How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR.  I'm able to Ping the Actiontec external IP.  I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.
What do I need to configure on the Actiontec to make this work?
Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface.  At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA.  However, at home, I cannot go to the Internet while using the VPN client.
Thanks for any help.
Steve
Solved!
Go to Solution.

http://www.dslreports.com/faq/verizonfios/3.0_Networking
those are the best sample config's and resources on how to set the FiOS network
Bridging is possible but difficult.  That link will give you great info on it.
Are you a FiOS customer that has phone/internet/tv
or no tv?   or no phone?    You have to be careful on your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, or the VOD or the Widgets.
Sorry the Portforwarding wasn't enough to resolve your issue, I am not sure that it's a Actiontec config you are looking for, from my understanding of Cisco's and FiOS it may be something behind the cisco that is causing an issue.  You may want to reach out to the Cisco admin that manages that, and find out if there are additional ports that are required and then you can come back and configure those ports too.

Similar Messages

  • Azure Site to Site VPN with Cisco ASA 5505

    I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
    IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
    Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
    Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
    Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
    Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
    I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
    (Does azure support 9.x version of asa?)
    How can i fix it?

    Hi,
    As of now, we do not have any scripts for Cisco ASA 9x series.
    Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
    demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    Did you download the VPN configuration file from the dashboard and copy the content of the configuration
    file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
    According to the
    Cisco ASA template, it should be similar to this:
    access-list <RP_AccessList>
    extended permit ip object-group
    <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
    nat (inside,outside) source static <RP_OnPremiseNetwork>
    <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
    <RP_AzureNetwork>
    Based on my experience, to establish
    IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
    VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
    compatible for dynamic routing, please make sure that you chose the static routing.
    Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
    Hope this helps you.
    Girish Prajwal

  • Setting up site to site vpn with cisco asa 5505

    I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!

    Hi Mandy,
    By using following access list define Peer IP as source and destination
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    you are not defining the interesting traffic / subnets from both ends.
    Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
    !.1..source subnet(called local encryption domain) at your end  192.168.200.0
    !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
    !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
    !...at your end  192.168.200.0
    !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
    !...at other end 192.168.100.0
    Please use Baisc Steps as follows:
    A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
    Step 1.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 3.
    Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or , but not both
    crypto isakmp key 6 CISCO123 address71.37.178.142
    step 4.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 6.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Configure the same but just change ACL on other end in step one  by reversing source and destination
    and also set the peer IP of this router in other end.
    So other side config should look as follows:
    B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
    Step 7.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 9.
    Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or , but not both
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    step 10.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map    ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set, only one is permissible
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Now initite a ping
    Here is for your summary:
    IPSec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
    Router#debug crpyto isakmp
    Router#debug crpyto ipsec
    Router(config)# logging buffer 7
    Router(config)# logging buffer 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha1
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Change to Transport Mode, add the following command in Step 4:
    (config-tranform-set)# mode transport
    Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
    Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
    Similarly on R2.
    The below process is for the negotiation using RSA-SIG (PKI) as authentication type
    Debug Process:
    After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg

  • VPN PROBLEM CISCO ASA 5505

        Hello,  I have been trying to configure a VPN with Cisco Asa 5505 and Cisco VPN client 5.X for 3 weeks and I am not being able to accomplish it, so I decided to reset to factory defaults and start over again.
         I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
         Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
         #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
         The running-config it created is:
    ciscoasa# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ciscoasa
    enable password XXXX encrypted
    passwd XXXX encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.1.254 255.255.0.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ADSL_Telefonica
    ip address pppoe setroute
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_172.16.0.0_16
    subnet 172.16.0.0 255.255.0.0
    access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 172.16.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 172.16.0.0 255.255.0.0 inside
    telnet timeout 55
    ssh 172.16.0.0 255.255.0.0 inside
    ssh timeout 55
    console timeout 0
    vpdn group ADSL_Telefonica request dialout pppoe
    vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
    vpdn group ADSL_Telefonica ppp authentication pap
    vpdn username adslppp@telefonicanetpa password *****
    dhcpd auto_config outside
    dhcpd address 172.16.2.2-172.16.2.129 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy test internal
    group-policy test attributes
    dns-server value 172.16.1.1
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value test_splitTunnelAcl
    username test password XXXXXX encrypted privilege 0
    username test attributes
    vpn-group-policy test
    username ignacio password XXXXXXX encrypted
    tunnel-group test type remote-access
    tunnel-group test general-attributes
    address-pool test
    default-group-policy test
    tunnel-group test ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
    : end
    Thank you very much for your help

    Yes, it was a VPN client problem. I was doing test with a WWAN card and it seems it is not compatible with windows 7.
    • The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
    I should have read Release Notes before. Thank you very much for your help and effort.

  • How to sync clock of Cisco ASA 5505 from NTP Server on internet

    Hi there!
    i've setup a site, with cisco ASA 5505. It has public ip also.
    i want to sync the clock of firewall from on ntp server on internet, or with internal domain controller that is inside LAN.
    The firewall has public IP also.
    how can i do this?
    Regards!

    Hello Lasandro,
    This should do it!
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_hostname_pw.html#wp1236530
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
    I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
    Please help me to find where is the issue.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate.
    I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
    Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
    Because on Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.

  • VPN Between Cisco ASA 5505 and Cisco Router 881

    Hi All,
    I want to interconnect two office to each other but i have trouble: Please see below my configuration: What is missing to finalize the configuration properly?
    Cisco ASA 5505.
    Version 8.4(3)
    HQ-ASA5505(config)# crypto ikev1 policy 888
    HQ-ASA5505(config-ikev1-policy)# authentication pre-share
    HQ-ASA5505(config-ikev1-policy)# encryption 3des
    HQ-ASA5505(config-ikev1-policy)# hash md5
    HQ-ASA5505(config-ikev1-policy)# lifetime 86400
    HQ-ASA5505(config-ikev1-policy)# group 2
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 type ipsec-l2l
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 ipsec-attributes
    HQ-ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key test
    HQ-ASA5505(config)#object network HQ-Users
    HQ-ASA5505(config-network-object)#subnet 10.48.0.0 255.255.255.0
    HQ-ASA5505(config)# object-group network HQ.grp
    HQ-ASA5505(config-network-object-group)# network-object object HQ-Users
    HQ-ASA5505(config)#object network FSP_DATA
    HQ-ASA5505(config-network-object)#subnet 10.48.12.0 255.255.255.0
    HQ-ASA5505(config)#object-group network FSP.grp
    HQ-ASA5505(config-network-object-group)#network-object object FSP_DATA
    HQ-ASA5505(config)#access-list VPN_to_FSP extended permit ip object-group HQ.grp object-group FSP.grp
    HQ-ASA5505(config)# crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
    HQ-ASA5505(config)# crypto map ouside_map 888 set ikev1 transform-set TS
    HQ-ASA5505(config)# crypto map ouside_map 888 match address VPN_to_FSP
    HQ-ASA5505(config)# crypto map ouside_map 888 set peer 1.1.1.1
    HQ-ASA5505(config)# crypto map ouside_map 888 set pfs group2
    HQ-ASA5505(config)# crypto ikev1 enable outside
    HQ-ASA5505(config)# crypto map ouside_map interface outside
    Router 881
    Version 12.4
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    LAB_ROuter(config)#object-group network HQ
    LAB_ROuter(config-network-group)#10.48.0.0 255.255.255.0
    LAB_ROuter(config)#object-group network FSP
    LAB_ROuter(config-network-group)#10.48.12.0 255.255.255.0
    ip access-list extended FSP_VPN
     permit ip object-group FSP object-group HQ
    LAB_ROuter(config)#crypto isakmp policy 888
    LAB_ROuter(config-isakmp)#encryption 3des
    LAB_ROuter(config-isakmp)#authentication pre-share
    LAB_ROuter(config-isakmp)#hash md5
    LAB_ROuter(config-isakmp)#group 2
    LAB_ROuter(config-isakmp)#lifetime 86400
    LAB_ROuter(config)#crypto isakmp key test address 2.2.2.2
    LAB_ROuter(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto map outside_map 888 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set TS
     match address FSP_VPN
    interface fast4 --> Outside Interface (where public IP address is assigned) 
    crypto map outside_map
    Thank you in advance for your prompt advice!

    If you do a show crypto map in the router you will see the VPN traffic to be "any to any".
    This is due a known bug on Cisco routers. The router does not support object-groups network for the VPN traffic. Use a regular ACL instead.

  • My First VPN with a ASA 5505

    First of all, thanks for reading my post.
    I have a newly aquired asa 5505 that I just set up to the bare minimum configurations. I followed a cisco paper on how to create a "remote access vpn" setup for ipsec. I can sucessfully connect and establish a VPN, but when I try to access an inside resource from the vpn address, the asa blocks it.
    Specific error is:
    5 May 09 2012 15:17:48 305013 192.168.1.2 80 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.220/53101 dst inside:192.168.1.2/80 denied due to NAT reverse path failure
    Here is my config.
    : Saved
    ASA Version 8.2(2)
    hostname asawood
    domain-name wood.local
    enable password W/KqlBn3sSTvaD0T encrypted
    passwd W/KqlBn3sSTvaD0T encrypted
    names
    name 192.168.1.117 kylewooddesk description kyle
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name wood.local
    object-group service rdp tcp
    description rdp access
    port-object eq 3389
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp any interface outside eq 8080
    access-list outside_access_in extended permit tcp any interface outside eq 3333
    access-list inside_nat0_outbound extended permit ip any 192.168.1.200 255.255.255.248
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.1.220-192.168.1.230
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 kylewooddesk 3389 netmask 255.255.255.255 dns
    static (inside,outside) tcp interface 8080 kylewooddesk 8080 netmask 255.255.255.255
    static (inside,outside) tcp interface 3333 192.168.1.86 3333 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd lease 3000
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username vpnkyle password p29RprV0OZB6997h encrypted
    username mrkylewood password Q4339wmn1ourxj9X encrypted
    tunnel-group woodgroup type remote-access
    tunnel-group woodgroup general-attributes
    address-pool vpnpool
    tunnel-group woodgroup ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect ip-options
    policy-map type inspect dns MY_DNS_INSPECT_MAP
    parameters
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/...es/DDCEService
    destination address email
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f9f7a0ad86a0a913921eed28f1e7369c
    : end
    asdm image disk0:/asdm-631.bin
    asdm location kylewooddesk 255.255.255.255 inside
    no asdm history enable

    Hello Kyle,
    The Unicast Reverses Path Check is going to drop the packet as he is going to receive a packet on the outside interface from a host from the inside interface subnet.
    So here is what you can try:
    1- THIS WILL SOLVE IT 100 % sure. Change the pool from the VPN remote users to a different one from the inside interface
    2- Disable the uRPF check from the outside interface.
    As a Security Engineer Guy I will go with option 1
    Regards.
    Julio
    Do rate all the helpful posts

  • Cisco ASA 5505 behind Fritzbox in homelab

    Hello all,
    I'm a bit new to networking with firewalls, and for that reason I've purchased a second-hand asa5505 for my home lab.
    Because it's a home-lab I've got a Fritzbox router/modem. How do I set up my asa (.2.253) to forward all outgoing traffic to the fritzbox (.2.254) and my fritzbox to forward all incoming traffic to the asa?
    I've applied a basic config, so the asa's inside interface has the .253 address, but the outside interface does not have an ip. Reason being I'm reading different stories (one says put on dhcp, other says config as static with the ip given by the isp).
    Also; can anyone tell me where to get the latest asdm/firmware for the asa when it's out of support (thanks Cisco for the 90-day basic support).
    This topic first appeared in the Spiceworks Community

    Hello all,
    I'm a bit new to networking with firewalls, and for that reason I've purchased a second-hand asa5505 for my home lab.
    Because it's a home-lab I've got a Fritzbox router/modem. How do I set up my asa (.2.253) to forward all outgoing traffic to the fritzbox (.2.254) and my fritzbox to forward all incoming traffic to the asa?
    I've applied a basic config, so the asa's inside interface has the .253 address, but the outside interface does not have an ip. Reason being I'm reading different stories (one says put on dhcp, other says config as static with the ip given by the isp).
    Also; can anyone tell me where to get the latest asdm/firmware for the asa when it's out of support (thanks Cisco for the 90-day basic support).
    This topic first appeared in the Spiceworks Community

  • How to configure SGE2000P with CISCO 7900 phones and data VLAN

    Hello all
    I am having problem setting up SGE2000P switches to work with my default data VLAN and additional voice VLAN. I am configuring it to pick IP address for phones from voice VLAN which is working fine but when I connect a PC on phone port it is also picking up an IP from Voice VLAN while default VLAN is data with different scope of IP.
    Is there any good discussion or documents out there to help me resolve this issue before I pack these switches and purchase ESW 500 series. I have ESW 500 at another client and they are working fine out of the box but this guy is giving me hard time.
    Any suggestions help will be appreciated
    Mo

    HI Muhammed,
    I suggest you contact the Small Business Support Center for some help:
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • AnyConnect issue with Cisco ASA 5505

    I continue to bang my head against the wall on this one. Everytime I try to connect to the AnyConnect SSL VPN I get the following error
    "No address available for SVC connection"
    I have verified up and down that my VPN pool is there and assigned. I have deleted/re-added this so many times. I am using the ADSM to set this up via the wizard. Any help please?
    Here is my config
    http://pastebin.com/ABvSpzUq

    It seems like you are falling into the default group policy.  You need to either enable tunnel-group-list under the webvpn which allows users to select the group they are connecting to, or configure user attributes to force that user into the correct connection profile..
    enabling tunnel-group-list
    webvpn
    tunnel-group-list enable
    configuring user attributes:
    username Chris password mXB.dKavHoEa0gaC encrypted
    username Chris attributes
    vpn-group-policy HBNS_AnyConnect
    group-lock value HBNS_AnyConnect
    service-type remote-access
    Please remember to select a correct answer and rate

  • Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

    Hello
    I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
    The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
    So I am stuck...
    What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
    I was hoping Azure's VPN solution would be very flexible.
    Thanks

    Hello RTF_Admin,
    1. Which is the Series of CISCO ASA device you are using?
    Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device as Multisite VPN requires dyanmic routing and unfortunately there is no tweak or workaround due to hardware compatibility issue.
    I hope that this information is helpful
    Thanks,
    Syed Irfan Hussain

  • Cisco ASA 5505 Site to Site VPN

    Hello All,
    First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
    I would appreciate any help that can be directed towards this issue please.  Slowly losing my mind
    Please see details below:
    Both ADM are 7.1
    IOS
    ASA 1
    aved
    ASA Version 9.0(1)
    hostname PAYBACK
    enable password HSMurh79NVmatjY0 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description Trunk link to SW1
    switchport trunk allowed vlan 1,10,20,30,40
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address 92.51.193.158 255.255.255.252
    interface Vlan10
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan20
    nameif servers
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    interface Vlan30
    nameif printers
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan40
    nameif wireless
    security-level 100
    ip address 192.168.40.1 255.255.255.0
    banner login line Welcome to Payback Loyalty Systems
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup servers
    dns domain-lookup printers
    dns domain-lookup wireless
    dns server-group DefaultDNS
    name-server 83.147.160.2
    name-server 83.147.160.130
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network ftp_server
    object network Internal_Report_Server
    host 192.168.20.21
    description Automated Report Server Internal Address
    object network Report_Server
    host 89.234.126.9
    description Automated Report Server
    object service RDP
    service tcp destination eq 3389
    description RDP to Server
    object network Host_QA_Server
    host 89.234.126.10
    description QA Host External Address
    object network Internal_Host_QA
    host 192.168.20.22
    description Host of VM machine for QA
    object network Internal_QA_Web_Server
    host 192.168.20.23
    description Web Server in QA environment
    object network Web_Server_QA_VM
    host 89.234.126.11
    description Web server in QA environment
    object service SQL_Server
    service tcp destination eq 1433
    object network Demo_Server
    host 89.234.126.12
    description Server set up to Demo Product
    object network Internal_Demo_Server
    host 192.168.20.24
    description Internal IP Address of Demo Server
    object network NETWORK_OBJ_192.168.20.0_24
    subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_26
    subnet 192.168.50.0 255.255.255.192
    object network NETWORK_OBJ_192.168.0.0_16
    subnet 192.168.0.0 255.255.0.0
    object service MSSQL
    service tcp destination eq 1434
    description MSSQL port
    object network VPN-network
    subnet 192.168.50.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_24
    subnet 192.168.50.0 255.255.255.0
    object service TS
    service tcp destination eq 4400
    object service TS_Return
    service tcp source eq 4400
    object network External_QA_3
    host 89.234.126.13
    object network Internal_QA_3
    host 192.168.20.25
    object network Dev_WebServer
    host 192.168.20.27
    object network External_Dev_Web
    host 89.234.126.14
    object network CIX_Subnet
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network NETWORK_OBJ_84.39.233.50
    host 84.39.233.50
    object network NETWORK_OBJ_92.51.193.158
    host 92.51.193.158
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq ftp
    service-object tcp destination eq netbios-ssn
    service-object tcp destination eq smtp
    service-object object TS
    object-group network Payback_Internal
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_3
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object object TS
    service-object object TS_Return
    object-group service DM_INLINE_SERVICE_4
    service-object object RDP
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_5
    service-object object MSSQL
    service-object object RDP
    service-object object TS
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
    service-object object TS
    service-object object TS_Return
    service-object tcp destination eq www
    service-object tcp destination eq https
    access-list outside_access_in remark This rule is allowing from internet to interal server.
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark FTP
    access-list outside_access_in remark RDP
    access-list outside_access_in remark SMTP
    access-list outside_access_in remark Net Bios
    access-list outside_access_in remark SQL
    access-list outside_access_in remark TS - 4400
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
    access-list outside_access_in remark Access rule to internal host QA
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
    access-list outside_access_in remark Access to INternal Web Server:
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
    access-list outside_access_in remark Rule for allowing access to Demo server
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark RDP
    access-list outside_access_in remark MSSQL
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
    access-list outside_access_in remark Access for Development WebServer
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console informational
    logging asdm informational
    logging from-address
    [email protected]
    logging recipient-address
    [email protected]
    level alerts
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    mtu printers 1500
    mtu wireless 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (wireless,outside) source dynamic any interface
    nat (servers,outside) source dynamic any interface
    nat (servers,outside) source static Internal_Report_Server Report_Server
    nat (servers,outside) source static Internal_Host_QA Host_QA_Server
    nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
    nat (servers,outside) source static Internal_Demo_Server Demo_Server
    nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Internal_QA_3 External_QA_3
    nat (servers,outside) source static Dev_WebServer External_Dev_Web
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 84.39.233.50
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 77.75.100.208 255.255.255.240 outside
    ssh 192.168.10.0 255.255.255.0 inside
    ssh 192.168.40.0 255.255.255.0 wireless
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.168.0.1
    dhcpd auto_config outside
    dhcpd address 192.168.10.21-192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    dhcpd option 15 ascii paybackloyalty.com interface inside
    dhcpd enable inside
    dhcpd address 192.168.40.21-192.168.40.240 wireless
    dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
    dhcpd update dns interface wireless
    dhcpd option 15 ascii paybackloyalty.com interface wireless
    dhcpd enable wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy Payback_VPN internal
    group-policy Payback_VPN attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Payback_VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 83.147.160.2 83.147.160.130
    vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    group-policy GroupPolicy_84.39.233.50 internal
    group-policy GroupPolicy_84.39.233.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username Noelle password XB/IpvYaATP.2QYm encrypted
    username Noelle attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
    username Eanna attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Michael password qpbleUqUEchRrgQX encrypted
    username Michael attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
    username Danny attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
    username Aileen attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
    username Aidan attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    username shane.c password iqGMoWOnfO6YKXbw encrypted
    username shane.c attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Shane password uYePLcrFadO9pBZx encrypted
    username Shane attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username James password TdYPv1pvld/hPM0d encrypted
    username James attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username mark password yruxpddqfyNb.qFn encrypted
    username mark attributes
    service-type admin
    username Mary password XND5FTEiyu1L1zFD encrypted
    username Mary attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
    username Massimo attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    tunnel-group Payback_VPN type remote-access
    tunnel-group Payback_VPN general-attributes
    address-pool VPN1
    default-group-policy Payback_VPN
    tunnel-group Payback_VPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 general-attributes
    default-group-policy GroupPolicy_84.39.233.50
    tunnel-group 84.39.233.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp error
      inspect icmp
    service-policy global-policy global
    smtp-server 192.168.20.21
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
    ASA 2
    ASA Version 9.0(1)
    hostname Payback-CIX
    enable password HSMurh79NVmatjY0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description This port connects to VLAN 100
    switchport access vlan 100
    interface Ethernet0/2
    interface Ethernet0/3
    switchport access vlan 100
    interface Ethernet0/4
    switchport access vlan 100
    interface Ethernet0/5
    switchport access vlan 100
    interface Ethernet0/6
    switchport access vlan 100
    interface Ethernet0/7
    switchport access vlan 100
    interface Vlan2
    nameif outside
    security-level 0
    ip address 84.39.233.50 255.255.255.240
    interface Vlan100
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    banner login line Welcome to Payback Loyalty - CIX
    ftp mode passive
    clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group defaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network CIX-Host-1
    host 192.168.100.2
    description This is the host machine of the VM servers
    object network External_CIX-Host-1
    host 84.39.233.51
    description This is the external IP address of the host server for the VM server
    object service RDP
    service tcp source range 1 65535 destination eq 3389
    object network Payback_Office
    host 92.51.193.158
    object service MSQL
    service tcp destination eq 1433
    object network Development_OLTP
    host 192.168.100.10
    description VM for Eiresoft
    object network External_Development_OLTP
    host 84.39.233.52
    description This is the external IP address for the VM for Eiresoft
    object network Eiresoft
    host 146.66.160.70
    description DBA Contractor
    object network External_TMC_Web
    host 84.39.233.53
    description Public Address of TMC Webserver
    object network TMC_Webserver
    host 192.168.100.19
    description Internal Address of TMC Webserver
    object network External_TMC_OLTP
    host 84.39.233.54
    description Targets OLTP external IP
    object network TMC_OLTP
    host 192.168.100.18
    description Targets interal IP address
    object network External_OLTP_Failover
    host 84.39.233.55
    description Public IP of OLTP Failover
    object network OLTP_Failover
    host 192.168.100.60
    description Server for OLTP failover
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object network Wired
    subnet 192.168.10.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network Eiresoft_2nd
    host 137.117.217.29
    description Eiresoft 2nd IP
    object network Dev_Test_Webserver
    host 192.168.100.12
    description Dev Test Webserver Internal Address
    object network External_Dev_Test_Webserver
    host 84.39.233.56
    description This is the PB Dev Test Webserver
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_2
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_3
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_4
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_5
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_6
    service-object object MSQL
    service-object object RDP
    object-group network Payback_Intrernal
    network-object object Servers
    network-object object Wired
    network-object object Wireless
    object-group service DM_INLINE_SERVICE_7
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_8
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_9
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_10
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_11
    service-object object RDP
    service-object tcp destination eq ftp
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
    access-list outside_access_in remark Development OLTP from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
    access-list outside_access_in remark Access for Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
    access-list outside_access_in remark Access to OLTP for target from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
    access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
    access-list outside_access_in remark Access for the 2nd IP from Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
    access-list outside_access_in remark Access from the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
    access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
    nat (inside,outside) source static Development_OLTP External_Development_OLTP
    nat (inside,outside) source static TMC_Webserver External_TMC_Web
    nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
    nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
    nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 92.51.193.156 255.255.255.252 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 92.51.193.158
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 77.75.100.208 255.255.255.240 outside
    ssh 92.51.193.156 255.255.255.252 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_92.51.193.158 internal
    group-policy GroupPolicy_92.51.193.158 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 general-attributes
    default-group-policy GroupPolicy_92.51.193.158
    tunnel-group 92.51.193.158 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hi,
    Thanks for the help to date
    I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
    See below the details:
    ASA1:
    hostname PAYBACK
    enable password HSMurh79NVmatjY0 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description Trunk link to SW1
    switchport trunk allowed vlan 1,10,20,30,40
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address XX.XX.XX.XX 255.255.255.252
    interface Vlan10
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan20
    nameif servers
    security-level 100
    ip address 192.168.20.1 255.255.255.0
    interface Vlan30
    nameif printers
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan40
    nameif wireless
    security-level 100
    ip address 192.168.40.1 255.255.255.0
    banner login line Welcome to Payback Loyalty Systems
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup servers
    dns domain-lookup printers
    dns domain-lookup wireless
    dns server-group DefaultDNS
    name-server 83.147.160.2
    name-server 83.147.160.130
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network ftp_server
    object network Internal_Report_Server
    host 192.168.20.21
    description Automated Report Server Internal Address
    object network Report_Server
    host 89.234.126.9
    description Automated Report Server
    object service RDP
    service tcp destination eq 3389
    description RDP to Server
    object network Host_QA_Server
    host 89.234.126.10
    description QA Host External Address
    object network Internal_Host_QA
    host 192.168.20.22
    description Host of VM machine for QA
    object network Internal_QA_Web_Server
    host 192.168.20.23
    description Web Server in QA environment
    object network Web_Server_QA_VM
    host 89.234.126.11
    description Web server in QA environment
    object service SQL_Server
    service tcp destination eq 1433
    object network Demo_Server
    host 89.234.126.12
    description Server set up to Demo Product
    object network Internal_Demo_Server
    host 192.168.20.24
    description Internal IP Address of Demo Server
    object network NETWORK_OBJ_192.168.20.0_24
    subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_26
    subnet 192.168.50.0 255.255.255.192
    object network NETWORK_OBJ_192.168.0.0_16
    subnet 192.168.0.0 255.255.0.0
    object service MSSQL
    service tcp destination eq 1434
    description MSSQL port
    object network VPN-network
    subnet 192.168.50.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_24
    subnet 192.168.50.0 255.255.255.0
    object service TS
    service tcp destination eq 4400
    object service TS_Return
    service tcp source eq 4400
    object network External_QA_3
    host 89.234.126.13
    object network Internal_QA_3
    host 192.168.20.25
    object network Dev_WebServer
    host 192.168.20.27
    object network External_Dev_Web
    host 89.234.126.14
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    description Wireless network
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq ftp
    service-object tcp destination eq netbios-ssn
    service-object tcp destination eq smtp
    service-object object TS
    service-object object SQL_Server
    object-group service DM_INLINE_SERVICE_3
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object object TS
    service-object object TS_Return
    object-group service DM_INLINE_SERVICE_4
    service-object object RDP
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_5
    service-object object MSSQL
    service-object object RDP
    service-object object TS
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
    service-object object TS
    service-object object TS_Return
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    object-group network Payback_Internal
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.20.0 255.255.255.0
    network-object 192.168.40.0 255.255.255.0
    access-list outside_access_in remark This rule is allowing from internet to interal server.
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark FTP
    access-list outside_access_in remark RDP
    access-list outside_access_in remark SMTP
    access-list outside_access_in remark Net Bios
    access-list outside_access_in remark SQL
    access-list outside_access_in remark TS - 4400
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
    access-list outside_access_in remark Access rule to internal host QA
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
    access-list outside_access_in remark Access to INternal Web Server:
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
    access-list outside_access_in remark Rule for allowing access to Demo server
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark RDP
    access-list outside_access_in remark MSSQL
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
    access-list outside_access_in remark Access for Development WebServer
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console informational
    logging asdm informational
    logging from-address [email protected]
    logging recipient-address [email protected] level alerts
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    mtu printers 1500
    mtu wireless 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source dynamic any interface
    nat (wireless,outside) source dynamic any interface
    nat (servers,outside) source dynamic any interface
    nat (servers,outside) source static Internal_Report_Server Report_Server
    nat (servers,outside) source static Internal_Host_QA Host_QA_Server
    nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
    nat (servers,outside) source static Internal_Demo_Server Demo_Server
    nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Internal_QA_3 External_QA_3
    nat (servers,outside) source static Dev_WebServer External_Dev_Web
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer XX.XX.XX.XX
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map servers_map interface servers
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 enable servers
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.168.0.1
    dhcpd auto_config outside
    dhcpd address 192.168.10.21-192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    dhcpd option 15 ascii paybackloyalty.com interface inside
    dhcpd enable inside
    dhcpd address 192.168.40.21-192.168.40.240 wireless
    dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
    dhcpd update dns interface wireless
    dhcpd option 15 ascii paybackloyalty.com interface wireless
    dhcpd enable wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy Payback_VPN internal
    group-policy Payback_VPN attributes
    vpn-simultaneous-logins 10
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Payback_VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 83.147.160.2 83.147.160.130
    vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    group-policy GroupPolicy_84.39.233.50 internal
    group-policy GroupPolicy_84.39.233.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username Noelle password XB/IpvYaATP.2QYm encrypted
    username Noelle attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
    username Eanna attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Michael password qpbleUqUEchRrgQX encrypted
    username Michael attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
    username Danny attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username niamh password MlFlIlEiy8vismE0 encrypted
    username niamh attributes
    service-type admin
    username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
    username Aileen attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
    username Aidan attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    username shane.c password iqGMoWOnfO6YKXbw encrypted
    username shane.c attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Shane password yQeVtvLLKqapoUje encrypted privilege 0
    username Shane attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username James password TdYPv1pvld/hPM0d encrypted
    username James attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username mark password yruxpddqfyNb.qFn encrypted
    username mark attributes
    service-type admin
    username Mary password XND5FTEiyu1L1zFD encrypted
    username Mary attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
    username Massimo attributes
    vpn-group-policy Payback_VPN
    service-type remote-access
    tunnel-group Payback_VPN type remote-access
    tunnel-group Payback_VPN general-attributes
    address-pool VPN1
    default-group-policy Payback_VPN
    tunnel-group Payback_VPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 general-attributes
    default-group-policy GroupPolicy_84.39.233.50
    tunnel-group 84.39.233.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp error
      inspect icmp
    service-policy global-policy global
    smtp-server 192.168.20.21
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:83fa7ce1d93375645205f6e79b526381
    ASA2:
    ASA Version 9.0(1)
    hostname Payback-CIX
    enable password HSMurh79NVmatjY0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    description This port connects to VLAN 100
    switchport access vlan 100
    interface Ethernet0/2
    interface Ethernet0/3
    switchport access vlan 100
    interface Ethernet0/4
    switchport access vlan 100
    interface Ethernet0/5
    switchport access vlan 100
    interface Ethernet0/6
    switchport access vlan 100
    interface Ethernet0/7
    switchport access vlan 100
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.X.X 255.255.255.240
    interface Vlan100
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    banner login line Welcome to Payback Loyalty - CIX
    ftp mode passive
    clock timezone GMT 0
    clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group defaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network CIX-Host-1
    host 192.168.100.2
    description This is the host machine of the VM servers
    object network External_CIX-Host-1
    host 84.39.233.51
    description This is the external IP address of the host server for the VM server
    object service RDP
    service tcp source range 1 65535 destination eq 3389
    object network Payback_Office
    host 92.51.193.158
    object service MSQL
    service tcp destination eq 1433
    object network Development_OLTP
    host 192.168.100.10
    description VM for Eiresoft
    object network External_Development_OLTP
    host 84.39.233.52
    description This is the external IP address for the VM for Eiresoft
    object network External_TMC_Web
    host 84.39.233.53
    description Public Address of TMC Webserver
    object network TMC_Webserver
    host 192.168.100.19
    description Internal Address of TMC Webserver
    object network External_TMC_OLTP
    host 84.39.233.54
    description Targets OLTP external IP
    object network TMC_OLTP
    host 192.168.100.18
    description Targets interal IP address
    object network External_OLTP_Failover
    host 84.39.233.55
    description Public IP of OLTP Failover
    object network OLTP_Failover
    host 192.168.100.60
    description Server for OLTP failover
    object network Servers
    subnet 192.168.20.0 255.255.255.0
    object network Wired
    subnet 192.168.10.0 255.255.255.0
    object network Wireless
    subnet 192.168.40.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network Eiresoft_2nd
    host 137.117.217.29
    description Eiresoft 2nd IP
    object network Dev_Test_Webserver
    host 192.168.100.12
    description Dev Test Webserver Internal Address
    object network External_Dev_Test_Webserver
    host 84.39.233.56
    description This is the PB Dev Test Webserver
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object network LAN
    subnet 192.168.100.0 255.255.255.0
    object network REMOTE-LAN
    subnet 192.168.10.0 255.255.255.0
    object network TargetMC
    host 83.71.194.145
    description This is Target Location that will be accessing the Webserver
    object network Rackspace_OLTP
    host 162.13.34.56
    description This is the IP address of production OLTP
    object service DB
    service tcp destination eq 5022
    object network Topaz_Target_VM
    host 82.198.151.168
    description This is Topaz IP that will be accessing Targets VM
    object service DB_2
    service tcp destination eq 5023
    object network EireSoft_NEW_IP
    host 146.66.161.3
    description Eiresoft latest IP form ISP DHCP
    object-group service DM_INLINE_SERVICE_1
    service-object object MSQL
    service-object object RDP
    service-object icmp echo
    service-object icmp echo-reply
    object-group service DM_INLINE_SERVICE_2
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_4
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    service-object tcp destination eq www
    object-group service DM_INLINE_SERVICE_5
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_6
    service-object object MSQL
    service-object object RDP
    object-group network Payback_Intrernal
    network-object object Servers
    network-object object Wired
    network-object object Wireless
    object-group service DM_INLINE_SERVICE_8
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_9
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_10
    service-object object MSQL
    service-object object RDP
    service-object tcp destination eq ftp
    service-object icmp echo
    service-object icmp echo-reply
    service-object object DB
    object-group service DM_INLINE_SERVICE_11
    service-object object RDP
    service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_12
    service-object object MSQL
    service-object icmp echo
    service-object icmp echo-reply
    service-object object DB
    service-object object DB_2
    object-group service DM_INLINE_SERVICE_13
    service-object object MSQL
    service-object object RDP
    object-group service DM_INLINE_SERVICE_14
    service-object object MSQL
    service-object object RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
    access-list outside_access_in remark Development OLTP from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
    access-list outside_access_in remark Access to OLTP for target from Payback Office
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
    access-list outside_access_in remark Access for the 2nd IP from Eiresoft
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
    access-list outside_access_in remark Access from the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
    access-list outside_access_in remark Access rules from Traget to CIX for testing
    access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
    access-list outside_access_in remark Topaz access to Target VM
    access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
    access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
    access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
    access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
    access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
    access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
    nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
    nat (inside,outside) source static Development_OLTP External_Development_OLTP
    nat (inside,outside) source static TMC_Webserver External_TMC_Web
    nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
    nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
    nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
    nat (inside,outside) source dynamic LAN interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http X.X.X.X 255.255.255.252 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer X.X.X.X
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh X.X.X.X  255.255.255.240 outside
    ssh X.X.X.X 255.255.255.252 outside
    ssh 192.168.40.0 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_92.51.193.158 internal
    group-policy GroupPolicy_92.51.193.158 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 general-attributes
    default-group-policy GroupPolicy_92.51.193.158
    tunnel-group 92.51.193.158 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769

  • Cisco ASA 5505: How to change the default OS

    Hello,
    I'm learning how to work on the Cisco ASA 5505. My machine has two OS images: the old 7. whatever image and a more recent 8.2 image. The 8.2 image is lower in the index on disk0 so whenever I reboot the machine, the start up points it towards the older image and I have to go into ROMMON to boot the newer OS. Could someone please guide me on how to change the position of the newer OS so that it's the default image? I'd like to do this without deleting the older image so that I can have a proof of concept.
    Thank you!

    Hi Colin,
    You could use the 'boot system' global command to force the ASA to the pointed image file.
    boot system flash:/image.bin
    Sent from Cisco Technical Support iPhone App

  • Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out

    I have, what I believe to be, a simple issue - I must be missing something.
    Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
    There is a PC (10.51.253.210) plugged into e0/1.
    I know the PC is configured correctly with Windows firewall tuned off.
    The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
    I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
    Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
    Any ideas? Sanitized Config is below. Thanks !
    ASA Version 7.2(4)
    hostname *****
    domain-name *****
    enable password N7FecZuSHJlVZC2P encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif Inside
    security-level 100
    ip address 10.51.253.209 255.255.255.248
    interface Vlan2
    nameif Outside
    security-level 0
    ip address ***** 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    ftp mode passive
    dns server-group DefaultDNS
    domain-name *****
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
    pager lines 24
    mtu Outside 1500
    mtu Inside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    no asdm history enable
    arp timeout 14400
    global (Outside) 1 interface
    nat (Inside) 0 access-list No_NAT
    route Outside 0.0.0.0 0.0.0.0 ***** 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
    crypto map DPS_Map 10 match address Outside_VPN
    crypto map DPS_Map 10 set peer *****
    crypto map DPS_Map 10 set transform-set *****
    crypto map DPS_Map interface Outside
    crypto isakmp enable Outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Outside
    ssh timeout 60
    console timeout 0
    management-access Inside
    username test password P4ttSyrm33SV8TYp encrypted
    tunnel-group ***** type ipsec-l2l
    tunnel-group ***** ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
    : end
    1500

    Hi Martin,
    Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
    But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
    If it is outside world the you may need to check on the NAT rules which is not correct.
    If it is site to site then you may need to check few other things.
    Please do rate for the helpful posts.
    By
    Karthik

Maybe you are looking for

  • How can I find out on the command line, when the last time machine backu succeeded?

    For verification of ~60 MacBooks, I'd like to write a script that posts status of the last backup via mail or HTTP call to our central server. How can I lookup this information?

  • Bullet chart in WEBI 4.0

    Hi, I believe that it is possible to create bullet chart type in WEBI 4.0. As far as I remember it was covered in one of the Better BOBJ webinars run by EVtechnologies. I can't remember how it's done and I couldn't  find any instructions. The only in

  • Po approver per purchasing group

    Hi, i need to see the list of approvers  for  particular purchasing group.kindly advice.Is there any table to see the list of approvers assigned for that user .kindly advice regards sp

  • Report viewer 2010 show blank page (with params loaded)

    Hi,  I have an infrastructure RS with a web server with an ASP.NET application with Report Viewer and a second server with an installation of RS 2008 R2.  My web application (ASP.NET in C #) uses the ReportViewer 2010 component to show the report.  I

  • CS4 Embeded font problem

    I have 2 problem with CS4. (Vista 64 English) 1. I have imported font to Library. Imported font don't have all glyphs. Font Name Bytes Characters Verdana 20598 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxy