ASA 5505 ICMP Deny
Hi
I am facing a problem with ICMP on an ASA 5505. I want to block ICMP from inside to outside, but outside to inside ICMP should work. Here is the configuration.
ASA Version 8.0(5)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.17.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service OPC_Ports tcp
port-object range 3800 3900
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp range 3800 3900
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp range 3800 3900
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object tcp range 3800 3900
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_1 host 172.17.1.200 any
access-list inside_access_out extended deny icmp any host 172.17.1.200
access-list inside_access_in extended permit tcp any host 172.17.1.200 range 3800 3900
access-list inside_access_in extended deny icmp host 172.17.1.200 any
access-list inside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 host 172.17.1.200 any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_4 192.168.1.0 255.255.255.0 host 172.17.1.200
access-list outside_access_out extended deny icmp any host 172.17.1.200
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny 192.168.1.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 172.17.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:0e7c3f786320372e8e43f7e5f00fb72c
: end
With this configuration it worked fine, but after rebooting the device, ports 3800-3900 are not working. If I enable IP, then ICMP and ports 3800-3900 are working.
What I need is:
inside to outside ICMP deny
outside to inside ICMP permit
Thanks in advance.
If so, then you need to have the specified settings on the inside and outside interface-mapped ACLs.
On the outside-to-inside (on outside) interface-mapped ACL you can allow all ICMP,
like
access-list inbound extended permit icmp any any
On the inside interface-mapped ACL:
access-list outbound permit icmp any any echo-reply
access-list outbound permit icmp any any unreachable
access-list outbound permit icmp any any time-exceeded
access-list outbound deny icmp any any
Have the above ACL on top of your IP/TCP/UDP ACLs so that it works correctly.
This will allow any kind of ICMP request from outside, but from inside it allows only the ICMP messages required for the return traffic.
Regards
Karthik
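Karthik's advice to keep the ICMP entries above the IP/TCP/UDP entries relies on the ASA evaluating a through-traffic ACL first-match, top to bottom (the `icmp deny ... inside` line in the poster's config only governs ICMP addressed to the ASA interface itself, not traffic passing through). The simulator below is an added example, not code from the thread or from Cisco: it parses ASA-style access-list lines and evaluates constructed packets against them. It assumes an inside host 192.168.1.10 talking to the poster's 172.17.1.200, and does not model object-groups.

```python
"""First-match simulator for ASA interface ACLs (added example, not Cisco code).
Walks an ACL top-down, stops at the first match, else applies the implicit deny.
Syntax handled, as used in this thread: 'access-list NAME [extended] permit|deny
PROTO SRC DST [ICMP-TYPE | range LO HI]', SRC/DST = any | host A | NET MASK."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                       # 'icmp', 'tcp' or 'udp'
    src: str
    dst: str
    icmp_type: Optional[str] = None  # 'echo', 'echo-reply', 'unreachable', ...
    dport: Optional[int] = None      # TCP/UDP destination port

@dataclass
class Ace:
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'ip', 'icmp', 'tcp' or 'udp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None  # None = any ICMP type
    ports: Optional[Tuple[int, int]] = None  # None = any destination port
    line: str = ""                   # original text, reported on a hit

def _parse_addr(tok: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text: str) -> Dict[str, List[Ace]]:
    """Parse access-list lines into {acl_name: [Ace, ...]} in file order."""
    acls: Dict[str, List[Ace]] = {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        name, rest = tok[1], tok[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if rest[0] not in ("permit", "deny") or rest[-1] == "inactive":
            continue                 # standard ACLs and disabled entries skipped
        src, tail = _parse_addr(rest[2:])
        dst, tail = _parse_addr(tail)
        ace = Ace(rest[0], rest[1], src, dst, line=raw.strip())
        if ace.proto == "icmp" and tail:
            ace.icmp_type = tail[0]
        elif ace.proto in ("tcp", "udp") and tail and tail[0] == "range":
            ace.ports = (int(tail[1]), int(tail[2]))
        acls.setdefault(name, []).append(ace)
    return acls

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching line); nothing matched means the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for a in acl:
        port_ok = a.ports is None or (
            pkt.dport is not None and a.ports[0] <= pkt.dport <= a.ports[1])
        if (a.proto in ("ip", pkt.proto) and src in a.src and dst in a.dst
                and a.icmp_type in (None, pkt.icmp_type) and port_ok):
            return a.action, a.line  # first hit wins; later entries are never consulted
    return "deny", "<implicit deny>"

# Karthik's ordering with the poster's TCP 3800-3900 entry kept below the ICMP
# entries ('inbound' is applied inbound on outside, 'outbound' inbound on inside).
RECOMMENDED = """
access-list inbound extended permit icmp any any
access-list outbound permit icmp any any echo-reply
access-list outbound permit icmp any any unreachable
access-list outbound permit icmp any any time-exceeded
access-list outbound deny icmp any any
access-list outbound extended permit tcp any host 172.17.1.200 range 3800 3900
"""

# The poster's 'permit ip any any' re-enabled at the top of the inside list:
# it matches everything, so the ICMP deny below it is never reached.
SHADOWED = """
access-list outbound extended permit ip any any
access-list outbound deny icmp any any
"""

def demo() -> Dict[str, str]:
    """Decisions for constructed sample packets; 192.168.1.10 is an inside host."""
    good, bad = parse_acl(RECOMMENDED), parse_acl(SHADOWED)
    echo_out = Packet("icmp", "192.168.1.10", "172.17.1.200", icmp_type="echo")
    reply_out = Packet("icmp", "192.168.1.10", "172.17.1.200", icmp_type="echo-reply")
    echo_in = Packet("icmp", "172.17.1.200", "192.168.1.10", icmp_type="echo")
    opc = Packet("tcp", "192.168.1.10", "172.17.1.200", dport=3850)
    return {
        "inside echo-request": evaluate(good["outbound"], echo_out)[0],
        "inside echo-reply": evaluate(good["outbound"], reply_out)[0],
        "inside tcp/3850": evaluate(good["outbound"], opc)[0],
        "outside echo-request": evaluate(good["inbound"], echo_in)[0],
        "shadowed echo-request": evaluate(bad["outbound"], echo_out)[0],
    }
```

`demo()` shows the inside echo-request denied while the echo-reply and the TCP 3800-3900 traffic still pass, and that the same echo-request is permitted as soon as `permit ip any any` sits above the deny.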
Similar Messages
-
ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp
Hello all,
I've been searching all day for a solution to this problem. I set up an SSL AnyConnect VPN on my Cisco ASA 5505. It works well and connects without a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config, so I will as well.
MafSecASA# show run
: Saved
ASA Version 8.2(1)
hostname MafSecASA
domain-name mafsec.com
names
interface Vlan1
nameif inside
security-level 100
ip address 10.4.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 7.3.3.2 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.20.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mafsec.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.4.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 6 ip 8.8.8.8 8.8.4.4
dhcpd address 10.4.0.15-10.4.0.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd option 3 ip 10.4.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol svc
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_split_tunnel
vlan none
address-pools value SSLVPNPool2
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username user1 password
username user1 attributes
service-type remote-access
username user2 password
tunnel-group SSLVPNGROUP type remote-access
tunnel-group SSLVPNGROUP general-attributes
address-pool SSLVPNPool2
default-group-policy SSLVPN
tunnel-group SSLVPNGROUP webvpn-attributes
group-alias SSLVPN enable
prompt hostname context
Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
: end
Thanks in advance for any help!
Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a Windows firewall issue on the PCs? I'd try pinging a router or switch just to make sure.
--Jason
-
ASA 5505:Static Routing and Deny TCP connection because of bad flag
Hi Everybody,
I have a problem. I made a site-to-site VPN with two ASA 5505s. The VPN works great. And I created a redundant link in case the VPN fails.
In fact, I use dual ISP with route tracking. If the VPN fails, the default route changes to an ISDN router situated on the inside interface.
When I simulated a VPN failure, the ASAs' routes switched automatically to the backup ISDN routers. If I ping elements, it works great. But when I try a TCP connection like telnet, the ASAs deny the connections:
%PIX|ASA-6-106015: Deny TCP (no connection) from 172.16.10.57/35066 to 172.16.18.1/23 flags tcp_flags on interface interface_name.
The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
thanks!
EDIT: On the schema, the interface of the main ASA is 172.16.18.148...
Check if the xlate timer is set greater than or equal to the conn timer, so as not to have connections waiting on xlates that no longer exist. To minimize the number of attempts, enable "service resetinbound". The PIX will reset the connection and make it go away. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection.
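The no-SYN, no-connection check described above, as an added example (Python, not Cisco code): a toy connection table that accepts a bare SYN, matches later segments in both directions, ages entries out with the thread's 1:00:00 conn timeout and emits the 106015 message for anything else. It assumes the telnet endpoints from the quoted log line; the xlate timer the reply mentions is not modelled.

```python
"""Model of the stateful check behind %ASA-6-106015 (added example, not Cisco
code). A TCP segment passes only if a bare SYN opens a new entry or an entry for
its flow already exists and has not idled past 'timeout conn'. The 1:00:00 conn
timeout and the telnet endpoints are taken from the thread; the xlate timer is
not modelled."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CONN_TIMEOUT = 3600  # 'timeout conn 1:00:00' from the config in this thread
Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport) of the initiator

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str             # e.g. "SYN", "ACK", "PSH ACK"
    iface: str = "inside"  # interface the segment arrives on

class ConnTable:
    """Connection table keyed by the initiator's 4-tuple, with idle expiry."""

    def __init__(self, timeout: int = CONN_TIMEOUT) -> None:
        self.timeout = timeout
        self.last_seen: Dict[Flow, float] = {}

    def _lookup(self, seg: Segment) -> Optional[Flow]:
        """Find the entry this segment belongs to, in either direction."""
        fwd: Flow = (seg.src, seg.sport, seg.dst, seg.dport)
        rev: Flow = (seg.dst, seg.dport, seg.src, seg.sport)
        return fwd if fwd in self.last_seen else rev if rev in self.last_seen else None

    def handle(self, seg: Segment, now: float) -> Tuple[bool, Optional[str]]:
        """Return (accepted, syslog text); the syslog text is set only on a drop."""
        for flow in [f for f, t in self.last_seen.items() if now - t > self.timeout]:
            del self.last_seen[flow]          # idle entries age out
        flow = self._lookup(seg)
        if flow is not None:
            self.last_seen[flow] = now        # refresh the idle timer
            return True, None
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            self.last_seen[(seg.src, seg.sport, seg.dst, seg.dport)] = now
            return True, None                 # a bare SYN opens a new connection
        return False, (f"%ASA-6-106015: Deny TCP (no connection) from {seg.src}/{seg.sport} "
                       f"to {seg.dst}/{seg.dport} flags {seg.flags} on interface {seg.iface}")

def failover_scenario() -> Dict[str, bool]:
    """Telnet flow from the thread: SYN accepted, reply and data matched, then a
    mid-stream segment arriving after the entry idled out is dropped until the
    client starts over with a fresh SYN."""
    table = ConnTable()
    syn = Segment("172.16.10.57", 35066, "172.16.18.1", 23, "SYN")
    data = Segment("172.16.10.57", 35066, "172.16.18.1", 23, "PSH ACK")
    reply = Segment("172.16.18.1", 23, "172.16.10.57", 35066, "PSH ACK", "outside")
    return {
        "syn_opens_entry": table.handle(syn, 0)[0],
        "reply_matches_reverse": table.handle(reply, 1)[0],
        "data_within_timeout": table.handle(data, 100)[0],
        "data_after_idle_expiry": table.handle(data, 100 + CONN_TIMEOUT + 1)[0],
        "fresh_syn_reopens": table.handle(syn, 100 + CONN_TIMEOUT + 2)[0],
    }
```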
-
ASA 5505 site to site RTP traffic is hitting deny all rule
Hello,
Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
Currently the rules are as follows
Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny
Incoming Internal
allow ip any any
allow tcp any any
allow udp any any
default deny
It won't allow us to set up a VoIP call... however, when the same call manager sets up a VoIP call NOT using this IPsec tunnel it works just fine.
Hi Daniel,
I guess there is a feature-support issue with the ASA sending VoIP traffic over VPN.
The ASA Phone Proxy does not support inspection of packets from phones connecting to it over a VPN tunnel. Therefore, sending phone proxy traffic through a VPN tunnel is not supported.
Note: The ASA 5500 appliances running version 8.4 can support the Phone Proxy feature when integrated with Unified CM 8.0(x) but do not support Phone Proxy with Unified CM versions 8.5(x) and 8.6(x).
Please do rate if the given information helps.
By
Karthik
-
Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface
Hi all,
I have a very strange problem with the OUTSIDE interface and remote SSH. Well, I have followed the documentation and configured remote access for SSH like this [1.]. If I want to connect from the internet to the OUTSIDE interface [2.], I get no response and in the log I can see this message [3.]. I really do not understand why the SSH connection is dropped by the OUTSIDE access-list [4.]. If I understand the documentation correctly, the interface access-list has no impact on remote management/access like ICMP, SSH, HTTP(S). So, why?
When I try an SSH connection from the internal network to the INSIDE interface everything works fine and I can log in to the ASA. If I try to allow SSH in the OUTSIDE access-list, still no success, and I get this message [5.]. It is strange, isn't it?
The same problem with ICMP: if I want to "ping" the OUTSIDE interface from the internet I get this message in the log [6.], with the configuration for ICMP like this [7.].
The full ASA config is in the attachment.
Can anybody help with how to fix it and explain what exactly is wrong? Thanks.
Regards,
Karel
[1.]
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
ASA-FW01# show ssh
Timeout: 60 minutes
Version allowed: 2
10.0.0.0 255.255.255.0 INSIDE
0.0.0.0 0.0.0.0 OUTSIDE
[2.]
ASA-FW01# show nameif
Interface Name Security
Vlan10 INSIDE 100
Vlan20 EXT-VLAN20 0
Vlan30 EXT-WIFI-VLAN30 10
Vlan100 OUTSIDE 0
ASA-FW01# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
ASA-FW01# show interface OUTSIDE detail
Interface Vlan100 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: >>VLAN pro pripojeni do internetu<<
MAC address f44e.05d0.6c17, MTU 1480
IP address 85.71.188.158, subnet mask 255.255.255.255
Traffic Statistics for "OUTSIDE":
90008 packets input, 10328084 bytes
60609 packets output, 13240078 bytes
1213 packets dropped
1 minute input rate 15 pkts/sec, 994 bytes/sec
[3.]
Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
[4.]
access-list OUTSIDE remark =======================================================================================
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended deny ip any any log
access-group OUTSIDE in interface OUTSIDE
[5.]
Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
[6.]
Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
[7.]
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 INSIDE
icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
icmp permit any OUTSIDE
You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK
-
Cisco ASA 5505 site to site Multiple subnet.
Hi. I need some help configuring my Cisco ASA 5505.
I've set up a VPN tunnel between two ASA 5505s.
Site 1:
Subnet 192.168.77.0
Site 2:
Has multiple VLANs, and now the tunnel goes to vlan400 - 192.168.1.0
What I need help with:
From site 1 I need to be able to reach another VLAN on site 2: vlan480 - 192.168.20.0
And from site 1 I need to reach the 192.168.77.0 subnet from vlan480 - 192.168.20.0
Vlan480 is used for phones. In vlan480 we have a PABX.
Is this possible to do?
Any help would be gratefully appreciated!
Config site 2:
: Saved
ASA Version 7.2(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
names
name 192.168.1.250 DomeneServer
name 192.168.1.10 NotesServer
name 192.168.1.90 OvServer
name 192.168.1.97 TerminalServer
name 192.168.1.98 w8-eyeshare
name 192.168.50.10 w8-print
name 192.168.1.94 w8-app
name 192.168.1.89 FonnaFlyMedia
interface Vlan1
nameif Vlan1
security-level 100
ip address 192.168.200.100 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address 79.x.x.226 255.255.255.224
ospf cost 10
interface Vlan400
nameif vlan400
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
interface Vlan450
nameif Vlan450
security-level 100
ip address 192.168.210.1 255.255.255.0
ospf cost 10
interface Vlan460
nameif Vlan460-SuldalHotell
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
interface Vlan461
nameif Vlan461-SuldalHotellGjest
security-level 100
ip address 192.168.3.1 255.255.255.0
ospf cost 10
interface Vlan462
nameif Vlan462-Suldalsposten
security-level 100
ip address 192.168.4.1 255.255.255.0
ospf cost 10
interface Vlan470
nameif vlan470-Kyrkjekontoret
security-level 100
ip address 192.168.202.1 255.255.255.0
ospf cost 10
interface Vlan480
nameif vlan480-Telefoni
security-level 100
ip address 192.168.20.1 255.255.255.0
ospf cost 10
interface Vlan490
nameif Vlan490-QNapBackup
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
interface Vlan500
nameif Vlan500-HellandBadlands
security-level 100
ip address 192.168.30.1 255.255.255.0
ospf cost 10
interface Vlan510
nameif Vlan510-IsTak
security-level 100
ip address 192.168.40.1 255.255.255.0
ospf cost 10
interface Vlan600
nameif Vlan600-SafeQ
security-level 100
ip address 192.168.50.1 255.255.255.0
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 500
switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
switchport mode trunk
interface Ethernet0/3
switchport access vlan 490
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd x encrypted
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Lotus_Notes_Utgaaande tcp
description Frim Notes og ut til alle
port-object eq domain
port-object eq ftp
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq pop3
port-object eq pptp
port-object eq smtp
object-group service Lotus_Notes_inn tcp
description From alle og inn til Notes
port-object eq www
port-object eq lotusnotes
port-object eq pop3
port-object eq smtp
object-group service Reisebyraa tcp-udp
port-object range 3702 3702
port-object range 5500 5500
port-object range 9876 9876
object-group service Remote_Desktop tcp-udp
description Tilgang til Remote Desktop
port-object range 3389 3389
object-group service Sand_Servicenter_50000 tcp-udp
description Program tilgang til Sand Servicenter AS
port-object range 50000 50000
object-group service VNC_Remote_Admin tcp
description Frå oss til alle
port-object range 5900 5900
object-group service Printer_Accept tcp-udp
port-object range 9100 9100
port-object eq echo
object-group icmp-type Echo_Ping
icmp-object echo
icmp-object echo-reply
object-group service Print tcp
port-object range 9100 9100
object-group service FTP_NADA tcp
description Suldalsposten NADA tilgang
port-object eq ftp
port-object eq ftp-data
object-group service Telefonsentral tcp
description Hoftun
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq telnet
object-group service Printer_inn_800 tcp
description Fra 800 nettet og inn til 400 port 7777
port-object range 7777 7777
object-group service Suldalsposten tcp
description Sending av mail vha Mac Mail programmet - åpner smtp
port-object eq pop3
port-object eq smtp
object-group service http2 tcp
port-object range 81 81
object-group service DMZ_FTP_PASSIVE tcp-udp
port-object range 55536 56559
object-group service DMZ_FTP tcp-udp
port-object range 20 21
object-group service DMZ_HTTPS tcp-udp
port-object range 443 443
object-group service DMZ_HTTP tcp-udp
port-object range 8080 8080
object-group service DNS_Query tcp
port-object range domain domain
object-group service DUETT_SQL_PORT tcp-udp
description For kobling mellom andre nett og duett server
port-object range 54659 54659
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list vlan400_access_in extended deny ip any host 149.20.56.34
access-list vlan400_access_in extended deny ip any host 149.20.56.32
access-list vlan400_access_in extended permit ip any any
access-list Vlan450_access_in extended deny ip any host 149.20.56.34
access-list Vlan450_access_in extended deny ip any host 149.20.56.32
access-list Vlan450_access_in extended permit ip any any
access-list Vlan460_access_in extended deny ip any host 149.20.56.34
access-list Vlan460_access_in extended deny ip any host 149.20.56.32
access-list Vlan460_access_in extended permit ip any any
access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host OvServer object-group http2
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600
access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT
access-list Vlan500_access_in extended deny ip any host 149.20.56.34
access-list Vlan500_access_in extended deny ip any host 149.20.56.32
access-list Vlan500_access_in extended permit ip any any
access-list vlan470_access_in extended deny ip any host 149.20.56.34
access-list vlan470_access_in extended deny ip any host 149.20.56.32
access-list vlan470_access_in extended permit ip any any
access-list Vlan490_access_in extended deny ip any host 149.20.56.34
access-list Vlan490_access_in extended deny ip any host 149.20.56.32
access-list Vlan490_access_in extended permit ip any any
access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan1_access_out extended permit ip any any
access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan1_access_out extended deny ip any any
access-list Vlan1_access_out extended permit icmp any any echo-reply
access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP
access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop
access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan480_access_out extended permit ip any any
access-list Vlan510_access_in extended permit ip any any
access-list Vlan600_access_in extended permit ip any any
access-list Vlan600_access_out extended permit icmp any any
access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_in_1 extended permit ip any any
access-list Vlan461_access_in extended permit ip any any
access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list Vlan462-Suldalsposten_access_in extended permit ip any any
access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Vlan1 1500
mtu outside 1500
mtu vlan400 1500
mtu Vlan450 1500
mtu Vlan460-SuldalHotell 1500
mtu Vlan461-SuldalHotellGjest 1500
mtu vlan470-Kyrkjekontoret 1500
mtu vlan480-Telefoni 1500
mtu Vlan490-QNapBackup 1500
mtu Vlan500-HellandBadlands 1500
mtu Vlan510-IsTak 1500
mtu Vlan600-SafeQ 1500
mtu Vlan462-Suldalsposten 1500
no failover
monitor-interface Vlan1
monitor-interface outside
monitor-interface vlan400
monitor-interface Vlan450
monitor-interface Vlan460-SuldalHotell
monitor-interface Vlan461-SuldalHotellGjest
monitor-interface vlan470-Kyrkjekontoret
monitor-interface vlan480-Telefoni
monitor-interface Vlan490-QNapBackup
monitor-interface Vlan500-HellandBadlands
monitor-interface Vlan510-IsTak
monitor-interface Vlan600-SafeQ
monitor-interface Vlan462-Suldalsposten
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan400) 0 access-list vlan400_nat0_outbound
nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255
static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns
static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255
static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255
static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255
static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
access-group Vlan1_access_out out interface Vlan1
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan400_access_in in interface vlan400
access-group vlan400_access_out out interface vlan400
access-group Vlan450_access_in in interface Vlan450
access-group Vlan450_access_out out interface Vlan450
access-group Vlan460_access_in in interface Vlan460-SuldalHotell
access-group Vlan460_access_out out interface Vlan460-SuldalHotell
access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest
access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest
access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
access-group vlan470_access_out out interface vlan470-Kyrkjekontoret
access-group vlan480_access_out out interface vlan480-Telefoni
access-group Vlan490_access_in in interface Vlan490-QNapBackup
access-group Vlan490_access_out out interface Vlan490-QNapBackup
access-group Vlan500_access_in in interface Vlan500-HellandBadlands
access-group Vlan500_access_out out interface Vlan500-HellandBadlands
access-group Vlan510_access_in in interface Vlan510-IsTak
access-group Vlan510_access_out out interface Vlan510-IsTak
access-group Vlan600_access_in_1 in interface Vlan600-SafeQ
access-group Vlan600_access_out out interface Vlan600-SafeQ
access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten
access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten
route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username x password x encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 Vlan450
http 192.168.200.0 255.255.255.0 Vlan1
http 192.168.1.0 255.255.255.0 vlan400
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 62.92.159.137
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable vlan400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 62.92.159.137 type ipsec-l2l
tunnel-group 62.92.159.137 ipsec-attributes
pre-shared-key *
telnet 192.168.200.0 255.255.255.0 Vlan1
telnet 192.168.1.0 255.255.255.0 vlan400
telnet timeout 5
ssh 171.68.225.216 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd update dns both
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside
dhcpd address 192.168.1.100-192.168.1.225 vlan400
dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400
dhcpd option 3 ip 192.168.1.1 interface vlan400
dhcpd enable vlan400
dhcpd address 192.168.210.100-192.168.210.200 Vlan450
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
dhcpd option 3 ip 192.168.210.1 interface Vlan450
dhcpd enable Vlan450
dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell
dhcpd enable Vlan460-SuldalHotell
dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest
dhcpd enable Vlan461-SuldalHotellGjest
dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
dhcpd enable vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup
dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands
dhcpd enable Vlan500-HellandBadlands
dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak
dhcpd enable Vlan510-IsTak
dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
dhcpd enable Vlan600-SafeQ
dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten
dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten
dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten
dhcpd enable Vlan462-Suldalsposten
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
prompt hostname context
Cryptochecksum:x
: end
Config site 1:
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
passwd x encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.77.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Telenor
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 15
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any echo-reply log disable
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.77.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 79.160.252.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.77.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Telenor request dialout pppoe
vpdn group Telenor localname x
vpdn group Telenor ppp authentication chap
vpdn username x password x store-local
dhcpd auto_config outside
dhcpd address 192.168.77.100-192.168.77.130 inside
dhcpd dns 192.168.77.1 interface inside
dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside
dhcpd enable inside
dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface outside
tunnel-group 79.160.252.226 type ipsec-l2l
tunnel-group 79.160.252.226 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:x
: end
Hi,
The addition of a new network to the existing L2L VPN should be a pretty simple process.
Essentially you will have to add the network to the Crypto ACL present in the "crypto map" configurations. You will also have to configure the NAT0 configuration for it in the proper interfaces of the ASA. These configurations are all done on both ends of the L2L VPN connection.
Looking at your above configurations it would seem that you will need the following configurations
SITE 1
We add the new network to both the crypto ACL and the NAT0 ACL
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
SITE 2
We add the new network to the crypto ACL
We create a new NAT0 configuration for the Vlan480 interface as it has no previous NAT0 configuration
access-list outside_20_cryptomap_1 extended permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list VLAN480-NAT0 remark NAT0 for VPN
access-list VLAN480-NAT0 permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
nat (vlan480-Telefoni) 0 access-list VLAN480-NAT0
These configurations should pretty much do the trick.
Let me know if it worked
- Jouni -
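The two rules in the reply above (the crypto ACL must be the mirror image of the peer's, and every protected pair needs a NAT0 entry on the side that owns the source network) are the usual reasons a newly added subnet never enters an L2L tunnel. The script below is an added example, not code from this thread or from Cisco: it parses the pre-8.3 `access-list` / `nat (iface) 0 access-list` / `crypto map ... match address` lines, normalises the masks to CIDR, and reports anything unmirrored or unexempted. The Site 1 lines are taken from the config posted above; the Site 2 NAT0 ACL name `vlan400_nat0_outbound` is an assumption, since that part of Site 2's config is not quoted here.

```python
"""Mirror-image and NAT0 consistency check for an ASA (pre-8.3 NAT syntax) L2L VPN.

Added example, not code from the thread. For every pair (A -> B) in one side's
crypto ACL the peer's crypto ACL must carry (B -> A), and the same pair must be
in a NAT0 (identity NAT) ACL on the side that owns A; otherwise the traffic is
PATed before the crypto map sees it and never matches the tunnel.
"""
import re
from ipaddress import IPv4Network

# access-list NAME [extended] permit ip SRC SMASK DST DMASK   (remark lines never match)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)
CRYPTO_MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (?P<name>\S+)\s*$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (?P<name>\S+)\s*$")


def parse_acl(config, name):
    """Return the set of (src_cidr, dst_cidr) pairs of the named 'permit ip' ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            src = str(IPv4Network((m.group("src"), m.group("smask")), strict=False))
            dst = str(IPv4Network((m.group("dst"), m.group("dmask")), strict=False))
            pairs.add((src, dst))
    return pairs


def crypto_acl_pairs(config):
    """Union of every ACL referenced by 'crypto map ... match address'."""
    pairs = set()
    for line in config.splitlines():
        m = CRYPTO_MATCH_RE.match(line.strip())
        if m:
            pairs |= parse_acl(config, m.group("name"))
    return pairs


def nat0_pairs(config):
    """Union of every ACL bound with 'nat (iface) 0 access-list NAME'."""
    pairs = set()
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            pairs |= parse_acl(config, m.group("name"))
    return pairs


def check_l2l(cfg_a, cfg_b):
    """Report crypto pairs the peer does not mirror and pairs with no NAT0 exemption."""
    a_crypto, b_crypto = crypto_acl_pairs(cfg_a), crypto_acl_pairs(cfg_b)
    b_mirrored = {(dst, src) for src, dst in b_crypto}  # B's pairs seen from A's side
    return {
        "only_on_a": sorted(a_crypto - b_mirrored),
        "only_on_b": sorted(b_mirrored - a_crypto),
        "missing_nat0_a": sorted(a_crypto - nat0_pairs(cfg_a)),
        "missing_nat0_b": sorted(b_crypto - nat0_pairs(cfg_b)),
    }


def tunnel_consistent(report):
    """True when the report from check_l2l() contains no findings."""
    return not any(report.values())


# Sample input, constructed from the configs quoted in the thread.
SITE1 = """
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""
# Site 2's NAT0 ACL name below is an assumption; that part of its config is not quoted.
SITE2 = """
access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
nat (vlan400) 0 access-list vlan400_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap_1
"""
# The additions proposed in the reply, one block per side.
SITE1_ADD = """
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
SITE2_ADD = """
access-list outside_20_cryptomap_1 extended permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list VLAN480-NAT0 remark NAT0 for VPN
access-list VLAN480-NAT0 permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
nat (vlan480-Telefoni) 0 access-list VLAN480-NAT0
"""

if __name__ == "__main__":
    print("before:", check_l2l(SITE1, SITE2))
    print("site 1 only:", check_l2l(SITE1 + SITE1_ADD, SITE2))
    print("both sides:", check_l2l(SITE1 + SITE1_ADD, SITE2 + SITE2_ADD))
```

Run it against the saved configs of both peers (`more system:running-config` output works as-is) before bringing the tunnel up. Note that the 9.0(1) configs in the next post use the 8.3+ twice-NAT form (`nat (inside,outside) source static ... destination static ...` with object names), which this checker does not parse; the same two questions still apply there.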
Cisco ASA 5505 Site to Site VPN
Hello All,
First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up a Site to Site VPN tunnel. It looks so simple from the number of videos that I have watched on the internet. But when I have done it, surprise surprise, it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ASDM to create the tunnel. Both ASAs are 5505s and have the same firmware etc.
I would appreciate any help that can be directed towards this issue please. Slowly losing my mind.
Please see details below:
Both ASDMs are 7.1
IOS
ASA 1
: Saved
ASA Version 9.0(1)
hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description Trunk link to SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif outside
security-level 0
ip address 92.51.193.158 255.255.255.252
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan20
nameif servers
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan30
nameif printers
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan40
nameif wireless
security-level 100
ip address 192.168.40.1 255.255.255.0
banner login line Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 83.147.160.2
name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
host 192.168.20.21
description Automated Report Server Internal Address
object network Report_Server
host 89.234.126.9
description Automated Report Server
object service RDP
service tcp destination eq 3389
description RDP to Server
object network Host_QA_Server
host 89.234.126.10
description QA Host External Address
object network Internal_Host_QA
host 192.168.20.22
description Host of VM machine for QA
object network Internal_QA_Web_Server
host 192.168.20.23
description Web Server in QA environment
object network Web_Server_QA_VM
host 89.234.126.11
description Web server in QA environment
object service SQL_Server
service tcp destination eq 1433
object network Demo_Server
host 89.234.126.12
description Server set up to Demo Product
object network Internal_Demo_Server
host 192.168.20.24
description Internal IP Address of Demo Server
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object service MSSQL
service tcp destination eq 1434
description MSSQL port
object network VPN-network
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object service TS
service tcp destination eq 4400
object service TS_Return
service tcp source eq 4400
object network External_QA_3
host 89.234.126.13
object network Internal_QA_3
host 192.168.20.25
object network Dev_WebServer
host 192.168.20.27
object network External_Dev_Web
host 89.234.126.14
object network CIX_Subnet
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_84.39.233.50
host 84.39.233.50
object network NETWORK_OBJ_92.51.193.158
host 92.51.193.158
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq smtp
service-object object TS
object-group network Payback_Internal
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object tcp destination eq https
service-object object TS
service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object object RDP
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
service-object object MSSQL
service-object object RDP
service-object object TS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object object TS
service-object object TS_Return
service-object tcp destination eq www
service-object tcp destination eq https
access-list outside_access_in remark This rule is allowing from internet to interal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Access rule to internal host QA
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to INternal Web Server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule for allowing access to Demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access for Development WebServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 84.39.233.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.40.0 255.255.255.0 wireless
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.1
dhcpd auto_config outside
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password uYePLcrFadO9pBZx encrypted
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp error
inspect icmp
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
ASA 2
ASA Version 9.0(1)
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description This port connects to VLAN 100
switchport access vlan 100
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 100
interface Ethernet0/4
switchport access vlan 100
interface Ethernet0/5
switchport access vlan 100
interface Ethernet0/6
switchport access vlan 100
interface Ethernet0/7
switchport access vlan 100
interface Vlan2
nameif outside
security-level 0
ip address 84.39.233.50 255.255.255.240
interface Vlan100
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
banner login line Welcome to Payback Loyalty - CIX
ftp mode passive
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CIX-Host-1
host 192.168.100.2
description This is the host machine of the VM servers
object network External_CIX-Host-1
host 84.39.233.51
description This is the external IP address of the host server for the VM server
object service RDP
service tcp source range 1 65535 destination eq 3389
object network Payback_Office
host 92.51.193.158
object service MSQL
service tcp destination eq 1433
object network Development_OLTP
host 192.168.100.10
description VM for Eiresoft
object network External_Development_OLTP
host 84.39.233.52
description This is the external IP address for the VM for Eiresoft
object network Eiresoft
host 146.66.160.70
description DBA Contractor
object network External_TMC_Web
host 84.39.233.53
description Public Address of TMC Webserver
object network TMC_Webserver
host 192.168.100.19
description Internal Address of TMC Webserver
object network External_TMC_OLTP
host 84.39.233.54
description Targets OLTP external IP
object network TMC_OLTP
host 192.168.100.18
description Targets interal IP address
object network External_OLTP_Failover
host 84.39.233.55
description Public IP of OLTP Failover
object network OLTP_Failover
host 192.168.100.60
description Server for OLTP failover
object network Servers
subnet 192.168.20.0 255.255.255.0
object network Wired
subnet 192.168.10.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
host 137.117.217.29
description Eiresoft 2nd IP
object network Dev_Test_Webserver
host 192.168.100.12
description Dev Test Webserver Internal Address
object network External_Dev_Test_Webserver
host 84.39.233.56
description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_2
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_3
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_4
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_5
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
service-object object MSQL
service-object object RDP
object-group network Payback_Intrernal
network-object object Servers
network-object object Wired
network-object object Wireless
object-group service DM_INLINE_SERVICE_7
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_8
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_9
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_10
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_11
service-object object RDP
service-object tcp destination eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
access-list outside_access_in remark Development OLTP from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in remark Access for Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Access to OLTP for target from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
access-list outside_access_in remark Access for the 2nd IP from Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 92.51.193.156 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 92.51.193.158
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 92.51.193.156 255.255.255.252 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: end
Hi,
Thanks for the help to date
I now have the Site to Site working, but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow the connection on the first attempt; however, if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this the correct behaviour?
See below the details:
ASA1:
hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description Trunk link to SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.XX 255.255.255.252
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan20
nameif servers
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan30
nameif printers
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan40
nameif wireless
security-level 100
ip address 192.168.40.1 255.255.255.0
banner login line Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 83.147.160.2
name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
host 192.168.20.21
description Automated Report Server Internal Address
object network Report_Server
host 89.234.126.9
description Automated Report Server
object service RDP
service tcp destination eq 3389
description RDP to Server
object network Host_QA_Server
host 89.234.126.10
description QA Host External Address
object network Internal_Host_QA
host 192.168.20.22
description Host of VM machine for QA
object network Internal_QA_Web_Server
host 192.168.20.23
description Web Server in QA environment
object network Web_Server_QA_VM
host 89.234.126.11
description Web server in QA environment
object service SQL_Server
service tcp destination eq 1433
object network Demo_Server
host 89.234.126.12
description Server set up to Demo Product
object network Internal_Demo_Server
host 192.168.20.24
description Internal IP Address of Demo Server
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object service MSSQL
service tcp destination eq 1434
description MSSQL port
object network VPN-network
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object service TS
service tcp destination eq 4400
object service TS_Return
service tcp source eq 4400
object network External_QA_3
host 89.234.126.13
object network Internal_QA_3
host 192.168.20.25
object network Dev_WebServer
host 192.168.20.27
object network External_Dev_Web
host 89.234.126.14
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
description Wireless network
object network Servers
subnet 192.168.20.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq smtp
service-object object TS
service-object object SQL_Server
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object tcp destination eq https
service-object object TS
service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object object RDP
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
service-object object MSSQL
service-object object RDP
service-object object TS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object object TS
service-object object TS_Return
service-object tcp destination eq www
service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
object-group network Payback_Internal
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
access-list outside_access_in remark This rule is allowing from internet to interal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Access rule to internal host QA
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to INternal Web Server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule for allowing access to Demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access for Development WebServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XX.XX.XX.XX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map servers_map interface servers
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 enable servers
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.1
dhcpd auto_config outside
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username niamh password MlFlIlEiy8vismE0 encrypted
username niamh attributes
service-type admin
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password yQeVtvLLKqapoUje encrypted privilege 0
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp error
inspect icmp
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83fa7ce1d93375645205f6e79b526381
ASA2:
ASA Version 9.0(1)
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description This port connects to VLAN 100
switchport access vlan 100
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 100
interface Ethernet0/4
switchport access vlan 100
interface Ethernet0/5
switchport access vlan 100
interface Ethernet0/6
switchport access vlan 100
interface Ethernet0/7
switchport access vlan 100
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.240
interface Vlan100
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
banner login line Welcome to Payback Loyalty - CIX
ftp mode passive
clock timezone GMT 0
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CIX-Host-1
host 192.168.100.2
description This is the host machine of the VM servers
object network External_CIX-Host-1
host 84.39.233.51
description This is the external IP address of the host server for the VM server
object service RDP
service tcp source range 1 65535 destination eq 3389
object network Payback_Office
host 92.51.193.158
object service MSQL
service tcp destination eq 1433
object network Development_OLTP
host 192.168.100.10
description VM for Eiresoft
object network External_Development_OLTP
host 84.39.233.52
description This is the external IP address for the VM for Eiresoft
object network External_TMC_Web
host 84.39.233.53
description Public Address of TMC Webserver
object network TMC_Webserver
host 192.168.100.19
description Internal Address of TMC Webserver
object network External_TMC_OLTP
host 84.39.233.54
description Targets OLTP external IP
object network TMC_OLTP
host 192.168.100.18
description Targets interal IP address
object network External_OLTP_Failover
host 84.39.233.55
description Public IP of OLTP Failover
object network OLTP_Failover
host 192.168.100.60
description Server for OLTP failover
object network Servers
subnet 192.168.20.0 255.255.255.0
object network Wired
subnet 192.168.10.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
host 137.117.217.29
description Eiresoft 2nd IP
object network Dev_Test_Webserver
host 192.168.100.12
description Dev Test Webserver Internal Address
object network External_Dev_Test_Webserver
host 84.39.233.56
description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network LAN
subnet 192.168.100.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.10.0 255.255.255.0
object network TargetMC
host 83.71.194.145
description This is Target Location that will be accessing the Webserver
object network Rackspace_OLTP
host 162.13.34.56
description This is the IP address of production OLTP
object service DB
service tcp destination eq 5022
object network Topaz_Target_VM
host 82.198.151.168
description This is Topaz IP that will be accessing Targets VM
object service DB_2
service tcp destination eq 5023
object network EireSoft_NEW_IP
host 146.66.161.3
description Eiresoft latest IP form ISP DHCP
object-group service DM_INLINE_SERVICE_1
service-object object MSQL
service-object object RDP
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_4
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object tcp destination eq www
object-group service DM_INLINE_SERVICE_5
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
service-object object MSQL
service-object object RDP
object-group network Payback_Intrernal
network-object object Servers
network-object object Wired
network-object object Wireless
object-group service DM_INLINE_SERVICE_8
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_9
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_10
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object icmp echo
service-object icmp echo-reply
service-object object DB
object-group service DM_INLINE_SERVICE_11
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_12
service-object object MSQL
service-object icmp echo
service-object icmp echo-reply
service-object object DB
service-object object DB_2
object-group service DM_INLINE_SERVICE_13
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_14
service-object object MSQL
service-object object RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
access-list outside_access_in remark Development OLTP from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Access to OLTP for target from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark Access for the 2nd IP from Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_access_in remark Access rules from Traget to CIX for testing
access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
access-list outside_access_in remark Topaz access to Target VM
access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source dynamic LAN interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http X.X.X.X 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh X.X.X.X 255.255.255.240 outside
ssh X.X.X.X 255.255.255.252 outside
ssh 192.168.40.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769
Cisco ASA 5505 AnyConnect SSL VPN problem
Hi!
I have a small network, with an ASA 5505, 8.4:
Inside network: 192.168.2.0/24
Outside: Static IP
I would like to deploy a SSL AnyConnect setup.
The state:
- I am given the correct IP from my predefined VPN pool (10.10.10.0/24).
But I could not reach any resource, and could not ping either. My host was given the IP 10.10.10.1, and I had a GW of 10.10.10.2. Where does this GW come from?
Could you help me?
Here is my config (I omitted my PUBLIC IP, and GW):
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname valamiASA
domain-name valami.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address MY_STATIC_IP 255.255.255.248
interface Vlan12
description Vendegeknek a valamiHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
management-only
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name valami.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool valami_vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 MY_STATIC_GW 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_valami_VPN internal
group-policy GroupPolicy_valami_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value valami.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group valami_VPN type remote-access
tunnel-group valami_VPN general-attributes
address-pool valami_vpn_pool
default-group-policy GroupPolicy_valami_VPN
tunnel-group valami_VPN webvpn-attributes
group-alias valami_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d54de340bb6794d90a9ee52c69044753
: end
First of all, thanks for your link.
I know your notes, but I don't understand one thing:
If I check NAT exemption in the AnyConnect wizard, why should I make a NAT exemption rule?
I tried creating a rule, but it is wrong.
My steps (on ASDM):
1: create network object (10.10.10.0/24), named VPN
2: create nat rule: source any, destination VPN, protocol any
Here is my config:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname companyASA
domain-name company.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address 77.111.103.106 255.255.255.248
interface Vlan12
description Vendegeknek a companyHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name company.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object network WEBSHOP
host 192.168.2.2
object network INSIDE_HOST
host 10.100.130.5
object network VOIP_management
host 192.168.2.215
object network Dev_1
host 192.168.2.2
object network Dev_2
host 192.168.2.2
object network RDP
host 192.168.2.2
object network Mediasa
host 192.168.2.17
object network VOIP_ePhone
host 192.168.2.215
object network NETWORK_OBJ_192.168.4.0_28
subnet 192.168.4.0 255.255.255.240
object network NETWORK_OBJ_10.10.10.8_29
subnet 10.10.10.8 255.255.255.248
object network VPN
subnet 10.10.10.0 255.255.255.0
object network VPN-internet
subnet 10.10.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool company_vpn_pool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (any,any) source static any any destination static VPN VPN
nat (inside,outside) source static inside-net inside-net destination static VPN VPN
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 77.111.103.105 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_company_VPN internal
group-policy GroupPolicy_company_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelall
default-domain value company.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server none
dns-server value 62.112.192.4 195.70.35.66
vpn-tunnel-protocol ssl-client
default-domain value company.local
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group company_VPN type remote-access
tunnel-group company_VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_company_VPN
tunnel-group company_VPN webvpn-attributes
group-alias company_VPN enable
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:33ee37a3722f228f9be9b84ef43f731e
: end
Could you give me the CLI code (or ASDM steps)?
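The question above turns on how the ASA (8.3 and later) orders its NAT table: all manual ("twice") NAT rules in section 1 are evaluated first, in configuration order, before any object (auto) NAT in section 2, and the first match wins. The following is an added illustration, not the poster's code and not anything from Cisco: it hand-builds the rules from the configuration posted above (object names resolved to the subnets defined there) and performs the first-match lookup for a few constructed flows. Only the forward, connection-initiating direction is modelled; the reverse match of static rules and egress-interface selection are out of scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    section: int       # 1 = manual (twice) NAT, 2 = object (auto) NAT
    order: int         # position within the section, i.e. configuration order
    ingress: str       # source interface named in the rule; "any" matches all
    real_src: IPv4Net  # real (pre-translation) source network
    real_dst: IPv4Net  # destination condition; object NAT has none -> 0.0.0.0/0
    action: str        # human-readable translation result
    text: str          # the configuration line(s) the rule was built from


def build_rules() -> list:
    """Rules constructed from the posted running config (objects resolved by hand)."""
    vpn = ipaddress.ip_network("10.10.10.0/24")        # object network VPN
    inside_net = ipaddress.ip_network("192.168.2.0/24")  # object network inside-net
    guest_net = ipaddress.ip_network("192.168.3.0/24")   # object network guest-net
    return [
        # Section 1: manual NAT, in the order it appears in the running config
        NatRule(1, 1, "any", ANY_NET, vpn, "identity (no translation)",
                "nat (any,any) source static any any destination static VPN VPN"),
        NatRule(1, 2, "inside", inside_net, vpn, "identity (no translation)",
                "nat (inside,outside) source static inside-net inside-net "
                "destination static VPN VPN"),
        # Section 2: object NAT
        NatRule(2, 1, "inside", inside_net, ANY_NET,
                "dynamic PAT to the outside interface address",
                "object network inside-net / nat (inside,outside) dynamic interface"),
        NatRule(2, 2, "guest", guest_net, ANY_NET,
                "dynamic PAT to the outside interface address",
                "object network guest-net / nat (guest,outside) dynamic interface"),
    ]


def lookup(rules, ingress: str, src: str, dst: str) -> Optional[NatRule]:
    """First-match lookup in ASA order: every section 1 rule before section 2,
    configuration order within a section. Returns the matching rule or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: (r.section, r.order)):
        if rule.ingress not in ("any", ingress):
            continue
        if s in rule.real_src and d in rule.real_dst:
            return rule
    return None


if __name__ == "__main__":
    rules = build_rules()
    # Constructed sample flows: LAN host to a VPN client, LAN host to the
    # Internet, and a host on the guest VLAN (192.168.4.0/24 per the config).
    flows = [
        ("inside", "192.168.2.50", "10.10.10.12"),
        ("inside", "192.168.2.50", "8.8.8.8"),
        ("guest", "192.168.4.20", "8.8.8.8"),
    ]
    for ingress, src, dst in flows:
        hit = lookup(rules, ingress, src, dst)
        if hit:
            print(f"{ingress}:{src} -> {dst}: section {hit.section} rule {hit.order}: "
                  f"{hit.action}  [{hit.text}]")
        else:
            print(f"{ingress}:{src} -> {dst}: no NAT rule matched")
```

Two things this lookup makes visible in the posted lines: the inside-to-VPN flow is caught by the first, `(any,any)` identity rule, so the narrower `inside-net` to `VPN` rule behind it is never reached; and no rule matches a host on the guest VLAN, because `object network guest-net` is defined as 192.168.3.0/24 while `interface Vlan12` carries 192.168.4.1/24.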
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway (192.168.223.191) - Cisco ASA 5505 (outside 192.168.223.200, inside 192.168.2.253, DMZ 172.16.3.253)
ISSUES:
1) no route from DMZ to outside
example:
ping from 172.16.3.201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2) access from external to DMZ is not working AT ALL
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: end
Thank you one more time for everything. It is working indeed.
The reason why I sometimes had some 'weird' results was because I had all devices connected to the same switch. Separating all networks onto different switches helped. Anyway, if you could take a look one last time at my configuration and let me know if it's good enough to deploy it on live (only www for all, ssh restricted from outside, lan to dmz). Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end -
Good morning you clever bunch,
Having a real issue here, am used to the Router\Switch CLI but been asked to set up an ASA 5505 8.4.
Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment and no matter whether I set it up as an auto-nat or a twice-nat whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running -
packet-trace input outside tcp 80.80.80.80 3389 10.240.0.10 3389
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static server publicIP service RDP RDP
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running - as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing?
I have this morning wiped the config and have simply set up the adapters, a default route and twice nat and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut! Any help is greatly appreciated as I've gotten quite stuck and feel like I have followed all the instructions online and just about tried everything.
Many thanks,
Sam - below is my running config
ASA Version 8.4(4)1
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.240.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 80.*.*.203 255.255.255.248
ftp mode passive
object network server
host 10.240.0.10
object network publicIP
host 80.*.*.37
object service RDP
service tcp source eq 3389
access-list ouside_in extended permit tcp any host 10.240.0.10 eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server publicIP service RDP RDP
access-group ouside_in in interface outside
route outside 0.0.0.0 0.0.0.0 80.*.*.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e67c79a8361f7b6aa3a7dd549f85e818
: end
Hi Jennifer,
No I just changed that for testing purposes as I had tried everything I thought was correct to no avail.
You, Jennifer, are my new hero.... literally on the config side I was trying everything and was completely barking up the wrong tree! Every time I had set up packet tracer that way, you can understand my logic when it comes to the destination address, seeing as I had already specified the outside adapter, but it makes a lot more sense using the outside host. Flow is now running perfectly.
Many thanks.
Sam -
Cisco asa 5505 with Router 881w Configuration Help
Hello all,
I'm having trouble setting up a second vlan to route to the internet. I have a Cisco ASA 5505 connected to my ISP (OUTSIDE) and a Cisco 881w (INSIDE) router behind my firewall. My vlan 10 with the network 192.168.5.1 255.255.255.0 works with pat, however vlan 15 that is on my 881w router does not route to the internet at all. I can only ping from the 192.168.15.15 network to 192.168.5.1. I would like some advice on how I can make this setup work. Attached with this discussion is a picture of my topology.
Thanks in advance.
here are the show runs:
Cisco ASA 5505 show run:
ASA Version 8.3(1)
names
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan5
mac-address xxxx.xxxx.xxxx
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface Vlan10
nameif INSIDE
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 5
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network INTERNAL_LAN
subnet 192.168.5.0 255.255.255.0
object network PRIVATE_LAN_192
subnet 192.168.15.0 255.255.255.224
description PRIVATE_LAN_192
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended deny ip any any
pager lines 24
logging enable
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INTERNAL_LAN
nat (INSIDE,OUTSIDE) dynamic interface
object network PRIVATE_LAN_192
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
dhcpd dns 8.8.8.8 75.75.76.76
dhcpd address 192.168.5.10-192.168.5.100 INSIDE
dhcpd enable INSIDE
Router 881w show run:
Current configuration : 4912 bytes
version 12.4
no ip source-route
ip dhcp excluded-address 192.168.15.1 192.168.15.10
ip dhcp pool PRIVATE_LAN
network 192.168.15.0 255.255.255.224
interface FastEthernet0
switchport trunk allowed vlan 1,15,1002-1005
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
interface Vlan15
ip address 192.168.15.1 255.255.255.224
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
ip http authentication local
ip http secure-server
The cable modem does not have any configuration. I can't add any to it. It's a Cisco DPC3008. From vlan 10 I have no problem getting to the internet with the above configuration. My problem is just vlan 15.
-
How do I block pings from the outside to the ASA 5505 outside interface?
I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
Anyone have a clue what I'm doing wrong? I'm not the firewall guy as you can tell. :/
Thanks in advance...
Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
ASA5505(config)#icmp deny any outside
You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection”.
You are allowing echo-reply, thus it will reply to a ping.
try this ACL:
icmp deny any echo-reply outside
From:
https://supportforums.cisco.com/thread/223769
Eric -
Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host
Hi:
Need your great help for my new ASA 5505 (8.4)
I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
ASA Version 8.4(3)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.29.8.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 177.164.222.140 255.255.255.248
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
subnet 172.29.8.0 255.255.255.0
object service RDP
service tcp source eq 3389
object network orange
host 172.29.8.151
object network WAN_173_164_222_138
host 177.164.222.138
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
object network guava
host 172.29.8.3
object service L2TP
service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Guava protocol nt
aaa-server Guava (inside) host 172.29.8.3
timeout 15
nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
dns-server value 172.29.8.3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunnel_User
default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
vpn-tunnel-protocol ikev1 ikev2
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
address-pool ABC_HQVPN_DHCP
authentication-server-group Guava
default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: end
Hello Wayne,
Can you use a different subnet range than the internal interface? This could cause you a LOT of issues and hours of troubleshooting, so use a dedicated, different IP address range...
I can see that the local pool range is included in the inside interface IP address subnet range; change that and the related config (NAT, etc.) and let us know what happens.
Regards,
Julio
Security Trainer -
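Two of the threads above come down to checks that can be made mechanically against a running-config: the "block pings to the outside interface" question, where the `icmp permit|deny` commands govern ICMP that terminates on an ASA interface (pinging the firewall itself) rather than ICMP passing through it, which is why an interface ACL had no effect there; and Julio's point that a remote-access `ip local pool` must not overlap an interface subnet. The Python below is an added example written for this page, not code from any of the posters or from Cisco. It parses the relevant lines of a constructed sample config (the addresses, pool name and `audit()` probe sources are made up for illustration) and applies the documented ASA rule for interface ICMP: no rules on an interface means everything is accepted, otherwise the first match decides and anything unmatched hits the implicit deny.

```python
import ipaddress

# Constructed sample config modelled on the posts in these threads (not a real device).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.29.8.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.140 255.255.255.248
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any echo outside
"""

def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface with a static address."""
    ifaces, nameif = {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                       # new block: forget the previous name
        elif tok[0] == "nameif" and len(tok) == 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4 and nameif:
            try:
                ifaces[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            except ValueError:                  # e.g. "ip address dhcp setroute"
                pass
    return ifaces

def parse_pools(config):
    """Map pool name -> (first address, last address) from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "local", "pool"] and len(tok) >= 5:
            first, last = tok[4].split("-")
            pools[tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools

def pool_overlaps(config):
    """(pool, nameif) pairs where the pool range intersects an interface subnet."""
    ifaces, hits = parse_interfaces(config), []
    for pool, (first, last) in parse_pools(config).items():
        for nameif, addr in ifaces.items():
            net = addr.network
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, nameif))
    return hits

def parse_icmp_rules(config):
    """Parse 'icmp {permit|deny} {any|host A|A MASK} [type] IFACE' in config order."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue                            # skips 'icmp unreachable rate-limit ...'
        if tok[2] == "any":
            src, rest = ipaddress.ip_network("0.0.0.0/0"), tok[3:-1]
        elif tok[2] == "host":
            src, rest = ipaddress.ip_network(tok[3]), tok[4:-1]
        else:
            src, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[4:-1]
        rules.append({"action": tok[1], "src": src,
                      "type": rest[0] if rest else None,   # None = every ICMP type
                      "iface": tok[-1]})
    return rules

def icmp_to_interface_allowed(rules, iface, src_ip, icmp_type):
    """ASA rule for ICMP addressed to an interface: with no rules on that
    interface everything is accepted; otherwise first match wins and an
    unmatched packet falls through to the implicit deny."""
    iface_rules = [r for r in rules if r["iface"] == iface]
    if not iface_rules:
        return True
    src = ipaddress.ip_address(src_ip)
    for r in iface_rules:
        if src in r["src"] and r["type"] in (None, icmp_type):
            return r["action"] == "permit"
    return False

def audit(config):
    """Run both checks; the probe source addresses are constructed."""
    rules = parse_icmp_rules(config)
    return {"outside_ping_blocked": not icmp_to_interface_allowed(rules, "outside", "198.51.100.7", "echo"),
            "inside_ping_allowed": icmp_to_interface_allowed(rules, "inside", "172.29.8.5", "echo"),
            "pool_overlaps": pool_overlaps(config)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run as-is it reports on the constructed sample (outside ping blocked, inside ping allowed, and the pool flagged against `inside`); feed it the text of `show running-config` to audit a real box. One consequence the rule model makes visible: `icmp deny any echo outside` on its own also drops echo-reply, unreachable and time-exceeded messages addressed to the outside interface, because of the implicit deny that follows any configured rule set, so if the appliance itself needs those (its own pings, path MTU discovery), permit them explicitly ahead of the deny.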
Remote Access VPN Problem with ASA 5505
After about ~1 year of having the Cisco VPN Client connecting to a ASA 5505 without any problems, suddenly one day it stops working. The client is able to get a connection to the ASA and browse the local network for only about 30 seconds after connection. After that, no access is available to the network behind the ASA. I tried everything that I can think of to try and troubleshoot the problem, but at this point I am just banging my head against a wall. Does anyone know what could cause this?
Here is the running cfg of the ASA
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http **.**.***.*** 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
And here are the logs from the Cisco VPN Client when it browses, then fails to browse the network behind the ASA:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 09:44:55.677 10/01/13 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
2 09:44:55.677 10/01/13 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
3 09:44:55.693 10/01/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
4 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100002
Begin connection process
5 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100004
Establish secure connection
6 09:45:02.802 10/01/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "**.**.***.***"
7 09:45:02.802 10/01/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
8 09:45:02.818 10/01/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
9 09:45:02.865 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
10 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
11 09:45:02.896 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
12 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
13 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
14 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 09:45:02.896 10/01/13 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
17 09:45:02.927 10/01/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
18 09:45:02.927 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
19 09:45:02.927 10/01/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20 09:45:02.927 10/01/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
21 09:45:02.927 10/01/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 09:45:02.943 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23 09:45:02.943 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24 09:45:02.943 10/01/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 09:45:03.037 10/01/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
26 09:45:03.037 10/01/13 Sev=Info/4 CM/0x63100017
xAuth application returned
27 09:45:03.037 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
28 09:45:03.037 10/01/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
29 09:45:03.037 10/01/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
30 09:45:03.083 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
31 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
32 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
33 09:45:03.083 10/01/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
34 09:45:03.083 10/01/13 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
35 09:45:03.083 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
36 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
37 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
38 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
39 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
40 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
41 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
42 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
43 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.2.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
45 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
46 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710
47 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
48 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
49 09:45:03.146 10/01/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
50 09:45:03.146 10/01/13 Sev=Info/4 CM/0x63100019
Mode Config data received
51 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
52 09:45:03.146 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
53 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
54 09:45:03.177 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
55 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
56 09:45:03.177 10/01/13 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
57 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
58 09:45:03.193 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
59 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
60 09:45:03.193 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to **.**.***.***
61 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=967A3C93 OUTBOUND SPI = 0xAAAF4C1C INBOUND SPI = 0x3EBEBFC5)
62 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xAAAF4C1C
63 09:45:03.193 10/01/13 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x3EBEBFC5
64 09:45:03.193 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
65 09:45:03.521 10/01/13 Sev=Info/6 CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
66 09:45:03.896 10/01/13 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.70/255.255.255.0
DNS=192.168.2.1,8.8.8.8
WINS=0.0.0.0,0.0.0.0
Domain=NCHCO.local
Split DNS Names=
67 09:45:03.912 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261
68 09:45:07.912 10/01/13 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
69 09:45:07.912 10/01/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
**.**.***.*** 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261
70 09:45:07.912 10/01/13 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
71 09:45:07.912 10/01/13 Sev=Info/4 CM/0x6310001A
One secure connection established
72 09:45:07.943 10/01/13 Sev=Info/4 CM/0x6310003B
Address watch added for 96.11.251.149. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73 09:45:07.943 10/01/13 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74 09:45:07.943 10/01/13 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
75 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
76 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
77 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x1c4cafaa into key list
78 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
79 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xc5bfbe3e into key list
80 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
81 09:45:07.943 10/01/13 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 96.11.251.149. SG: **.**.***.***
82 09:45:07.943 10/01/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
83 09:45:13.459 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
84 09:45:13.459 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205276
85 09:45:13.474 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
86 09:45:13.474 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
87 09:45:13.474 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205276, seq# expected = 107205276
88 09:45:15.959 10/01/13 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0x1c4cafaa for inbound key with SPI=0xc5bfbe3e
89 09:46:00.947 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
90 09:46:00.947 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205277
91 09:46:01.529 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
92 09:46:01.529 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
93 09:46:01.529 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205277, seq# expected = 107205277
94 09:46:11.952 10/01/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to **.**.***.***
95 09:46:11.952 10/01/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to **.**.***.***, our seq# = 107205278
96 09:46:11.979 10/01/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
97 09:46:11.979 10/01/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from **.**.***.***
98 09:46:11.979 10/01/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from **.**.***.***, seq# received = 107205278, seq# expected = 107205278
Any help would be appreciated, thanks!
I made the change that you requested by moving the VPN pool to the 192.168.3.0 network. Unfortunately, now traffic isn't flowing to the inside network at all. I was going to make a specific route as you suggested, but as far as I can see the routes are already being created correctly on the VPN client's end.
Here is the route print off of the computer behind the (test) client:
===========================================================================
Interface List
21...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
10...00 15 5d 01 02 01 ......Microsoft Hyper-V Network Adapter
15...00 15 5d 01 02 02 ......Microsoft Hyper-V Network Adapter #2
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
69.61.228.178 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 On-link 96.11.251.149 261
96.11.251.149 255.255.255.255 On-link 96.11.251.149 261
96.11.251.255 255.255.255.255 On-link 96.11.251.149 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.3 261
192.168.1.3 255.255.255.255 On-link 192.168.1.3 261
192.168.1.255 255.255.255.255 On-link 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.3.1 192.168.3.70 100
192.168.3.0 255.255.255.0 On-link 192.168.3.70 261
192.168.3.70 255.255.255.255 On-link 192.168.3.70 261
192.168.3.255 255.255.255.255 On-link 192.168.3.70 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.3 261
224.0.0.0 240.0.0.0 On-link 96.11.251.149 261
224.0.0.0 240.0.0.0 On-link 192.168.3.70 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.3 261
255.255.255.255 255.255.255.255 On-link 96.11.251.149 261
255.255.255.255 255.255.255.255 On-link 192.168.3.70 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 96.11.251.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 1020 ::/0 2002:c058:6301::c058:6301
14 1020 ::/0 2002:c058:6301::1
1 306 ::1/128 On-link
14 1005 2002::/16 On-link
14 261 2002:600b:fb95::600b:fb95/128
On-link
15 261 fe80::/64 On-link
10 261 fe80::/64 On-link
21 261 fe80::/64 On-link
10 261 fe80::64ae:bae7:3dc0:c8c4/128
On-link
21 261 fe80::e9f7:e24:3147:bd/128
On-link
15 261 fe80::f116:2dfd:1771:125a/128
On-link
1 306 ff00::/8 On-link
15 261 ff00::/8 On-link
10 261 ff00::/8 On-link
21 261 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
And here is the updated running config in case you need it:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
host 192.168.2.11
object service rdp
service tcp source range 1 65535 destination eq 3389
description rdp
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
access-list outside_specific_blocks extended deny ip host 121.168.66.35 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
ip local pool VPN_Split_Pool 192.168.3.70-192.168.3.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
object network FINX
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh 96.11.251.186 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Split_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Split_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Split_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9e8466cd318c0bd35bc660fa65ba7a03
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Thanks again for your help,
Matthew -
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs, please let me know if you need anything else. I'm stumped on this one. Thanks.
IP scheme at Site A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Cisco 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
I have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
on the router I have also added;
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my acl :
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping to the other site.
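The follow-up above edits the interesting-traffic ACLs on both peers. Two things a practitioner checks on a site-to-site tunnel that will not pass traffic are that the two crypto ACLs are exact mirror images of each other (the router's 101 and the ASA's 110 here) and that the inbound interface ACL lets IKE and ESP reach the router at all, since any entry placed after a `deny ip any any` is never evaluated (ACL 102 above has its `deny ip any any log` ahead of the SITE B isakmp/esp permits). The checker below is an added example and not code from the post: it parses IOS wildcard-style and ASA netmask-style extended ACL lines, rejects non-contiguous wildcards such as the `0.0.0.65` in the amended router line, reports crypto-ACL entries that have no mirror on the other side, and lists shadowed entries. The sample lines are constructed after the ACLs quoted above, with the poster's redacted public IPs replaced by RFC 5737 documentation addresses (203.0.113.x); `Entry`, `check_crypto_acls` and the other names are the example's own.

```python
"""Sanity checks for Cisco ACL text: crypto-ACL mirroring and shadowed entries.
Added example, not code from the post; sample lines are constructed after the
ACLs quoted above, redacted public IPs replaced by 203.0.113.x (RFC 5737)."""
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "action proto src dst extra")


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network; a wildcard must be a run of
    low-order one bits (0.0.0.63, 0.0.0.127), so 0.0.0.65 is rejected as a typo."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} after {addr}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _take_address(tokens, ios):
    """Pop one address spec (any | host X | X mask-or-wildcard) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    mask = tokens.pop(0)
    if ios:
        return wildcard_to_network(tok, mask)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)  # ASA dotted netmask


def parse_acl_line(line, ios):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [qualifiers]'.
    ios=True reads wildcards, ios=False ASA netmasks; remark lines return None."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "remark" in tokens[:3]:
        return None
    tokens = tokens[2:]
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_address(tokens, ios), _take_address(tokens, ios)
    # Port qualifiers and 'established' stay in .extra; 'log' is not a match term.
    return Entry(action, proto, src, dst, tuple(t for t in tokens if t != "log"))


def mirror_mismatches(side_a, side_b):
    """Entries on each side with no mirror image (src/dst swapped) on the other;
    both IKE peers must agree on the proxy identities or phase 2 never comes up."""
    def mirrored(e, other):
        return any(o.proto == e.proto and o.src == e.dst and o.dst == e.src for o in other)
    return ([e for e in side_a if not mirrored(e, side_b)],
            [e for e in side_b if not mirrored(e, side_a)])


def shadowed_entries(entries):
    """(index, shadowing_index) pairs for entries no packet can reach: an earlier
    entry with the same or 'ip' protocol, containing src and dst, and carrying no
    qualifier the later one lacks, wins first-match evaluation."""
    found = []
    for j, later in enumerate(entries):
        for i, earlier in enumerate(entries[:j]):
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (not earlier.extra or earlier.extra == later.extra)):
                found.append((j, i))
                break
    return found


def check_crypto_acls(router_lines, asa_lines):
    """Return (parse_errors, router_only, asa_only) for a router/ASA crypto ACL pair."""
    errors, sides = [], ([], [])
    for lines, ios, out in ((router_lines, True, sides[0]), (asa_lines, False, sides[1])):
        for line in lines:
            try:
                entry = parse_acl_line(line, ios)
            except ValueError as exc:
                errors.append(f"{line}: {exc}")
                continue
            if entry:
                out.append(entry)
    return (errors,) + mirror_mismatches(*sides)


# Constructed samples: the amended router ACL 101 (wildcard as in the post), the same
# line with a contiguous wildcard, the ASA crypto ACL 110, and an inbound ACL shaped
# like the router's 102 with permits placed after 'deny ip any any'.
ROUTER_CRYPTO_ACL = ["access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65"]
ROUTER_CRYPTO_ACL_FIXED = ["access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63"]
ASA_CRYPTO_ACL = [
    "access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128",
    "access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128"]
ROUTER_INBOUND_ACL = [
    "access-list 102 permit udp any host 203.0.113.1 eq isakmp",
    "access-list 102 permit esp any host 203.0.113.1",
    "access-list 102 permit icmp any any echo-reply",
    "access-list 102 permit icmp any any",
    "access-list 102 deny ip any any log",
    "access-list 102 permit tcp any host 172.19.3.140 eq ftp",
    "access-list 102 permit udp any host 203.0.113.2 eq isakmp",
    "access-list 102 permit esp any host 203.0.113.2"]

if __name__ == "__main__":
    print("parse errors:", check_crypto_acls(ROUTER_CRYPTO_ACL, ASA_CRYPTO_ACL)[0])
    print("unmirrored ASA entries:", check_crypto_acls(ROUTER_CRYPTO_ACL_FIXED, ASA_CRYPTO_ACL)[2])
    print("shadowed (entry, by):", shadowed_entries([parse_acl_line(l, True) for l in ROUTER_INBOUND_ACL]))
```

Run as a script it flags the `0.0.0.65` wildcard, reports that the ASA's entry towards 172.19.3.0/25 has no mirror in the router's amended ACL, and lists the three entries after `deny ip any any log` as unreachable. The same first-match logic applies to the ASA's `icmp permit any outside` line in the Site B config, which precedes both the narrower `icmp permit` lines and the closing `icmp deny any outside`.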