Cisco ASA 5510 Site to Site VPN with Sonicwall

I am trying to setup a VPN tunnel between a Cisco ASA 5510 (Version 8.2(2)) and Sonicwall TZ200. I got tunnel up and going and I am able to ping the Cisco ASA internal IP from the Sonicwall LAN but nothing else works. When I try to ping a host behind the Cisco ASA from the Sonicwall LAN I get the following message "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx denied due to NAT reverse path failures" on the ASA
Googling the above error shows issues with version 8.3 and later which looked like the nat commands were changed but the ASA I am working on is still on 8.2 and the other common issue is not adding a NAT exemption. I have double-triple checked that I did add a NAT exception rule from the hosts on the cisco network to the hosts on the Sonicwall network. Seems like I have hit a road block so any help would be appreciated. Thanks
Here are some excertps from the config file (10.20.2.0 behind the cisco and 10.20.10.0 behind the sonicwall)
nat (inside) 0 access-list nonat
access-list nonat extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
group-policy SiteToSitePolicy internal
group-policy SiteToSitePolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-network-list none
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy SiteToSitePolicy
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
Added few excerpts from config file

Yes inspect icmp is enabled in global_policy
The ping requests time out (The only ping that works is when I ping from the remote side to the ASA internal IP address, no other pings from either side work)
#show crypto isakmp sa
1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
#show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
      access-list outside_2_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.20.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
      current_peer: y.y.y.y
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 39543, #pkts decrypt: 39543, #pkts verify: 39543
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 0ED0F897
      current inbound spi : 596CCE6F
    inbound esp sas:
      spi: 0x596CCE6F (1500302959)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 50327552, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 7440
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0ED0F897 (248576151)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 50327552, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 7440
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Similar Messages

  • NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

    Hi everyone,
    Hoping someone can help please.
    We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
    We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
    What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
    then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
    Has anyone implemented this before and if so, are there any guides available please?
    Many Thanks,
    Dean.

    Hi Dean,
    Thanks for posting here.
    Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
    Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
    Checklist: Configure NPS for Dial-Up and VPN Access
    http://technet.microsoft.com/en-us/library/cc754114.aspx
    Thanks.
    Tiger Li
    Tiger Li
    TechNet Community Support

  • %ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510

    Hi Friends,
    I'm trying to built client to site VPN in CISCO ASA 5510 8.4(4) and getting below error while connecting cisco VPN client software. Also, I'm getting below log in ASA. Please help me to reslove.
    Error in CISCO VPN Client Software:
    Secure VPN Connection Terminated locally by the client.
    Reason : 414 : Failed to establish a TCP connection.
    Error in CISCO ASA 5510
    %ASA-7-710005: TCP request discarded from <Public IP> /49276 to outside:<Outside Interface IP of my ASA> /10000
    ASA Configuration:
    XYZ# sh run
    : Saved
    ASA Version 8.4(4)
    hostname XYZ
    domain-name XYZ
    enable password 3uLkVc9JwRA1/OXb level 3 encrypted
    enable password R/x90UjisGVJVlh2 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    nameif outside_rim
    security-level 0
    ip address 1.1.1.1 255.255.255.252
    interface Ethernet0/1
    duplex full
    nameif XYZ_DMZ
    security-level 50
    ip address 172.1.1.1 255.255.255.248
    interface Ethernet0/2
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 2.2.2.2 255.255.255.252
    interface Ethernet0/3
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 3.3.3.3 255.255.255.224
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    boot system disk0:/asa844-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server xx.xx.xx.xx
    name-server xx.xx.xx.xx
    name-server xx.xx.xx.xx
    name-server xx.xx.xx.xx
    domain-name XYZ
    object network obj-172.17.10.3
    host 172.17.10.3
    object network obj-10.1.134.0
    subnet 10.1.134.0 255.255.255.0
    object network obj-208.75.237.0
    subnet 208.75.237.0 255.255.255.0
    object network obj-10.7.0.0
    subnet 10.7.0.0 255.255.0.0
    object network obj-172.17.2.0
    subnet 172.17.2.0 255.255.255.0
    object network obj-172.17.3.0
    subnet 172.17.3.0 255.255.255.0
    object network obj-172.19.2.0
    subnet 172.19.2.0 255.255.255.0
    object network obj-172.19.3.0
    subnet 172.19.3.0 255.255.255.0
    object network obj-172.19.7.0
    subnet 172.19.7.0 255.255.255.0
    object network obj-10.1.0.0
    subnet 10.1.0.0 255.255.0.0
    object network obj-10.2.0.0
    subnet 10.2.0.0 255.255.0.0
    object network obj-10.3.0.0
    subnet 10.3.0.0 255.255.0.0
    object network obj-10.4.0.0
    subnet 10.4.0.0 255.255.0.0
    object network obj-10.6.0.0
    subnet 10.6.0.0 255.255.0.0
    object network obj-10.9.0.0
    subnet 10.9.0.0 255.255.0.0
    object network obj-10.11.0.0
    subnet 10.11.0.0 255.255.0.0
    object network obj-10.12.0.0
    subnet 10.12.0.0 255.255.0.0
    object network obj-172.19.1.0
    subnet 172.19.1.0 255.255.255.0
    object network obj-172.21.2.0
    subnet 172.21.2.0 255.255.255.0
    object network obj-172.16.2.0
    subnet 172.16.2.0 255.255.255.0
    object network obj-10.19.130.201
    host 10.19.130.201
    object network obj-172.30.2.0
    subnet 172.30.2.0 255.255.255.0
    object network obj-172.30.3.0
    subnet 172.30.3.0 255.255.255.0
    object network obj-172.30.7.0
    subnet 172.30.7.0 255.255.255.0
    object network obj-10.10.1.0
    subnet 10.10.1.0 255.255.255.0
    object network obj-10.19.130.0
    subnet 10.19.130.0 255.255.255.0
    object network obj-XXXXXXXX
    host XXXXXXXX
    object network obj-145.248.194.0
    subnet 145.248.194.0 255.255.255.0
    object network obj-10.1.134.100
    host 10.1.134.100
    object network obj-10.9.124.100
    host 10.9.124.100
    object network obj-10.1.134.101
    host 10.1.134.101
    object network obj-10.9.124.101
    host 10.9.124.101
    object network obj-10.1.134.102
    host 10.1.134.102
    object network obj-10.9.124.102
    host 10.9.124.102
    object network obj-115.111.99.133
    host 115.111.99.133
    object network obj-10.8.108.0
    subnet 10.8.108.0 255.255.255.0
    object network obj-115.111.99.129
    host 115.111.99.129
    object network obj-195.254.159.133
    host 195.254.159.133
    object network obj-195.254.158.136
    host 195.254.158.136
    object network obj-209.164.192.0
    subnet 209.164.192.0 255.255.224.0
    object network obj-209.164.208.19
    host 209.164.208.19
    object network obj-209.164.192.126
    host 209.164.192.126
    object network obj-10.8.100.128
    subnet 10.8.100.128 255.255.255.128
    object network obj-115.111.99.130
    host 115.111.99.130
    object network obj-10.10.0.0
    subnet 10.10.0.0 255.255.0.0
    object network obj-115.111.99.132
    host 115.111.99.132
    object network obj-10.10.1.45
    host 10.10.1.45
    object network obj-10.99.132.0
    subnet 10.99.132.0 255.255.255.0
    object-group network Serversubnet
    network-object 10.10.1.0 255.255.255.0
    network-object 10.10.5.0 255.255.255.192
    object-group network XYZ_destinations
    network-object 10.1.0.0 255.255.0.0
    network-object 10.2.0.0 255.255.0.0
    network-object 10.3.0.0 255.255.0.0
    network-object 10.4.0.0 255.255.0.0
    network-object 10.6.0.0 255.255.0.0
    network-object 10.7.0.0 255.255.0.0
    network-object 10.11.0.0 255.255.0.0
    network-object 10.12.0.0 255.255.0.0
    network-object 172.19.1.0 255.255.255.0
    network-object 172.19.2.0 255.255.255.0
    network-object 172.19.3.0 255.255.255.0
    network-object 172.19.7.0 255.255.255.0
    network-object 172.17.2.0 255.255.255.0
    network-object 172.17.3.0 255.255.255.0
    network-object 172.16.2.0 255.255.255.0
    network-object 172.16.3.0 255.255.255.0
    network-object host 10.50.2.206
    object-group network XYZ_us_admin
    network-object 10.3.1.245 255.255.255.255
    network-object 10.5.33.7 255.255.255.255
    network-object 10.211.5.7 255.255.255.255
    network-object 10.3.33.7 255.255.255.255
    network-object 10.211.3.7 255.255.255.255
    object-group network XYZ_blr_networkdevices
    network-object 10.200.10.0 255.255.255.0
    access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
    access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
    access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
    access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
    access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
    access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
    access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list nonat extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
    access-list nonat extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
    access-list nonat extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
    access-list nonat extended permit ip object-group Serversubnet object-group XYZ_destinations
    access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list nonat extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
    access-list nonat extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
    access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
    access-list Cacib extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
    access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
    access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
    access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
    access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
    access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
    access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
    access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
    access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
    access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
    access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
    access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
    access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
    access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
    access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
    access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
    access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
    access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
    access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
    access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
    access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
    access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
    access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
    access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
    access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
    access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
    access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
    access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
    access-list coextended permit ip host 2.2.2.2 host XXXXXXXX
    access-list coextended permit ip host XXXXXXXXhost 2.2.2.2
    access-list ci extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
    access-list ci extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
    access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
    access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
    access-list acl-outside extended permit ip any host 172.17.10.3
    access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
    access-list acl-outside extended permit tcp any any eq 10000
    access-list acl-outside extended deny ip any any log
    pager lines 10
    logging enable
    logging buffered debugging
    mtu outside_rim 1500
    mtu XYZ_DMZ 1500
    mtu outside 1500
    mtu inside 1500
    ip local pool XYZ_c2s_vpn_pool 172.30.10.51-172.30.10.254
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
    nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
    nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
    nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
    nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
    nat (inside,outside) source dynamic obj-10.8.108.0 interface
    nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
    nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
    nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
    nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
    nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
    nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
    object network obj-172.17.10.3
    nat (XYZ_DMZ,outside) static 115.111.99.134
    access-group acl-outside in interface outside
    route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
    route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
    route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
    route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
    route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
    route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
    route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
    route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
    route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
    route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
    route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
    route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map vpn 1 match address XYZ
    crypto map vpn 1 set peer XYZ Peer IP
    crypto map vpn 1 set ikev1 transform-set vpn1
    crypto map vpn 1 set security-association lifetime seconds 3600
    crypto map vpn 1 set security-association lifetime kilobytes 4608000
    crypto map vpn 2 match address NE
    crypto map vpn 2 set peer NE_Peer IP
    crypto map vpn 2 set ikev1 transform-set vpn2
    crypto map vpn 2 set security-association lifetime seconds 3600
    crypto map vpn 2 set security-association lifetime kilobytes 4608000
    crypto map vpn 4 match address ML_VPN
    crypto map vpn 4 set pfs
    crypto map vpn 4 set peer ML_Peer IP
    crypto map vpn 4 set ikev1 transform-set vpn4
    crypto map vpn 4 set security-association lifetime seconds 3600
    crypto map vpn 4 set security-association lifetime kilobytes 4608000
    crypto map vpn 5 match address XYZ_global
    crypto map vpn 5 set peer XYZ_globa_Peer IP
    crypto map vpn 5 set ikev1 transform-set vpn5
    crypto map vpn 5 set security-association lifetime seconds 3600
    crypto map vpn 5 set security-association lifetime kilobytes 4608000
    crypto map vpn 6 match address Da_VPN
    crypto map vpn 6 set peer Da_VPN_Peer IP
    crypto map vpn 6 set ikev1 transform-set vpn6
    crypto map vpn 6 set security-association lifetime seconds 3600
    crypto map vpn 6 set security-association lifetime kilobytes 4608000
    crypto map vpn 7 match address Da_Pd_VPN
    crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
    crypto map vpn 7 set ikev1 transform-set vpn6
    crypto map vpn 7 set security-association lifetime seconds 3600
    crypto map vpn 7 set security-association lifetime kilobytes 4608000
    crypto map vpn interface outside
    crypto map vpn_reliance 1 match address XYZ_rim
    crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
    crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
    crypto map vpn_reliance 1 set security-association lifetime seconds 3600
    crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
    crypto map vpn_reliance interface outside_rim
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto isakmp identity address
    no crypto isakmp nat-traversal
    crypto ikev1 enable outside_rim
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 2
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto ikev1 policy 4
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28000
    crypto ikev1 policy 5
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 10.8.100.0 255.255.255.224 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy XYZ_c2s_vpn internal
    username testadmin password oFJjANE3QKoA206w encrypted
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXXtype ipsec-l2l
    tunnel-group XXXXXXXXipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXX ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group XYZ_c2s_vpn type remote-access
    tunnel-group XYZ_c2s_vpn general-attributes
    address-pool XYZ_c2s_vpn_pool
    tunnel-group XYZ_c2s_vpn ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
      inspect ip-options
    service-policy global_policy global
    privilege show level 3 mode exec command running-config
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command crypto
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
    : end
    XYZ#

    Thanks Javier.
    But i have revised the VPN confuration. Below are the latest configs. with this latest configs. I'm getting username & password screen while connecting cisco vpn client software. once we entered the login credential. it shows "security communication channel" then it goes to "not connected" state. Can you help me to fix this.
    access-list ACL-RA-SPLIT standard permit host 10.10.1.3
    access-list ACL-RA-SPLIT standard permit host 10.10.1.13
    access-list ACL-RA-SPLIT standard permit host 10.91.130.201
    access-list nonat line 1 extended permit ip host 10.10.1.3 172.30.10.0 255.255.255.0
    access-list nonat line 2 extended permit ip host 10.10.1.13 172.30.10.0 255.255.255.0
    access-list nonat line 3 extended permit ip host 10.91.130.201 172.30.10.0 255.255.255.0
    ip local pool CO-C2S-VPOOL 172.30.10.51-172.30.10.254 mask 255.255.255.0
    group-policy CO-C2S internal
    group-policy CO-C2S attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list vlauel ACL-RA-SPLIT
    dns-server value 10.10.1.3
    tunnel-group TUN-RA-SPLIT type remote-access
    tunnel-group TUN-RA-SPLIT general-attributes
    default-group-policy CO-C2S
    address-pool CO-C2S-VPOOL
    tunnel-group TUN-RA-SPLIT ipsec-attributes
    pre-shared-key sekretk3y
    username ra-user1 password passw0rd1 priv 1
    group-policy CO-C2S internal
    group-policy CO-C2S attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list vlauel ACL-RA-SPLIT
    dns-server value 10.10.1.3
    tunnel-group TUN-RA-SPLIT type remote-access
    tunnel-group TUN-RA-SPLIT general-attributes
    default-group-policy CO-C2S
    address-pool CO-C2S-VPOOL
    tunnel-group TUN-RA-SPLIT ipsec-attributes
    pre-shared-key *********
    username ******* password ******** priv 1
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set 3DES
    crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
    crypto isakmp identify address
    crypto isakmp enable outside
    crypto isakmp policy 100
    authentication pre-share
    encr 3des
    hash sha
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set 3DES
    crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
    crypto map vpn interface outside
    crypto isakmp identify address
    crypto isakmp enable outside
    crypto isakmp policy 100
    authentication pre-share
    encr 3des
    hash sha
    group 1
    lifetime 3600

  • Cisco ASA 5510 site to site VPN only

    Hi,
    Need some expert help. I will be deploying the CISCO ASA 5510 in VPN site to site scenario only. One interface will be for the WAN and the other LAN interface is connected to another firewall appliance. The main purpose of the ASA is for branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN inteface. Should NAT be enabled on my WAN inteface? The only expected traffic to go thru my ASA is VPN traffic to the other site. I have already defined static routes and have gone thru the wizard for site to site VPN and added my local and remote networks. Also how do I approach my access policies, the default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering, like I said the ASA's purpose is just to do VPN site to site. Thanks all

    Thanks Jon. That is what I want to clarify as well, running the VPN site to site wizard, will automatically create the 'cryptomap' access rules, will the existing deny all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.
    So having NAT enabled for anything that goes out on My WAN inteface would not matter at all, even if the VPN traffic will go out of that interface right? Hope I don't sound confusing.
    As per your second question, I know it sounds weird and is not good network design, but customer just renewed maintenance contract for the other firewall box that is why he does not want to get rid of it yet. Although ISA can perform the function as well. Thanks.

  • Web Filtering Cisco ASA 5510

    Hello !
    I m a netword administrator, and i have been looking how to setup web filtering in a network, we are using cisco asa 5510 as a firewall and i have been looking for a way to block url such as facebook and streaming web sites since users are allowed to access to any website and they have been downloding stuff lately and i cant controll the bandwith!!
    What u guys recommand !
    Thanks

    Hi Neji,
    Here you have all the content security options available on the ASA. I think only the CX doesn't apply to your HW but the other options are available.
    Block URLs using Regular Experessions (Regex)
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    CSC module:
    http://www.cisco.com/en/US/products/ps6823/index.html
    How to enable the CSC module:
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html
    ASA CX module (ASA 5512,5525,5545,5545,5555)
    http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html
    Scansafe:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/scansafe.html
    Configuration Cisco Cloud Web Security
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1559223
    Ironport:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html
    How to integrate the ASA with Ironport (WCCP):
    https://supportforums.cisco.com/docs/DOC-12623
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Cisco asa 5510 Patch OpenSSL to 0.9.8j or later

    Our PCI scan found the following bug "Patch OpenSSL to 0.9.8j or later"
    We have an ASA 5510 running 8.2(2) with the following ssl: ssl encryption rc4-sha1 aes128-sha1 aes256-sha1
    Reviewing the 8.2x OpenSSL notes in the releases documentation it specifices it is using 0.9.8 but not which version.
    Can someone recommend which version to upgrade to?

    Cisco is still evaluating this and hasn't released fixed code yet:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl
    -- Jim Leinweber, WI State Lab of Hygiene

  • How to configure QOS on certain IP in the Cisco ASA 5510

    Hi,
    I am need to configure QOS on certain IP in the Cisco ASA 5510. Assume the IP's are 10.0.1.5 , 10.0.1.6 , 10.0.1.7. Here i have to configure 512 KBPS for 10.0.1.5 and 2 MBPS for 10.0.1.6 and 10.0.1.7
    Can this done on a ASA 5510 series? if yes can you help me how ?
    Regards,
    Venkat

    Yes you can do it.You can match the ip addresses in an access-list, put in a class-map and the class-map in a policy map that will do policing.
    Good examples for what you want to do are here https://supportforums.cisco.com/docs/DOC-1230
    I hope it helps.
    PK

  • Cisco ASA 5510 Content Security bundle

    Hello,
    please help me  to understand if i buy  the    Cisco ASA 5510 Content Security bundle  for  my  network   found  there is   1 yr subscription for the content
    security features.  what are  services included in it.  Does   URL blocking and filtering  includ  in this subscription  or  its a seperate features.
    Thanks,
    Saroj Pradhan

    Here is the license for CSC module and it lists what is included in Basic and Plus CSC license:
    http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html#wp1045405
    One year subscription is providing you the ability to upgrade the virus scan engine, spyware pattern file, anti spam, etc

  • How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)

    Hi All,
    How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)
    Thanks
    Roopesh

    Hi Roopesh,
    Please go through this document for detailed documentation on captures:
    https://supportforums.cisco.com/docs/DOC-17814
    Hope that helps.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Site-to-ste VPN with overlapped subnet.

    Hi Friends
    I have to set up site to site VPN with overlapped network ASA 5540 and checkpoint   what is the best parctice to achive tis goal
    Thanks in advance

    It has to be configured on both sides.
    X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users you should include the destinations in the DNS so that they never need the destination-IP.
    On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static-command. You find an example here:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!

    Hi,
    I have an ASA 5510 with the configuration below. I have configure the ASA as remote access vpn server with cisco vpn client, my problem now is I can connect but I can't ping.
    Config
    ciscoasa# sh run
    : Saved
    ASA Version 8.0(3)
    hostname ciscoasa
    enable password 5QB4svsHoIHxXpF/ encrypted
    names
    name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
    name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
    name xxx.xxx.xxx.xxx Mail_Server
    name xxx.xxx.xxx.xxx IncomingIP
    name xxx.xxx.xxx.xxx SAP
    name xxx.xxx.xxx.xxx WebServer
    name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
    name 192.168.2.2 isa_server_outside
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address IncomingIP 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.253 255.255.255.0
    management-only
    passwd 123
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object-group service TCP_8081 tcp
    port-object eq 8081
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 3389
    port-object eq ftp
    port-object eq www
    port-object eq https
    port-object eq smtp
    port-object eq pop3
    port-object eq 3200
    port-object eq 3300
    port-object eq 3600
    port-object eq 3299
    port-object eq 3390
    port-object eq 50000
    port-object eq 3396
    port-object eq 3397
    port-object eq 3398
    port-object eq imap4
    port-object eq 587
    port-object eq 993
    port-object eq 8000
    port-object eq 8443
    port-object eq telnet
    port-object eq 3901
    group-object TCP_8081
    port-object eq 1433
    port-object eq 3391
    port-object eq 3399
    port-object eq 8080
    port-object eq 3128
    port-object eq 3900
    port-object eq 3902
    port-object eq 7777
    port-object eq 3392
    port-object eq 3393
    port-object eq 3394
    port-object eq 3395
    port-object eq 92
    port-object eq 91
    port-object eq 3206
    port-object eq 8001
    port-object eq 8181
    port-object eq 7778
    port-object eq 8180
    port-object eq 22222
    port-object eq 11001
    port-object eq 11002
    port-object eq 1555
    port-object eq 2223
    port-object eq 2224
    object-group service RDP tcp
    port-object eq 3389
    object-group service 3901 tcp
    description 3901
    port-object eq 3901
    object-group service 50000 tcp
    description 50000
    port-object eq 50000
    object-group service Enable_Transparent_Tunneling_UDP udp
    port-object eq 4500
    access-list inside_access_in remark connection to SAP
    access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
    access-list inside_access_in remark VPN Outgoing - PPTP
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
    access-list inside_access_in remark VPN Outgoing - GRE
    access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
    access-list inside_access_in remark VPN - GRE
    access-list inside_access_in extended permit gre any any
    access-list inside_access_in remark VPN Outgoing - IKE Client
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
    access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
    access-list inside_access_in remark DNS Outgoing
    access-list inside_access_in extended permit udp any any eq domain
    access-list inside_access_in remark DNS Outgoing
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in remark Outoing Ports
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any any eq pptp
    access-list outside_access_in extended permit gre any any
    access-list outside_access_in extended permit gre any host Mail_Server
    access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
    access-list outside_access_in extended permit esp any any
    access-list outside_access_in extended permit ah any any
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
    access-list VPN standard permit 192.168.2.0 255.255.255.0
    access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 2 Mail_Server netmask 255.0.0.0
    global (outside) 1 interface
    global (inside) 2 interface
    nat (inside) 0 access-list corp_vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
    static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
    static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
    static (inside,outside) 192.168.2.0  access-list corp_vpn
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set transet esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set pfs
    crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
    crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
    crypto map cryptomap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
    dhcpd domain domain.local interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    tftp-server management 192.168.1.123 /
    group-policy mypolicy internal
    group-policy mypolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN
    username vpdn password 123
    username vpdn attributes
    vpn-group-policy mypolicy
    service-type remote-access
    tunnel-group mypolicy type remote-access
    tunnel-group mypolicy general-attributes
    address-pool POOL
    default-group-policy mypolicy
    tunnel-group mypolicy ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
    : end
    Thank you very much.

    Here is the output:
    ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (inside,outside) 192.168.2.0  access-list corp_vpn
    nat-control
      match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
        static translation to 192.168.2.0
        translate_hits = 0, untranslate_hits = 139
    Additional Information:
    NAT divert to egress interface inside
    Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any any
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (inside,outside) 192.168.2.0  access-list corp_vpn
    nat-control
      match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
        static translation to 192.168.2.0
        translate_hits = 0, untranslate_hits = 140
    Additional Information:
    Phase: 11
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

  • RV042 Site-to-Stie VPN with NAT on one side

    I set up a site-to-site VPN using two RV042s some time ago.  One was behind a NATting router.  The other was the internet interface itself.
    Somewhere I had found a paper describing how to do this.  It said that only ONE of them could be behind another NATting router.  So, that's how this was set up.  I sure wish I could find that paper again!!!  Any suggestions?
    Now I have to do the same thing again but can't get it working.  It looks like this:
    RV042 VPN public address <> cable modem <> internet <> RV042 "firewall" with IPSEC passthrough enabled <> interim subnet LAN <> RV042 VPN <> LAN
    I'm getting log messages and on the remote site log (the left side of the above) like:
    initial Aggressive Mode packet claiming to be from [xxx.xxx.xxx.xxx] on [same] but no connection has been authorized 
    and
    No suitable connection for peer '10.98.76.2', Please check Phase 1 ID value 
    (where 10.98.76.2 is the IP address of the RV042 WAN port on the interim subnet)
    I have them both in Aggressive mode as eventually I'll be using a dyndns url.  But, for now, I'm using the actual IP addresses so that should not be an issue one way or the other..

    make sure the configuration u do on both the side should be same....and secondly exempt the NAT rules then only it will work.

  • Cisco Asa 5505 and Layer 3 Switch With Remote VPN Access

    i got today a new CISCO LAYER 3 Switch .. so here is my scenrio
    Cisco Asa 5505
    I
    Outside  == 155.155.155.x
    Inside  =      192.168.7.1
    VPN POOL Address =   10.10.10.1   -   10.10.10.20
    Layer 3 Switch Config
    Vlan 2
    interface ip address =  192.168.1.1
    Vlan 2
    interface ip address =  192.168.2.1
    Vlan 2
    interface ip address =  192.168.3.1
    Vlan 2
    interface ip address =  192.168.4.1
    Vlan 2
    interface ip address =  192.168.5.1
    ip Routing
    So i want My Remote Access VPN clients to access all this Networks. So Please can you give me a helpfull trick or Link to configure the rest of my routing
    Thank You all

    When My Remote VPN is Connected , it reaches 192.168.7.2 of the Layer 3 VLan that's Connected to The ASA 5505 ,
    But i can't reach the rest of the VLAN - example
    192.168.1.1
    192.168.1.2
    192.168.1.3
    192.168.1.4
    192.168.1.5
    But i can reach the Connected Interface Vlan to My ASA ..
    So here i think iam miss configuration to my Route
    Any Help Please this is urgent

  • Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL

    Hi all.
    we have following IPSec configuration:
    ASA Site 1:
    Cisco Adaptive Security Appliance Software Version 9.1(1)
    crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal PropAES256
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    crypto map CMVPN 5 match address SITE_2
    crypto map CMVPN 5 set peer IP_SITE2
    crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
    crypto map CMVPN interface OUTSIDE
    route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
    route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
    tunnel-group IP_SITE2 type ipsec-l2l
    tunnel-group IP_SITE2 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE2 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    ASA Site 2:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 set peer IP_SITE1
    crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
    crypto map CMVPN 10 set reverse-route
    crypto map CMVPN interface OUTSIDE
    tunnel-group IP_SITE1 type ipsec-l2l
    tunnel-group IP_SITE1 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE1 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    We are not able to reach from 172.22.20.x ips 172.27.99.x.
    It seems so that the phase2 for this subnet is missing…...... as long as we try to reach from 172.27.99.x any ip in 172.22.20.x.
    We are using similar configuration on many sites and it works correctly expect sites with DSL line.
    We can exclude problem with NAT,ACL or routing. The connection is working fine as long as “we open all phase 2 manually” . After re-open (idle timeout) the tunnel the problem comes back.
    Thanks in advance for your help.
    Regards.
    Jan
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (3)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (3)SHA1
    Bytes Tx     : 423634                 Bytes Rx     : 450526
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 1h:50m:45s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 3
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 79756 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22156 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607648 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 312546                 Bytes Rx     : 361444
      Pkts Tx      : 3745                   Pkts Rx      : 3785
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22165 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607952 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 50014                  Bytes Rx     : 44621
      Pkts Tx      : 496                    Pkts Rx      : 503
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22324 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607941 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 61074                  Bytes Rx     : 44461
      Pkts Tx      : 402                    Pkts Rx      : 437
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 6648 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
    ....  after ping from 172.27.99.x any ip in 172.22.20.x.
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (4)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (4)SHA1
    Bytes Tx     : 784455                 Bytes Rx     : 1808965
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 2h:10m:48s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 4
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 78553 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4606335 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 652492                 Bytes Rx     : 1705136
      Pkts Tx      : 7419                   Pkts Rx      : 7611
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20962 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607942 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 60128                  Bytes Rx     : 52359
      Pkts Tx      : 587                    Pkts Rx      : 594
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 21121 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607931 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 70949                  Bytes Rx     : 50684
      Pkts Tx      : 475                    Pkts Rx      : 514
    IPsec:
      Tunnel ID    : 3058.5
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28767 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 961                    Bytes Rx     : 871
      Pkts Tx      : 17                     Pkts Rx      : 14
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 7852 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :

    Hi,
    on 212 is see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
    If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • Cisco ASA 5510 Specs

    In Cisco ASA Firewall 5510 does the feature content filter come built in?
    Posted by WebUser Allyson Buscemi from Cisco Support Community App

    Here is a number of Cisco Press book for ASA:
    http://www.ciscopress.com/search/index.asp?query=ASA
    Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Edition
    Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, 2nd Edition

Maybe you are looking for

  • How to create a simple spot the difference game

    Hi everyone. I'm new to the forums and relatively new to flash, so bear with me I'm looking to do a very simple spot the difference game using flash CS3 and actionscript 2 for a school project. As it stands, I have 2 images on separate layers on a ti

  • Vendor email-address in SUS too short

    Hello guys, following problem: When I send the PO from MM to SUS (SRM 5.0 on Server 5.5) the email adress of the vendor is cut in the middle in SUS. The Idoc of the ECC is fine, it seems that the problem could be found in the Mapping of the XI or in

  • Sending a PDF to printer

    Hi, I have a requirement to send the PDF file to the printer/spool in my BADI implementation. I have generated the pdf file using web service, got it converted to binary/byte stream. Now i want to send that to the printer for printing. Please help me

  • Strange NUMC, Can anyone please Define NUMC.

    Hi Experts, I have experienced a Strange things with NUMC. How ever you define your Numc (straight or dictionary ref like "DATA: value1 TYPE pa0000-pernr) or what ever. I have seen different results different scenarios as shown in below example. REPO

  • Output of DMEE format

    Hi all.. I am using DMEE format for ouput file which to be sent to bank in their format. I designed the format and did all configuration settings for the same. Now how to get the file output to my desktop or common server? Kindly guide. Thanks & rega