extended permit tcp any host 69.x.x.52 eq https
    access-list outside_access_in extended permit tcp any host 69.x.x.52 eq www
    access-list outside_access_in extended permit tcp any host 69.x.x.50 eq ftp
    access-list outside_access_in extended permit tcp any host 69.x.x.50 eq smtp
    access-list outside_access_in extended permit tcp any host 69.x.x.50 eq pop3
    access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 eq domain
    access-list outside_access_in extended permit tcp any host 69.x.x.50 eq https
    access-list outside_access_in extended permit tcp any host 69.x.x.50 eq www
    access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 eq domain
    access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group TS-778
    access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group Graphon
    access-list outside_access_in extended permit tcp any host 69.x.x.51 eq https
    access-list outside_access_in extended permit tcp any host 69.x.x.51 eq www
    access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group TS-777
    access-list outside_access_in extended permit tcp any host 69.x.x.54 eq https
    access-list outside_2_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 172.16.0.32 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list Split-Tunnel standard permit 172.16.0.0 255.255.0.0
    access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.100.0 255.255.255.0
    access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool vpn_users 172.16.100.10-172.16.100.2
    0 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 69.x.x.50 172.16.0.2 netmask 255.255.255.255
    static (inside,outside) 69.x.x.51 172.16.1.2 netmask 255.255.255.255
    static (inside,outside) 69.x.x.52 172.16.1.3 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 69.x.x.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-reco
    rd DfltAccessPolicy
    http server enable
    http 172.16.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 208.x.x.162
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs group1
    crypto map outside_map 2 set peer 208.x.x.165
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 172.16.0.20-172.16.0.40 inside
    dhcpd dns 172.16.0.2 69.x.x.6 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.5.
    2014-k9.pk
    g 1
    svc enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy sales internal
    group-policy sales attributes
    dns-server value 172.16.1.2 172.16.0.2
    vpn-tunnel-protocol svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split-Tunnel
    webvpn
      svc mtu 1406
    username graciela password CdnZ0hm9o72q6Ddj encrypted
    tunnel-group 208.x.x.165 type ipsec-l2l
    tunnel-group 208.x.x.165 ipsec-attributes
    pre-shared-key *
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group TunnelGroup1 general-attributes
    address-pool vpn_users
    default-group-policy sales
    dhcp-server 172.16.0.1
    tunnel-group TunnelGroup1 webvpn-attributes
    group-alias Remote_Access enable
    group-alias sales_department disable
    tunnel-group 208.x.x.162 type ipsec-l2l
    tunnel-group 208.x.x.162 ipsec-attributes
    pre-shared-key *
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect icmp
    service-policy global-policy global
    prompt hostname context
    : end
    asdm location 192.168.50.0 255.255.255.0 inside
    no asdm history enable
    This is 208.x.x.165/192.168.50.0/2
    4- - B site - ASDM:6.4(7)  ASA: 8.4(3)
    ASA Version 8.4(3)
    hostname ciscoasa
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.50.51 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 208.x.x.165 255.255.255.248
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_192.168.50.0_2
    4
    subnet 192.168.50.0 255.255.255.0
    object network email
    host 172.16.0.0
    description 255.255.0.0
    access-list 1 standard permit 192.168.50.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.50.0
    _24 object email
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_2
    4 NETWORK_OBJ_192.1
    68.50.0_24 destination static email email no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 208.x.x.161 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-reco
    rd DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.50.0 255.255.255.0 inside
    http 192.168.50.51 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 69.x.x.54
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.50.60-192.168.50.1
    50 inside
    dhcpd dns 208.x.x.10 208.x.x.11 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    group-policy GroupPolicy_69.x.x.54 internal
    group-policy GroupPolicy_69.x.x.54 attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    tunnel-group DefaultL2LGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 69.x.x.54 type ipsec-l2l
    tunnel-group 69.x.x.54 general-attributes
    default-group-policy GroupPolicy_69.x.x.54
    tunnel-group 69.x.x.54 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    On ASA running 8.4.3. B side. I believe object "email" is defined incorrectly.
    Existing configuration
    object network email
    host 172.16.0.0
    description 255.255.0.0
    Correct configuration
    object network email
    subnet 172.16.0.0 255.255.0.0

  • Want to configure BACKUP VPN in asa 5505 for failover link

    Hi,
    Current i'm having 2 isps one tata and another one reliance iwant to configure the backup vpn for reliance ip for same peer ip which tata vpn had configured
    i mandatory to configure same SA,ENCRPTION,IPSEC POLICY,KEY,LIFETIME...etc for failover vpn also.

    Hi michael,
    First of thanks for reply.
    Can we do it by public certificate or DNS entry e.g. both ISP Public ip address entry will be in DNS and user will hit particular DNS name. You r right that once link down so user will disconnect but when he will retry then he will connect via another link.
    Is it possible??
    Ashish

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
    I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
    Please help me to find where is the issue.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate.
    I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
    Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
    Because on Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.

  • ASA 5505 LAN-to-WAN site-to-site VPN

    Hi
    I need to set up a site-to-site VPN on ASA 5505 (ASA version 8.4) on a private IP address range to a third party who have are using internet routable IP addresses for the remote LAN.
    E.g. in the Protected Networks settings
    Local Network: 192.168.1.0/24
    Remote Network: 1.1.1.0/24
    Is this possible?
    Thanks
    Julian

    Yes, it is possible, use in the interesting traffic identifier ACL (i.e crypto ACL) the remote destination address is public address instead of a private address and your VPN remote peer's address is naturally public address if it goes over public-cloud. You may have an ACL on the inside interface, control (local LAN) access to remote tunnel end.
    This setup is much similar to vpn tunning to banks over public-cloud.
    Thanks
    Rizwan Rafeek.

Maybe you are looking for

  • Connect my iPad2 to an adhoc connection

    Hello, Currently in a hotel room where they only have wired connection.  So, I hooked up the ethernet cable to my laptop (PC) and created an adhoc connection.  My buddy is able to get the connection and access the internet with his laptop but even if

  • Problem With Match Transformation

    Hi , I am using Match transformation to find the duplicates . My input data like this EMP NO     ENAME         SAL     DEPTNO 10     SRIRAM MV  10000     100 11     MV SRIRAM  11000     100 12     SRIRAM PV  11000     100 13     SRIHARI       11000  

  • Powershell Excel Chart: want to plot chart by columns

    I have the following Powershell code to create a chart: $range = $wb.ActiveSheet.usedRange $range.EntireColumn.AutoFit() | Out-Null $chartType = "microsoft.office.interop.excel.xlChartType" -as [type] $wb.charts.add() | Out-Null $wb.ActiveChart.chart

  • Datasource activation in CRM

    HI,    No Datasoource are not appering in in rsa6 in CRM Source system.How to activate all datasources from RSA5 Regards Vishal sd

  • What all apple devices are compaitable with first class schooling?

    i want to buy an ipad but idk which one to buy... i want one for my schooling... right now i am attending w-a-y academy of flint. the school itself is called w-a-y program and the app in needs is called first class... i would like help figuring out w