IPSec ikev2 between ASA and Cisco Router

Hi,
i try to do IPSec with ikev2 (SHA2) between ASA and Cisco Router, without success. Any one can help me ?
- Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
- Authentication with Certificats
- integrity sha2
I try a lot of configurations without success.
Thanks for your help.
Mic

The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
There are two (three) better options:
Best option with very little needed configuration:
Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
Best option with a little stronger crypto but more configuration:
Move to AnyConnect with IPsec/IKEv2. 
Move to a third-party client like shrew.net. I didn't use that client since a couple of years any more, but it's quite flexible and also has a config for a better DH-group.
For option 1) and 2) there is an extra license needed, but thats not very expensive.

Similar Messages

  • Not able to telnet or ssh to outside interface of ASA and Cisco Router

    Dear All
    Please help me with following question, I have set up testing lab, but still not work.
    it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
    Hub -- Juniper SRX
    Spoke One - Cisco ASA with version 9.1(5)
    spoke two - Cisco router with version 12.3
    site to site vpn has been successful established. Customer would like to telnet/ssh to spoke's outside ip from Hub(using Hub's outside interface as source for telnet/ssh), or vise versa. Reason for setting up like this is they wants to be able to make configuration change even when site to site vpn is down. Sound like a easy job to do, I tried for a long time, search this forum and google too, but still not work.
    Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
    Anyone has ever done it before, please help to share your exp. Does Cisco ASA or router even support it?
    When I tested it, of cause site to site vpn still up and running.
    Thanks
    YK

    Hello YK,
    On this case on the ASA, you should have the following:
    CConfiguring Management Access Over a VPN Tunnel
    If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
    To specify an interface as a mangement-only interface, enter the following command:
    hostname(config)# management access management_interface
    where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
    You can define only one management-access interface
    Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
      SSH
    - ssh 0 0 outside
    - aaa authentication ssh console LOCAL
    - Make sure you have a default RSA key, or create a new one either ways, with this command:
        *crypto key generate rsa modulus 2048
    Telnet
    - telnet 0 0 outside
    - aaa authentication telnet console LOCAL
    Afterwards, if this works you can define the subnets that should be permitted.
    On the router:
    !--- Step 1: Configure the hostname if you have not previously done so.
    hostname Router
    !--- aaa new-model causes the local username and password on the router
    !--- to be used in the absence of other AAA statements.
    aaa new-model
    username cisco password 0 cisco
    !--- Step 2: Configure the router's DNS domain.
    ip domain-name yourdomain.com
    !--- Step 3: Generate an SSH key to be used with SSH.
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    !--- Step 4: By default the vtys' transport is Telnet. In this case, 
    !--- Telnet and SSH is supported with transport input all
    line vty 0 4
    transport input All
    *!--- Instead of aaa new-model, the login local command may be used.
    no aaa new-model
    line vty 0 4
      login local
    Let me know how it works out!
    Please don't forget to Rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • VPN between ASA and IOS router

    We have established a VPN tunnel between IOS router and ASA, however it i working only from the latter. What are the common dissimilarities whcih occur between these two devices when setting up VPN?

    Do a search for the following on cisco.com- "Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions"
    It should help fix any problems.
    HTH and please rate.

  • LAN2LAN between ASA and Cisco 2821

    Greetings,
    Users on remote network behind Cisco 2821 reporting dropped connections to mail server behind ASA. 20-seconds later, the connections get re-established. I run a constant "ping" to the remote LAN and do not see a drop over the tunnel.
    Any ideas?
    Thanks.

    Thanks for the quick reply.
    As I understand what I've read - esmtp inspect is on by default on the ASA. Is that true? So - in this case - would I turn it on in the router as well? BTW: These two sites are on a LAN2LAN VPN .... does that change what you suggested?
    Thanks.

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
    I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
    Please help me to find where is the issue.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate.
    I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
    Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
    Because on Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.

  • Remote site redundancy IPSEC VPN between 2911 and ASA

    We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
    Site A has an ASA with one internet circuit.
    Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
    Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
    The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
    What is the best way of achieving this?
    We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
    However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
    I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.   Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?
    Any help/advice would be appreciated!

    Hello,
    I don't think GRE tunnel that you could set up on the switch  behind ASA would be really helpfull. Still site-2-site tunnel you want  to establish between ASA and some routers, but still it is ASA which needs to make decision about which peer to connect to.
    Possible solution would be to do HSRP between both routers on LAN side and with two independent tunnels/crypto maps (one on each of them). On ASA you would need to set up two hosts in set peer. Problem of this solution is that if one router at side B is going to go down and second ADSL line will take over ASA will not do preempt after you main Internet connection is up again. This would happen after ADSL Internet connection will be down.
    Solution to that would be to assign two different public IP addressess on two different interfaces of ASA. Then you attach two crypto maps to both interfaces and by using sla monitor (let's say icmp to main router, if it does not respond then you change routing for remote LAN to second interface) you are selecting which crypto map (with one peer this time) should be used.
    I hope what I wrote makes some sense.

  • IPSEC between Fortinet and Cisco SA540

    Hi,
    We have done the site to site VPN between Fortinet and Cisco SA540. Everything is configured at both ends but the tunnel is not establised. Can you help me out to resolve the issue.
    Regards,
    Satish.

      Hello Venkatasatish,
    I gonna send you an example of VPN between Cisco ASA 8.2 version and Fortigate mr4.
    In my example i gonna use the following environments:
    Cisco ASA "Zones"
    Inside: 192.168.1.0/24     "Asa inside interface Ip address 192.168.1.1"
    Outside: 200.200.200.0/29  "Asa outside interface Ip address 200.200.200.1"
    Fortigate "Zones"
    inside: 172.16.1.0/24     "Asa inside interface Ip address 172.16.1.1"
    outside: 201.201.201.0/29  "Asa outside interface Ip address 201.201.201.1"
    =================================> VPN Script of ASA <=================================
    access-list inside_access_in remark Firewall rule from ASA to Fortigate
    access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 log notifications
    access-group inside_access_in in interface inside
    access-list VPN_NONAT remark Nonat to VPN traffic over VPN
    access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list CryptoMap_ASA_to_Fortigate remark VPN Site-to-Site to Fortigate Site
    access-list CryptoMap_ASA_to_Fortigate extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list VPN_NONAT
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map OUTSIDE_map 1 match address CryptoMap_ASA_to_Fortigate
    crypto map OUTSIDE_map 1 set peer 201.201.201.1
    crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
    crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
    crypto map OUTSIDE_map interface outside
    group-policy GP_TO_FORTIGATE internal
    group-policy GP_TO_FORTIGATE attributes
    vpn-idle-timeout none
    vpn-tunnel-protocol IPSec
    tunnel-group 201.201.201.1 type ipsec-l2l
    tunnel-group 201.201.201.1 general-attributes
    default-group-policy GP_TO_FORTIGATE
    tunnel-group 201.201.201.1 ipsec-attributes
    pre-shared-key cisco123
    =================================> VPN Script for Fortigate ==============================
    Phase 1:
    FORTIGATE# config vpn ipsec phase1-interface  "enter"
    FORTIGATE (phase1-interface) # edit 200.200.200.1 "enter"
            set interface "outside"
            set keylife 86400
            set mode main
            set dhgrp 2
            set proposal 3des-sha1
            set remote-gw 200.200.200.1
            set psksecret ENC cisco123
            next "to apply the configuration"
    Phase 2
    FORTIGATE# config vpn ipsec phase2-interface
        edit 200.200.200.1
            set keepalive enable
            set pfs disable
            set phase1name "200.200.200.1"
            set proposal 3des-sha1
            set dst-subnet 192.168.1.0 255.255.255.0
            set keylifeseconds 3600
            set src-subnet 172.16.1.0 255.255.255.0
            next "to apply the configuration"
    Config route to VPN: I am using 100 entry, you need to take a look at your firewall.
    FORTIGATE# config router static "enter"
    FORTIGATE (static) # edit 100 "enter"
    FORTIGATE (100) #  set device "200.200.200.1"
                       set distance 1
                       set dst 192.168.1.0 255.255.255.0
    Create a Rule: in my example I´m using any to any over VPN, but you can to filter based on network environments.
    FORTIGATE # config firewall policy "enter"
    FORTIGATE (policy) # edit 100 "enter"
    config firewall policy
        edit 100
            set srcintf "200.200.200.1"
            set dstintf "inside"
                set srcaddr "all"            
                set dstaddr "all"            
            set action accept
            set schedule "always"
                set service "ANY"            
            set logtraffic enable
            set comments "Access from VPN ASA site"
    FORTIGATE (policy) # edit 101 "enter"
    config firewall policy
        edit 101
            set srcintf "inside"
            set dstintf "200.200.200.1"
                set srcaddr "all"            
                set dstaddr "all"            
            set action accept
            set schedule "always"
                set service "ANY"            
            set logtraffic enable
            set comments "Access to VPN ASA Site"
    After that, please start a traffic between private network, 192.168.1.0 and 172.16.1.0/24.
    Please let me know about it!
    Good luck.
    Fabio Jorge Amorim

  • IPSEC b/w ASA and Router --- with nat stuff

    I need help regarding the following issue..
    An asa is connected to a router which is connected to the internet.
    A vpn must be established b/w ASA and a router that is over internet . The ASA is not directly connected to the internet. It is connected to a router which nat the Asa outside ip to a static global IP .
    All i need to know is that do need any special configs for this . or its the same as if ASA would have been directly connected to the internet

    In order to configure a LAN-to-LAN tunnel between a Cisco IOS? router and an Adaptive Security Appliance (ASA), these configurations are required on the ASA:
    Configure the crypto ipsec command in Phase 2.
    Configure the isakmp policy command.
    Configure the nat 0 command and the access-list command in order to bypass NATting.
    Configure the crypto-map command.
    Configure the tunnel-group DefaultL2LGroup command with group information

  • Administration of ASA5520 and cisco router mpls 1900

    Hi
    i just want to administor cisco
    ASA5520 and cisco router mpls 1900
    can some tell me as admin what to check as u get into office /reguraly in cisco asa 5520 and vpn mpls router for administrator ,right now its working as configured by supplier for remote sites to connect HQ and access several server
    My interest to know what are the basic day to day checkup on cisco asa5520 working as ips and cisco asa 5520 working as content filtering and cisco vpn mpls
    thx ,attached pic for ur view
    J

    Hello Malai,
    This question is subjective, I mean you can check the statistics on the CSC module for logs of the users going to blacklisted sites.
    You can check the CPU for the ASA's and IPS.
    You can monitor the amount of traffic traversing the interfaces of the ASA, you can determine witch host is using most of the bandwith,etc.
    Its pretty basic administration stuff
    Regards,
    Julio
    Rate all the helpful posts

  • How to create multiple sip trunks between cucm and cisco unified sip proxy

    Dear Expert,
    Is there a way to create multiple sip trunks between CUCM and Cisco Unified SIP Proxy (CUSP)? How to achieve it without creating multiple IP interfaces on the CUSP module.
    CUCM: 8.5.1.10000-9
    CUSP: 8.5.2
    Thank you,
    .wan

    Hello Michael,
    This SIP trunk is part of UCCE solution, which used between CVP, CUSP, and CUCM.
    The requirements:
    1) To have different codecs for different type of calls, as the phones are at few countries
    2) To pass different number of digits from CUSP to CUCM for different call treatments
    .wan

  • What is the fundamental difference between classful and classless routing?

    Hello to all,
    After reading several RFCs, guides and HOWTOs I am confused by an apparently trivial question - what is the basic, fundamental difference between classful and classless routing?
    I am well aware that - said in a very primitive way - the classful routing does not make use of netmasks and instead uses the address classes while the classless routing utilizes the netmasks and does not evaluate the address classes.
    However, already in 1985 the RFC 950 (Internet Standard Subnetting Procedure) stated that the networks can be further subnetted using the network mask. Since then the routers are expected to use network masks in the routing decision process in the precise way they use it nowadays. However, if the routers use network masks they are doing the classless routing, aren't they? Where is then the difference if we used to describe the 80's way of routing as a classful routing? Or was it already the classless routing? The RFCs about CIDR came gradually only in 1992 and 1993.
    If somebody could give me an insight into the key difference between classful and classless routing (and perhaps into the Internet history, how was the real routing done then) I would be most grateful.
    Thank you a lot!
    Regards,
    Peter

    Hello Mohammed,
    I am afraid we still have not understood each other ;) I am not looking for the algorithms used to select the best path. I am well aware of them, both Ford-Bellman and Dijkstra, and about their internals. By the way, these algorithms do not have any influence whether the routing is classful or classless because they deal with metrics, not with masks. For example, a classless EIGRP internally uses a distance-vector algorithm, not a SPF algorithm.
    I will try to explain once more what is my problem... There are two terms commonly used but badly defined: the classless routing and classful routing. Originally, I have thought that the classful routing works as follows:
    - The routing table consists only of classful destination networks (major nets), metrics and respective gateways. No network masks are stored in the table because we are classful, that is, we use exclusively the route classes and all entries in the routing table are already classful.
    - When routing a packet, the router looks at its destination IP address and determines the major net of this IP address (that is, the classful network that this IP address belongs to). Then it looks up the corresponding entry in the routing table and sends the packet to the respective gateway.
    I thought that the classful routing works in this way. I won't describe the classless routing - both of us know how do the today's routers select the next hop.
    However, in the RFCs 917 and 950 which were published in 1985, long ago before the term 'classless routing' was coined, the network mask was already defined and it was stated how the routers should work with it.
    Now I am confused. The terms classless addresses and classless routing were defined sometime in 1990's, therefore I assume that the routing before the invention of classless IP assignment can be in fact described as classful. In other words, I thought that the routing that was commonly used in 1980's did not use netmasks and can be described as classful because the notion of classlessness came first in 1990's. But now I see that netmasks were defined in 1985.
    Now where am I wrong? Do I understand the classful routing properly as I described it? Is it correct to talk about routing in that era as classful although the netmasks were already in use? Or was it already the classless routing?
    Basically I am trying to understand what was called the classful routing if the classless routing is said to be something different.
    Mohammed, I am most grateful to you for your patience and suggestions! Thank you indeed.
    Regards,
    Peter

  • Can't get L2L VPN up between ASA and Fortinet (IKEv2)

    Hi,
    I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being setup with IKEv2. The ASA is complaining that it can't find a matching policy.
    The Fortinet device is configured by other party and I have confirmed that they are using the agreed settings.
    Configuration from the ASA:
    crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
     protocol esp encryption 3des
     protocol esp integrity sha-1
    crypto map VPN 100 match address ABC
    crypto map VPN 100 set pfs group5
    crypto map VPN 100 set peer x.x.x.x
    crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
    crypto map VPN 100 set security-association lifetime seconds 28800
    crypto map VPN interface outside
    crypto ikev2 policy 10
     encryption aes-256 3des
     integrity sha256 sha
     group 5
     prf sha256
     lifetime seconds 86400
    crypto ikev2 enable outside
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     ikev2 remote-authentication pre-shared-key blablabla
     ikev2 local-authentication pre-shared-key blablabla
    Debugs say that there is no matching policy:
    IKEv2-PROTO-3: (97): Get peer authentication method
    IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
    IKEv2-PROTO-3: (97): Verify authentication data
    IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
    IKEv2-PROTO-2: (97): Processing auth message
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Received Policies:
    ESP: Proposal 1:  3DES SHA96
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Expected Policies:
    IKEv2-PROTO-5: (97): Failed to verify the proposed policies
    IKEv2-PROTO-1: (97): Failed to find a matching policy

    Dear Robert,
    The above error from ASA indicates there may be a problem with your preshared key..Both Local and remotre sites...or an Out of Synce problem to the remote end/peer. Give more details about ur Watchguard version with what application it is running..Send the complete log of
    1. sh crypto ipsec sa
    2. sh crypto isakmp sa
    3. debug crypto isa 255
    4. debug crypto ipsec 255

  • How to use the private subnet between ASA and Router

    Guys,
    Here is the context:
    I am connecting to 2 ISPs for load sharing traffic coming from my private network.
    The 2 links from the ISPs terminate in the router which connects to an ASA via a private subnet, back to my private network.
    I have configured PBR in the router, to prefer ISP1 for trafic coming from my internal servers X, Y, Z  (public addresses, no need for the ASA to translate).  The router  should send any other traffic coming from the rest of my private address space, servers W, V, U  (after translation by ASA) to ISP2.
    So far so good.  The default route defined on ASA points to the internal LAN interface of the Router (private ip address). How can I route this subnet used between the ASA and Router? Being a private address I have to translate it to something (public) before the router can send it out. But translate to what?
    Alternatively I could use a public subnet. But I do not have any.How do I get aroung this?
    Regards
    Ndaungwe

    You have IP addresses on the direct interface links to the ISP's?? You ccould use those IP addresses with NAT overload.

  • Connection dropped between ASA and router

    Hi,
    Last night Internet traffic was going from my 2811 router to the Internet via my ASA 5510 (as it should do and in accordance with my route-map policy) but, when I came in this morning, traffic wasn't going via my ASA as my route-map policy specified, it was going straight to the Internet via my Gateway of Last Resort (an SDSL router). When I did a ping between the ASA and the 2811 router, traffic started to be routed via the ASA again, as specified by the Route-Map policy. Does anyone know what caused this to happen?
    Thanks,
    Jaime

    Ensure your ACL configured properly in your device or may be you did any changes recently.

  • Site-to-site vpn with 2 asa and home router

    I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
    Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
    192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
    10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
    192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
    Below are the configs of the local and remote asa. any help would be greatly appreaciated.
    local-asa
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.6 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Switch
    host 192.168.1.5
    description 2960-24 Switch
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object network Mark_Public
    host 76.98.2.63
    description Mark Public
    object network Mark
    subnet 10.10.10.0 255.255.255.0
    description Marks Network
    object network Mark_routed_subnet
    subnet 192.168.0.0 255.255.255.0
    access-list outside_access_in extended permit icmp any4 any4 echo-reply
    access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
    access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
    access-list Home standard permit 192.168.1.0 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any outside
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
    route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
    aaa-server Radius protocol radius
    aaa-server Radius (inside) host 192.168.1.101
    key *****
    user-identity default-domain LOCAL
    aaa authentication ssh console Radius LOCAL
    aaa authentication telnet console Radius LOCAL
    aaa authentication enable console Radius LOCAL
    aaa authentication http console Radius LOCAL
    aaa authentication serial console Radius LOCAL
    aaa accounting enable console Radius
    aaa accounting serial console Radius
    aaa accounting ssh console Radius
    aaa accounting telnet console Radius
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 66.162.9.0 255.255.255.0 outside
    http 76.98.2.63 255.255.255.255 outside
    http 10.10.10.0 255.255.255.0 inside
    snmp-server host inside 192.168.1.101 community *****
    snmp-server location 149 Cinder Cross
    snmp-server contact Ted Stout
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps entity config-change
    snmp-server enable traps memory-threshold
    snmp-server enable traps interface-threshold
    snmp-server enable traps cpu threshold rising
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer 76.98.2.63
    crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=stout-fw
    keypair vpn.stoutte.homeip.net
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpoint Home--Server-CA
    enrollment terminal
    subject-name CN=stout-fw,O=home
    keypair HOME-SERVER-CA
    crl configure
    crypto ca trustpoint HOME-SSL
    enrollment terminal
    fqdn stoutfw.homeip.net
    subject-name CN=stoutfw,O=Home
    keypair HOME-SSL
    no validation-usage
    crl configure
    crypto ca trustpoint SelfSigned
    enrollment self
    fqdn stoutfw.homeip.net
    subject-name CN=stout-fw
    keypair SelfSigned
    crl configure
    crypto ca trustpoint ASDM_TrustPoint2
    enrollment self
    fqdn 192.168.1.6
    subject-name CN=stout-fw
    keypair SelfSigned
    crl configure
    crypto ca trustpool policy
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 20
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.168.1.5 source inside prefer
    ssl trust-point SelfSigned outside
    ssl trust-point ASDM_TrustPoint2 inside
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1
    username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
    username stoutte attributes
    webvpn
      anyconnect keep-installer installed
      anyconnect profiles value VPN_client_profile type user
    tunnel-group 76.98.2.63 type ipsec-l2l
    tunnel-group 76.98.2.63 general-attributes
    default-group-policy GroupPolicy1
    tunnel-group 76.98.2.63 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    authentication-server-group Radius LOCAL
    default-group-policy GroupPolicy_VPN
    dhcp-server link-selection 192.168.1.101
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    class-map inspection_default
    match default-inspection-traffic
    remote-asa
    : Saved
    ASA Version 9.1(1)
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.0.10 255.255.255.0
    ftp mode passive
    clock timezone EDT -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name netlab.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Ted
    subnet 192.168.1.0 255.255.255.0
    description Teds Network
    object network Ted_Public
    host 24.163.116.187
    object network outside_private
    subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_10.10.10.0_24
    subnet 10.10.10.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
    access-list outside_access_in extended permit icmp any4 any4 echo-reply
    access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
    access-list outside_access_in extended permit ip object Ted_Public any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    logging debug-trace
    nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
    route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 24.163.116.187 255.255.255.255 outside
    http 192.168.0.0 255.255.255.0 outside
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto map outside_map2 1 match address outside_cryptomap
    crypto map outside_map2 1 set peer 24.163.116.187
    crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
    crypto map outside_map2 interface outside
    crypto ikev2 enable outside
    crypto ikev2 enable inside
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    dhcpd address 10.10.10.1-10.10.10.20 inside
    dhcpd enable inside
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1
    username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
    tunnel-group 24.163.116.187 type ipsec-l2l
    tunnel-group 24.163.116.187 general-attributes
    default-group-policy GroupPolicy1
    tunnel-group 24.163.116.187 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
    : end
    no asdm history enable

    I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
    Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
    192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
    10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
    192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
    Below are the configs of the local and remote asa. any help would be greatly appreaciated.
    local-asa
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.6 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Switch
    host 192.168.1.5
    description 2960-24 Switch
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object network Mark_Public
    host 76.98.2.63
    description Mark Public
    object network Mark
    subnet 10.10.10.0 255.255.255.0
    description Marks Network
    object network Mark_routed_subnet
    subnet 192.168.0.0 255.255.255.0
    access-list outside_access_in extended permit icmp any4 any4 echo-reply
    access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
    access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
    access-list Home standard permit 192.168.1.0 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any outside
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
    route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
    aaa-server Radius protocol radius
    aaa-server Radius (inside) host 192.168.1.101
    key *****
    user-identity default-domain LOCAL
    aaa authentication ssh console Radius LOCAL
    aaa authentication telnet console Radius LOCAL
    aaa authentication enable console Radius LOCAL
    aaa authentication http console Radius LOCAL
    aaa authentication serial console Radius LOCAL
    aaa accounting enable console Radius
    aaa accounting serial console Radius
    aaa accounting ssh console Radius
    aaa accounting telnet console Radius
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 66.162.9.0 255.255.255.0 outside
    http 76.98.2.63 255.255.255.255 outside
    http 10.10.10.0 255.255.255.0 inside
    snmp-server host inside 192.168.1.101 community *****
    snmp-server location 149 Cinder Cross
    snmp-server contact Ted Stout
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps entity config-change
    snmp-server enable traps memory-threshold
    snmp-server enable traps interface-threshold
    snmp-server enable traps cpu threshold rising
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer 76.98.2.63
    crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=stout-fw
    keypair vpn.stoutte.homeip.net
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpoint Home--Server-CA
    enrollment terminal
    subject-name CN=stout-fw,O=home
    keypair HOME-SERVER-CA
    crl configure
    crypto ca trustpoint HOME-SSL
    enrollment terminal
    fqdn stoutfw.homeip.net
    subject-name CN=stoutfw,O=Home
    keypair HOME-SSL
    no validation-usage
    crl configure
    crypto ca trustpoint SelfSigned
    enrollment self
    fqdn stoutfw.homeip.net
    subject-name CN=stout-fw
    keypair SelfSigned
    crl configure
    crypto ca trustpoint ASDM_TrustPoint2
    enrollment self
    fqdn 192.168.1.6
    subject-name CN=stout-fw
    keypair SelfSigned
    crl configure
    crypto ca trustpool policy
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 20
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.168.1.5 source inside prefer
    ssl trust-point SelfSigned outside
    ssl trust-point ASDM_TrustPoint2 inside
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1
    username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
    username stoutte attributes
    webvpn
      anyconnect keep-installer installed
      anyconnect profiles value VPN_client_profile type user
    tunnel-group 76.98.2.63 type ipsec-l2l
    tunnel-group 76.98.2.63 general-attributes
    default-group-policy GroupPolicy1
    tunnel-group 76.98.2.63 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    authentication-server-group Radius LOCAL
    default-group-policy GroupPolicy_VPN
    dhcp-server link-selection 192.168.1.101
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    class-map inspection_default
    match default-inspection-traffic
    remote-asa
    : Saved
    ASA Version 9.1(1)
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.0.10 255.255.255.0
    ftp mode passive
    clock timezone EDT -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name netlab.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Ted
    subnet 192.168.1.0 255.255.255.0
    description Teds Network
    object network Ted_Public
    host 24.163.116.187
    object network outside_private
    subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_10.10.10.0_24
    subnet 10.10.10.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
    access-list outside_access_in extended permit icmp any4 any4 echo-reply
    access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
    access-list outside_access_in extended permit ip object Ted_Public any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    logging debug-trace
    nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
    route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 24.163.116.187 255.255.255.255 outside
    http 192.168.0.0 255.255.255.0 outside
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto map outside_map2 1 match address outside_cryptomap
    crypto map outside_map2 1 set peer 24.163.116.187
    crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
    crypto map outside_map2 interface outside
    crypto ikev2 enable outside
    crypto ikev2 enable inside
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    dhcpd address 10.10.10.1-10.10.10.20 inside
    dhcpd enable inside
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1
    username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
    tunnel-group 24.163.116.187 type ipsec-l2l
    tunnel-group 24.163.116.187 general-attributes
    default-group-policy GroupPolicy1
    tunnel-group 24.163.116.187 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
    : end
    no asdm history enable

Maybe you are looking for

  • How can I move my preferences and extensions to a new computer? Have I done it successfully?

    My old computer crashed. I've set up the new computer. I copied all the profile files/folders to the profile on the new computer in both the local and roaming folders. Does this copy over my preferences and extensions? The help pages say they don't t

  • Problem with E-Business Control Center

    Hi, I am trying to create a content selector using the e-business control cnter. When I try to save it I get the following error. The content selector is not complete. Please complete before saving. Could not save the rule. Could not find GlobalConte

  • Java 6  JEditorPane.print pagination

    I now see that Java 6 has a print() function for JEditorPane. My question is does this method do some sort of pagination so that a line of text will not be split between two pages? Does anyone have experience with this method yet?

  • 11i forms not loading

    Hi all, Environment is EBS 11i(11.5.10.2) DB 9.2.0.6.0 OS = OEL 4.8 32 bit Single node environment and 32 GB Ram installed forms are not loading, clicking on forms doesn't open any form. Executed autoconfig..... completed successfully Relinked applic

  • HT4623 Im getting error while updating iphone wirelessly

    Im updating my iphone 4 from IOS 5.1.1 to IOS 6.1, before filnalizing downloading, it gives an error