Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic

Similar Messages

• Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

  hello,
  i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
  FYI the asa's are different versions, one is 9.2 the other is 8.2
  Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
  Site A running config:
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(2)
  hostname csol-asa
  enable password WI19w3dXj6ANP8c6 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.0 san_antonio_inside
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.2.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 24.93.41.125
   name-server 24.93.41.126
  object-group network NETWORK_OBJ_192.168.2.0_24
  access-list inside_access_out extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in_1 extended permit icmp any interface outside
  access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
  access-list outside_access_in_1 extended permit tcp any interface outside eq www
  access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
  access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 2 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
  static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
  static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  access-group inside_access_out out interface inside
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 2.2.2.2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map1 1 match address outside_1_cryptomap_1
  crypto map outside_map1 1 set peer 2.2.2.2
  crypto map outside_map1 1 set transform-set ESP-3DES-SHA
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.30-192.168.2.155 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain corporatesolutionsfw.local interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key *****
  prompt hostname context
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:021cf43a4211a99232849372c380dda2
  : end
  Site A sh crypto isakmp sa:
  Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 2.2.2.2
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Site A sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
        access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
        current_peer: 2.2.2.2
        #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
        #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: C1074C40
        current inbound spi : B21273A9
      inbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914989/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914999/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  Site B running config:
  Result of the command: "sh run"
  : Saved
  : Serial Number: JMX184640WY
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.2(2)4
  hostname CSOLSAASA
  enable password WI19w3dXj6ANP8c6 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 2.2.2.2 255.255.255.248
  ftp mode passive
  object network NETWORK_OBJ_192.168.1.0_24
   subnet 192.168.1.0 255.255.255.0
  object network mcallen_network
   subnet 192.168.2.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
  access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map3 1 match address outside_cryptomap
  crypto map outside_map3 1 set peer 1.1.1.1
  crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map3 interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 192.168.1.200-192.168.1.250 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain CSOLSA.LOCAL interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ikev1
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   ikev1 pre-shared-key *****
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
  : end
  Site B sh crypto isakmp sa:
  Result of the command: "sh crypto isakmp sa"
  IKEv1 SAs:
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 1.1.1.1
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  There are no IKEv2 SAs
  Site B sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
        access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 1.1.1.1
        #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
        #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: B21273A9
        current inbound spi : C1074C40
      inbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373999/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000003
      outbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373987/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Hi Keegan,
  Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
  I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
  HTH
  "Please rate useful posts"

• Cisco ASA & Router Site to Site VPN up but not passing traffic

  Dear all,
  Please help me the attached document vpn issue, site-to-site vpn is up but I am not able to passing traffic.
  Advance Thanks
  ahossain

  ASA#
  ASA Version 8.2(1)
  hostname Active
  domain-name test.com
  interface Ethernet0/0
  description LAN/STATE Failover Interface
  interface Ethernet0/1
  speed 100
  nameif outside
  security-level 0
  ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
  interface Ethernet0/2
  nameif DMZ
  security-level 50
  ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
  interface Ethernet0/3
  description INSIDE
  speed 100
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  boot system disk0:/asa821-k8.bin
  boot config disk0:/running-config
  ftp mode passive
  dns server-group DefaultDNS
  domain-name test.com
  access-list deny-flow-max 1
  access-list alert-interval 2
  access-list allow extended permit ip any any
  access-list VPN extended permit ip any any
  access-list OUTSIDE extended permit ip any any
  access-list al-outside extended permit ip any host 212.107.106.129
  access-list al-outside extended permit ip any any
  access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list outside_access_in extended permit ip any any
  access-list inside_access_out extended permit ip any any
  access-list DMZ_access_out extended permit ip any any
  access-list inside_access_in extended permit ip any any
  access-list DMZ_access_in extended permit ip any any
  access-list outside_access_in_1 extended permit ip any any
  access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu DMZ 1500
  mtu inside 1500
  failover
  failover lan unit primary
  failover lan interface failover Ethernet0/0
  failover key *****
  failover link failover Ethernet0/0
  failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any DMZ
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
  route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  service resetoutside
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map mal 10 set peer 212.107.106.129
  crypto map IPSec_map 10 match address encrypt_acl
  crypto map IPSec_map 10 set peer 212.107.106.129
  crypto map IPSec_map 10 set transform-set mal
  crypto map IPSec_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 outside
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key XXXXXX address 212.71.53.38
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto map mal 10 ipsec-isakmp
  set peer 212.71.53.38
  set transform-set mal
  match address 120
  interface Loopback0
  ip address 10.3.3.1 255.255.255.0
  ip virtual-reassembly in
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address 172.20.34.54 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
  load-interval 30
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/1
  ip address 212.107.106.129 255.255.255.248
  ip nat outside
  ip virtual-reassembly in
  no ip route-cache
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/2
  description *!* LAN *!*
  ip address 10.2.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  ip forward-protocol nd
  ip http server
  ip http secure-server
  ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
  ip nat inside source route-map nonat pool OUTPOOL overload
  ip route 0.0.0.0 0.0.0.0 172.20.34.53
  ip route 10.1.1.0 255.255.255.0 212.107.106.130
  ip route 192.168.50.0 255.255.255.0 212.71.53.38
  ip access-list extended outside
  remark CCP_ACL Category=1
  permit ip any any log
  ip access-list extended outside1
  remark CCP_ACL Category=1
  permit ip any any log
  access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 130 permit ip 10.2.2.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 130
  control-plane
  ASA Version 8.2(1)
  hostname Active
  domain-name test.com
  interface Ethernet0/0
  description LAN/STATE Failover Interface
  interface Ethernet0/1
  speed 100
  nameif outside
  security-level 0
  ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
  interface Ethernet0/2
  nameif DMZ
  security-level 50
  ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
  interface Ethernet0/3
  description INSIDE
  speed 100
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  boot system disk0:/asa821-k8.bin
  boot config disk0:/running-config
  ftp mode passive
  dns server-group DefaultDNS
  domain-name test.com
  access-list deny-flow-max 1
  access-list alert-interval 2
  access-list allow extended permit ip any any
  access-list VPN extended permit ip any any
  access-list OUTSIDE extended permit ip any any
  access-list al-outside extended permit ip any host 212.107.106.129
  access-list al-outside extended permit ip any any
  access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list outside_access_in extended permit ip any any
  access-list inside_access_out extended permit ip any any
  access-list DMZ_access_out extended permit ip any any
  access-list inside_access_in extended permit ip any any
  access-list DMZ_access_in extended permit ip any any
  access-list outside_access_in_1 extended permit ip any any
  access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu DMZ 1500
  mtu inside 1500
  failover
  failover lan unit primary
  failover lan interface failover Ethernet0/0
  failover key *****
  failover link failover Ethernet0/0
  failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any DMZ
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
  route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  service resetoutside
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map mal 10 set peer 212.107.106.129
  crypto map IPSec_map 10 match address encrypt_acl
  crypto map IPSec_map 10 set peer 212.107.106.129
  crypto map IPSec_map 10 set transform-set mal
  crypto map IPSec_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 outside
  ==================================================================
  Remote-Router#
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key XXXXXX address 212.71.53.38
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto map mal 10 ipsec-isakmp
  set peer 212.71.53.38
  set transform-set mal
  match address 120
  interface Loopback0
  ip address 10.3.3.1 255.255.255.0
  ip virtual-reassembly in
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address 172.20.34.54 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
  load-interval 30
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/1
  ip address 212.107.106.129 255.255.255.248
  ip nat outside
  ip virtual-reassembly in
  no ip route-cache
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/2
  description *!* LAN *!*
  ip address 10.2.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  ip forward-protocol nd
  ip http server
  ip http secure-server
  ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
  ip nat inside source route-map nonat pool OUTPOOL overload
  ip route 0.0.0.0 0.0.0.0 172.20.34.53
  ip route 10.1.1.0 255.255.255.0 212.107.106.130
  ip route 192.168.50.0 255.255.255.0 212.71.53.38
  ip access-list extended outside
  remark CCP_ACL Category=1
  permit ip any any log
  ip access-list extended outside1
  remark CCP_ACL Category=1
  permit ip any any log
  access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 130 permit ip 10.2.2.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 130
  control-plane

• Cisco ASA 5505 Dual-ISP Backup VPN

  I am trying to create a backup tunnel from an ASA 5505 to a pix 501 in the case of the Main ISP failing.  The Pix external side will stay the same, but not quite sure how I can create a new crypto map and have it use the Backup ISP interface without bringing down the main tunnel.
  My first thought was to add the following crypto map to the configuration below:
  crypto map outside_map 2 match address outside_1_cryptomap
  crypto map outside_map 2 set peer 9.3.21.13
  crypto map outside_map 2 set transform-set ESP-DES-MD5
  crypto map outside_map interface backupisp -->but this would break the current tunnel.
  NYASA# sh run
  : Saved
  ASA Version 7.2(4)
  hostname NYASA
  domain-name girls.org
  enable password CHwdJ2WMUcjxIIm8 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.1.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 9.17.5.8 255.255.255.240
  interface Vlan3
  description Backup ISP
  nameif backupisp
  security-level 0
  ip address 6.27.9.5 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended permit icmp any any source-quench
  access-list outside_access_in extended permit icmp any any unreachable
  access-list outside_access_in extended permit icmp any any time-exceeded
  access-list outside_access_in extended permit icmp any any
  access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
  access-list 150 extended permit ip any host 10.1.2.27
  access-list 150 extended permit ip host 10.1.2.27 any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu backupisp 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  global (backupisp) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 9.17.5.7 1 track 1
  route backupisp 0.0.0.0 0.0.0.0 6.27.9.1 254
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication ssh console LOCAL
  http server enable
  http 10.1.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sla monitor 10
  type echo protocol ipIcmpEcho 4.2.2.2 interface outside
  num-packets 3
  timeout 1000
  frequency 3
  sla monitor schedule 10 life forever start-time now
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 9.3.21.13
  crypto map outside_map 1 set transform-set ESP-DES-MD5
  crypto map outside_map interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp nat-traversal  20
  track 1 rtr 10 reachability
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 60
  console timeout 0
  management-access inside
  username ptiadmin password BtOLil2gR0VaUjfX encrypted privilege 15
  tunnel-group 9.4.21.13 type ipsec-l2l
  tunnel-group 9.4.21.13 ipsec-attributes
  pre-shared-key *
  prompt hostname context
  Cryptochecksum:22bb60b07c4c1805b89eb2376683f861
  : end
  NYASA#
  Thanks in advance.

  In that case is the PIX who needs two peers (to the ASA).
  The ASA will requiere the crypto map to be applied to the backup interface as well (as you mentioned)
  crypto map outside_map interface backupisp -->but this would break the current tunnel.
  The above command should not break the current tunnel (if the route to reach the other end goes out via the primary interface).
  Additionally you need IP SLA configured in the ASA to allow it to use the primary connection and fallback to the backup connection to build-up the tunnel (as well to use again the primary interface when it recovers).
  Federico.

• Remote Access VPN connecting but not passing traffic

  I have a remote access VPN configured on a device here. I'm able to connect a device and it assigns me an IP address out of the pool, and injects the routes to its local network, but I'm not able to pass any traffic through the VPN and none of the IPSec SA counters increment for the dial-in connection. I've compared the config here to the samples from documentation and I don't know what I'm missing. Config is below.
  3118-FWL001(config)# sho run
  : Saved
  ASA Version 7.2(3)
  hostname 3118-FWL001
  domain-name rr-rentals.com
  enable password hEgvNHfNHV8zypPu encrypted
  names
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.10.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 199.X.X.162 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  passwd 2KFQnbNIdI.2KYOU encrypted
  banner exec
  banner exec
  banner exec
  banner exec Any attempted or unauthorized access, use, or modification is prohibited.
  banner exec Unauthorized users may face criminal and/or civil penalties.
  banner exec The use of this system may be monitored and recorded.
  banner exec If the monitoring reveals possible evidence of criminal activity, Adhost can
  banner exec provide the records to law enforcement.
  banner exec Be safe!  Do not share your access information with anyone!
  banner exec
  banner exec
  banner exec
  banner asdm
  banner asdm
  banner asdm
  banner asdm Any attempted or unauthorized access, use, or modification is prohibited.
  banner asdm Unauthorized users may face criminal and/or civil penalties.
  banner asdm The use of this system may be monitored and recorded.
  banner asdm If the monitoring reveals possible evidence of criminal activity, Adhost can
  banner asdm provide the records to law enforcement.
  banner asdm Be safe!  Do not share your access information with anyone!
  banner asdm
  banner asdm
  banner asdm
  ftp mode passive
  dns server-group DefaultDNS
   domain-name rr-rentals.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list outside_acl extended permit ip any host 199.X.X.163
  access-list outside_acl extended permit icmp any any echo
  access-list outside_acl extended permit icmp any any echo-reply
  access-list outside_acl extended permit tcp 216.X.X.64 255.255.255.192 any
  access-list outside_acl extended permit tcp host 76.X.X.166 any eq 3389
  access-list outside_acl extended permit tcp 67.X.X.192 255.255.255.224 any eq 3389
  access-list outside_acl extended permit tcp any any eq ftp
  access-list outside_acl extended permit tcp any any eq ftp-data
  access-list outside_acl extended permit tcp host 72.X.X.71 any eq 3389
  access-list outside_acl extended permit tcp host 26.X.X.155 any eq 3389
  access-list outside_acl extended permit tcp host 24.X.X.155 any eq 3389
  access-list outside_acl extended permit icmp any any unreachable
  access-list outside_acl extended permit icmp any any time-exceeded
  access-list outside_acl extended permit tcp host 71.X.X.170 any eq 3389
  access-list outside_acl extended permit tcp host 24.X.X.200 any eq 3389
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list rr-vpn_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
  access-list rr-vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffer-size 1048576
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpnpool 192.168.20.1-192.168.20.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-523.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) 199.X.X.163 192.168.10.2 netmask 255.255.255.255
  access-group outside_acl in interface outside
  route outside 0.0.0.0 0.0.0.0 199.X.X.161 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  aaa authentication enable console LOCAL
  aaa authentication serial console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 216.X.X.64 255.255.255.192 outside
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt connection tcpmss 1200
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 50.X.X.58
  crypto map outside_map 1 set transform-set ESP-AES-128-SHA
  crypto map outside_map 2 match address outside_2_cryptomap
  crypto map outside_map 2 set pfs
  crypto map outside_map 2 set peer 75.X.X.253
  crypto map outside_map 2 set transform-set ESP-AES-128-SHA
  crypto map outside_map 3 match address outside_3_cryptomap
  crypto map outside_map 3 set pfs
  crypto map outside_map 3 set peer 173.X.X.69
  crypto map outside_map 3 set transform-set ESP-AES-128-SHA
  crypto map outside_map 4 match address outside_4_cryptomap
  crypto map outside_map 4 set pfs
  crypto map outside_map 4 set peer 70.X.X.194
  crypto map outside_map 4 set transform-set ESP-AES-128-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption aes
   hash sha
   group 5
   lifetime 86400
  crypto isakmp policy 30
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh 192.168.10.2 255.255.255.255 inside
  ssh 192.168.0.0 255.255.0.0 inside
  ssh 216.X.X.64 255.255.255.192 outside
  ssh 50.X.X.58 255.255.255.255 outside
  ssh timeout 60
  ssh version 2
  console timeout 0
  management-access inside
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect icmp error
  service-policy global_policy global
  tftp-server outside 216.X.X.116 3118-FWL001.config
  group-policy rr-vpn internal
  group-policy rr-vpn attributes
   dns-server value 216.X.X.12 66.X.X.11
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value rr-vpn_splitTunnelAcl
  username rrlee password B6rKS8LmKC50oIXK encrypted privilege 0
  username rrlee attributes
   vpn-group-policy rr-vpn
  username cschirado password QYICGrOFAZ9iPWpp encrypted privilege 0
  username cschirado attributes
   vpn-group-policy rr-vpn
  username daniel password SZsXZCSuVXcFn9NB encrypted privilege 15
  username adhostadm password 7P2Y2Ow1o0.VSjvh encrypted privilege 15
  username troy password amZKsxVU.8N9kKPb encrypted privilege 0
  username troy attributes
   vpn-group-policy rr-vpn
  username troyr password Hek9zbMrM6wEDSfi encrypted privilege 15
  username druiz password 33oau7XOcvhJ3DMv encrypted privilege 0
  username druiz attributes
   vpn-group-policy rr-vpn
  username theresa password qWsPnR.vfjXzlunC encrypted privilege 0
  username theresa attributes
   vpn-group-policy rr-vpn
  username kevin password R5DPfUVhzGCEg6pu encrypted privilege 0
  username kevin attributes
   vpn-group-policy rr-vpn
  username andrea password MyhIPdH6UJQDon77 encrypted privilege 0
  username andrea attributes
   vpn-group-policy rr-vpn
  tunnel-group 50.X.X.58 type ipsec-l2l
  tunnel-group 50.X.X.58 ipsec-attributes
   pre-shared-key *
  tunnel-group 75.X.X.253 type ipsec-l2l
  tunnel-group 75.X.X.253 ipsec-attributes
   pre-shared-key *
  tunnel-group 72.X.X.71 type ipsec-l2l
  tunnel-group 72.X.X.71 ipsec-attributes
   pre-shared-key *
  tunnel-group 173.X.X.69 type ipsec-l2l
  tunnel-group 173.X.X.69 ipsec-attributes
   pre-shared-key *
  tunnel-group rr-vpn type ipsec-ra
  tunnel-group rr-vpn general-attributes
   address-pool vpnpool
   default-group-policy rr-vpn
  tunnel-group rr-vpn ipsec-attributes
   pre-shared-key *
  tunnel-group 70.X.X.194 type ipsec-l2l
  tunnel-group 70.X.X.194 ipsec-attributes
   pre-shared-key *
  prompt hostname context

  Here are the results of the commands you requested. I'm not able to ping either direction.
  Thanks,
  James
  3118-FWL001# sho cry isa sa
     Active SA: 5
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 5
  1   IKE Peer: 50.34.254.58
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  2   IKE Peer: 173.10.71.69
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  3   IKE Peer: 75.151.109.253
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  4   IKE Peer: 70.99.88.194
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  5   IKE Peer: 216.211.143.85
      Type    : user            Role    : responder
      Rekey   : no              State   : AM_ACTIVE
  3118-FWL001# sho cry ips sa
  interface: outside
      Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162
        local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0)
        current_peer: 216.211.143.85, username: kevin
        dynamic allocated peer ip: 192.168.20.2
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 216.211.143.85
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: CBF94621
      inbound esp sas:
        spi: 0x8D8279CA (2374138314)
           transform: esp-3des esp-sha-hmac none
           in use settings ={RA, Tunnel, }
           slot: 0, conn_id: 200, crypto-map: outside_dyn_map
           sa timing: remaining key lifetime (sec): 28715
           IV size: 8 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0xCBF94621 (3422111265)
           transform: esp-3des esp-sha-hmac none
           in use settings ={RA, Tunnel, }
           slot: 0, conn_id: 200, crypto-map: outside_dyn_map
           sa timing: remaining key lifetime (sec): 28715
           IV size: 8 bytes
           replay detection support: Y
      Crypto map tag: outside_map, seq num: 1, local addr: 199.21.66.162
        access-list outside_1_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        current_peer: 50.34.254.58
        #pkts encaps: 15356573, #pkts encrypt: 15356573, #pkts digest: 15356573
        #pkts decaps: 9021115, #pkts decrypt: 9021114, #pkts verify: 9021114
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 15356573, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 50.34.254.58
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: FE16571B
      inbound esp sas:
        spi: 0x78BD7E4F (2025684559)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 86, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4263158/5788)
           IV size: 16 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0xFE16571B (4262876955)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 86, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4064653/5788)
           IV size: 16 bytes
           replay detection support: Y
      Crypto map tag: outside_map, seq num: 4, local addr: 199.21.66.162
        access-list outside_4_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
        current_peer: 70.99.88.194
        #pkts encaps: 491814, #pkts encrypt: 491814, #pkts digest: 491814
        #pkts decaps: 416810, #pkts decrypt: 416810, #pkts verify: 416810
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 491814, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 70.99.88.194
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 533F55E1
      inbound esp sas:
        spi: 0xE2F461AD (3807666605)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 194, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4273818/27167)
           IV size: 16 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0x533F55E1 (1396659681)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 194, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4266133/27167)
           IV size: 16 bytes
           replay detection support: Y
      Crypto map tag: outside_map, seq num: 2, local addr: 199.21.66.162
        access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 75.151.109.253
        #pkts encaps: 207718, #pkts encrypt: 207718, #pkts digest: 207718
        #pkts decaps: 142739, #pkts decrypt: 142739, #pkts verify: 142739
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 207722, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 75.151.109.253
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 8D74AC18
      inbound esp sas:
        spi: 0x0CF7F70B (217577227)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 195, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4274490/23242)
           IV size: 16 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0x8D74AC18 (2373233688)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 195, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4270718/23242)
           IV size: 16 bytes
           replay detection support: Y
      Crypto map tag: outside_map, seq num: 3, local addr: 199.21.66.162
        access-list outside_3_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
        current_peer: 173.10.71.69
        #pkts encaps: 3427935, #pkts encrypt: 3427935, #pkts digest: 3427935
        #pkts decaps: 2006044, #pkts decrypt: 2006044, #pkts verify: 2006044
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 3427935, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 173.10.71.69
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 2E8A6147
      inbound esp sas:
        spi: 0x467968AB (1182361771)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 154, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4270213/18597)
           IV size: 16 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0x2E8A6147 (780820807)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 154, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4162093/18597)
           IV size: 16 bytes
           replay detection support: Y
  3118-FWL001# sho run route
  route outside 0.0.0.0 0.0.0.0 199.21.66.161 1

• CIsco ASA 5505 and VPN licenses

  Hi,
  Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
  How those licenses are counted? Will I need a license per one IPSec SA?
  If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
  Thank you.
  Regards,
  Alex

  Alex,
  In an ASA 5505, it should say something like this...when you do sh ver.
  VPN Peers : 25
  It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
  Its a per tunnel license.
  Rate this, if it helps!
  Gilbert

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni

• CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

  I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
  The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
  My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
  I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query.  Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
  Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

  Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
  access list rule:
  access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
  nat rule:
  nat (inside,outside) source static server interface service voip-range voip-range
  - 'server' is a network object *
  - 'voip-range' is a service group range
  I'd assume you can do something similar here in combination with my earlier comment:
  access-list incoming extended permit tcp any any eq 5900
  Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

• Setting up site to site vpn with cisco asa 5505

  I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
  IP of remote office router is 71.37.178.142
  IP of the main office firewall is 209.117.141.82
  Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password TMACBloMlcBsq1kp encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group5
  crypto map outside_map 1 set peer 209.117.141.82
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn username [email protected] password ********* store-local
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.129 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
  : end
  ciscoasa#
  Thanks!

  Hi Mandy,
  By using following access list define Peer IP as source and destination
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  you are not defining the interesting traffic / subnets from both ends.
  Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
  !.1..source subnet(called local encryption domain) at your end  192.168.200.0
  !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
  !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
  !...at your end  192.168.200.0
  !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
  !...at other end 192.168.100.0
  Please use Baisc Steps as follows:
  A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
  Step 1.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  Step 2.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 3.
  Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 71.37.178.142
  or , but not both
  crypto isakmp key 6 CISCO123 address71.37.178.142
  step 4.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 5.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 6.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Configure the same but just change ACL on other end in step one  by reversing source and destination
  and also set the peer IP of this router in other end.
  So other side config should look as follows:
  B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
  Step 7.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
  Step 8.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 9.
  Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 209.117.141.82
  or , but not both
  crypto isakmp key 6 CISCO123 address 209.117.141.82
  step 10.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 11.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map    ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set, only one is permissible
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 12.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Now initite a ping
  Here is for your summary:
  IPSec: Site to Site - Routers
  Configuration Steps
  Phase 1
  Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
  Step 2: Configure ISAKMP Policy
  Step 3: Configure ISAKMP Key
  Phase 2
  Step 4: Configure Transform Set
  Step 5: Configure Crypto Map
  Step 6: Apply Crypto Map to an Interface
  To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
  Router#debug crpyto isakmp
  Router#debug crpyto ipsec
  Router(config)# logging buffer 7
  Router(config)# logging buffer 99999
  Router(config)# logging console 6
  Router# clear logging
  Configuration
  In R1:
  (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
  (config)# crypto isakmp policy 10
  (config-policy)# encryption 3des
  (config-policy)# authentication pre-share
  (config-policy)# group 2
  (config-policy)# hash sha1
  (config)# crypto isakmp key 0 cisco address 2.2.2.1
  (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
  (config)# crypto map CMAP 10 ipsec-isakmp
  (config-crypto-map)# set peer 2.2.2.1
  (config-crypto-map)# match address 101
  (config-crypto-map)# set transform-set TSET
  (config)# int f0/0
  (config-if)# crypto map CMAP
  Similarly in R2
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Change to Transport Mode, add the following command in Step 4:
  (config-tranform-set)# mode transport
  Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
  Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
  (config)# crypto isakmp peer address 2.2.2.1
  (config-peer)# set aggressive-mode password cisco
  (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
  Similarly on R2.
  The below process is for the negotiation using RSA-SIG (PKI) as authentication type
  Debug Process:
  After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
  R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 2.2.2.2
  Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
  Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
  Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
  Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
  Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
  Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
  Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
  Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
  Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
  Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947:.!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
  R2(config)# ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
  Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
  Mar  2 16:18:42.947: ISAKMP:      hash SHA
  Mar  2 16:18:42.947: ISAKMP:      default group 2
  Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
  Mar  2 16:18:42.947: ISAKMP:      life type in seconds
  Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
  Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
  Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
  Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
  Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
  Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
  Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
  Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
  Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
  Mar  2 16:18:43.011: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2
            protocol     : 17
            port         : 500
            length       : 10
  Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
  Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
  Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
  Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
  // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : ASA1
            protocol     : 0
            port         : 0
            length       : 12
  Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
  Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
  Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
  Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
  Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
  Mar  2 16:18:43.067: ISAKMP:received payload type 17
  Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
  Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
            authenticated
  Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
  Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
  Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
  Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
  Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
  Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
  Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
  Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
  Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
  Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
  Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
  Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
  Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
            (proxy 1.1.1.1 to 2.2.2.2)
  Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
            (proxy 2.2.2.2 to 1.1.1.1)
  Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
  Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Kindly rate if you find the explanation useful !!
  Best Regards
  Sachin Garg

• Cisco ASA 5505 Site to Site VPN

  Hello All,
  First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
  I would appreciate any help that can be directed towards this issue please.  Slowly losing my mind
  Please see details below:
  Both ADM are 7.1
  IOS
  ASA 1
  aved
  ASA Version 9.0(1)
  hostname PAYBACK
  enable password HSMurh79NVmatjY0 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description Trunk link to SW1
  switchport trunk allowed vlan 1,10,20,30,40
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan2
  nameif outside
  security-level 0
  ip address 92.51.193.158 255.255.255.252
  interface Vlan10
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan20
  nameif servers
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan30
  nameif printers
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan40
  nameif wireless
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  banner login line Welcome to Payback Loyalty Systems
  boot system disk0:/asa901-k8.bin
  ftp mode passive
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns domain-lookup servers
  dns domain-lookup printers
  dns domain-lookup wireless
  dns server-group DefaultDNS
  name-server 83.147.160.2
  name-server 83.147.160.130
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network ftp_server
  object network Internal_Report_Server
  host 192.168.20.21
  description Automated Report Server Internal Address
  object network Report_Server
  host 89.234.126.9
  description Automated Report Server
  object service RDP
  service tcp destination eq 3389
  description RDP to Server
  object network Host_QA_Server
  host 89.234.126.10
  description QA Host External Address
  object network Internal_Host_QA
  host 192.168.20.22
  description Host of VM machine for QA
  object network Internal_QA_Web_Server
  host 192.168.20.23
  description Web Server in QA environment
  object network Web_Server_QA_VM
  host 89.234.126.11
  description Web server in QA environment
  object service SQL_Server
  service tcp destination eq 1433
  object network Demo_Server
  host 89.234.126.12
  description Server set up to Demo Product
  object network Internal_Demo_Server
  host 192.168.20.24
  description Internal IP Address of Demo Server
  object network NETWORK_OBJ_192.168.20.0_24
  subnet 192.168.20.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_26
  subnet 192.168.50.0 255.255.255.192
  object network NETWORK_OBJ_192.168.0.0_16
  subnet 192.168.0.0 255.255.0.0
  object service MSSQL
  service tcp destination eq 1434
  description MSSQL port
  object network VPN-network
  subnet 192.168.50.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_24
  subnet 192.168.50.0 255.255.255.0
  object service TS
  service tcp destination eq 4400
  object service TS_Return
  service tcp source eq 4400
  object network External_QA_3
  host 89.234.126.13
  object network Internal_QA_3
  host 192.168.20.25
  object network Dev_WebServer
  host 192.168.20.27
  object network External_Dev_Web
  host 89.234.126.14
  object network CIX_Subnet
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network NETWORK_OBJ_84.39.233.50
  host 84.39.233.50
  object network NETWORK_OBJ_92.51.193.158
  host 92.51.193.158
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq ftp
  service-object tcp destination eq netbios-ssn
  service-object tcp destination eq smtp
  service-object object TS
  object-group network Payback_Internal
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_3
  service-object tcp destination eq www
  service-object tcp destination eq https
  service-object object TS
  service-object object TS_Return
  object-group service DM_INLINE_SERVICE_4
  service-object object RDP
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group service DM_INLINE_SERVICE_5
  service-object object MSSQL
  service-object object RDP
  service-object object TS
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DM_INLINE_SERVICE_6
  service-object object TS
  service-object object TS_Return
  service-object tcp destination eq www
  service-object tcp destination eq https
  access-list outside_access_in remark This rule is allowing from internet to interal server.
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark FTP
  access-list outside_access_in remark RDP
  access-list outside_access_in remark SMTP
  access-list outside_access_in remark Net Bios
  access-list outside_access_in remark SQL
  access-list outside_access_in remark TS - 4400
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
  access-list outside_access_in remark Access rule to internal host QA
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
  access-list outside_access_in remark Access to INternal Web Server:
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
  access-list outside_access_in remark Rule for allowing access to Demo server
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark RDP
  access-list outside_access_in remark MSSQL
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
  access-list outside_access_in remark Access for Development WebServer
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
  access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging console informational
  logging asdm informational
  logging from-address
  [email protected]
  logging recipient-address
  [email protected]
  level alerts
  mtu outside 1500
  mtu inside 1500
  mtu servers 1500
  mtu printers 1500
  mtu wireless 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source dynamic any interface
  nat (wireless,outside) source dynamic any interface
  nat (servers,outside) source dynamic any interface
  nat (servers,outside) source static Internal_Report_Server Report_Server
  nat (servers,outside) source static Internal_Host_QA Host_QA_Server
  nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
  nat (servers,outside) source static Internal_Demo_Server Demo_Server
  nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Internal_QA_3 External_QA_3
  nat (servers,outside) source static Dev_WebServer External_Dev_Web
  nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.10.0 255.255.255.0 inside
  http 192.168.40.0 255.255.255.0 wireless
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 84.39.233.50
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 77.75.100.208 255.255.255.240 outside
  ssh 192.168.10.0 255.255.255.0 inside
  ssh 192.168.40.0 255.255.255.0 wireless
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.168.0.1
  dhcpd auto_config outside
  dhcpd address 192.168.10.21-192.168.10.240 inside
  dhcpd dns 192.168.20.21 83.147.160.2 interface inside
  dhcpd option 15 ascii paybackloyalty.com interface inside
  dhcpd enable inside
  dhcpd address 192.168.40.21-192.168.40.240 wireless
  dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
  dhcpd update dns interface wireless
  dhcpd option 15 ascii paybackloyalty.com interface wireless
  dhcpd enable wireless
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy Payback_VPN internal
  group-policy Payback_VPN attributes
  vpn-simultaneous-logins 10
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Payback_VPN_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
  dns-server value 83.147.160.2 83.147.160.130
  vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
  group-policy GroupPolicy_84.39.233.50 internal
  group-policy GroupPolicy_84.39.233.50 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username Noelle password XB/IpvYaATP.2QYm encrypted
  username Noelle attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
  username Eanna attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Michael password qpbleUqUEchRrgQX encrypted
  username Michael attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
  username Danny attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
  username Aileen attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
  username Aidan attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  username shane.c password iqGMoWOnfO6YKXbw encrypted
  username shane.c attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Shane password uYePLcrFadO9pBZx encrypted
  username Shane attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username James password TdYPv1pvld/hPM0d encrypted
  username James attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username mark password yruxpddqfyNb.qFn encrypted
  username mark attributes
  service-type admin
  username Mary password XND5FTEiyu1L1zFD encrypted
  username Mary attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
  username Massimo attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  tunnel-group Payback_VPN type remote-access
  tunnel-group Payback_VPN general-attributes
  address-pool VPN1
  default-group-policy Payback_VPN
  tunnel-group Payback_VPN ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 84.39.233.50 type ipsec-l2l
  tunnel-group 84.39.233.50 general-attributes
  default-group-policy GroupPolicy_84.39.233.50
  tunnel-group 84.39.233.50 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map global-class
  match default-inspection-traffic
  policy-map global-policy
  class global-class
    inspect dns
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip
    inspect snmp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect icmp error
    inspect icmp
  service-policy global-policy global
  smtp-server 192.168.20.21
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
  ASA 2
  ASA Version 9.0(1)
  hostname Payback-CIX
  enable password HSMurh79NVmatjY0 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description This port connects to VLAN 100
  switchport access vlan 100
  interface Ethernet0/2
  interface Ethernet0/3
  switchport access vlan 100
  interface Ethernet0/4
  switchport access vlan 100
  interface Ethernet0/5
  switchport access vlan 100
  interface Ethernet0/6
  switchport access vlan 100
  interface Ethernet0/7
  switchport access vlan 100
  interface Vlan2
  nameif outside
  security-level 0
  ip address 84.39.233.50 255.255.255.240
  interface Vlan100
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  banner login line Welcome to Payback Loyalty - CIX
  ftp mode passive
  clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group defaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CIX-Host-1
  host 192.168.100.2
  description This is the host machine of the VM servers
  object network External_CIX-Host-1
  host 84.39.233.51
  description This is the external IP address of the host server for the VM server
  object service RDP
  service tcp source range 1 65535 destination eq 3389
  object network Payback_Office
  host 92.51.193.158
  object service MSQL
  service tcp destination eq 1433
  object network Development_OLTP
  host 192.168.100.10
  description VM for Eiresoft
  object network External_Development_OLTP
  host 84.39.233.52
  description This is the external IP address for the VM for Eiresoft
  object network Eiresoft
  host 146.66.160.70
  description DBA Contractor
  object network External_TMC_Web
  host 84.39.233.53
  description Public Address of TMC Webserver
  object network TMC_Webserver
  host 192.168.100.19
  description Internal Address of TMC Webserver
  object network External_TMC_OLTP
  host 84.39.233.54
  description Targets OLTP external IP
  object network TMC_OLTP
  host 192.168.100.18
  description Targets interal IP address
  object network External_OLTP_Failover
  host 84.39.233.55
  description Public IP of OLTP Failover
  object network OLTP_Failover
  host 192.168.100.60
  description Server for OLTP failover
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object network Wired
  subnet 192.168.10.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network Eiresoft_2nd
  host 137.117.217.29
  description Eiresoft 2nd IP
  object network Dev_Test_Webserver
  host 192.168.100.12
  description Dev Test Webserver Internal Address
  object network External_Dev_Test_Webserver
  host 84.39.233.56
  description This is the PB Dev Test Webserver
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_2
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_3
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_4
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_5
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_6
  service-object object MSQL
  service-object object RDP
  object-group network Payback_Intrernal
  network-object object Servers
  network-object object Wired
  network-object object Wireless
  object-group service DM_INLINE_SERVICE_7
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_8
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_9
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_10
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_11
  service-object object RDP
  service-object tcp destination eq ftp
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
  access-list outside_access_in remark Development OLTP from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
  access-list outside_access_in remark Access for Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
  access-list outside_access_in remark Access to OLTP for target from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
  access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
  access-list outside_access_in remark Access for the 2nd IP from Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
  access-list outside_access_in remark Access from the 2nd Eiresoft IP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
  access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
  nat (inside,outside) source static Development_OLTP External_Development_OLTP
  nat (inside,outside) source static TMC_Webserver External_TMC_Web
  nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
  nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
  nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 92.51.193.156 255.255.255.252 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 92.51.193.158
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 77.75.100.208 255.255.255.240 outside
  ssh 92.51.193.156 255.255.255.252 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_92.51.193.158 internal
  group-policy GroupPolicy_92.51.193.158 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  tunnel-group 92.51.193.158 type ipsec-l2l
  tunnel-group 92.51.193.158 general-attributes
  default-group-policy GroupPolicy_92.51.193.158
  tunnel-group 92.51.193.158 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
  : end

  Hi,
  Thanks for the help to date
  I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
  See below the details:
  ASA1:
  hostname PAYBACK
  enable password HSMurh79NVmatjY0 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description Trunk link to SW1
  switchport trunk allowed vlan 1,10,20,30,40
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan2
  nameif outside
  security-level 0
  ip address XX.XX.XX.XX 255.255.255.252
  interface Vlan10
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan20
  nameif servers
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan30
  nameif printers
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan40
  nameif wireless
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  banner login line Welcome to Payback Loyalty Systems
  boot system disk0:/asa901-k8.bin
  ftp mode passive
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns domain-lookup servers
  dns domain-lookup printers
  dns domain-lookup wireless
  dns server-group DefaultDNS
  name-server 83.147.160.2
  name-server 83.147.160.130
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network ftp_server
  object network Internal_Report_Server
  host 192.168.20.21
  description Automated Report Server Internal Address
  object network Report_Server
  host 89.234.126.9
  description Automated Report Server
  object service RDP
  service tcp destination eq 3389
  description RDP to Server
  object network Host_QA_Server
  host 89.234.126.10
  description QA Host External Address
  object network Internal_Host_QA
  host 192.168.20.22
  description Host of VM machine for QA
  object network Internal_QA_Web_Server
  host 192.168.20.23
  description Web Server in QA environment
  object network Web_Server_QA_VM
  host 89.234.126.11
  description Web server in QA environment
  object service SQL_Server
  service tcp destination eq 1433
  object network Demo_Server
  host 89.234.126.12
  description Server set up to Demo Product
  object network Internal_Demo_Server
  host 192.168.20.24
  description Internal IP Address of Demo Server
  object network NETWORK_OBJ_192.168.20.0_24
  subnet 192.168.20.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_26
  subnet 192.168.50.0 255.255.255.192
  object network NETWORK_OBJ_192.168.0.0_16
  subnet 192.168.0.0 255.255.0.0
  object service MSSQL
  service tcp destination eq 1434
  description MSSQL port
  object network VPN-network
  subnet 192.168.50.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_24
  subnet 192.168.50.0 255.255.255.0
  object service TS
  service tcp destination eq 4400
  object service TS_Return
  service tcp source eq 4400
  object network External_QA_3
  host 89.234.126.13
  object network Internal_QA_3
  host 192.168.20.25
  object network Dev_WebServer
  host 192.168.20.27
  object network External_Dev_Web
  host 89.234.126.14
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  description Wireless network
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq ftp
  service-object tcp destination eq netbios-ssn
  service-object tcp destination eq smtp
  service-object object TS
  service-object object SQL_Server
  object-group service DM_INLINE_SERVICE_3
  service-object tcp destination eq www
  service-object tcp destination eq https
  service-object object TS
  service-object object TS_Return
  object-group service DM_INLINE_SERVICE_4
  service-object object RDP
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group service DM_INLINE_SERVICE_5
  service-object object MSSQL
  service-object object RDP
  service-object object TS
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DM_INLINE_SERVICE_6
  service-object object TS
  service-object object TS_Return
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  object-group network Payback_Internal
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  access-list outside_access_in remark This rule is allowing from internet to interal server.
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark FTP
  access-list outside_access_in remark RDP
  access-list outside_access_in remark SMTP
  access-list outside_access_in remark Net Bios
  access-list outside_access_in remark SQL
  access-list outside_access_in remark TS - 4400
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
  access-list outside_access_in remark Access rule to internal host QA
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
  access-list outside_access_in remark Access to INternal Web Server:
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
  access-list outside_access_in remark Rule for allowing access to Demo server
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark RDP
  access-list outside_access_in remark MSSQL
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
  access-list outside_access_in remark Access for Development WebServer
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
  access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging console informational
  logging asdm informational
  logging from-address [email protected]
  logging recipient-address [email protected] level alerts
  mtu outside 1500
  mtu inside 1500
  mtu servers 1500
  mtu printers 1500
  mtu wireless 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source dynamic any interface
  nat (wireless,outside) source dynamic any interface
  nat (servers,outside) source dynamic any interface
  nat (servers,outside) source static Internal_Report_Server Report_Server
  nat (servers,outside) source static Internal_Host_QA Host_QA_Server
  nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
  nat (servers,outside) source static Internal_Demo_Server Demo_Server
  nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Internal_QA_3 External_QA_3
  nat (servers,outside) source static Dev_WebServer External_Dev_Web
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer XX.XX.XX.XX
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map servers_map interface servers
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 enable inside client-services port 443
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  crypto ikev1 enable servers
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.10.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.168.0.1
  dhcpd auto_config outside
  dhcpd address 192.168.10.21-192.168.10.240 inside
  dhcpd dns 192.168.20.21 83.147.160.2 interface inside
  dhcpd option 15 ascii paybackloyalty.com interface inside
  dhcpd enable inside
  dhcpd address 192.168.40.21-192.168.40.240 wireless
  dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
  dhcpd update dns interface wireless
  dhcpd option 15 ascii paybackloyalty.com interface wireless
  dhcpd enable wireless
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy Payback_VPN internal
  group-policy Payback_VPN attributes
  vpn-simultaneous-logins 10
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Payback_VPN_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
  dns-server value 83.147.160.2 83.147.160.130
  vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
  group-policy GroupPolicy_84.39.233.50 internal
  group-policy GroupPolicy_84.39.233.50 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username Noelle password XB/IpvYaATP.2QYm encrypted
  username Noelle attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
  username Eanna attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Michael password qpbleUqUEchRrgQX encrypted
  username Michael attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
  username Danny attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username niamh password MlFlIlEiy8vismE0 encrypted
  username niamh attributes
  service-type admin
  username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
  username Aileen attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
  username Aidan attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  username shane.c password iqGMoWOnfO6YKXbw encrypted
  username shane.c attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Shane password yQeVtvLLKqapoUje encrypted privilege 0
  username Shane attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username James password TdYPv1pvld/hPM0d encrypted
  username James attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username mark password yruxpddqfyNb.qFn encrypted
  username mark attributes
  service-type admin
  username Mary password XND5FTEiyu1L1zFD encrypted
  username Mary attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
  username Massimo attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  tunnel-group Payback_VPN type remote-access
  tunnel-group Payback_VPN general-attributes
  address-pool VPN1
  default-group-policy Payback_VPN
  tunnel-group Payback_VPN ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 84.39.233.50 type ipsec-l2l
  tunnel-group 84.39.233.50 general-attributes
  default-group-policy GroupPolicy_84.39.233.50
  tunnel-group 84.39.233.50 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map global-class
  match default-inspection-traffic
  policy-map global-policy
  class global-class
    inspect dns
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip
    inspect snmp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect icmp error
    inspect icmp
  service-policy global-policy global
  smtp-server 192.168.20.21
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:83fa7ce1d93375645205f6e79b526381
  ASA2:
  ASA Version 9.0(1)
  hostname Payback-CIX
  enable password HSMurh79NVmatjY0 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description This port connects to VLAN 100
  switchport access vlan 100
  interface Ethernet0/2
  interface Ethernet0/3
  switchport access vlan 100
  interface Ethernet0/4
  switchport access vlan 100
  interface Ethernet0/5
  switchport access vlan 100
  interface Ethernet0/6
  switchport access vlan 100
  interface Ethernet0/7
  switchport access vlan 100
  interface Vlan2
  nameif outside
  security-level 0
  ip address X.X.X.X 255.255.255.240
  interface Vlan100
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  banner login line Welcome to Payback Loyalty - CIX
  ftp mode passive
  clock timezone GMT 0
  clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group defaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CIX-Host-1
  host 192.168.100.2
  description This is the host machine of the VM servers
  object network External_CIX-Host-1
  host 84.39.233.51
  description This is the external IP address of the host server for the VM server
  object service RDP
  service tcp source range 1 65535 destination eq 3389
  object network Payback_Office
  host 92.51.193.158
  object service MSQL
  service tcp destination eq 1433
  object network Development_OLTP
  host 192.168.100.10
  description VM for Eiresoft
  object network External_Development_OLTP
  host 84.39.233.52
  description This is the external IP address for the VM for Eiresoft
  object network External_TMC_Web
  host 84.39.233.53
  description Public Address of TMC Webserver
  object network TMC_Webserver
  host 192.168.100.19
  description Internal Address of TMC Webserver
  object network External_TMC_OLTP
  host 84.39.233.54
  description Targets OLTP external IP
  object network TMC_OLTP
  host 192.168.100.18
  description Targets interal IP address
  object network External_OLTP_Failover
  host 84.39.233.55
  description Public IP of OLTP Failover
  object network OLTP_Failover
  host 192.168.100.60
  description Server for OLTP failover
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object network Wired
  subnet 192.168.10.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network Eiresoft_2nd
  host 137.117.217.29
  description Eiresoft 2nd IP
  object network Dev_Test_Webserver
  host 192.168.100.12
  description Dev Test Webserver Internal Address
  object network External_Dev_Test_Webserver
  host 84.39.233.56
  description This is the PB Dev Test Webserver
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network LAN
  subnet 192.168.100.0 255.255.255.0
  object network REMOTE-LAN
  subnet 192.168.10.0 255.255.255.0
  object network TargetMC
  host 83.71.194.145
  description This is Target Location that will be accessing the Webserver
  object network Rackspace_OLTP
  host 162.13.34.56
  description This is the IP address of production OLTP
  object service DB
  service tcp destination eq 5022
  object network Topaz_Target_VM
  host 82.198.151.168
  description This is Topaz IP that will be accessing Targets VM
  object service DB_2
  service tcp destination eq 5023
  object network EireSoft_NEW_IP
  host 146.66.161.3
  description Eiresoft latest IP form ISP DHCP
  object-group service DM_INLINE_SERVICE_1
  service-object object MSQL
  service-object object RDP
  service-object icmp echo
  service-object icmp echo-reply
  object-group service DM_INLINE_SERVICE_2
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_4
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  service-object tcp destination eq www
  object-group service DM_INLINE_SERVICE_5
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_6
  service-object object MSQL
  service-object object RDP
  object-group network Payback_Intrernal
  network-object object Servers
  network-object object Wired
  network-object object Wireless
  object-group service DM_INLINE_SERVICE_8
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_9
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_10
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  service-object icmp echo
  service-object icmp echo-reply
  service-object object DB
  object-group service DM_INLINE_SERVICE_11
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_12
  service-object object MSQL
  service-object icmp echo
  service-object icmp echo-reply
  service-object object DB
  service-object object DB_2
  object-group service DM_INLINE_SERVICE_13
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_14
  service-object object MSQL
  service-object object RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
  access-list outside_access_in remark Development OLTP from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
  access-list outside_access_in remark Access to OLTP for target from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
  access-list outside_access_in remark Access for the 2nd IP from Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
  access-list outside_access_in remark Access from the 2nd Eiresoft IP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
  access-list outside_access_in remark Access rules from Traget to CIX for testing
  access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
  access-list outside_access_in remark Topaz access to Target VM
  access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
  access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
  access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
  access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
  access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
  access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
  pager lines 24
  logging enable
  logging console debugging
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
  nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
  nat (inside,outside) source static Development_OLTP External_Development_OLTP
  nat (inside,outside) source static TMC_Webserver External_TMC_Web
  nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
  nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
  nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
  nat (inside,outside) source dynamic LAN interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http X.X.X.X 255.255.255.252 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer X.X.X.X
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh X.X.X.X  255.255.255.240 outside
  ssh X.X.X.X 255.255.255.252 outside
  ssh 192.168.40.0 255.255.255.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_92.51.193.158 internal
  group-policy GroupPolicy_92.51.193.158 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  tunnel-group 92.51.193.158 type ipsec-l2l
  tunnel-group 92.51.193.158 general-attributes
  default-group-policy GroupPolicy_92.51.193.158
  tunnel-group 92.51.193.158 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769

• Cisco ASA 5505 Site to Site VPN Problem

  Hi All,
  We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
  We can establish the vpn tunnel and all users in the remote office are working great. However at a random point during the day or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
  When I dial into the modem which is connected to the firewall I see the following messages in the logs:
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
  Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
  Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
  Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
  Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
  I have checked both firewalls for any mis-matched parameters and do not see any.
  Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
  Thanks!

  Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
  hostname
  domain-name
  enable passwordpasswd names
  interface Vlan701
  nameif inside
  security-level 100
  ip address 10.65.0.69 255.255.255.252
  interface Vlan999
  nameif outside
  security-level 0
  ip address ******  255.255.255.248
  interface Ethernet0/0
  description Link to Internet
  switchport access vlan 999
  interface Ethernet0/1
  description
  switchport access vlan 701
  interface range Ethernet0/2 - 0/7
  switchport access vlan 2
  shutdown
  ftp mode passive
  dns server-group DefaultDNS
  domain-name******
  access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
  pager lines 24
  logging enable
  logging timestamp
  logging buffered warnings
  logging trap warnings
  logging asdm informational
  logging host outside *****
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside) 0 access-list nonat
  route inside ******
  route outside 0.0.0.0 0.0.0.0 ********
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  snmp-server location **:
  snmp-server contact **
  snmp-server community shortkey
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  snmp-server enable traps syslog
  crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
  crypto map CASGMAP 50 match address 101
  crypto map CASGMAP 50 set pfs group1
  crypto map CASGMAP 50 set peer ********
  crypto map CASGMAP 50 set transform-set 3desmd5
  crypto map CASGMAP 50 set security-association lifetime seconds 3600
  crypto map CASGMAP interface outside
  crypto isakmp enable outside
  crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet **** inside
  telnet timeout 5
  ssh **** inside
  ssh **** outside
  ssh timeout 5
  console timeout 30
  management-access inside
  dhcpd ping_timeout 750
  priority-queue outside
  ntp server **
  username ***
  tunnel-group ******** type ipsec-l2l
  tunnel-group ******** ipsec-attributes
  pre-shared-key ***
  class-map VoIP
  match dscp ef
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map General-purpose
  class VoIP
  priority
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect http
  service-policy General-purpose interface outside
  prompt hostname context

• Azure Site to Site VPN with Cisco ASA 5505

  I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
  IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
  Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
  Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
  Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
  Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
  I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
  (Does azure support 9.x version of asa?)
  How can i fix it?

  Hi,
  As of now, we do not have any scripts for Cisco ASA 9x series.
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
  demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  Did you download the VPN configuration file from the dashboard and copy the content of the configuration
  file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
  According to the
  Cisco ASA template, it should be similar to this:
  access-list <RP_AccessList>
  extended permit ip object-group
  <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
  nat (inside,outside) source static <RP_OnPremiseNetwork>
  <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
  <RP_AzureNetwork>
  Based on my experience, to establish
  IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
  VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
  compatible for dynamic routing, please make sure that you chose the static routing.
  Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
  Hope this helps you.
  Girish Prajwal

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• VPN Site to Site Cisco ASA-5505-BUN-50 to RV-042

                     Hello guys , anyone has an example for connect by VPN Site to Site a Cisco ASA-5505 with RV-042 , i need establish a link for connect my UC560 with CUE on Cisco Router 2800 for VoIP Site to Site calls.
  Thanks

  On ASA running 8.4.3. B side. I believe object "email" is defined incorrectly.
  Existing configuration
  object network email
  host 172.16.0.0
  description 255.255.0.0
  Correct configuration
  object network email
  subnet 172.16.0.0 255.255.0.0

• Cisco ASA 5505 site to site Multiple subnet.

  Hi. I need some help configuring my cisco asa 5505.
  I've set up a VPN tunnel between two ASA 5505
  Site 1:
  Subnet 192.168.77.0
  Site 2:
  Have multiple vlans and now the tunnel goes to vlan400 - 192.168.1.0
  What I need help with:
  From site 1 i need to be able to reach another vlan on site 2. vlan480 - 192.168.20.0
  And from site 1 I need to reach 192.168.77.0 subnet from vlan480 - 192.168.20.0
  Vlan480 is used for phones. In vlan480 we have a PABX central.
  Is this possible to do?
  Any help would be greatfully appreciated!
  Config site 2:
  : Saved
  ASA Version 7.2(2)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password x encrypted
  names
  name 192.168.1.250 DomeneServer
  name 192.168.1.10 NotesServer
  name 192.168.1.90 OvServer
  name 192.168.1.97 TerminalServer
  name 192.168.1.98 w8-eyeshare
  name 192.168.50.10 w8-print
  name 192.168.1.94 w8-app
  name 192.168.1.89 FonnaFlyMedia
  interface Vlan1
  nameif Vlan1
  security-level 100
  ip address 192.168.200.100 255.255.255.0
  ospf cost 10
  interface Vlan2
  nameif outside
  security-level 0
  ip address 79.x.x.226 255.255.255.224
  ospf cost 10
  interface Vlan400
  nameif vlan400
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  ospf cost 10
  interface Vlan450
  nameif Vlan450
  security-level 100
  ip address 192.168.210.1 255.255.255.0
  ospf cost 10
  interface Vlan460
  nameif Vlan460-SuldalHotell
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  ospf cost 10
  interface Vlan461
  nameif Vlan461-SuldalHotellGjest
  security-level 100
  ip address 192.168.3.1 255.255.255.0
  ospf cost 10
  interface Vlan462
  nameif Vlan462-Suldalsposten
  security-level 100
  ip address 192.168.4.1 255.255.255.0
  ospf cost 10
  interface Vlan470
  nameif vlan470-Kyrkjekontoret
  security-level 100
  ip address 192.168.202.1 255.255.255.0
  ospf cost 10
  interface Vlan480
  nameif vlan480-Telefoni
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  ospf cost 10
  interface Vlan490
  nameif Vlan490-QNapBackup
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  ospf cost 10
  interface Vlan500
  nameif Vlan500-HellandBadlands
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  ospf cost 10
  interface Vlan510
  nameif Vlan510-IsTak
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  ospf cost 10
  interface Vlan600
  nameif Vlan600-SafeQ
  security-level 100
  ip address 192.168.50.1 255.255.255.0
  ospf cost 10
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 500
  switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
  switchport mode trunk
  interface Ethernet0/3
  switchport access vlan 490
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  passwd x encrypted
  ftp mode passive
  clock timezone WAT 1
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group service Lotus_Notes_Utgaaande tcp
  description Frim Notes og ut til alle
  port-object eq domain
  port-object eq ftp
  port-object eq www
  port-object eq https
  port-object eq lotusnotes
  port-object eq pop3
  port-object eq pptp
  port-object eq smtp
  object-group service Lotus_Notes_inn tcp
  description From alle og inn til Notes
  port-object eq www
  port-object eq lotusnotes
  port-object eq pop3
  port-object eq smtp
  object-group service Reisebyraa tcp-udp
  port-object range 3702 3702
  port-object range 5500 5500
  port-object range 9876 9876
  object-group service Remote_Desktop tcp-udp
  description Tilgang til Remote Desktop
  port-object range 3389 3389
  object-group service Sand_Servicenter_50000 tcp-udp
  description Program tilgang til Sand Servicenter AS
  port-object range 50000 50000
  object-group service VNC_Remote_Admin tcp
  description Frå oss til alle
  port-object range 5900 5900
  object-group service Printer_Accept tcp-udp
  port-object range 9100 9100
  port-object eq echo
  object-group icmp-type Echo_Ping
  icmp-object echo
  icmp-object echo-reply
  object-group service Print tcp
  port-object range 9100 9100
  object-group service FTP_NADA tcp
  description Suldalsposten NADA tilgang
  port-object eq ftp
  port-object eq ftp-data
  object-group service Telefonsentral tcp
  description Hoftun
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  port-object eq telnet
  object-group service Printer_inn_800 tcp
  description Fra 800  nettet og inn til 400 port 7777
  port-object range 7777 7777
  object-group service Suldalsposten tcp
  description Sending av mail vha Mac Mail programmet - åpner smtp
  port-object eq pop3
  port-object eq smtp
  object-group service http2 tcp
  port-object range 81 81
  object-group service DMZ_FTP_PASSIVE tcp-udp
  port-object range 55536 56559
  object-group service DMZ_FTP tcp-udp
  port-object range 20 21
  object-group service DMZ_HTTPS tcp-udp
  port-object range 443 443
  object-group service DMZ_HTTP tcp-udp
  port-object range 8080 8080
  object-group service DNS_Query tcp
  port-object range domain domain
  object-group service DUETT_SQL_PORT tcp-udp
  description For kobling mellom andre nett og duett server
  port-object range 54659 54659
  access-list outside_access_in extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list vlan400_access_in extended deny ip any host 149.20.56.34
  access-list vlan400_access_in extended deny ip any host 149.20.56.32
  access-list vlan400_access_in extended permit ip any any
  access-list Vlan450_access_in extended deny ip any host 149.20.56.34
  access-list Vlan450_access_in extended deny ip any host 149.20.56.32
  access-list Vlan450_access_in extended permit ip any any
  access-list Vlan460_access_in extended deny ip any host 149.20.56.34
  access-list Vlan460_access_in extended deny ip any host 149.20.56.32
  access-list Vlan460_access_in extended permit ip any any
  access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
  access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host OvServer object-group http2
  access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn
  access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600
  access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001
  access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer
  access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT
  access-list Vlan500_access_in extended deny ip any host 149.20.56.34
  access-list Vlan500_access_in extended deny ip any host 149.20.56.32
  access-list Vlan500_access_in extended permit ip any any
  access-list vlan470_access_in extended deny ip any host 149.20.56.34
  access-list vlan470_access_in extended deny ip any host 149.20.56.32
  access-list vlan470_access_in extended permit ip any any
  access-list Vlan490_access_in extended deny ip any host 149.20.56.34
  access-list Vlan490_access_in extended deny ip any host 149.20.56.32
  access-list Vlan490_access_in extended permit ip any any
  access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping
  access-list Vlan1_access_out extended permit ip any any
  access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop
  access-list Vlan1_access_out extended deny ip any any
  access-list Vlan1_access_out extended permit icmp any any echo-reply
  access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping
  access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping
  access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP
  access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
  access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
  access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP
  access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop
  access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan480_access_out extended permit ip any any
  access-list Vlan510_access_in extended permit ip any any
  access-list Vlan600_access_in extended permit ip any any
  access-list Vlan600_access_out extended permit icmp any any
  access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop
  access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www
  access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www
  access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www
  access-list Vlan600_access_in_1 extended permit ip any any
  access-list Vlan461_access_in extended permit ip any any
  access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
  access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
  access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
  access-list Vlan462-Suldalsposten_access_in extended permit ip any any
  access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply
  access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply
  access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu Vlan1 1500
  mtu outside 1500
  mtu vlan400 1500
  mtu Vlan450 1500
  mtu Vlan460-SuldalHotell 1500
  mtu Vlan461-SuldalHotellGjest 1500
  mtu vlan470-Kyrkjekontoret 1500
  mtu vlan480-Telefoni 1500
  mtu Vlan490-QNapBackup 1500
  mtu Vlan500-HellandBadlands 1500
  mtu Vlan510-IsTak 1500
  mtu Vlan600-SafeQ 1500
  mtu Vlan462-Suldalsposten 1500
  no failover
  monitor-interface Vlan1
  monitor-interface outside
  monitor-interface vlan400
  monitor-interface Vlan450
  monitor-interface Vlan460-SuldalHotell
  monitor-interface Vlan461-SuldalHotellGjest
  monitor-interface vlan470-Kyrkjekontoret
  monitor-interface vlan480-Telefoni
  monitor-interface Vlan490-QNapBackup
  monitor-interface Vlan500-HellandBadlands
  monitor-interface Vlan510-IsTak
  monitor-interface Vlan600-SafeQ
  monitor-interface Vlan462-Suldalsposten
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-522.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (vlan400) 0 access-list vlan400_nat0_outbound
  nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
  nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns
  nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
  nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
  nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
  nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
  nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
  nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
  nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
  nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
  static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255
  static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
  static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns
  static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255
  static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255
  static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255
  static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
  static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255
  static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255
  static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
  static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
  static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
  static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
  static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
  static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
  access-group Vlan1_access_out out interface Vlan1
  access-group outside_access_in in interface outside
  access-group outside_access_out out interface outside
  access-group vlan400_access_in in interface vlan400
  access-group vlan400_access_out out interface vlan400
  access-group Vlan450_access_in in interface Vlan450
  access-group Vlan450_access_out out interface Vlan450
  access-group Vlan460_access_in in interface Vlan460-SuldalHotell
  access-group Vlan460_access_out out interface Vlan460-SuldalHotell
  access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest
  access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest
  access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
  access-group vlan470_access_out out interface vlan470-Kyrkjekontoret
  access-group vlan480_access_out out interface vlan480-Telefoni
  access-group Vlan490_access_in in interface Vlan490-QNapBackup
  access-group Vlan490_access_out out interface Vlan490-QNapBackup
  access-group Vlan500_access_in in interface Vlan500-HellandBadlands
  access-group Vlan500_access_out out interface Vlan500-HellandBadlands
  access-group Vlan510_access_in in interface Vlan510-IsTak
  access-group Vlan510_access_out out interface Vlan510-IsTak
  access-group Vlan600_access_in_1 in interface Vlan600-SafeQ
  access-group Vlan600_access_out out interface Vlan600-SafeQ
  access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten
  access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten
  route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  username x password x encrypted privilege 15
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.210.0 255.255.255.0 Vlan450
  http 192.168.200.0 255.255.255.0 Vlan1
  http 192.168.1.0 255.255.255.0 vlan400
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map outside_map 20 match address outside_20_cryptomap_1
  crypto map outside_map 20 set pfs
  crypto map outside_map 20 set peer 62.92.159.137
  crypto map outside_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp enable vlan400
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  tunnel-group 62.92.159.137 type ipsec-l2l
  tunnel-group 62.92.159.137 ipsec-attributes
  pre-shared-key *
  telnet 192.168.200.0 255.255.255.0 Vlan1
  telnet 192.168.1.0 255.255.255.0 vlan400
  telnet timeout 5
  ssh 171.68.225.216 255.255.255.255 outside
  ssh timeout 5
  console timeout 0
  dhcpd update dns both
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside
  dhcpd address 192.168.1.100-192.168.1.225 vlan400
  dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400
  dhcpd option 3 ip 192.168.1.1 interface vlan400
  dhcpd enable vlan400
  dhcpd address 192.168.210.100-192.168.210.200 Vlan450
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
  dhcpd option 3 ip 192.168.210.1 interface Vlan450
  dhcpd enable Vlan450
  dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
  dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell
  dhcpd enable Vlan460-SuldalHotell
  dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
  dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest
  dhcpd enable Vlan461-SuldalHotellGjest
  dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret
  dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
  dhcpd enable vlan470-Kyrkjekontoret
  dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
  dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
  dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup
  dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
  dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands
  dhcpd enable Vlan500-HellandBadlands
  dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
  dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak
  dhcpd enable Vlan510-IsTak
  dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
  dhcpd enable Vlan600-SafeQ
  dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten
  dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten
  dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten
  dhcpd enable Vlan462-Suldalsposten
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  prompt hostname context
  Cryptochecksum:x
  : end
  Config site 1:
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password x encrypted
  passwd x encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.77.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group Telenor
  ip address pppoe setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 15
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list outside_access_in extended permit icmp any any echo-reply log disable
  access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.77.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 79.160.252.226
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.77.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn group Telenor request dialout pppoe
  vpdn group Telenor localname x
  vpdn group Telenor ppp authentication chap
  vpdn username x password x store-local
  dhcpd auto_config outside
  dhcpd address 192.168.77.100-192.168.77.130 inside
  dhcpd dns 192.168.77.1 interface inside
  dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside
  dhcpd enable inside
  dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface outside
  tunnel-group 79.160.252.226 type ipsec-l2l
  tunnel-group 79.160.252.226 ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:x
  : end

  Hi,
  The addition of a new network to the existing L2L VPN should be a pretty simple process.
  Essentially you will have to add the network to the Crypto ACL present in the "crypto map" configurations. You will also have to configure the NAT0 configuration for it in the proper interfaces of the ASA. These configurations are all done on both ends of the L2L VPN connection.
  Looking at your above configurations it would seem that you will need the following configurations
  SITE 1
  We add the new network to both the crypto ACL and the NAT0 ACL
  access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
  SITE 2
  We add the new network to the crypto ACL
  We create a new NAT0 configuration for the Vlan480 interface as it has no previous NAT0 configuration
  access-list outside_20_cryptomap_1 extended permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
  access-list VLAN480-NAT0 remark NAT0 for VPN
  access-list VLAN480-NAT0 permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
  nat (vlan480-Telefoni) 0 access-list VLAN480-NAT0
  These configurations should pretty much do the trick.
  Let me know if it worked
  - Jouni