Cisco ASA 5505 IPSEC, one endpoint behind NAT device
We have two Cisco ASA 5505 devices.
Both are identical, however, one of them is behind a NAT device.
We are attempting to create an IPSEC network.
Site fg:
<ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
Site be:
<ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
USG1: UDP port 500/4500 forwarded to 192.168.4.50
It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
We verified / attempted the following:
- NAT excemption on both sides for IPSEC subnets
- Mirror image crypto maps
- Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
- Toggled between static to dynamic crypto maps on ASA1
Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT excemption.
Does anyone have any idea?
195.txt contains show running-config of ASA3
212.txt contains show running-config of ASA1
log.txt contains somewhat entire log snipper of ASA1
Hi,
on 212 is see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji.
Similar Messages
-
Cisco ASA 5505 Ipsec VPN and random connection dropping issues.
Hello,
We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks. For some reason, the VPN tends to randomly disconnect any user clients connected a lot. Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server. We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem. Sometimes users close out of VPN client completely, reopen several times and then it works. However it's never really consistent enough and hasn't been the last few weeks. No configuration changes have been made to ASA at all. Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
Directly below is our current running config (modded for public). Any help or ideas would be greatly appreciated. Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
: Saved
ASA Version 8.4(2)
hostname domainasa
domain-name adomain.local
enable password cTfsR84pqF5Xohw. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 205.101.1.240 255.255.255.248
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.2.60
domain-name adomain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SBS_2011
host 192.168.2.60
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.192_
27
subnet 192.168.5.192 255.255.255.224
object network Https_Access
host 192.168.2.90
description Spam Hero
object-group network DM_INLINE_NETWORK_1
network-object object SPAM1
network-object object SPAM2
network-object object SPAM3
network-object object SPAM4
network-object object SPAM5
network-object object SPAM6
network-object object SPAM7
network-object object SPAM8
object-group service RDP tcp
description Microsoft RDP
port-object eq 3389
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
access-list outside_access_in extended permit tcp any object SBS_2011 eq https
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in remark External RDP Access
access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
ip local pool VPN_Users 192.168.5.194-192.168.5.22
0 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
NETWORK_OBJ_192.168.2.0_24
destination static NETWORK_OBJ_192.168.5.192_
27 NETWORK_OBJ_192.168.5.192_
27 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network SBS_2011
nat (inside,outside) static interface service tcp smtp smtp
object network Https_Access
nat (inside,outside) static interface service tcp https https
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
rd DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.160-192.168.2.19
9 inside
dhcpd dns 192.168.2.60 24.29.99.36 interface inside
dhcpd wins 192.168.2.60 24.29.99.36 interface inside
dhcpd domain adomain interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy domain internal
group-policy domain attributes
wins-server value 192.168.2.60
dns-server value 192.168.2.60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value adomain.local
username ben password zWCAaitV3CB.GA87 encrypted privilege 0
username ben attributes
vpn-group-policy domain
username sdomain password FATqd4I1ZoqyQ/MN encrypted
username sdomain attributes
vpn-group-policy domain
username adomain password V5.hvhZU4S8NwGg/ encrypted
username adomain attributes
vpn-group-policy domain
service-type admin
username jdomain password uODal3Mlensb8d.t encrypted privilege 0
username jdomain attributes
vpn-group-policy domain
service-type admin
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool VPN_Users
default-group-policy domain
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e2466a5b754
eebcdb0cef
f051bef91d
9
: end
no asdm history enable
Thanks againHello Belnet,
What do the logs show from the ASA.
Can you post them ??
Any other question..Sure..Just remember to rate all of the community answers.
Julio -
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
where for destination network 10.92.0.0/16 there is only one child sa:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
Thanks
JonathanHi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL
Hi all.
we have following IPSec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
We are not able to reach from 172.22.20.x ips 172.27.99.x.
It seems so that the phase2 for this subnet is missing…...... as long as we try to reach from 172.27.99.x any ip in 172.22.20.x.
We are using similar configuration on many sites and it works correctly expect sites with DSL line.
We can exclude problem with NAT,ACL or routing. The connection is working fine as long as “we open all phase 2 manually” . After re-open (idle timeout) the tunnel the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx : 423634 Bytes Rx : 450526
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 79756 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 312546 Bytes Rx : 361444
Pkts Tx : 3745 Pkts Rx : 3785
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 50014 Bytes Rx : 44621
Pkts Tx : 496 Pkts Rx : 503
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 61074 Bytes Rx : 44461
Pkts Tx : 402 Pkts Rx : 437
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 6648 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
.... after ping from 172.27.99.x any ip in 172.22.20.x.
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx : 784455 Bytes Rx : 1808965
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 78553 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 652492 Bytes Rx : 1705136
Pkts Tx : 7419 Pkts Rx : 7611
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 60128 Bytes Rx : 52359
Pkts Tx : 587 Pkts Rx : 594
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 70949 Bytes Rx : 50684
Pkts Tx : 475 Pkts Rx : 514
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 961 Bytes Rx : 871
Pkts Tx : 17 Pkts Rx : 14
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 7852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :Hi,
on 212 is see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji. -
Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts
I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
I suspect it may be an issue with my firewall, but I am not really sure where to begin.
Here is a copy of my config, any pointers or tips are aprpeciated:
hostname mcfw
enable password Pt8fQ27yMZplioYq encrypted
passwd 2qaO2Gd6IBRkrRFm encrypted
names
interface Ethernet0/0
switchport access vlan 400
interface Ethernet0/1
switchport access vlan 400
interface Ethernet0/2
switchport access vlan 420
interface Ethernet0/3
switchport access vlan 420
interface Ethernet0/4
switchport access vlan 450
interface Ethernet0/5
switchport access vlan 450
interface Ethernet0/6
switchport access vlan 500
interface Ethernet0/7
switchport access vlan 500
interface Vlan400
nameif outside
security-level 0
ip address 58.13.254.10 255.255.255.248
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 58.13.254.11
network-object host 58.13.254.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
port-object eq 9000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
access-list outside_access_in remark ssh from outside to hub & studio
access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to hub
access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm debugging
logging from-address [email protected]
logging recipient-address [email protected] level warnings
logging host dmz 192.168.10.90 format emblem
logging permit-hostdown
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 59.159.40.188 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable outside
crypto isakmp enable public
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
dhcpd address 192.168.10.190-192.168.10.195 dmz
dhcpd enable dmz
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol l2tp-ipsec
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol IPSec
username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group ocmc type remote-access
tunnel-group ocmc general-attributes
address-pool OfficePool
tunnel-group ocmc ipsec-attributes
pre-shared-key *****
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
address-pool VPN_Pool
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 192.168.10.10
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
: end
asdm location 192.168.10.10 255.255.255.255 inside
asdm location 192.168.0.29 255.255.255.255 inside
asdm location 58.13.254.10 255.255.255.255 inside
no asdm history enableHi Conor,
What is your local net ? I see only one default route for outside network. Dont you need a route inside for your local network.
Regards,
Umair -
Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect
I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
Any assistance would be appreciated.
ASA Version 8.2(1)
hostname KRPS-FW
domain-name lottonline.org
enable password uniQue
passwd uniQue
names
interface Vlan1
nameif inside
security-level 100
ip address 10.20.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
description Inside Network on VLAN1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
description Inside Network on VLAN1
ftp mode passive
dns server-group DefaultDNS
domain-name lottonline.org
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.20.30.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 1 match address KWPS-BITP
crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ssh timeout 5
console timeout 0
management-access inside
tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
tunnel-group xxx.xxx.xxx.001 ipsec-attributes
pre-shared-key somekeyHi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
Cisco ASA 5505 Site to Site VPN Problem
Hi All,
We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
We can establish the vpn tunnel and all users in the remote office are working great. However at a random point during the day or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
When I dial into the modem which is connected to the firewall I see the following messages in the logs:
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
I have checked both firewalls for any mis-matched parameters and do not see any.
Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
Thanks!Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
hostname
domain-name
enable passwordpasswd names
interface Vlan701
nameif inside
security-level 100
ip address 10.65.0.69 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ****** 255.255.255.248
interface Ethernet0/0
description Link to Internet
switchport access vlan 999
interface Ethernet0/1
description
switchport access vlan 701
interface range Ethernet0/2 - 0/7
switchport access vlan 2
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name******
access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap warnings
logging asdm informational
logging host outside *****
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route inside ******
route outside 0.0.0.0 0.0.0.0 ********
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
snmp-server location **:
snmp-server contact **
snmp-server community shortkey
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto map CASGMAP 50 match address 101
crypto map CASGMAP 50 set pfs group1
crypto map CASGMAP 50 set peer ********
crypto map CASGMAP 50 set transform-set 3desmd5
crypto map CASGMAP 50 set security-association lifetime seconds 3600
crypto map CASGMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet **** inside
telnet timeout 5
ssh **** inside
ssh **** outside
ssh timeout 5
console timeout 30
management-access inside
dhcpd ping_timeout 750
priority-queue outside
ntp server **
username ***
tunnel-group ******** type ipsec-l2l
tunnel-group ******** ipsec-attributes
pre-shared-key ***
class-map VoIP
match dscp ef
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map General-purpose
class VoIP
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
service-policy General-purpose interface outside
prompt hostname context -
Cisco ASA 5505 VPN Routing/Networking Question
I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs. I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses. I would like to install a second Cisco ASA 5505 in a remote branch office as its peer.
Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center? I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible. It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices as the Data Center, allowing it to decide where the traffic should go.
What am I missing? Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?You can do it in several different ways.
One way is to tell the server that if it has traffic to network x then it needs to go to the ASA all other traffic is to head for the default gateway.
In windows this is done via the route command
do not forget to make it "persistent" otherwise the route will disapear when your reboot the server.
in unix/linux
It is also the route command
Or you can tell your "default gateway" to route that network to the ASA
Good luck
HTH -
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3
Nov 21 2012
07:11:09
713061
Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5
Nov 21 2012
07:11:09
713119
Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
MichaelHi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on the Phase2 and see if you get anymore hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues
Hey all,
I am really new to Cisco and am trying to get this Cisco ASA 5505 configured that I bought recently configured properly.
Things I have successfully been able to do:
1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
2. Create static routes to point to all of my vlans that are currently being being routed through my layer 3 SG-300
3. Install and run ASDM 7.3(2)
4. Went through the start-up wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses. So I congured my device with NAT and put in the range the first usable IP address outside of the one I configured for the direct connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy.
http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
Attached is a copy of my running-config and version. Any help with this would be greatly appreciated.Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
So your Exchange server in the 10.10.12.0/24 subnet will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well. -
How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR. I'm able to Ping the Actiontec external IP. I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.
What do I need to configure on the Actiontec to make this work?
Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface. At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA. However, at home, I cannot go to the Internet while using the VPN client.
Thanks for any help.
Steve
Solved!
Go to Solution.http://www.dslreports.com/faq/verizonfios/3.0_Networking
those are the best sample config's and resources on how to set the FiOS network
Bridging is possible but difficult. That link will give you great info on it.
Are you a FiOS customer that has phone/internet/tv
or no tv? or no phone? You have to be careful on your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, or the VOD or the Widgets.
Sorry the Portforwarding wasn't enough to resolve your issue, I am not sure that it's a Actiontec config you are looking for, from my understanding of Cisco's and FiOS it may be something behind the cisco that is causing an issue. You may want to reach out to the Cisco admin that manages that, and find out if there are additional ports that are required and then you can come back and configure those ports too. -
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enable the following:
Nat Exemption
Sysopt connection permit-vpn
ACL's
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!Hi,
I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
object network acvpnpool
subnet <anyconnect VPN Subnet>
object network insidelan
subnet <inside lan subnet>
nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
Regards
Karthik -
Setting up site to site vpn with cisco asa 5505
I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
IP of remote office router is 71.37.178.142
IP of the main office firewall is 209.117.141.82
Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password TMACBloMlcBsq1kp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username [email protected] password ********* store-local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
: end
ciscoasa#
Thanks!Hi Mandy,
By using following access list define Peer IP as source and destination
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
you are not defining the interesting traffic / subnets from both ends.
Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
!.1..source subnet(called local encryption domain) at your end 192.168.200.0
!..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
!..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
!...at your end 192.168.200.0
!..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
!...at other end 192.168.100.0
Please use Baisc Steps as follows:
A. Configuration in your MAIN office having IP = 209.117.141.82 (follow step 1 to 6)
Step 1.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
Step 2.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 3.
Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 71.37.178.142
or , but not both
crypto isakmp key 6 CISCO123 address71.37.178.142
step 4.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 5.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 6.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Configure the same but just change ACL on other end in step one by reversing source and destination
and also set the peer IP of this router in other end.
So other side config should look as follows:
B. Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
Step 7.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
Step 8.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 9.
Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 209.117.141.82
or , but not both
crypto isakmp key 6 CISCO123 address 209.117.141.82
step 10.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 11.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set, only one is permissible
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 12.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Now initite a ping
Here is for your summary:
IPSec: Site to Site - Routers
Configuration Steps
Phase 1
Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
Step 2: Configure ISAKMP Policy
Step 3: Configure ISAKMP Key
Phase 2
Step 4: Configure Transform Set
Step 5: Configure Crypto Map
Step 6: Apply Crypto Map to an Interface
To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
Router#debug crpyto isakmp
Router#debug crpyto ipsec
Router(config)# logging buffer 7
Router(config)# logging buffer 99999
Router(config)# logging console 6
Router# clear logging
Configuration
In R1:
(config)# access-list 101 permit ipo host 10.1.1.1 host 10.1.2.1
(config)# crypto isakmp policy 10
(config-policy)# encryption 3des
(config-policy)# authentication pre-share
(config-policy)# group 2
(config-policy)# hash sha1
(config)# crypto isakmp key 0 cisco address 2.2.2.1
(config)# crypto ipsec transform-set TSET esp-3des sha-aes-hmac
(config)# crypto map CMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 2.2.2.1
(config-crypto-map)# match address 101
(config-crypto-map)# set transform-set TSET
(config)# int f0/0
(config-if)# crypto map CMAP
Similarly in R2
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Change to Transport Mode, add the following command in Step 4:
(config-tranform-set)# mode transport
Even after doing this change, the ipsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to ACL.
Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
(config)# crypto isakmp peer address 2.2.2.1
(config-peer)# set aggressive-mode password cisco
(config-peer)# set aggressive-mode clien-endpoint ipv4-address 2.2.2.1
Similarly on R2.
The below process is for the negotiation using RSA-SIG (PKI) as authentication type
Debug Process:
After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase1) negotiation. Important messages are marked in BOLD and explanation in RED
R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Mar 2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in Security Association Database (SADB)
Mar 2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar 2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar 2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar 2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar 2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE
Mar 2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar 2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar 2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar 2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:18:42.947: ISAKMP: encryption 3DES-CBC
Mar 2 16:18:42.947: ISAKMP: hash SHA
Mar 2 16:18:42.947: ISAKMP: default group 2
Mar 2 16:18:42.947: ISAKMP: auth RSA sig
Mar 2 16:18:42.947: ISAKMP: life type in seconds
Mar 2 16:18:42.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar 2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar 2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar 2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:43.007: Choosing trustpoint CA_Server as issuer
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar 2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar 2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.011: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : R2
protocol : 17
port : 500
length : 10
Mar 2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar 2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar 2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar 2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar 2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : ASA1
protocol : 0
port : 0
length : 12
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar 2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar 2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar 2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar 2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar 2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar 2 16:18:43.067: ISAKMP:received payload type 17
Mar 2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar 2 16:18:43.067: ISAKMP:(1008):SA authentication status:
authenticated
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/, and inserted successfully 46519678. // SA inserted into SADB
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar 2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar 2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar 2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar 2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar 2 16:18:43.079: ISAKMP: attributes in transform:
Mar 2 16:18:43.079: ISAKMP: SA life type in seconds
Mar 2 16:18:43.079: ISAKMP: SA life duration (basic) of 3600
Mar 2 16:18:43.079: ISAKMP: SA life type in kilobytes
Mar 2 16:18:43.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 2 16:18:43.079: ISAKMP: encaps is 1 (Tunnel)
Mar 2 16:18:43.079: ISAKMP: authenticator is HMAC-SHA
Mar 2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar 2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Kindly rate if you find the explanation useful !!
Best Regards
Sachin Garg -
Cisco ASA 5505 - 2 internal Networks
Hi new to ASA's,
Been trying to get the following setup working for ages but can't see what I am missing:
(Got image from another post but exactly what I want but cannot get working)
I can get ping between subnets but nothing else and Lan 2 cannot get to internet.
The reolution for this guy was the following I believe; (from his config he has ASA v8.2)
same-security-traffic permit intra-interface
access-list NONAT permit ip 192.168.50.0 255.255.255.0 10.0.50.0255.255.255.0
access-list NONAT permit ip 10.0.50.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
I have tried this but I have ASA v8.4 and whilst commands 1 - 3 work command 4 doesn't.
I get a message about the command being deprecated. I couldn't find a new version I could understand.
Hope nothing stupid and simple but any help greatly appreciated.
BTW, I have reset my ASA back to defaults except internet access is working and internet LAN as I made some many changes I feared one my conflict with the other.
Many thanks for any views or help.Hi Jumora,
Thanks for the reply.
The 192 network behind the ASA can access the internet but the 10 network past the 1841 router can't.
I have setup tcp bypass already as that got me at least remote access to the PC's on the 10 network from the 192 network.
I had the 1841 router set to use the interface on the 192 subnet as the route to the 0.0.0.0 0.0.0.0 network but I couldn't get out but have just changed this to go to the inside interface of the ASA and can now ping 8.8.8.8 for example but still not internet access.
Also I have found that the ASA seems to occasionally when it feels like it block pings from the 10 subnet to devices in the 192 subnet...... annoying for testing! but I can still access shares even though the ping fails.
e.g. as per above yesterday it stopped when I enabled icmp error inspection but when I switched that off it worked again. Then suddenly again today with no changes it has stopped working again, drives me nuts the inconsistency!
I couldn't find an attach option for the show tech so it has made this post massive.... apologies for that....
ASA5505# show tech
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(9)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
ASA5505 up 8 days 23 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 4403.a7a2.e7c7, irq 11
1: Ext: Ethernet0/0 : address is 4403.a7a2.e7bf, irq 255
2: Ext: Ethernet0/1 : address is 4403.a7a2.e7c0, irq 255
3: Ext: Ethernet0/2 : address is 4403.a7a2.e7c1, irq 255
4: Ext: Ethernet0/3 : address is 4403.a7a2.e7c2, irq 255
5: Ext: Ethernet0/4 : address is 4403.a7a2.e7c3, irq 255
6: Ext: Ethernet0/5 : address is 4403.a7a2.e7c4, irq 255
7: Ext: Ethernet0/6 : address is 4403.a7a2.e7c5, irq 255
8: Ext: Ethernet0/7 : address is 4403.a7a2.e7c6, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 50 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX3434343T
Running Permanent Activation Key: 0x8509ef7f 0x2cff5895 0xa4675895 0x7989798 0xc1323132
Configuration register is 0x1
Configuration last modified by enable_15 at 16:21:28.863 UTC Wed Oct 23 2013
------------------ show disk0: controller ------------------
Flash Model: SMART CF
------------------ show clock ------------------
04:43:59.822 UTC Thu Oct 24 2013
------------------ show crashinfo ------------------
No crash file found.
------------------ show module ------------------
Mod Card Type Model Serial No.
0 ASA 5505 Adaptive Security Appliance ASA5505 JMX3434343T
Mod MAC Address Range Hw Version Fw Version Sw Version
0 1255.a3a4.e3bf to 1233.a4a4.e4c4 0.1 1.0(12)13 8.4(4)1
Mod SSC Application Name Status SSC Application Version
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
------------------ show memory ------------------
Free memory: 283382600 bytes (53%)
Used memory: 253488312 bytes (47%)
Total memory: 536870912 bytes (100%)
------------------ show conn count ------------------
76 in use, 704 most used
------------------ show xlate count ------------------
80 in use, 814 most used
------------------ show vpn-sessiondb summary ------------------
No sessions to display.
------------------ show blocks ------------------
SIZE MAX LOW CNT
0 400 399 400
4 100 99 99
80 347 332 347
256 200 192 195
1550 6374 6306 6371
2048 1200 1199 1200
2560 264 264 264
4096 100 99 100
8192 100 99 100
16384 100 99 100
65536 16 15 16
CORE LIMIT ALLOC HIGH CNT FAILED
0 24576 26 26 25 0
------------------ show blocks queue history detail ------------------
History buffer memory usage: 2832 bytes (default)
History analysis time limit: 100 msec
Please see 'show blocks exhaustion snapshot' for more information
------------------ show interface ------------------
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7bf, MTU not set
IP address unassigned
8257648 packets input, 9051289473 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
6222 switch ingress policy drops
6399241 packets output, 1011134108 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c0, MTU not set
IP address unassigned
1330699 packets input, 312264395 bytes, 0 no buffer
Received 63097 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
1738131 packets output, 637935280 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 4
Interface config status is active
Interface state is active
Interface Ethernet0/2 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c1, MTU not set
IP address unassigned
5028958 packets input, 693527818 bytes, 0 no buffer
Received 28835 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1 switch ingress policy drops
7782140 packets output, 8316018900 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 5
Interface config status is active
Interface state is active
Interface Ethernet0/3 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c2, MTU not set
IP address unassigned
17048409 packets input, 21350059442 bytes, 0 no buffer
Received 75081 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
18 switch ingress policy drops
8319277 packets output, 5138543287 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active
Interface Ethernet0/4 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c3, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 7
Interface config status is not active
Interface state is active
Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c4, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 8
Interface config status is not active
Interface state is active
Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c5, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 9
Interface config status is not active
Interface state is active
Interface Ethernet0/7 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c6, MTU not set
IP address unassigned
7293552 packets input, 4521902362 bytes, 0 no buffer
Received 6520 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
16232858 packets output, 21234947011 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 4403.a2a2.e2c2, MTU not set
IP address unassigned
15222257 packets input, 10134321711 bytes, 0 no buffer
Received 173531 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
15128507 packets output, 10256870512 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (512/487)
output queue (blocks free curr/low): hardware (512/450)
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Interface Internal-Data0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0000.0003.0002, MTU not set
IP address unassigned
15128465 packets input, 10256855882 bytes, 0 no buffer
Received 1967 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 switch ingress policy drops
15222217 packets output, 10134318430 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 11
Interface config status is active
Interface state is active
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 4403.a7a2.e7c7, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
4183727 packets input, 523675346 bytes
5702790 packets output, 5851485425 bytes
142576 packets dropped
1 minute input rate 22 pkts/sec, 2839 bytes/sec
1 minute output rate 30 pkts/sec, 22751 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 33 pkts/sec, 3746 bytes/sec
5 minute output rate 46 pkts/sec, 20906 bytes/sec
5 minute drop rate, 1 pkts/sec
Control Point Interface States:
Interface number is 14
Interface config status is active
Interface state is active
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 4403.a7a2.e7c7, MTU 1492
IP address 98.22.77.33, subnet mask 255.255.255.255
Traffic Statistics for "outside":
10541983 packets input, 11433817622 bytes
3793777 packets output, 526586888 bytes
13654 packets dropped
1 minute input rate 47 pkts/sec, 41657 bytes/sec
1 minute output rate 18 pkts/sec, 2802 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 80 pkts/sec, 38519 bytes/sec
5 minute output rate 29 pkts/sec, 3749 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 15
Interface config status is active
Interface state is active
Interface Virtual0 "_internal_loopback", is up, line protocol is up
Hardware is Virtual MAC address 0000.0000.0000, MTU 1500
IP address 127.0.0.1, subnet mask 255.255.255.0
Traffic Statistics for "_internal_loopback":
1 packets input, 28 bytes
1 packets output, 28 bytes
1 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 12
Interface config status is active
Interface state is active
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 12%; 1 minute: 8%; 5 minutes: 8%
------------------ show cpu hogging process ------------------
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 1, MAXHOG: 23, LASTHOG: 23
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x0853e1f4 (suspend)
Process: Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 23, LASTHOG: 23
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x0853e1f4 (suspend)
Call stack: 0x0853e1f4 0x0853ec36 0x0854182c 0x0869cc4b 0x08415ae7 0x0840ae40 0x0806e6cf
0x08aade2b 0x0806e6cf 0x084a0a44 0x0849986d 0x08499aac 0x08499dd6 0x084a0909
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 2, MAXHOG: 18, LASTHOG: 18
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x0853fb48 (suspend)
Process: Unicorn Admin Handler, NUMHOG: 2, MAXHOG: 18, LASTHOG: 18
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x0853fb48 (suspend)
Call stack: 0x0853fb48 0x0853fd1d 0x0853e1bc 0x0853ec36 0x0854182c 0x0869cc4b 0x08415ae7
0x0840ae40 0x0806e6cf 0x08aade2b 0x0806e6cf 0x084a0a44 0x0849986d 0x08499aac
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 2, MAXHOG: 24, LASTHOG: 24
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x084167d2 (suspend)
Process: Unicorn Admin Handler, NUMHOG: 2, MAXHOG: 24, LASTHOG: 24
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x084167d2 (suspend)
Call stack: 0x08538afd 0x0853fa3a 0x0853fd1d 0x0853e1bc 0x0853ec36 0x0854182c 0x0869cc4b
0x08415ae7 0x0840ae40 0x0806e6cf 0x08aade2b 0x0806e6cf 0x084a0a44 0x0849986d
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 1, MAXHOG: 12, LASTHOG: 12
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x08ee9b4e (suspend)
Process: Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 12, LASTHOG: 12
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x08ee9b4e (suspend)
Call stack: 0x08ee9e12 0x084a1032 0x0849986d 0x08499aac 0x08499dd6 0x084a0909 0x080689bc
Process: Dispatch Unit, PROC_PC_TOTAL: 2, MAXHOG: 12, LASTHOG: 12
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x081e208a (suspend)
Process: Dispatch Unit, NUMHOG: 2, MAXHOG: 12, LASTHOG: 12
LASTHOG At: 06:01:57 UTC Oct 15 2013
PC: 0x081e208a (suspend)
Call stack: 0x081e208a 0x080689bc
Process: Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 180, LASTHOG: 180
LASTHOG At: 07:24:33 UTC Oct 19 2013
PC: 0x0806a8c2 (suspend)
Call stack: 0x0806a8c2 0x08a8ebd7 0x08a8f7c8 0x08a914fa 0x080ddd6f 0x080df9db 0x080f4132
0x080f5b16 0x080dd956 0x080de0ef 0x080de876 0x080dea37 0xdd6e6c1c 0xdd6e71b5
Process: rtcli async executor process, NUMHOG: 14, MAXHOG: 94, LASTHOG: 82
LASTHOG At: 07:28:06 UTC Oct 19 2013
PC: 0x08f262e3 (suspend)
Call stack: 0x0806a881 0x08f262e3 0x08f432a2 0x09064ba8 0x0903dfa9 0x0904f88d 0x0903ed70
0x09036221 0x0903d29b 0x0903d49f 0x09035ffa 0x09055321 0x0903dfa9 0x0904f88d
Process: rtcli async executor process, PROC_PC_TOTAL: 27, MAXHOG: 319, LASTHOG: 88
LASTHOG At: 07:28:06 UTC Oct 19 2013
PC: 0x08f4212d (suspend)
Process: rtcli async executor process, NUMHOG: 27, MAXHOG: 319, LASTHOG: 88
LASTHOG At: 07:28:06 UTC Oct 19 2013
PC: 0x08f4212d (suspend)
Call stack: 0x08069faa 0x08f4212d 0x08f260b6 0x08f27b85 0x08f27c35 0xcb147b98
Process: rtcli async executor process, PROC_PC_TOTAL: 12, MAXHOG: 45, LASTHOG: 10
LASTHOG At: 07:28:14 UTC Oct 19 2013
PC: 0x08f2594b (suspend)
Process: rtcli async executor process, NUMHOG: 12, MAXHOG: 45, LASTHOG: 10
LASTHOG At: 07:28:14 UTC Oct 19 2013
PC: 0x08f2594b (suspend)
Call stack: 0x0806a881 0x08f2594b 0x08f27b85 0x08f27c35 0xcb147b98
Process: Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 11, LASTHOG: 11
LASTHOG At: 07:28:14 UTC Oct 19 2013
PC: 0x0806a8c2 (suspend)
Call stack: 0x0806a8c2 0x08a8ebd7 0x08b9aa46 0x08b9ad0e 0x080dc76f 0xdd6e6961 0xdd6e71b5
0xdd6e7b07 0xdd6e8d5c 0xdd6e138d 0xdd6e247a 0x080dcb22 0x0849f899 0x084981c7
Process: rtcli async executor process, PROC_PC_TOTAL: 83, MAXHOG: 298, LASTHOG: 119
LASTHOG At: 07:28:16 UTC Oct 19 2013
PC: 0x08f262e3 (suspend)
Process: rtcli async executor process, NUMHOG: 47, MAXHOG: 298, LASTHOG: 119
LASTHOG At: 07:28:16 UTC Oct 19 2013
PC: 0x08f262e3 (suspend)
Call stack: 0x0806a881 0x08f262e3 0x08f38fad 0x08f3acc0 0x0905a29e 0x0905b2ba 0x0903dfa9
0x0903ecb5 0x0904f6f5 0x0903ed70 0x09036221 0x0903d29b 0x0903d49f 0x09035ffa
Process: Unicorn Admin Handler, NUMHOG: 3, MAXHOG: 180, LASTHOG: 180
LASTHOG At: 07:28:16 UTC Oct 19 2013
PC: 0x0806a8c2 (suspend)
Call stack: 0x0806a881 0x0806a8c2 0x0816261b 0x095302a7 0x0954abef 0x0954acc3 0x0815aabe
0x08134da6 0x08c64632 0x08ea8079 0x08ea8481 0x08ea85f7 0x08f41adc 0x0806e6cf
Process: Unicorn Admin Handler, NUMHOG: 3, MAXHOG: 15, LASTHOG: 15
LASTHOG At: 07:28:20 UTC Oct 19 2013
PC: 0x0806a8c2 (suspend)
Call stack: 0x0806a881 0x0806a8c2 0x0947a399 0x0946d24d 0x0946d364 0x08c2b0e6 0x08c38f65
0x08ea810b 0x08ea8481 0x08ea85f7 0x08f41adc 0x0806e6cf 0x08f3cc48 0x092afca6
Process: Unicorn Admin Handler, NUMHOG: 3, MAXHOG: 64, LASTHOG: 64
LASTHOG At: 07:28:20 UTC Oct 19 2013
PC: 0x0806a8c2 (suspend)
Call stack: 0x0806a881 0x0806a8c2 0x0947a3e4 0x09479cf9 0x094750eb 0x08c3f645 0x08c3fcab
0x08c2b235 0x08c38f65 0x08ea810b 0x08ea8481 0x08ea85f7 0x08f41adc 0x0806e6cf
Process: IP Thread, NUMHOG: 4, MAXHOG: 14, LASTHOG: 14
LASTHOG At: 07:28:24 UTC Oct 19 2013
PC: 0x0806a8c2 (suspend)
Call stack: 0x0806a8c2 0x0947a399 0x0946d24d 0x0946d364 0x08c2b0e6 0x08c38f65 0x08ea810b
0x08ea8481 0x08ea85f7 0x08ea5f86 0x090e086e 0x090e0b6e 0x090b9a99 0x090b6b00
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 22, MAXHOG: 180, LASTHOG: 64
LASTHOG At: 07:28:24 UTC Oct 19 2013
PC: 0x0806a8c2 (suspend)
Process: IP Thread, NUMHOG: 4, MAXHOG: 64, LASTHOG: 64
LASTHOG At: 07:28:24 UTC Oct 19 2013
PC: 0x0806a8c2 (suspend)
Call stack: 0x0806a8c2 0x0947a3e4 0x09479cf9 0x094750eb 0x08c3f645 0x08c3fcab 0x08c2b235
0x08c38f65 0x08ea810b 0x08ea8481 0x08ea85f7 0x08ea5f86 0x090e086e 0x090e0b6e
CPU hog threshold (msec): 10.240
Last cleared: None
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Lwe 0x08058ba4 0xc82baf84 0x0a345788 0 0xc82b7078 15760/16384 block_diag
Mrd 0x081e1e11 0xc82ed54c 0x0a346144 430188 0xc82cd6e0 120548/131072 Dispatch Unit
Msi 0x087509a4 0xc82fdcb4 0x0a3458b0 713 0xc82f9da8 15688/16384 WebVPN KCD Process
Msi 0x09200c7b 0xc839b3d4 0x0a3458b0 3466 0xc83974c8 15688/16384 y88acs06 OneSec Thread
Mwe 0x080718dd 0xc83a3804 0x0a3458b0 0 0xc839f948 15808/16384 Reload Control Thread
Mwe 0x080849b9 0xc83ae79c 0x0a346e2c 0 0xc83aabe0 15256/16384 aaa
Mwe 0x08f4212d 0xc8d3d1e4 0x0a3458b0 9 0xc83aed78 15056/16384 UserFromCert Thread
Mwe 0x08f4212d 0xc9003fe4 0x0a3458b0 14 0xc83b2f50 14528/16384 aaa_shim_thread
Mwe 0x080b477c 0xc83bfa1c 0x0a347eb4 0 0xc83bbb20 15760/16384 CMGR Server Process
Mwe 0x080b6ded 0xc83c3b64 0x0a3458b0 0 0xc83bfcb8 15832/16384 CMGR Timer Process
Lwe 0x081e0474 0xc83d83bc 0x0a3568e0 0 0xc83d44b0 15488/16384 dbgtrace
Mwe 0x084de0ed 0xc83ef574 0x0a3458b0 0 0xc83e76d8 31680/32768 idfw_proc
Mwe 0x084ea35b 0xc83f75b4 0x0a3458b0 0 0xc83ef708 32216/32768 idfw_service
Mwe 0x084f5fc5 0xc83fb70c 0x0a3458b0 0 0xc83f78a0 15524/16384 idfw_adagent
Mwe 0x085351b5 0xc84038dc 0x0a3458b0 89 0xc83ffbd0 11568/16384 eswilp_svi_init
Mwe 0x08f4212d 0xc8770564 0x0a3458b0 0 0xc8433aa0 15280/16384 netfs_thread_init
Mwe 0x09576795 0xc844c10c 0x0a3458b0 0 0xc8448290 15848/16384 Chunk Manager
Msi 0x08ae10be 0xc84508ac 0x0a3458b0 3523 0xc844c9c0 15656/16384 PIX Garbage Collector
Mwe 0x08ac328a 0xc8461a0c 0x0a1d5d24 0 0xc845db00 16104/16384 IP Address Assign
Mwe 0x08d0477a 0xc85f7534 0x0a251838 0 0xc85f3628 16104/16384 QoS Support Module
Mwe 0x08b5c32a 0xc85fb70c 0x0a1d6c88 0 0xc85f7800 16104/16384 Client Update Task
Lwe 0x095d54f5 0xc860009c 0x0a3458b0 109750 0xc85fc1f0 14448/16384 Checkheaps
Mwe 0x08d093ed 0xc861080c 0x0a3458b0 454 0xc86089a0 19328/32768 Quack process
Mwe 0x08d8569d 0xc86189c4 0x0a3458b0 533 0xc8610b38 31952/32768 Session Manager
Mwe 0x08ed964d 0xc8620cd4 0xcadf5b08 8 0xc861ce68 15464/16384 uauth
Mwe 0x08e66621 0xc8624f0c 0x0a264a10 0 0xc8621000 15632/16384 Uauth_Proxy
Msp 0x08ea87de 0xc86313d4 0x0a3458b0 561 0xc862d4c8 15688/16384 SSL
Mwe 0x08ed72d4 0xc863554c 0x0a26bc14 0 0xc8631660 15708/16384 SMTP
Mwe 0x08ed170c 0xc86396a4 0x0a26af38 23255 0xc86357f8 13608/16384 Logger
Mwe 0x08ecfd1d 0xc863d80c 0x0a3458b0 0 0xc8639990 15784/16384 Syslog Retry Thread
Mwe 0x08ecadf5 0xc86419d4 0x0a3458b0 0 0xc863db28 15600/16384 Thread Logger
Mwe 0x08ed50b4 0xc866457c 0x0a26b5e0 0 0xc8660680 15464/16384 syslogd
Mwe 0x09132032 0xc8681094 0x0a2a5688 0 0xc867d1a8 15328/16384 vpnlb_thread
Mwe 0x092037ec 0xc86916c4 0x0a2aa9e8 0 0xc868d808 16024/16384 pci_nt_bridge
Mwe 0x082beb95 0xc8756e44 0x0a3458b0 0 0xc8752fb8 15864/16384 TLS Proxy Inspector
Msi 0x08da221c 0xc87d44a4 0x0a3458b0 2749 0xc87d0598 15688/16384 emweb/cifs_timer
Mwe 0x08852cc4 0xc88291f4 0x0a1c4c44 0 0xc88252f8 15712/16384 netfs_mount_handler
Msi 0x086b4248 0xc8316454 0x0a3458b0 27304 0xc8312568 15312/16384 arp_timer
Mwe 0x086bc58e 0xc8447fb4 0x0a371110 0 0xc84440f8 16024/16384 arp_forward_thread
Mwe 0x08eddb77 0xc8f2e27c 0x0a26c680 0 0xc8f2a380 15672/16384 tcp_fast
Mwe 0x08ee69a8 0xc8f3229c 0x0a26c680 0 0xc8f2e3b0 15656/16384 tcp_slow
Mwe 0x08f1df34 0xc8f42fac 0x0a2745d0 0 0xc8f3f0b0 16000/16384 udp_timer
Mwe 0x0814110d 0xc8fb133c 0xc83ca8d0 4 0xc8fad4a0 15664/16384 IPsec message handler
Mwe 0x087515c6 0xc8fdc834 0x0a376060 1 0xc8fd8958 16056/16384 Lic TMR
Mwe 0x087513bc 0xc8fe0884 0x0a1c0ea0 242 0xc8fdc988 16088/16384 Lic HA
Msi 0x08153267 0xc84270dc 0x0a3458b0 54986 0xc8423440 13872/16384 CTM message handler
Mwe 0x0811bd2d 0xc843bb8c 0x0a3458b0 0 0xc8437ce0 15832/16384 CTCP Timer process
Mwe 0x090d3d95 0xc843fbac 0x0a3458b0 0 0xc843bd10 15816/16384 L2TP data daemon
Mwe 0x090d6605 0xc9b5b24c 0x0a3458b0 0 0xc9b573b0 15816/16384 L2TP mgmt daemon
Mwe 0x090c2b27 0xc9b9339c 0x0a29a3ec 2228 0xc9b8f4e0 15480/16384 ppp_timer_thread
Msi 0x0913239d 0xc9b973ec 0x0a3458b0 4093 0xc9b93510 15640/16384 vpnlb_timer_thread
Mwe 0x081c7708 0xc9c67c84 0x0a13ef88 2899 0xc9c47f18 118548/131072 tmatch compile thread
Mwe 0x08d38b2d 0xcac940cc 0x0a3458b0 0 0xcac90210 15848/16384 ICMP event handler
Mwe 0x0908081d 0xcac98254 0x0a3458b0 0 0xcac943a8 15832/16384 Dynamic Filter VC Housekeeper
Mwe 0x08a1b612 0xcacc47f4 0x0a3458b0 819 0xcacc0938 13860/16384 IP Background
Mwe 0x08c26e63 0xcaed904c 0x0a3458b0 0 0xcaed51a0 15832/16384 Crypto CA
Mwe 0x08c60c18 0xcaedd1e4 0x0a3458b0 0 0xcaed9338 15896/16384 CERT API
Mwe 0x08c257d5 0xcaee6e24 0x0a3458b0 0 0xcaee2f58 15928/16384 Crypto PKI RECV
Mwe 0x0878dd85 0xc862d1cc 0x0a3458b0 187 0xc8629330 15272/16384 ESW_MRVL switch interrupt service
Mwe 0x08cae62c 0xc866c89c 0x0a1ea7e0 0 0xc86689b0 15832/16384 lina_int
Mrd 0x0959948b 0xc8684f1c 0x0a346144 28493079 0xc8681340 13824/16384 esw_stats
Lsi 0x08af3199 0xc86958bc 0x0a3458b0 152 0xc86919a0 15704/16384 uauth_urlb clean
Lwe 0x08acbd76 0xc83ff8b4 0x0a3458b0 4432 0xc83fba38 14308/16384 pm_timer_thread
Mwe 0x08555f8d 0xc8418b0c 0x0a3458b0 0 0xc8414c60 15832/16384 IKE Common thread
Mwe 0x0858cecd 0xcaf8688c 0x0a3458b0 0 0xcaf82a60 15704/16384 IKE Timekeeper
Mwe 0x0857bad1 0xcaf8ccc4 0x0a1bc678 1 0xcaf890e8 12116/16384 IKE Daemon
Mwe 0x08629eb3 0xcaf90c64 0x0a3458b0 964 0xcaf8d118 14744/16384 IKEv2 Daemon
Mwe 0x08628e7c 0xcaf94ff4 0x0a3458b0 1095 0xcaf91148 15640/16384 IKEv2 DPD Client Process
Mwe 0x08e7d2e4 0xcafafd7c 0x0a2690f4 0 0xcafabe90 16072/16384 RADIUS Proxy Event Daemon
Mwe 0x08e41f35 0xcafb3d74 0xcb07e358 7 0xcafb0028 14912/16384 RADIUS Proxy Listener
Mwe 0x08e7ca0d 0xcafb806c 0x0a3458b0 0 0xcafb41c0 15832/16384 RADIUS Proxy Time Keeper
Mwe 0x086a1e44 0xcafbc184 0x0a3710c8 0 0xcafb8358 15264/16384 Integrity FW Task
Mrd 0x082c923a 0xcaffce54 0x0a346144 0 0xcaff8f98 14552/16384 CP Threat-Detection Processing
Mwe 0x081fb74e 0xcb0cc4bc 0x09c4a8bc 2497 0xcb0acd60 122448/131072 ci/console
Msi 0x08b0ea8c 0xcb0d0e14 0x0a3458b0 217583 0xcb0ccef8 14004/16384 update_cpu_usage
Mwe 0x08ef5ff5 0xcb0d4ecc 0x0a3458b0 77 0xcb0d1090 15360/16384 npshim_thread
Msi 0x08b0eb14 0xcb0e1224 0x0a3458b0 0 0xcb0dd428 13104/16384 NIC status poll
Mwe 0x08dd5f2c 0xcb0e54bc 0x0a259ec8 228 0xcb0e15c0 15540/16384 SNMP Notify Thread
Mwe 0x086aba0e 0xcb12ebe4 0x0a37170c 235813 0xcb126d08 25428/32768 IP Thread
Mwe 0x086b31fe 0xcb132d9c 0x0a371100 9150 0xcb12eea0 9700/16384 ARP Thread
Mwe 0x084be3ae 0xcb136f8c 0x0a3716c8 1743 0xcb1331b0 12696/16384 icmp_thread
Mwe 0x08f1f443 0xcb13b1e4 0x0a3458b0 158 0xcb137348 15728/16384 udp_thread
Mwe 0x08ee0f44 0xcb13f0bc 0x0a37178c 0 0xcb13b4e0 15288/16384 tcp_thread
Mwe 0x08f4212d 0xcb1bccd4 0x0a3458b0 12848 0xcb13fd70 26600/32768 rtcli async executor process
Mwe 0x090e408d 0xcb4dff64 0x0a3458b0 0 0xcb4dc0a8 14608/16384 PPPOE background daemon
Mwe 0x090e53c4 0xcb4e3fb4 0x0a29aa4c 1 0xcb4e00d8 14656/16384 PPPOE CLI daemon
Mwe 0x0824ff45 0xcb501e4c 0x0a3458b0 258 0xcb4fdf90 15624/16384 Timekeeper
Mwe 0x08e41f35 0xcb89a6d4 0xcb89eb10 7 0xcb896998 15392/16384 EAPoUDP-sock
Mwe 0x0822323d 0xcb89e544 0x0a3458b0 0 0xcb89a9c8 15016/16384 EAPoUDP
Mwe 0x08204371 0xcb3df9dc 0x0a3458b0 149 0xcb3dbb20 15168/16384 DHCPD Timer
Mwe 0x082066a1 0xcb3e6404 0x0a3458b0 1286 0xcb3e25a8 7172/16384 dhcp_daemon
Mwe 0x0910dfd4 0xcbc3b4e4 0x0a2a5380 0 0xcbc335e8 32472/32768 vpnfol_thread_msg
Msi 0x09116252 0xcbc3fac4 0x0a3458b0 2657 0xcbc3bbd8 15656/16384 vpnfol_thread_timer
Mwe 0x09114882 0xcbc44074 0x0a2a53c0 0 0xcbc401c8 16008/16384 vpnfol_thread_sync
Msi 0x09115fdc 0xcbc486b4 0x0a3458b0 11061 0xcbc447b8 15672/16384 vpnfol_thread_unsent
Mwe 0x0869e365 0xc8689384 0x0a3458b0 0 0xc86854d8 15832/16384 Integrity Fw Timer Thread
Msi 0x08852fd6 0xc868d55c 0x0a3458b0 206 0xc8689670 15656/16384 netfs_vnode_reclaim
Mwe 0x08f4212d 0xcb2a1914 0x0a3458b0 1277 0xcbd38510 15008/16384 Unicorn Proxy Thread
Mwe 0x0825afcb 0xcbc61254 0x0a3458b0 335 0xcbc5d788 14272/16384 emweb/https
Mwe 0x08eef828 0xcbd4dd0c 0xcbd4fd7c 0 0xcbd49fd0 14888/16384 listen/telnet
Mwe 0x08aac530 0xcbdbd754 0xcbd6c9fc 102 0xcbd9def8 127432/131072 Unicorn Admin Handler
Mwe 0x08aab345 0xcbddd644 0x0a3458b0 105 0xcbdbdf28 123712/131072 Unicorn Admin Handler
Mwe 0x08cd7c6f 0xcaf358cc 0x0a49edc8 0 0xcaf31bb0 15384/16384 qos_metric_daemon
Mwe 0x08218c82 0xcb2693fc 0x0a3458b0 3 0xcb265560 13248/16384 DHCP Client
Mwe 0x08f1d929 0xcb4bb0fc 0xc8f3ece4 0 0xcb4b3300 31552/32768 DHCPC Receiver
M* 0x08a86f55 0xdcc1df2c 0x0a346144 274 0xcb34deb8 19696/32768 telnet/ci
- - - - 0 - - DATAPATH-0-455
- - - - 744377118 - - scheduler
- - - - 774156778 - - total elapsed
------------------ show kernel process ------------------
PID PPID PRI NI VSIZE RSS WCHAN STAT RUNTIME COMMAND
1 0 20 0 2080768 616 3725686580 S 630 init
2 0 15 -5 0 0 3725738556 S 0 kthreadd
3 2 15 -5 0 0 3725692956 S 0 ksoftirqd/0
4 2 15 -5 0 0 3725728656 S 0 events/0
5 2 15 -5 0 0 3725728656 S 0 khelper
50 2 15 -5 0 0 3725728656 S 0 kblockd/0
53 2 15 -5 0 0 3726777703 S 0 kseriod
99 2 20 0 0 0 3725848262 S 0 pdflush
100 2 20 0 0 0 3725848262 S 0 pdflush
101 2 15 -5 0 0 3725861131 S 0 kswapd0
102 2 15 -5 0 0 3725728656 S 0 aio/0
103 2 15 -5 0 0 3725728656 S 0 nfsiod
214 2 15 -5 0 0 3725728656 S 0 hid_compat
215 2 15 -5 0 0 3725728656 S 0 rpciod/0
240 1 16 -4 1789952 600 3725997327 S 4 udevd
272 240 18 -2 1785856 564 3725997327 S 0 udevd
277 240 18 -2 1785856 552 3725997327 S 0 udevd
421 1 20 0 5201920 1600 4294967295 S 11 lwsmd
423 421 20 0 16736256 3600 4294967295 S 102 lwregd
448 1 20 0 2084864 512 3725686580 S 1 sh
449 448 20 0 10186752 528 4294967295 S 2 lina_monitor
451 449 0 -20 440270848 53000 4294967295 S 77713055 lina
------------------ show kernel cgroup-controller detail ------------------
memory controller:
memory.limit_in_bytes: unlimited
memory.usage_in_bytes: 61665280 (11%)
memory.max_usage_in_bytes: 64245760 (12%)
memory.failcnt: 0
tasks:
group "normal"
memory.limit_in_bytes: unlimited
memory.usage_in_bytes: 77824 (0%)
memory.max_usage_in_bytes: 544768 (0%)
memory.failcnt: 0
tasks:
PID RSS COMMAND
1 630784 init
2 0 kthreadd
3 0 ksoftirqd/0
4 0 events/0
5 0 khelper
50 0 kblockd/0
53 0 kseriod
99 0 pdflush
100 0 pdflush
101 0 kswapd0
102 0 aio/0
103 0 nfsiod
214 0 hid_compat
215 0 rpciod/0
240 614400 udevd
272 577536 udevd
277 565248 udevd
448 524288 sh
group "privileged"
memory.limit_in_bytes: unlimited
memory.usage_in_bytes: 22327296 (4%)
memory.max_usage_in_bytes: 22515712 (4%)
memory.failcnt: 0
tasks:
PID RSS COMMAND
449 540672 lina_monitor
450 0 lina_monitor
451 54280192 lina
452 0 lina
453 0 lina
454 0 lina
455 0 lina
group "restricted"
memory.limit_in_bytes: 23068672 (4%)
memory.usage_in_bytes: 1724416 (0%)
memory.max_usage_in_bytes: 1900544 (0%)
memory.failcnt: 0
tasks:
PID RSS COMMAND
421 1638400 lwsmd
422 0 lwsmd
423 3686400 lwregd
425 0 lwregd
426 0 lwregd
427 0 lwregd
428 0 lwregd
429 0 lwregd
430 0 lwsmd
431 0 lwsmd
432 0 lwsmd
433 0 lwsmd
434 0 lwsmd
cpu controller:
cpu.shares: 1024
cpuacct.usage: 777015353084076
tasks:
group "normal"
cpu.shares: 1024
cpuacct.usage: 53525955783 (0%)
tasks:
PID RSS COMMAND
1 630784 init
2 0 kthreadd
3 0 ksoftirqd/0
4 0 events/0
5 0 khelper
50 0 kblockd/0
53 0 kseriod
99 0 pdflush
100 0 pdflush
101 0 kswapd0
102 0 aio/0
103 0 nfsiod
214 0 hid_compat
215 0 rpciod/0
240 614400 udevd
272 577536 udevd
277 565248 udevd
448 524288 sh
449 540672 lina_monitor
450 0 lina_monitor
451 54280192 lina
452 0 lina
453 0 lina
454 0 lina
group "privileged"
cpu.shares: 16384
cpuacct.usage: 776952528547140 (100%)
tasks:
PID RSS COMMAND
455 0 lina
group "restricted"
cpu.shares: 1024
cpuacct.usage: 1291957168 (0%)
tasks:
PID RSS COMMAND
421 1638400 lwsmd
422 0 lwsmd
423 3686400 lwregd
425 0 lwregd
426 0 lwregd
427 0 lwregd
428 0 lwregd
429 0 lwregd
430 0 lwsmd
431 0 lwsmd
432 0 lwsmd
433 0 lwsmd
434 0 lwsmd
------------------ show traffic ------------------
inside:
received (in 422169.300 secs):
4183910 packets 523687951 bytes
9 pkts/sec 1006 bytes/sec
transmitted (in 422169.300 secs):
5702974 packets 5851550584 bytes
3 pkts/sec 13006 bytes/sec
1 minute input rate 22 pkts/sec, 2839 bytes/sec
1 minute output rate 30 pkts/sec, 22751 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 33 pkts/sec, 3746 bytes/sec
5 minute output rate 46 pkts/sec, 20906 bytes/sec
5 minute drop rate, 1 pkts/sec
outside:
received (in 422169.300 secs):
10542135 packets 11433861540 bytes
4 pkts/sec 27002 bytes/sec
transmitted (in 422169.300 secs):
3793870 packets 526596330 bytes
8 pkts/sec 1003 bytes/sec
1 minute input rate 47 pkts/sec, 41657 bytes/sec
1 minute output rate 18 pkts/sec, 2802 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 80 pkts/sec, 38519 bytes/sec
5 minute output rate 29 pkts/sec, 3749 bytes/sec
5 minute drop rate, 0 pkts/sec
_internal_loopback:
received (in 422168.950 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 422168.950 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Aggregated Traffic on Physical Interface
Ethernet0/0:
received (in 776992.730 secs):
8257731 packets 9051312645 bytes
5 pkts/sec 11002 bytes/sec
transmitted (in 776992.730 secs):
6399342 packets 1011145708 bytes
2 pkts/sec 1002 bytes/sec
1 minute input rate 26 pkts/sec, 24481 bytes/sec
1 minute output rate 20 pkts/sec, 3472 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 40 pkts/sec, 20147 bytes/sec
5 minute output rate 29 pkts/sec, 4280 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/1:
received (in 776992.730 secs):
1330771 packets 312271947 bytes
1 pkts/sec 3 bytes/sec
transmitted (in 776992.730 secs):
1738316 packets 638003030 bytes
2 pkts/sec 3 bytes/sec
1 minute input rate 4 pkts/sec, 405 bytes/sec
1 minute output rate 11 pkts/sec, 3333 bytes/sec
<--- More --->
1 minute drop rate, 0 pkts/sec
5 minute input rate 7 pkts/sec, 735 bytes/sec
5 minute output rate 13 pkts/sec, 4410 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/2:
received (in 776993.220 secs):
5028958 packets 693527818 bytes
0 pkts/sec 2 bytes/sec
transmitted (in 776993.220 secs):
7782202 packets 8316039741 bytes
4 pkts/sec 10000 bytes/sec
1 minute input rate 1 pkts/sec, 153 bytes/sec
1 minute output rate 2 pkts/sec, 391 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 187 bytes/sec
5 minute output rate 3 pkts/sec, 1011 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/3:
received (in 776993.220 secs):
17219822 packets 21609826615 bytes
0 pkts/sec 27005 bytes/sec
transmitted (in 776993.220 secs):
8373382 packets 5142266559 bytes
5 pkts/sec 6004 bytes/sec
<--- More --->
1 minute input rate 8384 pkts/sec, 12695156 bytes/sec
1 minute output rate 2657 pkts/sec, 203156 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 8010 pkts/sec, 12112337 bytes/sec
5 minute output rate 2525 pkts/sec, 188122 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/4:
received (in 776993.680 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 776993.680 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/5:
received (in 776993.690 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 776993.690 secs):
<--- More --->
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/6:
received (in 776994.140 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 776994.140 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/7:
received (in 776994.140 secs):
7328915 packets 4524298170 bytes
<--- More --->
3 pkts/sec 5004 bytes/sec
transmitted (in 776994.140 secs):
16345245 packets 21405489647 bytes
4 pkts/sec 27001 bytes/sec
1 minute input rate 2330 pkts/sec, 158045 bytes/sec
1 minute output rate 7422 pkts/sec, 11264540 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2481 pkts/sec, 168427 bytes/sec
5 minute output rate 7977 pkts/sec, 12105867 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/0:
received (in 776994.640 secs):
15222548 packets 10134365294 bytes
3 pkts/sec 13004 bytes/sec
transmitted (in 776994.640 secs):
15128813 packets 10256961010 bytes
2 pkts/sec 13001 bytes/sec
1 minute input rate 45 pkts/sec, 24860 bytes/sec
1 minute output rate 49 pkts/sec, 26647 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 73 pkts/sec, 24918 bytes/sec
5 minute output rate 75 pkts/sec, 26334 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/1:
<--- More --->
received (in 776994.640 secs):
15128721 packets 10256943282 bytes
2 pkts/sec 13001 bytes/sec
transmitted (in 776994.640 secs):
15222455 packets 10134357062 bytes
3 pkts/sec 13004 bytes/sec
1 minute input rate 48 pkts/sec, 26530 bytes/sec
1 minute output rate 45 pkts/sec, 24826 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 75 pkts/sec, 26323 bytes/sec
5 minute output rate 73 pkts/sec, 24908 bytes/sec
5 minute drop rate, 0 pkts/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req -
Cisco ASA 5505 Site to Site VPN
Hello All,
First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
I would appreciate any help that can be directed towards this issue please. Slowly losing my mind
Please see details below:
Both ADM are 7.1
IOS
ASA 1
aved
ASA Version 9.0(1)
hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description Trunk link to SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif outside
security-level 0
ip address 92.51.193.158 255.255.255.252
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan20
nameif servers
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan30
nameif printers
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan40
nameif wireless
security-level 100
ip address 192.168.40.1 255.255.255.0
banner login line Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 83.147.160.2
name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
host 192.168.20.21
description Automated Report Server Internal Address
object network Report_Server
host 89.234.126.9
description Automated Report Server
object service RDP
service tcp destination eq 3389
description RDP to Server
object network Host_QA_Server
host 89.234.126.10
description QA Host External Address
object network Internal_Host_QA
host 192.168.20.22
description Host of VM machine for QA
object network Internal_QA_Web_Server
host 192.168.20.23
description Web Server in QA environment
object network Web_Server_QA_VM
host 89.234.126.11
description Web server in QA environment
object service SQL_Server
service tcp destination eq 1433
object network Demo_Server
host 89.234.126.12
description Server set up to Demo Product
object network Internal_Demo_Server
host 192.168.20.24
description Internal IP Address of Demo Server
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object service MSSQL
service tcp destination eq 1434
description MSSQL port
object network VPN-network
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object service TS
service tcp destination eq 4400
object service TS_Return
service tcp source eq 4400
object network External_QA_3
host 89.234.126.13
object network Internal_QA_3
host 192.168.20.25
object network Dev_WebServer
host 192.168.20.27
object network External_Dev_Web
host 89.234.126.14
object network CIX_Subnet
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_84.39.233.50
host 84.39.233.50
object network NETWORK_OBJ_92.51.193.158
host 92.51.193.158
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq smtp
service-object object TS
object-group network Payback_Internal
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object tcp destination eq https
service-object object TS
service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object object RDP
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
service-object object MSSQL
service-object object RDP
service-object object TS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object object TS
service-object object TS_Return
service-object tcp destination eq www
service-object tcp destination eq https
access-list outside_access_in remark This rule is allowing from internet to interal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Access rule to internal host QA
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to INternal Web Server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule for allowing access to Demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access for Development WebServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address
[email protected]
logging recipient-address
[email protected]
level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 84.39.233.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.40.0 255.255.255.0 wireless
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.1
dhcpd auto_config outside
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password uYePLcrFadO9pBZx encrypted
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp error
inspect icmp
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
ASA 2
ASA Version 9.0(1)
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description This port connects to VLAN 100
switchport access vlan 100
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 100
interface Ethernet0/4
switchport access vlan 100
interface Ethernet0/5
switchport access vlan 100
interface Ethernet0/6
switchport access vlan 100
interface Ethernet0/7
switchport access vlan 100
interface Vlan2
nameif outside
security-level 0
ip address 84.39.233.50 255.255.255.240
interface Vlan100
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
banner login line Welcome to Payback Loyalty - CIX
ftp mode passive
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CIX-Host-1
host 192.168.100.2
description This is the host machine of the VM servers
object network External_CIX-Host-1
host 84.39.233.51
description This is the external IP address of the host server for the VM server
object service RDP
service tcp source range 1 65535 destination eq 3389
object network Payback_Office
host 92.51.193.158
object service MSQL
service tcp destination eq 1433
object network Development_OLTP
host 192.168.100.10
description VM for Eiresoft
object network External_Development_OLTP
host 84.39.233.52
description This is the external IP address for the VM for Eiresoft
object network Eiresoft
host 146.66.160.70
description DBA Contractor
object network External_TMC_Web
host 84.39.233.53
description Public Address of TMC Webserver
object network TMC_Webserver
host 192.168.100.19
description Internal Address of TMC Webserver
object network External_TMC_OLTP
host 84.39.233.54
description Targets OLTP external IP
object network TMC_OLTP
host 192.168.100.18
description Targets interal IP address
object network External_OLTP_Failover
host 84.39.233.55
description Public IP of OLTP Failover
object network OLTP_Failover
host 192.168.100.60
description Server for OLTP failover
object network Servers
subnet 192.168.20.0 255.255.255.0
object network Wired
subnet 192.168.10.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
host 137.117.217.29
description Eiresoft 2nd IP
object network Dev_Test_Webserver
host 192.168.100.12
description Dev Test Webserver Internal Address
object network External_Dev_Test_Webserver
host 84.39.233.56
description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_2
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_3
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_4
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_5
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
service-object object MSQL
service-object object RDP
object-group network Payback_Intrernal
network-object object Servers
network-object object Wired
network-object object Wireless
object-group service DM_INLINE_SERVICE_7
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_8
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_9
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_10
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_11
service-object object RDP
service-object tcp destination eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
access-list outside_access_in remark Development OLTP from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in remark Access for Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Access to OLTP for target from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
access-list outside_access_in remark Access for the 2nd IP from Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 92.51.193.156 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 92.51.193.158
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 92.51.193.156 255.255.255.252 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: endHi,
Thanks for the help to date
I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
See below the details:
ASA1:
hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description Trunk link to SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.XX 255.255.255.252
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan20
nameif servers
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan30
nameif printers
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan40
nameif wireless
security-level 100
ip address 192.168.40.1 255.255.255.0
banner login line Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 83.147.160.2
name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
host 192.168.20.21
description Automated Report Server Internal Address
object network Report_Server
host 89.234.126.9
description Automated Report Server
object service RDP
service tcp destination eq 3389
description RDP to Server
object network Host_QA_Server
host 89.234.126.10
description QA Host External Address
object network Internal_Host_QA
host 192.168.20.22
description Host of VM machine for QA
object network Internal_QA_Web_Server
host 192.168.20.23
description Web Server in QA environment
object network Web_Server_QA_VM
host 89.234.126.11
description Web server in QA environment
object service SQL_Server
service tcp destination eq 1433
object network Demo_Server
host 89.234.126.12
description Server set up to Demo Product
object network Internal_Demo_Server
host 192.168.20.24
description Internal IP Address of Demo Server
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object service MSSQL
service tcp destination eq 1434
description MSSQL port
object network VPN-network
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object service TS
service tcp destination eq 4400
object service TS_Return
service tcp source eq 4400
object network External_QA_3
host 89.234.126.13
object network Internal_QA_3
host 192.168.20.25
object network Dev_WebServer
host 192.168.20.27
object network External_Dev_Web
host 89.234.126.14
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
description Wireless network
object network Servers
subnet 192.168.20.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq smtp
service-object object TS
service-object object SQL_Server
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object tcp destination eq https
service-object object TS
service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object object RDP
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
service-object object MSSQL
service-object object RDP
service-object object TS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object object TS
service-object object TS_Return
service-object tcp destination eq www
service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
object-group network Payback_Internal
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
access-list outside_access_in remark This rule is allowing from internet to interal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Access rule to internal host QA
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to INternal Web Server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule for allowing access to Demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access for Development WebServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XX.XX.XX.XX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map servers_map interface servers
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 enable servers
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.1
dhcpd auto_config outside
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username niamh password MlFlIlEiy8vismE0 encrypted
username niamh attributes
service-type admin
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password yQeVtvLLKqapoUje encrypted privilege 0
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp error
inspect icmp
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83fa7ce1d93375645205f6e79b526381
ASA2:
ASA Version 9.0(1)
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description This port connects to VLAN 100
switchport access vlan 100
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 100
interface Ethernet0/4
switchport access vlan 100
interface Ethernet0/5
switchport access vlan 100
interface Ethernet0/6
switchport access vlan 100
interface Ethernet0/7
switchport access vlan 100
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.240
interface Vlan100
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
banner login line Welcome to Payback Loyalty - CIX
ftp mode passive
clock timezone GMT 0
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CIX-Host-1
host 192.168.100.2
description This is the host machine of the VM servers
object network External_CIX-Host-1
host 84.39.233.51
description This is the external IP address of the host server for the VM server
object service RDP
service tcp source range 1 65535 destination eq 3389
object network Payback_Office
host 92.51.193.158
object service MSQL
service tcp destination eq 1433
object network Development_OLTP
host 192.168.100.10
description VM for Eiresoft
object network External_Development_OLTP
host 84.39.233.52
description This is the external IP address for the VM for Eiresoft
object network External_TMC_Web
host 84.39.233.53
description Public Address of TMC Webserver
object network TMC_Webserver
host 192.168.100.19
description Internal Address of TMC Webserver
object network External_TMC_OLTP
host 84.39.233.54
description Targets OLTP external IP
object network TMC_OLTP
host 192.168.100.18
description Targets interal IP address
object network External_OLTP_Failover
host 84.39.233.55
description Public IP of OLTP Failover
object network OLTP_Failover
host 192.168.100.60
description Server for OLTP failover
object network Servers
subnet 192.168.20.0 255.255.255.0
object network Wired
subnet 192.168.10.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
host 137.117.217.29
description Eiresoft 2nd IP
object network Dev_Test_Webserver
host 192.168.100.12
description Dev Test Webserver Internal Address
object network External_Dev_Test_Webserver
host 84.39.233.56
description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network LAN
subnet 192.168.100.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.10.0 255.255.255.0
object network TargetMC
host 83.71.194.145
description This is Target Location that will be accessing the Webserver
object network Rackspace_OLTP
host 162.13.34.56
description This is the IP address of production OLTP
object service DB
service tcp destination eq 5022
object network Topaz_Target_VM
host 82.198.151.168
description This is Topaz IP that will be accessing Targets VM
object service DB_2
service tcp destination eq 5023
object network EireSoft_NEW_IP
host 146.66.161.3
description Eiresoft latest IP form ISP DHCP
object-group service DM_INLINE_SERVICE_1
service-object object MSQL
service-object object RDP
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_4
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object tcp destination eq www
object-group service DM_INLINE_SERVICE_5
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
service-object object MSQL
service-object object RDP
object-group network Payback_Intrernal
network-object object Servers
network-object object Wired
network-object object Wireless
object-group service DM_INLINE_SERVICE_8
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_9
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_10
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object icmp echo
service-object icmp echo-reply
service-object object DB
object-group service DM_INLINE_SERVICE_11
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_12
service-object object MSQL
service-object icmp echo
service-object icmp echo-reply
service-object object DB
service-object object DB_2
object-group service DM_INLINE_SERVICE_13
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_14
service-object object MSQL
service-object object RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
access-list outside_access_in remark Development OLTP from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Access to OLTP for target from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark Access for the 2nd IP from Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_access_in remark Access rules from Traget to CIX for testing
access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
access-list outside_access_in remark Topaz access to Target VM
access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source dynamic LAN interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http X.X.X.X 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh X.X.X.X 255.255.255.240 outside
ssh X.X.X.X 255.255.255.252 outside
ssh 192.168.40.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769
Maybe you are looking for
-
To find pinch open and close and how it works in macbook pro go to the apple icon. Open system preferences and the choose trackpad. Each item is illustrated.
-
Error when starting weblogic server 10.3.6
hi am having below error when starting my weblogic server am in window xp C:\mydomain\base_domain\bin>DIR Volume in drive C is WinXP Volume Serial Number is F086-F167 Directory of C:\mydomain\base_domain\bin 22/04/2011 11:10 PM <DIR> . 2
-
Automatic Filing With Rules - Long
This is a long post, sorry, but I think the details might be worthwhile for someone who might be like me and wants to automate their mail processing as much as possible. I do have a question below about how I might better configure some rules, and ab
-
Scripts to notify stop and start of services
dear all, i m looking for a script to send me a mail whenever oracle apps service is shutdown and start.your help will be appreciated thanks in advance. os:rhel6 ebs :12.1.3 db:11.2.0.3
-
how to add Ipad 2 to my wireless?