Cisco RV016 2.0.18 firmware VPN timeouts
Hi i have a RV016 with older firmware that when connected to a cisco 1841 via ipsec the cisco tunnel times out and protocol goes down. Im able to pass traffic for about one minute each time its up then goes down. The only way to bring it back up is to initiate the connection on the RV016 or do a shut/no shut on the tunnel interface on the 1841.
I notice that older version of firmware is not even being offered anymore and version 3.0.x fixes a few vpn issues but the release notes dont go into it much.
thanks, Paul
Hello Thomas,
In my case, it was pfSense Linux firewall connected to the WRVS4400N...
We changed the ISP modem during the troubleshooting and as a result, the tunnel was always up at both sides. In both modems (the original modem and the new one) we used PPPoE (bridge mode) so there was no reason to have a problem with the first one...
Unfortunately, with the new modem we got another problem:
- If I try to connect from the pfSense network to the WRVS4400N network I have access all the time
- If I try to connect from the WRVS4400N network to the pfSense network I am getting "Request timed out". If I do PING x.x.x.x -t for a minute I am getting a reply and the connection works fine. As soon as I stop using the tunnel for more then 5 minutes, the WRVS4400N shows that the tunnel is up but the ping shows again "Request timed out".
As a final solution, we replaced the WRVS4400N with RV-042 and now it works fine at both sides all the time...
So... Sorry but I am done with the WRVS4400N. Do not have time for it.
Similar Messages
-
Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem
Hi,
i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
I have installed 50 Site-to-Site VPN tunnels, and they work fine.
but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
it happens when there is no TRAFIC on, i suspect.
in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
Any idea?
Thanks,
DanielWhat is the lifetime value configured for in your crypto policies?
For example:
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400 -
RV016 V3 vs RV082 V3 VPN Tunnel Backup not available on RV016
VPN tunnel backup is not available on the RV016 firmware version 4.0.2.08 (it IS on the RV082. The data sheet and the manual for the RV016 is wrong. I have purchased several RV016 hardware V3 and several RV082 hardware V3. Both have the same current firmware version. We have noted that the RV016 does not have the VPN tunnel failover option found in the RV082. It also does not have split DNS (noted in the manual. A I would have thought that the firmware would provide equal options on the RV042, RV082, and RV016. Good job, Cisco!
We did not have VPN back up with the V1 RV016, either. Also tried V2 and at the time it was not working. The product that we have found works as expected is the Peplink Balance. There is still a few second delay on failover, but if you have two broadband connections, it is imperceptible. We gave up on the Cisco products.
-
Cisco RV016 not so Intelligent Balancer
Hi All,
We have a problem with our Cisco RV016 Routers (we have 12 of them).
Somehow the routers keep switching randomly between internet connections. (2-3 connections per router)
We want to completely disable load balancing and just use the 2nd to 3th internet connection as a failover (when 1st connection is down)
Load balancing breaks the clients session because the ip's switch mid session.
Does anyone have a solution to the problem?
We can't deploy them like this and our distributor does not want to take the unopened boxes with routers back.
We use:
Firmware Version : v4.2.2.08 (Apr 26 2013 19:12:26)
Regards,Hi Wouter,
We had the same issue. What I did is create a rule in [System Management] - [Dual WAN] - [WAN 1 --> configuration].
The following rules are in my system:
All Traffic [TCP&UDP/1~65535]->192.168.1.1~192.168.1.254(0.0.0.0~0.0.0.0)WAN1 [Enabled]
All Traffic [TCP&UDP/1~65535]->192.168.1.1~192.168.1.254(0.0.0.0~0.0.0.0)WAN2 [Enabled]
The rest of the settings:
Enable Network Service Detection: Yes
Retry count: 5
Retry timeout: 30 seconds
When Fail: Keep the system log and remove the connection
Only [Remote Host] checked with value 8.8.8.8
Especially the setting with the remote host set to 8.8.8.8 is important.
Of course it's possible to set this to the IP address of the modem, but this only works if the complete modem is switched off. To failover when the internet connection is down, setting it to 8.8.8.8 works.
Hope this helps you. -
Problem to open ports in Cisco RV016
Hello everyone,
I have a Cisco RV016 router, with some ports configured in "Setup --> UPnP". Currently I have problems to configure new ports. I can create the service in "Service Management", but when I add this service to the list, I press "Save" and the router close the session. I need to re-login the router, and it don't save the changes.
However, if I add a service that was already exists before having this problems, the router save the changes (But the router close the session too).
The router has the last version of firmware since the first run.
Anyone has the same problem? Or how to solve it?
Thanks and regardsHello,
Yes, I tried with different computers and different browsers (Firefox and Internet Explorer). I contact with Cisco Support and their solution is reset the router to factory settings, and configure manually all the options. Is possible that the configuration files are corrupted.
I can't reset it now, when I do I will tell you the result.
Regards -
Cisco RV016 dropping company POP3 connections
I am getting crazy with our Cisco Linksys RV016. It handles 3 simultaneous connections to the internet using 3 ISP.
All our company goes to the internet using this cisco linksys RV016, our corporate switches are connected as clients to the router.
Sometime ago, this router started to drop POP3 connections to our network, when this problems is present, all users get Receiving' reported error (0x80042108) in Outlook 2007-2010.
Currently i have setup POP3 service to use the First ISP connection, but when this problem is present, the only way to eventually resolve it is to switch the link POP3 Service from the First to the Third ISP, sometimes it works immediately, sometimes don't.
We are using this router since 2007 but this problems started to arise from this month.
Our switch is the latest firmware available is Cisco website, this is the Firmware Version: 3.0.2.01-tm.
any tip, suggestion, will be really appreciated.
thanks in advance.
Sergio.This issue is getting more strange behaviour. Since Monday, it occurs between 4.30pm and 5.00pm and after about 30 minutes it goes away without my intervention.
Is it the CISCO RV016 throughput maybe ?
Is it because i use Intelligent Balancer (Auto Mode) on all my 3 WANs? Should i use IP Group by Users instead?
Thanks,
throughput -
Cisco RV016 making connections drop
Hi,
My cisco rv016 is currently set to load balance 2 lines and soon 3.
However some connections that are active here are with servers and FTP clients.
With load balancing active it appears that people are getting their sessions timed out rather frequently.
MySQL database connections
SSH connections
FTP, SFTP connections are the ones that spring to mine straight away.
Any advice?
ThanksRight now I'm testing on a single access point (autonomous) with WEP! The same laptop works fine without the Cisco client. Usually it is several hours, 12 or more when it happens, but I've seen it less than that. And I've seen it up for over a day and a half. At this point I just don't trust the client to roll out to a larger audience.
-
I've setup the VPN server in OS X server, and have a new Apple Airport Extreme base station as my wireless router, and it is properly configured for OSX VPN. I can usually connect to the VPN on my iPhone over the cellular network (on the first or second try). However after a few minutes of inactivity, the VPN connection goes away.
Other VPNs I have configured on my phone (for work) don't timeout after periods of inactivity, and I was wondering if there were any settings I could change for the OSX VPN server to not have it drop the VPN connection after a few minutes of idle time.Sorry, I didn't catch the phone part. That was for client. You can set the OS X Server's VPN timeout via the serveradmin command. Run the following to see all the settings...
serveradmin settings vpn
In particular, look at...
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer
The caveat here is that the longer, or lack of, timeout, the more insecure. -
Anyone using Cisco Clean Access with Juniper SSL VPN?
We're testing Cisco Clean Access with Juniper SSL VPN, and are running into a problem with single sign on. The Juniper box is sending the user's source IP as the framed-ip-address, and not the Network Connect assigned IP, which is why we need to get SSO to work. Has anyone done this, and what did you do to get it working? Thanks.
Hi,
I've no experience with this app but it does list
Juniper as a sujpported client:
http://www.equinux.com/us/products/vpntracker/interoperability.html -
Snow Leopard Cisco VPN timeout
I am using the built-in Cisco IPSec VPN in Snow Leopard to connect to my company's server. My VPN connection times out after 1 hour regardless whether I am actively using (sending/retrieving information through the VPN).
Any help as to where I can change a setting to keep the connection alive longer or until I disconnect?I don't think it is a timeout. The console shows the following sequence when a disconnection occurs.
IKE Packet: transmit success. (Information message).
IKEv1 Information-Notice: transmit success. (R-U-THERE?).
IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
IKE Packet: transmit success. (Information message).
IKEv1 Information-Notice: transmit success. (R-U-THERE?).
IKEv1 Dead-Peer-Detection: request retransmitted. (Initiator DPD Request).
... This is repeated a number of times until the following message is seen
IKEv1 Dead-Peer-Detection: maximum retransmits. (DPD maximum retransmits).
IKE Packet: transmit failed. (Information message).
IKEv1 Information-Notice: transmit failed. (Delete IPSEC-SA).
IKE Packet: transmit failed. (Information message).
IKEv1 Information-Notice: transmit failed. (Delete IPSEC-SA).
I have increased the debug level in racoon to see if it will give a little more information but still connected at the moment. -
Problem with VPN timeout on Cisco ASA5505
Hi i'm sorry if it's vague, but i'm coming here without any config simply because i don't have access.
At work we have 1 Cisco ASA5505 which is used for IPSEC VPN only.
We have 4-5 users that work 100% from the VPN (8h per day 40h per week)
The problem we have will be the disconnection.
We have 1 user that will never never never have the problem (he can stay log all 8h if he wants to)
The 2nd user can get disconnected, but mostly if the VPN stays on for too long without any action.
Me and the other user can get frequent Disconnection in a day, but it's all random (1 days i can get disconnected 0 times and the next day 3 times)
I am using Mac OS 10.7 (just like the one that never gets disconnected and the one that gets disconnected randomly)
The other person who gets disconnected alot is on Windows 7 32 bits with Cisco Client.
On my side when i get disconnected there is 2 problem i see (it will happen to the windows person too)
1) When i'm working on servers sometimes i won't be able to click anywhere and i see that my connection is still on, so i need to close it manually wait 2 minutes then reconnect.
2) When i check my VPN connection it simply disconnected alone.
Thanks for possible solutions. (also the windows client had another PC Before and she said it never disconnected, but it started on new PC) (Before she was on WinXP)
ThanksHi i'm sorry if it's vague, but i'm coming here without any config simply because i don't have access.
At work we have 1 Cisco ASA5505 which is used for IPSEC VPN only.
We have 4-5 users that work 100% from the VPN (8h per day 40h per week)
The problem we have will be the disconnection.
We have 1 user that will never never never have the problem (he can stay log all 8h if he wants to)
The 2nd user can get disconnected, but mostly if the VPN stays on for too long without any action.
Me and the other user can get frequent Disconnection in a day, but it's all random (1 days i can get disconnected 0 times and the next day 3 times)
I am using Mac OS 10.7 (just like the one that never gets disconnected and the one that gets disconnected randomly)
The other person who gets disconnected alot is on Windows 7 32 bits with Cisco Client.
On my side when i get disconnected there is 2 problem i see (it will happen to the windows person too)
1) When i'm working on servers sometimes i won't be able to click anywhere and i see that my connection is still on, so i need to close it manually wait 2 minutes then reconnect.
2) When i check my VPN connection it simply disconnected alone.
Thanks for possible solutions. (also the windows client had another PC Before and she said it never disconnected, but it started on new PC) (Before she was on WinXP)
Thanks -
WLAN Public IP - Cisco RV016 Multi-WAN VPN Router
Hi, I need to get the public IP address for the WLAN1.
The IT person of my ISP ask me for the public IP address for the WLAN which MAC Address that ends with 63:17 but I can't find it in the configuration utility. How can I get it?
I attached some images so you can get an idea of what I'm talking about.
Thanks!Hi Joaquin,
your ISP is natting on the cable or dsl modem,
for you to get an internet address, call them and ask them to put the modem in "bridge mode" or ask them to give you an internet accessible address.
That should do it.
Good luck,
Dan -
Cisco ASA 5505 Site to Site VPN
Hello All,
First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
I would appreciate any help that can be directed towards this issue please. Slowly losing my mind
Please see details below:
Both ADM are 7.1
IOS
ASA 1
aved
ASA Version 9.0(1)
hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description Trunk link to SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif outside
security-level 0
ip address 92.51.193.158 255.255.255.252
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan20
nameif servers
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan30
nameif printers
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan40
nameif wireless
security-level 100
ip address 192.168.40.1 255.255.255.0
banner login line Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 83.147.160.2
name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
host 192.168.20.21
description Automated Report Server Internal Address
object network Report_Server
host 89.234.126.9
description Automated Report Server
object service RDP
service tcp destination eq 3389
description RDP to Server
object network Host_QA_Server
host 89.234.126.10
description QA Host External Address
object network Internal_Host_QA
host 192.168.20.22
description Host of VM machine for QA
object network Internal_QA_Web_Server
host 192.168.20.23
description Web Server in QA environment
object network Web_Server_QA_VM
host 89.234.126.11
description Web server in QA environment
object service SQL_Server
service tcp destination eq 1433
object network Demo_Server
host 89.234.126.12
description Server set up to Demo Product
object network Internal_Demo_Server
host 192.168.20.24
description Internal IP Address of Demo Server
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object service MSSQL
service tcp destination eq 1434
description MSSQL port
object network VPN-network
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object service TS
service tcp destination eq 4400
object service TS_Return
service tcp source eq 4400
object network External_QA_3
host 89.234.126.13
object network Internal_QA_3
host 192.168.20.25
object network Dev_WebServer
host 192.168.20.27
object network External_Dev_Web
host 89.234.126.14
object network CIX_Subnet
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_84.39.233.50
host 84.39.233.50
object network NETWORK_OBJ_92.51.193.158
host 92.51.193.158
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq smtp
service-object object TS
object-group network Payback_Internal
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object tcp destination eq https
service-object object TS
service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object object RDP
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
service-object object MSSQL
service-object object RDP
service-object object TS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object object TS
service-object object TS_Return
service-object tcp destination eq www
service-object tcp destination eq https
access-list outside_access_in remark This rule is allowing from internet to interal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Access rule to internal host QA
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to INternal Web Server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule for allowing access to Demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access for Development WebServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address
[email protected]
logging recipient-address
[email protected]
level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 84.39.233.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.40.0 255.255.255.0 wireless
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.1
dhcpd auto_config outside
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password uYePLcrFadO9pBZx encrypted
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp error
inspect icmp
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
ASA 2
ASA Version 9.0(1)
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description This port connects to VLAN 100
switchport access vlan 100
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 100
interface Ethernet0/4
switchport access vlan 100
interface Ethernet0/5
switchport access vlan 100
interface Ethernet0/6
switchport access vlan 100
interface Ethernet0/7
switchport access vlan 100
interface Vlan2
nameif outside
security-level 0
ip address 84.39.233.50 255.255.255.240
interface Vlan100
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
banner login line Welcome to Payback Loyalty - CIX
ftp mode passive
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CIX-Host-1
host 192.168.100.2
description This is the host machine of the VM servers
object network External_CIX-Host-1
host 84.39.233.51
description This is the external IP address of the host server for the VM server
object service RDP
service tcp source range 1 65535 destination eq 3389
object network Payback_Office
host 92.51.193.158
object service MSQL
service tcp destination eq 1433
object network Development_OLTP
host 192.168.100.10
description VM for Eiresoft
object network External_Development_OLTP
host 84.39.233.52
description This is the external IP address for the VM for Eiresoft
object network Eiresoft
host 146.66.160.70
description DBA Contractor
object network External_TMC_Web
host 84.39.233.53
description Public Address of TMC Webserver
object network TMC_Webserver
host 192.168.100.19
description Internal Address of TMC Webserver
object network External_TMC_OLTP
host 84.39.233.54
description Targets OLTP external IP
object network TMC_OLTP
host 192.168.100.18
description Targets interal IP address
object network External_OLTP_Failover
host 84.39.233.55
description Public IP of OLTP Failover
object network OLTP_Failover
host 192.168.100.60
description Server for OLTP failover
object network Servers
subnet 192.168.20.0 255.255.255.0
object network Wired
subnet 192.168.10.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
host 137.117.217.29
description Eiresoft 2nd IP
object network Dev_Test_Webserver
host 192.168.100.12
description Dev Test Webserver Internal Address
object network External_Dev_Test_Webserver
host 84.39.233.56
description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_2
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_3
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_4
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_5
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
service-object object MSQL
service-object object RDP
object-group network Payback_Intrernal
network-object object Servers
network-object object Wired
network-object object Wireless
object-group service DM_INLINE_SERVICE_7
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_8
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_9
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_10
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_11
service-object object RDP
service-object tcp destination eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
access-list outside_access_in remark Development OLTP from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in remark Access for Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Access to OLTP for target from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
access-list outside_access_in remark Access for the 2nd IP from Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 92.51.193.156 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 92.51.193.158
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 92.51.193.156 255.255.255.252 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: endHi,
Thanks for the help to date
I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
See below the details:
ASA1:
hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description Trunk link to SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.XX 255.255.255.252
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan20
nameif servers
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan30
nameif printers
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan40
nameif wireless
security-level 100
ip address 192.168.40.1 255.255.255.0
banner login line Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 83.147.160.2
name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
host 192.168.20.21
description Automated Report Server Internal Address
object network Report_Server
host 89.234.126.9
description Automated Report Server
object service RDP
service tcp destination eq 3389
description RDP to Server
object network Host_QA_Server
host 89.234.126.10
description QA Host External Address
object network Internal_Host_QA
host 192.168.20.22
description Host of VM machine for QA
object network Internal_QA_Web_Server
host 192.168.20.23
description Web Server in QA environment
object network Web_Server_QA_VM
host 89.234.126.11
description Web server in QA environment
object service SQL_Server
service tcp destination eq 1433
object network Demo_Server
host 89.234.126.12
description Server set up to Demo Product
object network Internal_Demo_Server
host 192.168.20.24
description Internal IP Address of Demo Server
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object service MSSQL
service tcp destination eq 1434
description MSSQL port
object network VPN-network
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object service TS
service tcp destination eq 4400
object service TS_Return
service tcp source eq 4400
object network External_QA_3
host 89.234.126.13
object network Internal_QA_3
host 192.168.20.25
object network Dev_WebServer
host 192.168.20.27
object network External_Dev_Web
host 89.234.126.14
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
description Wireless network
object network Servers
subnet 192.168.20.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq smtp
service-object object TS
service-object object SQL_Server
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object tcp destination eq https
service-object object TS
service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object object RDP
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
service-object object MSSQL
service-object object RDP
service-object object TS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object object TS
service-object object TS_Return
service-object tcp destination eq www
service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
object-group network Payback_Internal
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
access-list outside_access_in remark This rule is allowing from internet to interal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Access rule to internal host QA
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to INternal Web Server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule for allowing access to Demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access for Development WebServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XX.XX.XX.XX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map servers_map interface servers
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 enable servers
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.1
dhcpd auto_config outside
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username niamh password MlFlIlEiy8vismE0 encrypted
username niamh attributes
service-type admin
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password yQeVtvLLKqapoUje encrypted privilege 0
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp error
inspect icmp
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83fa7ce1d93375645205f6e79b526381
ASA2:
ASA Version 9.0(1)
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description This port connects to VLAN 100
switchport access vlan 100
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 100
interface Ethernet0/4
switchport access vlan 100
interface Ethernet0/5
switchport access vlan 100
interface Ethernet0/6
switchport access vlan 100
interface Ethernet0/7
switchport access vlan 100
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.240
interface Vlan100
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
banner login line Welcome to Payback Loyalty - CIX
ftp mode passive
clock timezone GMT 0
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CIX-Host-1
host 192.168.100.2
description This is the host machine of the VM servers
object network External_CIX-Host-1
host 84.39.233.51
description This is the external IP address of the host server for the VM server
object service RDP
service tcp source range 1 65535 destination eq 3389
object network Payback_Office
host 92.51.193.158
object service MSQL
service tcp destination eq 1433
object network Development_OLTP
host 192.168.100.10
description VM for Eiresoft
object network External_Development_OLTP
host 84.39.233.52
description This is the external IP address for the VM for Eiresoft
object network External_TMC_Web
host 84.39.233.53
description Public Address of TMC Webserver
object network TMC_Webserver
host 192.168.100.19
description Internal Address of TMC Webserver
object network External_TMC_OLTP
host 84.39.233.54
description Targets OLTP external IP
object network TMC_OLTP
host 192.168.100.18
description Targets interal IP address
object network External_OLTP_Failover
host 84.39.233.55
description Public IP of OLTP Failover
object network OLTP_Failover
host 192.168.100.60
description Server for OLTP failover
object network Servers
subnet 192.168.20.0 255.255.255.0
object network Wired
subnet 192.168.10.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
host 137.117.217.29
description Eiresoft 2nd IP
object network Dev_Test_Webserver
host 192.168.100.12
description Dev Test Webserver Internal Address
object network External_Dev_Test_Webserver
host 84.39.233.56
description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network LAN
subnet 192.168.100.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.10.0 255.255.255.0
object network TargetMC
host 83.71.194.145
description This is Target Location that will be accessing the Webserver
object network Rackspace_OLTP
host 162.13.34.56
description This is the IP address of production OLTP
object service DB
service tcp destination eq 5022
object network Topaz_Target_VM
host 82.198.151.168
description This is Topaz IP that will be accessing Targets VM
object service DB_2
service tcp destination eq 5023
object network EireSoft_NEW_IP
host 146.66.161.3
description Eiresoft latest IP form ISP DHCP
object-group service DM_INLINE_SERVICE_1
service-object object MSQL
service-object object RDP
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_4
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object tcp destination eq www
object-group service DM_INLINE_SERVICE_5
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
service-object object MSQL
service-object object RDP
object-group network Payback_Intrernal
network-object object Servers
network-object object Wired
network-object object Wireless
object-group service DM_INLINE_SERVICE_8
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_9
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_10
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object icmp echo
service-object icmp echo-reply
service-object object DB
object-group service DM_INLINE_SERVICE_11
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_12
service-object object MSQL
service-object icmp echo
service-object icmp echo-reply
service-object object DB
service-object object DB_2
object-group service DM_INLINE_SERVICE_13
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_14
service-object object MSQL
service-object object RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
access-list outside_access_in remark Development OLTP from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Access to OLTP for target from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark Access for the 2nd IP from Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_access_in remark Access rules from Traget to CIX for testing
access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
access-list outside_access_in remark Topaz access to Target VM
access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source dynamic LAN interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http X.X.X.X 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh X.X.X.X 255.255.255.240 outside
ssh X.X.X.X 255.255.255.252 outside
ssh 192.168.40.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769 -
Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic
Thanks to a previous thread, I do have a 5505 up and running, and passing data....
https://supportforums.cisco.com/message/3900751
Now I am trying to get a IPSEC VPN tunnel working.
I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
The networks concerned:
name 10.0.0.0 Eventual (HQ Site behind Firewall)
name 1.1.1.0 CFS (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
name 2.2.2.0 T1 (Remote site - Outside interface of 5505: 2.2.2.2)
name 10.209.0.0 Local (Remote Network - internal interface of 5505: 10.209.0.3)
On a ping to the HQ network from behind the ASA, I get....
portmap translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work.
Below is the config.
Can anyone see if there is something sticking out?
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 2.2.2.0 T1
name 1.1.1.0 CFS
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object Eventual 255.0.0.0
network-object T1 255.255.255.248
network-object CFS 255.255.255.240
access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.139.113.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy FTMGP internal
group-policy FTMGP attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy FTMGP
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:701d8da28ee256692a1e49d904e9cb04
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm location CFS 255.255.255.240 inside
asdm history enable
Thank You.I'm just re-engaging on the firewall this afternoon, but right now I'm getting request timed out on the pings....
Here's the output requested:
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : AM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
access-list outside_1_cryptomap extended permit ip 10.209.0.0 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (Local/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Eventual/255.0.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8FC06BD1
current inbound spi : 42EC16F4
inbound esp sas:
spi: 0x42EC16F4 (1122768628)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (62207/28464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x8FC06BD1 (2411752401)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (62201/28464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Here's the current config:
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 67.139.113.216 T1
name 1.1.1.0 IntegraCFS
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object Eventual 255.0.0.0
network-object T1 255.255.255.248
network-object IntegraCFS 255.255.255.240
access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list No_NAT extended permit ip Local 255.255.255.0 Eventual 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
route outside Eventual 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes 65535
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy FTMGP internal
group-policy FTMGP attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy FTMGP
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:301e573544ce0f89b3c597bdfe2c414a
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm location IntegraCFS 255.255.255.240 inside
asdm history enable -
Cisco ASA 5505 Site to Site VPN Problem
Hi All,
We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
We can establish the vpn tunnel and all users in the remote office are working great. However at a random point during the day or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
When I dial into the modem which is connected to the firewall I see the following messages in the logs:
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
I have checked both firewalls for any mis-matched parameters and do not see any.
Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
Thanks!Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
hostname
domain-name
enable passwordpasswd names
interface Vlan701
nameif inside
security-level 100
ip address 10.65.0.69 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ****** 255.255.255.248
interface Ethernet0/0
description Link to Internet
switchport access vlan 999
interface Ethernet0/1
description
switchport access vlan 701
interface range Ethernet0/2 - 0/7
switchport access vlan 2
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name******
access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap warnings
logging asdm informational
logging host outside *****
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route inside ******
route outside 0.0.0.0 0.0.0.0 ********
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
snmp-server location **:
snmp-server contact **
snmp-server community shortkey
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto map CASGMAP 50 match address 101
crypto map CASGMAP 50 set pfs group1
crypto map CASGMAP 50 set peer ********
crypto map CASGMAP 50 set transform-set 3desmd5
crypto map CASGMAP 50 set security-association lifetime seconds 3600
crypto map CASGMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet **** inside
telnet timeout 5
ssh **** inside
ssh **** outside
ssh timeout 5
console timeout 30
management-access inside
dhcpd ping_timeout 750
priority-queue outside
ntp server **
username ***
tunnel-group ******** type ipsec-l2l
tunnel-group ******** ipsec-attributes
pre-shared-key ***
class-map VoIP
match dscp ef
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map General-purpose
class VoIP
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
service-policy General-purpose interface outside
prompt hostname context
Maybe you are looking for
-
How to restrict the authorisation of J1IH_other adj. (Cenvat debit)
Dear Experts, We have take the other then Goods receipt credit like sales return through JV with t code J1IH_(Additional Excise) & debit through J1IH_(other adj.) We have to restrict only J1IH_other adj. (Cenvat debit) to avoid wrong entry create by
-
Issues in creating a Pre-defined filter in Universe
Hello Everyone, Here is the problem... The idea is to have a prompt (Prompt1) to allow user select the Input type ..ie."Check Number or Invoice Number". There is the second prompt (Prompt2) which will allow user to input a value. Based on Prompt1 val
-
How do you now reach the Java settings for your machine for things like memory allocation? Also, what about 32- and 64-bit architecture? How do I control which is active?
-
How much is it to replace cracked screen of macbook pro retina display?
I stepped on the corner of my macbook pro 13" retina display and the screen has cracked and there is a black square in the corner where the screen is broken. I was wondering from others who have had the same experience how much is it to have the scre
-
Dreamweaver CS3 will not save page
I have few details as I'm troubleshooting for a client, but hopefully someone can help get me to the answer... Client has Dreamweaver CS3. Been using it for about a year (and before that, earlier versions). One person now cannot save files. After mak